AUDIT REPORT Vendor Management Office Contract Administration

Audit Opinion: Satisfactory
June 10, 2015
Report Number: 2015-AUD-05 Vendor Management Office Contract Administration
Table of Contents:
Executive Summary
  Background
  Audit Objectives and Scope
  Individual Section Ratings
  Audit Opinion
Appendix
  Definitions
  Issue Classifications
  Distribution
  Audit Performed By
Executive Summary
Background
The Contract and Vendor Administration work unit was transferred from the Purchasing department to the
Vendor Management Office (VMO) on February 2, 2015. This organizational change occurred to align
vendor and contract management with the Citizens corporate strategy to improve scalability and cost
structure alignment, maximize efficiencies of core systems, and balance staffing resources.
To achieve Citizens' vendor management strategy, the VMO was created to provide centralized
governance and oversight of the contract and vendor life cycle. The VMO is responsible for developing
and maintaining a standardized vendor management approach and process across all business units,
ensuring due diligence is conducted, and developing reporting mechanisms to facilitate executive
oversight. As of February 28, 2015, Citizens has 599 contracts and 381 purchase orders with an
approximate value of $976 million over the life of the contracts.
As a result of the organizational alignment, the VMO is responsible for coordinating and enabling the
execution of all contracts and maintaining/administering any documentation related to the Contract
Administration function.
Audit Objectives and Scope
With this audit the OIA assessed the effectiveness of the Contract Administration function within the
VMO and verified that the roles and responsibilities align with Statute 287.057 and 287.058. The audit
scope included:
• Verification that the Contract Administration function is compliant with the State of Florida Statute
  287.057 and 287.058.
• Verification that all segments of the revised Contract Administration function are assigned;
  business areas are aware and accountable for assigned responsibilities.
• Review and evaluation of the effectiveness of the Contract Administration process currently
  implemented under the new vendor management strategy.
• Review of all segments of the Contract Administration function which have not been implemented
  under the new vendor management strategy in relation to the project objectives and timeline.
• Assessment of the Contract Administration function and its alignment with Citizens corporate
  vendor management strategy.
Individual Section Ratings
Section | Rating
Contract Administration compliance with Florida Statutes | Satisfactory
Contract Administration process ownership and accountability | Needs Improvement
VMO process implementation as of May 15, 2015 | Satisfactory
VMO project implementation plan and strategy | Satisfactory
Contract Administration alignment with VMO Strategy | Satisfactory
Audit Opinion
The overall effectiveness of the processes and controls evaluated during the audit is rated as Satisfactory.
The VMO is in the process of implementing the Vendor Management Strategy. OIA has reviewed the
objective and components of the Vendor Management Strategy, and we are of the opinion that the identified
governance and controls are consistent with industry contract administration best practices. Recent VMO
achievements include refreshed contract terms and conditions, the implementation of a vendor
classification model, a procedure to address vendors who are not complying with contracts, the
development of a vendor risk tool, and the establishment of Contract and Vendor Management Guidelines.
In addition, our work has identified specific areas for control enhancements and potential improvement
opportunities that should be considered while the VMO continues to implement the Vendor Management
Strategy.

• There is no process to actively monitor Contract Managers and to ensure ongoing post award
  contract management functions are adequately performed. The implementation of the Vendor
  Management Strategy by the VMO has focused on managing vendors to gain efficiencies, improve
  vendor compliance and enhance vendor communications. Business areas are responsible for ensuring
  that vendors adhere to contractual obligations, which will require ongoing monitoring, assessing
  and communicating. These responsibilities are not a business area's primary function; as such,
  process oversight and coordination is needed to realize the benefits of the VMO Vendor Management
  Strategy. The VMO agreed to create a process to ensure business areas perform post award contract
  administration responsibilities in an adequate or reliable manner.

• The need to ensure roles and responsibilities between the VMO, Purchasing and Contract
  Managers are formalized. Roles and responsibilities must be clearly defined and coordinated
  across the VMO, Purchasing and Contract Managers. Through discussion and review of
  documentation, we noted process responsibilities and ownership gaps between the VMO,
  Purchasing and Contract Managers. Misalignment of process responsibilities or ownership may
  impede or delay expected benefits from the Vendor Management Program. The VMO will ensure
  that roles and responsibilities are formally communicated and acknowledged by all departments
  to ensure gaps and overlaps are corrected.

