Information Technology Vendor Management Follow-up
Technology Services fully implemented only one recommendation made in the original audit report. The agency only partially implemented one other recommendation and did not implement the remaining six recommendations. For the recommendation that was fully implemented, the agency conducted a staffing analysis and established an organizational structure for its information systems vendor management team.
If Technology Services implements the remaining recommendations, as it intends to do, it will minimize the risks that the city is not getting what it pays for from outside vendors. This will also help ensure technology vendors adequately protect city data and services are delivered as promised.
Remaining Risks
The seven recommendations Technology Services did not fully implement present several lingering risks. Among them:
- While Technology Services hired a contractor to refine its draft vendor management policy and procedures, the contractor stopped working for the city before the work was finished. As a result, this promised policy is still in draft form and has not been shared with staff. This continues to risk a lack of vendor accountability and inconsistencies in staff tasks.
- Without a formal training program and procedures to monitor performance, staff that handle information technology vendors will not effectively monitor outside vendors. They also risk not holding vendors accountable for breaking contract terms and not monitoring for and communicating when vendors stop working for the city.
- The continued absence of any vendor-separation procedures leaves staff uninformed about their responsibilities when a vendor stops working for the city. This can lead to time wasted requesting information from a vendor or even potentially receiving confidential information that city staff no longer need.
- Without an active employee assigned to manage vendors and perform periodic security reviews, the city risks vendor incidents going unnoticed, contracts expiring and posing a legal risk, and communication suffering or ceasing altogether.
Auditor's Letter
December 7, 2023
In keeping with generally accepted government auditing standards and Auditor’s Office policy, as authorized by city ordinance, we have a responsibility to monitor and follow up on audit recommendations to ensure city agencies address audit findings through appropriate corrective action and to aid us in planning future audits.
After following up on the “Information Technology Vendor Management” audit report issued in September 2022, we determined the city’s Technology Services agency did not implement most of our recommendations. Managers fully implemented one of the eight recommendations they agreed to, partially implemented one, and did not implement six others.
During the original audit, we found Technology Services had no comprehensive structure for vendor management. The agency had an incomplete strategy and lacked several key components of effective governance: detailed and approved policies and procedures; defined roles and responsibilities; and plans for staffing, budget, and training.
Based on our follow-up work, we determined Technology Services did not fully address all the risks associated with our initial findings. Consequently, we may revisit these risk areas in future audits to ensure the city takes appropriate corrective action.
We appreciate the leaders and team members at Technology Services who shared their time and knowledge with us throughout the audit and the follow-up process. Please contact me at 720-913-5000 with any questions.
Denver Auditor's Office
Timothy O'Brien, CPA
AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor
Denver Auditor's Office
201 W. Colfax Ave. #705 Denver, CO 80202
Email: auditor@denvergov.org
Call: 720-913-5000
Follow us on Facebook Connect with us on Twitter
