Vendor Management Assessment Checklist
8/10/2019
Vendor Management Category | Review Results
No. | Summary Checklist Question | Red (No) | Yellow (Partial) | Green (Yes) | N/A | Assessment

I Drivers
1 Has management been through a comprehensive decision-making process to solicit reasons to outsource a function?
2 Have there been formal meetings and communications to identify and discuss the potential of outsourcing as a strategy?
3 Has management researched other organizations' plans to utilize outsourcing within the same industry?

II Feasibility Study
1 Did management formally study the adequacy of its internal human, financial, and technological resources to effectively support an outsourcing relationship?
2 Does management have formal policies and procedures to address the selection process and management of the service provider?
3 Did management formally assess and analyze whether it was necessary to outsource the function to an external service provider?
4 Did management research the outsourcing trends and best practices currently being utilized in management's business environment?
5 Did management research whether it is possible to outsource a function within management's regulatory framework?
6 Did management research the adequacy of available service providers (in quantity and quality) to be contracted for the outsourced function?
7 Has management analyzed and documented the impact of outsourcing a function on the technological and business aspects of client operations?
8 Were objections and/or issues regarding the outsourcing selection and decision process identified and documented?
9 Did the decision to outsource go through formal authorization / consistent procedures, as though a new line of business were being approved?
10 Is management's IT environment that is being considered for outsourcing centralized?
Objective: The Vendor Management Summary Checklist is designed to gain a high-level understanding of certain critical areas of the management-service provider relationship.
Created: 8/6/99. Modified and Printed on: 11/5/2014. Summary Checklist, Page 1 of 16
III Contract
1 Is the existing contract a detailed contract (vs. a relational contract/partnership) that binds management and the service provider to specific terms and conditions?
2 Are all relevant parties (both management and the service provider) involved in the contract negotiations?
3 Has management hired external experts or consultants, or used in-house staff, to help negotiate specific sections of the contract?
4 Is there a formal contract review process in place (management and service provider) to ensure that all their individual concerns and needs have been addressed in the contract and are complete before signing?
5 Has the contract been through legal scrutiny or review to ensure its legality and that all legal rights and obligations have been addressed for both management and service provider?
6 Is the contract benchmarked against international/national standards organizations or regulatory agencies to ensure that all necessary areas have been addressed?
7 Are the items in the contract flexible enough to accommodate changes in the service environment?
8 Does the contract address data privacy and confidentiality?
IV Service Level Agreements (SLA)
1 Is there a formal, documented Service Level Agreement between management and the service provider?
2 Does the SLA include a section that documents the standards and processes to mitigate the risk of operational failure or liabilities, including:
   a a provision for the appropriate level of technical support for all hardware, operating systems and application software?
   b the maintenance of physical and logical security environments to the service standards?
   c change management procedures?
   d scheduled maintenance plans?
   e the need for a documented Business Continuity Plan and/or Disaster Recovery Plan from management and service provider?
   f escrow agreements on source code developed by the service provider to ensure that the code is not lost?
   g insurance for client and service provider which adequately protects assets against damage or loss?
   h the need for the service provider to sign confidentiality agreements to protect management from fraudulent use of intellectual property and proprietary assets?
   i a requirement that the service provider create useful documentation (i.e. maintenance checklists, user's and systems manuals) for management?
   j the formal procedures for identifying, documenting, and monitoring conflicts of interest?
   k the performance measurement methods and processes?
   l the specific performance analysis reports that need to be created during performance measurement monitoring?
   m the penalties charged to the service provider in the event of non-performance or SLA violations?
   n problem management and escalation procedures?
   o terms for computer operations including backups and monitoring computer utilization?
   p the requirement for, frequency of, and party responsible for conducting an independent audit of the operations of the service provider, and the specific use of the reports by management?
   q the formal periodic reviews and evaluations to validate service provider continuance?
   r the ownership of physical and non-physical assets?
   s data retention agreements?
   t the termination of a service provider?
3 Does the SLA include a detailed section listing all the systems, applications, and databases supported by the work of the service provider?
4 Are the clauses in the SLA flexible enough to accommodate changes in the service environment?
5 Is the SLA benchmarked against best practices, regulatory agencies, or international/national standards?