• The need to update and enhance the Purchasing Desk Reference Manual to reflect VMO and
  Purchasing structure and applicable statutes. The Purchasing Desk Reference Manual is the
  single point of reference utilized by all business areas to guide the end user procurement and
  contract administration process. The Purchasing Desk Reference Manual should provide specific
  guidance to direct contract management, contract administration, and vendor administration process
  and procedure questions. In collaboration with the Purchasing department, the VMO will revise the
  Purchasing Desk Reference Manual and re-issue the document as the Purchasing and Vendor
  Management Playbook (the "Playbook").
We would like to thank management and staff for their cooperation and professional courtesy throughout
the course of this audit.
Appendix 1
Definitions
Audit Ratings
Satisfactory:
Critical internal control systems are functioning in an acceptable manner. There may be no or very
few minor issues, but their number and severity relative to the size and scope of the operation,
entity, or process audited indicate minimal concern. Corrective action to address the issues
identified, although not serious, remains an area of focus.
Needs Improvement:
Internal control systems are not functioning in an acceptable manner and the control environment
will require some enhancement before it can be considered as fully effective. The number and
severity of issues relative to the size and scope of the operation, entity, or process being audited
indicate some significant areas of weakness. Overall exposure (existing or potential) requires
corrective action plan with priority.
Unsatisfactory:
One or more critical control deficiencies exist which would have a significant adverse effect on
loss potential, customer satisfaction or management information. Or the number and severity of
issues relative to the size and scope of the operation, entity, or process being audited indicate
pervasive, systemic, or individually serious weaknesses. As a result the control environment is not
considered to be appropriate, or the management of risks reviewed falls outside acceptable
parameters, or both. Overall exposure (existing or potential) is unacceptable and requires
immediate corrective action plan with highest priority.
Appendix 2
Issue Classifications

Financial Controls (Reliability of financial reporting)
High:
• Actual or potential financial statement misstatements >USD 5 million
• Control issue that could have a pervasive impact on control effectiveness in business or financial
  processes at the business unit level
• A control issue relating to any fraud committed by any member of senior management or any
  manager who plays a significant role in the financial reporting process
Medium:
• Actual or potential financial statement misstatements between USD 2.5 million to 5 million
• Control issue that could have an important impact on control effectiveness in business or financial
  processes at the business unit level
Low:
• Actual or potential financial statement misstatements below USD 2.5 million
• Control issue that does not impact on control effectiveness in business or financial processes at
  the business unit level

Operational Controls (Effectiveness and efficiency of operations)
High:
• Actual or potential losses >USD 2.5 million
• Achievement of principal business objectives in jeopardy
• Customer service failure (e.g., excessive processing backlogs, unit pricing errors, call center
  non responsiveness for more than a day) impacting 10,000 policyholders or more or negatively
  impacting a number of key corporate accounts
• Actual or potential prolonged IT service failure impacts one or more applications and/or one or
  more business units
• Actual or potential negative publicity related to an operational control issue
• An operational control issue relating to any fraud committed by any member of senior
  management or any manager who plays a significant role in operations
• Any operational issue leading to death of an employee or customer
Medium:
• Actual or potential losses between USD 0.5 to 2.5 million
• Achievement of principal business objectives may be affected
• Customer service failure (e.g., processing backlogs, unit pricing errors, call center non
  responsiveness) impacting 1,000 policyholders to 10,000 or negatively impacting a key corporate
  account
• Actual or potential IT service failure impacts more than one application for a short period of time
• Any operational issue leading to injury of an employee or customer
Low:
• Actual or potential losses below USD 0.5 million
• Achievement of principal business objectives not in doubt
• Customer service failure (e.g., processing backlogs, unit pricing errors, call center non
  responsiveness) impacting less than 1,000 policyholders
• Actual or potential IT service failure impacts one application for a short period of time

Compliance Controls (Compliance with applicable laws and regulations)
High:
• Actual or potential for public censure, fines or enforcement action (including requirement to
  take corrective actions) by any regulatory body which could have a significant financial and/or
  reputational impact on the Group
• Any risk of loss of license or regulatory approval to do business
• Areas of non-compliance identified which could ultimately lead to the above outcomes
• A control issue relating to any fraud committed by any member of senior management which
  could have an important compliance or regulatory impact
Medium:
• Actual or potential for public censure, fines or enforcement action (including requirement to
  take corrective action) by any regulatory body
• Areas of noncompliance identified which could ultimately lead to the above outcomes
Low:
• Actual or potential for non-public action (including routine fines) by any regulatory body
• Areas of noncompliance identified which could ultimately lead to the above outcome

Remediation timeline
High:
Such an issue would be expected to receive immediate attention from senior management, but
must not exceed 60 days to remedy.
Medium:
Such an issue would be expected to receive corrective action from senior management within
1 month, but must be completed within 90 days of final Audit Report date.
Low:
Such an issue does not warrant immediate attention but there should be an agreed program for
resolution. This would be expected to complete within 3 months, but in every case must not
exceed 120 days.
Appendix 3
Distribution
Addressees
Stephen Guth, VP Vendor Management
Spencer Kraemer, Director Purchasing
Copies
Juan Cocuy, Citizens Audit Committee Chairman
Bette Brown, Citizens Audit Committee Member
Jim Henderson, Citizens Audit Committee Member
Barry Gilway, President/CEO/Executive Director
Kelly Booten, Chief Systems & Operations
Dan Sumner, Chief Legal Officer & General Counsel
Bruce Meeks, Inspector General
Following Audit Committee Distribution
The Honorable Rick Scott, Governor
The Honorable Jeff Atwater, Chief Financial Officer
The Honorable Pam Bondi, Attorney General
The Honorable Adam Putnam, Commissioner of Agriculture
The Honorable Don Gaetz, President of the Senate
The Honorable Will Weatherford, Speaker of the House of Representatives
Audit Performed By
Auditor in Charge
Anthony Huebner
Audit Director
John Fox
Under the Direction of
Joe Martins
Chief of Internal Audit