Buying Software: Quick Tips for Navigating Your Organization’s Procurement Process

We all know there are numerous benefits to having an audit management software solution in place. If you’re considering a new system to help manage your audit, risk and compliance projects, these are the key areas you should consider addressing within your organization when purchasing software.

Here’s a quick checklist to ensure you don’t encounter any internal software purchase approval delays.

1. Identify requirements

Is a request for proposal needed?
A request for proposal (RFP) is a document that an organization issues to elicit bids from potential vendors in order to procure a product/service through a responding business proposal. Does your organization require vendors to submit a formal RFP? If so, what are the proposal requirements and the timeframe within which a vendor needs to respond?

There are varied levels of RFPs:

  • A sole source invitation is where only one vendor is invited to submit a proposal
  • A small list of pre-qualified vendors is where only a select few vendors are invited
  • A long list of invited vendors is open to as many vendors as possible

Who are the stakeholders involved?
Larger organizations tend to have a higher departmental approval threshold for software purchases. Often, if the value exceeds US$100,000, the process requires purchase transactions to be facilitated by a purchasing committee.

  • Verify whether your organization has a procurement policy.
    It’s important to establish which department/group has the final authority on the budget and the stakeholders who will have an impact on the buying decision. The decision maker should be included in the early stages of the buying process to help gain internal support for the new purchase and speed up the contract approval phase.
  • If you’re not a final decision maker, who has the final sign-off on the purchase?
  • Is this individual aware of this purchase, or will the request be the first time he/she sees it?
  • Does this individual have the bandwidth to help with this project; what is his/her availability?

2. Review IT technical and security requirements

When it comes to introducing new technologies, it’s best to involve IT in the early decision-making stages. Begin developing your relationship with IT to understand how their decision fits within the organization and the type of influence they’ll ultimately have on the purchase.

Software as a Service (SaaS) purchase (ACL GRC)

  • If you’re considering a cloud-based solution, such as ACL GRC, you will want to know your organization’s cloud/security policy and requirements.
  • Are there any IT and/or Security issues surrounding ACL hosting your data? If so, ACL’s Security Policies adequately cover security questions IT might have.
  • Where are the offices located globally and where will the data need to reside?
  • What additional documentation does IT need to support this purchase?

On-premise software purchase (ACL Analytics and Analytics Exchange)

  • Does IT need to provision a server and will this request fit within their timeline?
  • What other technologies do you have that the system will need to integrate with (e.g., SAP® ERP, etc.)?

3. Solicit legal help

Once you’ve selected an audit management solution, your legal team will likely be interested in reviewing the contract’s terms and conditions. Find out how much time is required for the full process from submission to approval. Also, inquire when the best time is to submit a review request to get it in the queue faster.

For example, ACL GRC is governed by the GRC Terms of Use and Service Level Agreement (SLA). ACL Analytics is governed by the ACL Software License Agreement. These terms are industry standard and are customer friendly. The terms address ownership and security of customer data, and provide an infringement indemnity and a mutual limitation of liability clause.

Ownership of and access to/use of customer data
Who owns your data? It’s a question we often hear. With ACL GRC, customers have complete control of all data that goes into the service, and the GRC Terms further provide that ACL will not:

a) Modify customer data
b) Disclose customer data, except as expressly permitted in this agreement or by [customer] in writing
c) Access customer data, except to provide the service and to prevent or address service or technical problems

(Source: ACL Blog)

Tuesday, January 27, 2015 In: Hot Topics
