procurement policy

Are there any "best practices" guides for developing a procurement policy for IT (including software, hardware, OS etc.)? What would auditors be looking for in your IT procurement procedures, and what can you get/do wrong in this area that would cause concerns to auditors?
pma111 Asked:
 
eeRoot Commented:
That's to be determined by management and the accounting department.  But generally, it would include showing approval for purchases, verifying vendors are approved vendors, and tracking purchases.
 
dbrunton Commented:
Probably looking at the justification or the business case for the purchase of the IT equipment.  Purchase of a new Apple iPad because of "Shiny, shiny, shiny, must have" won't work.

For example, the case for a new server might go like this:

Old server at end of expected lifetime of five years (there are recommendations on the Net on how long you should keep your computers; don't quote me on the five years as gospel).  Can't upgrade anymore as memory is maxed out and no more higher spec processor available.  Server performance lacking as it is now serving 40 users instead of expected 30.
Now there's something an auditor can understand.

Proposed new server will have an Intel chip blah-blah with 64 Gb of memory and 6 Tb hard disk space and be capable of supporting xy users.  It will also support the blah-blah database from Oracle.  Specifications of server were determined by consulting Microsoft and Oracle - see attached reference documents.

Three quotations were received from various companies and we are using HP because of price and warranty - see attached documents.  The server can be upgraded to 128 Gb of memory and 24 Tb hard disk to accommodate any future expansion.  Expected lifetime of server is blah-blah years.
That's more an auditor could like.  You are showing reasons for purchase, cost of equipment, warranties, life expectancy, upgradability, competitive quotes.

Now there's a lot more that is possible that an auditor might look for, such as costs of retraining staff, data format transfer but you'd really need to ask the auditors.  Some companies may already have policies in place and government agencies should already have them.
 
btan (Exec Consultant) Commented:
On the procurement aspect, probably the key areas are:
- proper documentation on the tendering and governance of the project and program. The persons involved and the decisions made are appropriately archived and safeguarded.

- proper payment of schedule and deliverables are mapped and checked by the user recipient. The acceptance of the various test stages conducted is essential to demonstrate fulfillment of functionality, user acceptance and integrated collective acceptance of the whole project deliverable, including the system. Importantly, not missing the security test conducted prior to commissioning and acceptance of the deliverable.
- maintenance and service requests are part of vendor management too, and the ITIL processes available are made known so that proper escalation of faults, issues and enhancements is documented and apprised.

Overall, the processes above are generalised as checkpoints of the milestones, and the policy is to state the due diligence done in ensuring completion with no 'slip through'. Even liquidated damages, if applicable, should be part of the checks.
 
btan (Exec Consultant) Commented:
Always good to check out some policies from the public, but need to consider references accordingly. Copyright and intellectual property ownership is another agreement to be explicit in all deliverables.
http://eurojust.europa.eu/procurement/Pages/procurement-policy-procedure.aspx
 
btan (Exec Consultant) Commented:
Not forgetting supply chain policy, as there may be restrictions based on countries, or even enterprises' perspectives.
http://www.casey.co.uk/supply-chain-policy
 
Rich Rumble (Security Samurai) Commented:
Procurement needs due diligence and full disclosure. You need to source any item from 2 or more vendors. You need each vendor to reveal any foreseen or unforeseen financial windfalls or upcoming litigation against themselves. Your suppliers aren't always the same as the vendor you bought from, vet them too.
http://www.hpw.qld.gov.au/SiteCollectionDocuments/MitigateRiskSupplyChainPresentation.pdf

http://www.business-anti-corruption.com/tools/due-diligence-tools/public-procurement-tool.aspx
-rich
 
nickg5 Commented:
You have been given some good ideas so far.

Procurement is the purchase of works, assets, goods and services for the organization.

In your case services, etc.


Here is an interesting article that outlines topics that may need to be considered by you.

1. Objectives of a procurement policy.
2. What are the different stages?
3. Who should be involved.
4. Ethical concerns.
5. Required Paperwork.

Many of the topics discussed can be applied to IT.

http://www.mango.org.uk/Guide/Procurement
Question has a verified solution.
