15.3. VENDOR GOES OUT OF BUSINESS

As evidenced by the recent dot-com bust, there are no guarantees that prospective vendors will remain in business. If a vendor goes out of business or significantly reduces staff, the success of any IS development project will be in jeopardy. Therefore, due diligence is an important control that organization management should perform prior to expending significant IS resources and prior to signing any contracts or agreements. After obtaining competitive bids, due diligence efforts should include:

  • Reviewing audited financial statements of vendors for the last two or more years (see Chapter 6 for more details).

  • Contacting current and former clients to assess customer satisfaction.

  • Reviewing vendor privacy policies displayed on their websites.

  • For vendors that are external service providers or IS security vendors, reviewing the last two or more SAS 70s or other applicable IS security certification results (e.g., TruSecure, CPA SysTrust, CPA WebTrust, BBBOnline, TRUSTe). See Chapter 5 for more details on each of these types of audits and certifications.

Outsourced technology services create significant enough risks to financial institutions that the Federal Financial Institutions Examination Council (FFIEC) issued a guidance letter to members, including banks, thrifts, and credit unions, on November 28, 2000. The letter, entitled "Risk Management of Outsourced Technology Services," provides a general overview of risk management controls. It also ...