V Organizational/Accountability
1 Are detailed employee position descriptions and responsibilities formally documented for both client and service provider?
2 Does management have the necessary management skills to effectively manage the service provider relationship?
3 Does management perform background checks to verify that service provider employees have the necessary technical skills and business knowledge to perform in their roles?
4 Is there a centralized management function/team within management that is responsible for managing the entire client-service provider relationship?
5 Are there small teams within the central management function/team that are responsible for managing specific areas in the service provider relationship?
6 Do policies (documented separately or as part of the SLA or contract) exist that specify the insurance coverage?
7 Do policies (documented separately or as part of the SLA or contract) exist that specify the decisions regarding acquiring equipment, hardware, and applications?
8 Do policies (documented separately or as part of the SLA or contract) exist that specify the parties accountable for staffing issues?
9 Does management monitor in-house and service provider employee turnover for trends or concerns?
10 Did management take responsibility for managing conflicts of interest?
11 Is there appropriate separation of duties between client and service provider employees?
12 Does management and/or the service provider have a security policy in place addressing service provider access?
VI Control Environment/Monitoring
Control Environment
1 Have the reporting lines (organizational structure) been reviewed for effectiveness in communication and knowledge transfer?
   a Are there regular reviews of service provider policies and procedures against management's policies and strategy to ensure alignment between policy standards?
   b Are policies and procedures monitored for compliance with governing regulatory agencies?
   c Does Beacon's and the service provider's insurance coverage reflect any and all changes to the service relationship and environment?
   d Are audits of the service provider performed internally or externally on a periodic basis?
   e How are Beacon communications, change requests, etc. received and monitored by service provider management?
   f Are separate budgets, strategic initiatives, and capital expenditures kept and monitored by service provider management for Beacon?
Monitoring
2 Does the service provider have benchmarks that can be measured?
   a Is there a specific team or division at the service provider in charge of gathering the data, analyzing measurements, producing reports, and ensuring monitoring procedures as specified in the SLA/contract?
   b If yes, is the monitoring process automated?
   c Are measurements and calculations of the service provider's performance level recorded in a timely manner and reviewed periodically?
   d Are performance measurement reports that analyze the results and trends computed and reviewed by service provider management? Are these reports provided to management?
   e Are the documents that were used in creating/calculating performance measurements kept on file (paper or electronic) for future reference and audits?
   f Are the necessary tools available to effectively measure and report on service provider performance?
   g Are any performance weaknesses or exceptions addressed by the service provider and their status reported to management?
   h Are periodic meetings held with the service provider in order to discuss monitoring weaknesses?
   i Are penalties enforced against the service provider for non-performance as specified in the SLA?
Operations
3 Are there formal policies and procedures for computer operations including backups, computer utilization, and data retention?
   d Are security reviews performed of service provider employee access to applications?
   e Are access requirements for service provider employees tested to determine if the access is proper for their roles and responsibilities?
   f Are service provider employees required to obtain IDs and security access cards for client buildings and secured areas?
   g For networking/web projects, are firewalls installed to restrict unauthorized access?
   h Are activity levels for the network/websites monitored for security issues?
   i Is the service provider's environment physically secure? Are any client assets at the service provider secured?
   j Is access to client data appropriately restricted to the proper service provider employees?
   k Are service provider employees required to sign non-disclosure (of client information/data) agreements?
   l If a privacy and confidentiality agreement exists, does management require that service provider employees are aware of and kept current on the confidentiality agreement and its provisions? If yes, does management require that all service provider employees have signed a confidentiality agreement?
   m Is the service provider in compliance with key data privacy and security regulations (e.g. HIPAA, GLBA, etc.)? What evidence exists?
VII Service Level Problem Management and Escalation Procedures
1 Are escalation procedures formally documented in the SLA and agreed upon by both management and service provider?
2 Is the person(s) or team(s) that caused the issue/problem identified at the outset of an issue/problem?
3 Are there specific, appropriate reporting lines established within the organization for the escalation and reporting of issues/problems that give a division ownership of the resolution of issues/problems?
4 Are problems and issues documented and tracked through to their resolution?
5 Are problems and issues prioritized?
6 Are there methods for tracking the effectiveness and usefulness of the problem management and service level escalation procedures?

VIII Billing/Invoice Processing
1 Is the bill/invoice compared to the contract specifications by management for accuracy and reasonableness?
2 Are there formal policies and procedures for disputing a bill/invoice?

IX Annual Service Provider Reassessment
1 Do all service provider relationships receive a formal periodic review and evaluation by management to validate continuance of the SLA/contract?
2 Is there a formal evaluation and review matrix that details what characteristics the evaluation should focus on and the critical areas to study?
3 Is there a requirement for a periodic independent audit of the service provider?
4 Is management also periodically reviewed for compliance with the contract and service level agreement?
5 Are the performance levels of each individual employee of the service provider assigned to work for management evaluated and reported on?
Recommendations