Acquisition Project Guidance

Acquisition projects begin with the submission of a project request. Procedures should be in place to facilitate the request process and ensure management systematically reviews all requests. Requests should present a business case for acquiring a product, identify desired system features, and, to the extent possible, describe the information requirements, network interfaces, hardware components, and software applications that will support and interact with a new product. Management should complete a feasibility study to determine if the business case supports the procurement of either customized or off-the-shelf software. All affected parties should document their approval of the overall feasibility of the project.

Determining the feasibility of an acquisition proposal includes consideration of issues such as:

  • Business objectives;
  • Technology objectives;
  • Functional requirements;
  • Security requirements;
  • Internal control requirements;
  • Documentation requirements;
  • Performance requirements;
  • Network requirements;
  • System interface requirements;
  • Expandability requirements;
  • Reliability requirements;
  • Maintenance requirements;
  • Installation requirements;
  • Conversion requirements;
  • Personnel requirements;
  • Processing requirements;
  • Product development standards;
  • Product design standards;
  • Testing requirements;
  • Training requirements;
  • Vendor's financial strength;
  • Vendor's support levels; and
  • Cost/benefit analysis.

To determine the feasibility of a project, management should consult with various personnel, including those listed below. These individuals should be involved in all phases of the project as deemed appropriate depending on their role in relation to the specific system being acquired:

  • Audit personnel;
  • Business unit managers;
  • Database administrators;
  • End users;
  • Legal counsel;
  • Network administrators;
  • Network technicians;
  • Quality assurance personnel;
  • Security administrators;
  • Systems analysts;
  • Technology department managers; and
  • Vendor personnel.

If a request appears feasible, the feasibility study can help define the functional, system, and organizational requirements included in the request-for-proposals and invitations-to-tender that management distributes to third parties in the bid solicitation process.

After organizations receive bids they should analyze and compare the bids against each other and against the organization's defined requirements. Vendors' proposals should clearly address all of the organization's requirements and identify any other applicable issues such as:

  • Software:
    - Confidentiality standards;
    - Compatible operating systems; 
    - Copyright standards;
    - Delivery dates;
    - Escrow criteria;
    - Liability limitations;
    - Licensing restrictions;
    - Maintenance procedures;
    - Next release date;
    - Regulatory requirements;
    - Software language;
    - Subcontractor details;
    - Testing standards;
    - Training provided; and
    - Warranty specifications.
  • Hardware:
    - Backup options;
    - Maintenance requirements;
    - Memory capacities;
    - Performance capabilities; and
    - Servicing options.

Procedures should be in place to ensure organizations appropriately review bids. After the selection process narrows the list of potential vendors, management should review the financial stability and service commitment of the remaining vendors. After an organization selects a product and vendor and negotiates a contract, legal counsel should review the contract prior to signing.


Previous Section
Acquisition Standards
Next Section
Escrowed Documentation