Professional Documents
Culture Documents
Acquisition Steps
Acquisition Steps
When purchasing (acquiring) HW/SW from a vendor, consideration should be given to the following:
Every time a technological development has allowed for increased computing speeds or new capabilities,
these have been absorbed immediately by the demands placed on computing resources by more
ambitious applications. Consequently, improvements have led to decentralized, interconnected open
systems through functions bundled in OS software to meet these needs. For example, network
management and connectivity are features now found in most OSs.
When selecting new system software, a number of business and technical issues must be considered
including:
1. Software is required for a generic business process for which vendors are available and software can
be implemented without customization.
2. Software (vendor’s) needs to be customized to suit business processes.
3. Software needs to be developed by the vendor.
4. Software is available as a service through the cloud, software as a service (SaaS). This is generally
available for generic processes.
A project team with participation by technical support staff and key users should be created to write an
RFP or ITT. An RFP needs to be prepared separately for each case referred to previously. The invitation
to respond to an RFP should be widely distributed to appropriate vendors and, if possible, posted via a
public procurement medium (Internet or newspaper). This process allows the business to determine
which of the responding vendors’ products offers the best solution at the most cost-effective price.
When the product and related services are known in advance, a user organization will prefer an invitation
to tender (ITT) so they can obtain the best combination of price and services. This is more applicable
where procurement of hardware, network, database, etc., is involved. When the requirement is more
toward a solution and related support and maintenance, an organization generally prefers a request for
proposal (RFP), where the capability, experience and approach can be measured against the
requirement. This is more applicable in system integration projects such as ERP and SCM that involve
delivery or escrowing of source code.
Often, prior to the development of an RFP, an organization will develop a request for information (RFI) to
solicit software development vendors for advice in addressing problems with existing systems.
Information obtained in this manner may be used to develop an RFP. The project team needs to carefully
examine and compare the vendors’ responses to the RFP. This comparison should be done using an
objective method such as a scoring and ranking methodology. After the RFP responses have been
examined, the project team may be able to identify a single vendor whose product satisfies most or all of
the stated requirements in the RFP. Other times, the team may narrow the list to two or three acceptable
candidates (i.e., short list of vendors). In evaluating the best-fit solution and vendor against the given set
of business requirements and conditions, a suitable methodology of evaluation should be adopted. The
methodology should ensure objective, equitable and fair comparison of the products/vendors (e.g., a gap
analysis to find out the differences between requirements and software, the parameters required to
modify, etc.).
It is important to keep in mind the minimum and recommended requirements to use software, including:
Required hardware such as memory, disk space and server or client characteristics
Operating system (OS) versions and patch levels supported
Additional tools such as import and export tools
Databases supported
In addition, it is likely that more than one product/vendor fits the requirements with advantages and
disadvantages with respect to each other. To resolve such a situation, agenda-based presentations
should be requested from the short-listed vendors. The agenda-based presentations are scripted
business scenarios that are designed to show how the vendor will perform certain critical business
functions. Vendors are typically invited to demonstrate their product and follow the sample business
scenarios given to them to prepare. It is highly recommended that adequate participation from various
user groups is included when evaluating the product/vendor’s fit and the system’s ease of use. The
project team thus has an opportunity to check the intangible issues such as the vendor’s knowledge of
the product and the vendor’s ability to understand the business issue at hand. With each short-listed
vendor demonstrating their product following a scripted document, this also enables the project team to
evaluate and finalize the product/vendor with knowledge and objectivity built into the process. The finalist
vendor candidate is then requested to organize site visits to confirm the findings from the agenda-based
presentations and check the system in a live environment. Once the finalist is confirmed, a conference
room pilot needs to be conducted. A conference room pilot enables the project team to understand the
system with a hands-on session with business end-users and identify the areas that need certain
customizations or workarounds.
Additionally, for the short list of vendors, it can be beneficial for the project team to talk to current users of
each of the potential products. If it can be arranged and can be cost-justified, an onsite visit can be even
more beneficial. Whenever possible, the organizations chosen should be those that use the products in a
similar manner.
An IS auditor should encourage the project team to contact current users. The information obtained from
these discussions or visits validates statements made in the vendor’s proposal and can determine which
vendor is selected. The discussions with the current users should concentrate on each vendor’s:
Upon completing the activities cited, vendor presentations and final evaluations, the project team can
make a product selection. The reasons for making a particular choice should be documented.
The last step in the acquisition process is to negotiate and sign a contract for the chosen product.
Appropriate legal counsel should review the contract prior to its signing. The contract should contain the
following items:
Managing the contract should also involve a major level of effort to ensure that deployment efforts are
controlled, measured and improved on, where appropriate. This may include regular status reporting
requirements. Additionally, the milestones and metrics to be reported against should be agreed on with
the vendor.
An integrated solutions implementation is a very large software acquisition project. The acquisition and
implementation of an ERP system impacts the way that an organization does business, its entire control
environment, technological direction and internal resources. Generally, an organization that adopts an
integrated solution is required to convert management philosophies, policies and practices to those of the
integrated software solution providers, notwithstanding the numerous customization options. In this
respect, such a solution will either impair or enhance IT’s ability to support the organization’s mission and
goals. When considering a change of this magnitude, it is imperative that a thorough impact and risk
assessment be conducted.
When implementing an ERP solution or any off-the-shelf software, the business unit has the option of
implementing and configuring the new system in the simplest configuration possible: as-is, out-of-the-box
and not developing any additional functionality or customization to bridge the gaps in an organization’s
specific business processes. The business opts to change business processes to suit the industry
standard as dictated by the software solution.
While this decision results in less software design, development and testing work than does
customization, it does require greater change in the business units to work differently. Due to the large
costs in software development, maintenance and continuous upgrading and patching, customization is
not usually recommended by software vendors.
Because of the magnitude of the risk involved, it is imperative that senior management assess and
approve all plans and changes in the system’s architecture, technological direction, migration strategies
and IS budgets.