IT Procurement Guide

Introduction to IT Procurement

This guidance for procuring technology (or information technology or IT) goods and services at the University of Colorado is actively managed by the Procurement Service Center (PSC). The PSC is a part of University of Colorado System Administration and provides purchasing and payables services for the University’s campuses – Boulder, Denver | Anschutz, and Colorado Springs – and System Administration.

This handbook is intended to clearly outline the appropriate process for making IT purchases using the various purchasing vehicles available to University employees: CU Marketplace, the Procurement Card, the Travel Card, and through Employee Reimbursement. The guidelines contained herein have been established to facilitate due diligence in the purchase of IT hardware, software and other related goods and services to ensure:

AV Equipment

  • compatibility with existing platforms and systems,
  • completion of contract and legal sufficiency review,
  • completion of IT security risk and compliance review, and
  • use of a purchasing method that adheres to University rules and requirements, compliance audit findings and resulting directives.

The guidelines in this procedure apply to all technology resources and related services that are owned, used, or otherwise operated by the University, regardless of the source of funding, location or intended purpose. Technology goods and services include but are not limited to:

  • Audio visual equipment & services
  • Telecommunications equipment & services
  • IT hardware (switches, routers, controllers, etc.)
  • IT services
  • Software
  • Data storage
  • Personal computer equipment and accessories
  • Internet Service Providers (ISP)
  • Computer data input services
  • Technology services
  • IT Consulting
  • Maintenance contracts
  • Peripheral computer equipment (keyboard, cables, adapters, etc.)
  • Network devices
  • Cloud services
  • World Wide Web site operation (host)

Established IT Purchasing Agreements

The University of Colorado purchases IT goods and services across all levels and organizational units within the university, including department solutions, campus solutions, and enterprise (system) solutions. A strategic approach has been developed and applied to IT purchases through IT category management which includes department-specific, campus-wide, and even system-wide contracts, as well as the development and management of key IT supplier relationships. Many IT purchasing needs have solutions already established and available for purchase within these existing agreements. When evaluating products to meet your individual department needs, it is recommended that you first consider any existing agreements that have previously been negotiated.

Department-Specific and Campus-Wide Agreements

Campus IT Operations

Campus IT operations offer support for University-owned hardware, software, and peripherals with the goal of ensuring reliable and secure computing for the campus community. To maintain network and application integrity, the campus IT departments often provide access to IT commodities within their infrastructure that are sustainable, compatible with existing systems, and can be efficiently scaled and supported by the department. This could include, but is not limited to, secure data storage solutions, software licensing and telecommunications or web conferencing solutions. The purchasing of IT goods and/or services should be vetted with your campus IT organization prior to completing the departmental purchasing process. Your campus or department IT organization may be able to quickly address and direct your purchasing needs based on services they offer internally, or under supplier agreements or local enterprise licenses they already have in place.

Consult with your department’s internal IT contact and/or your campus IT organization to determine what solutions may be available for your technology purchasing needs prior to moving forward with an alternate solution.

Boulder
303-735-4357
oithelp@colorado.edu
 website
Colorado Springs
719-255-4357
helpdesk@uccs.edu
 website
Denver | Anschutz
303-724-4357 (4-HELP)
oit-servicedesk@ucdenver.edu
 website
System
303-860-HELP (4357)
help@cu.edu
 website

Enterprise (System) Agreements

System-wide “enterprise” IT agreements are established to provide overall value to campuses and departments. These agreements may deliver cost savings for IT goods and services, and the purchasing activity with these suppliers is streamlined with an efficient, effective, and standardized process across the system. Some of these suppliers have also been identified as strategic IT suppliers – vendors selected to establish product brand standardization across the entire University system. For example, Dell and Apple are strategic IT suppliers and as a result they are the established computer brands for University use. The contract terms and conditions, IT security risk and compliance review and the review for legal sufficiency within a contract have already been processed and finalized when purchasing from a supplier with a system-wide IT agreement or enterprise license in place, as well as when purchasing from a strategic IT supplier.

Details on the specific catalog of available licenses and other goods or services can be obtained directly from CU Marketplace in the individual supplier punch-out catalogs. Additional information on available hardware and software with enterprise-wide agreements can be found at the How to Buy: Software and How to Buy: IT Hardware web pages, or by contacting the appropriate PSC Purchasing Agent for more information.


How to Purchase IT Goods and Services

How to Purchase

The University of Colorado as a public institution of higher education of the State of Colorado is exempt by law from all federal excise taxes from all Colorado State and local government sales and use taxes when purchasing goods or services in the conduct of official University business.

How to Purchase Goods and Services

CU Marketplace

CU Marketplace is the University’s electronic purchasing and payment system that includes online shopping through CU-specific supplier catalogs as well as forms for processing purchases from suppliers that do not have catalogs in the system. CU Marketplace is the preferred method to purchase IT goods and services regardless of whether there is an existing supplier catalog available for the purchase. Making purchases through CU Marketplace following the processes outlined below will create greater likelihood that your IT purchases are screened for system compatibility and support, contract and legal sufficiency as well as IT security risk and compliance, prior to completion of the purchase.

CU-Supplier Catalog Orders

CU-specific pricing is automatically applied to orders processed through the supplier catalogs in CU Marketplace. There are several IT suppliers with expansive catalogs in place including Dell, Apple, CDW, Connection, and Newegg Business. Utilizing a supplier’s current catalog in Marketplace is the most efficient and expedient process available for obtaining IT goods and services. Catalog orders of up to $25,000 in total cost will automatically issue a purchase order to the supplier with no additional reviews required from a PSC Purchasing Agent. This generally results in almost immediate order fulfillment for items in stock with the supplier and available for shipment.

When the required IT goods or services are not available in a CU-specific supplier catalog, the purchase should still be processed in CU Marketplace using a non-catalog form.* When initiating a purchase outside the pre-established catalogs, suppliers will generally provide a purchase quote that can be used to populate the non-catalog form in CU Marketplace. These quotes will often include a contract with a signature requirement as part of the acquisition process for the IT purchase. The contract can appear as a specific section directly on the price quote, as terms embedded in a quote or in a provided scope of work, or in other documentation that has terms and conditions directly listed on, or provided as a link within, the supplier-provided supporting document. When contract language is suspected in purchase documentation related to an IT acquisition, contact the appropriate PSC Purchasing Agent for guidance (also see Contract and Compliance Review section below).

*The non-catalog form within CU Marketplace allows you to create a purchase requisition for a registered supplier and create line item order details that will populate a purchase order for that supplier. Generally, these orders are accompanied by a purchase quote provided by the supplier. Requests can be made electronically for new supplier registration.

When your purchase is not available from a CU-supplier catalog, follow the appropriate process in CU Marketplace based on the total value of the IT goods/services purchase. These non-catalog order processes are outlined below.

Non-Catalog Orders Over $10,000

In CU Marketplace, use the non-catalog form, or standing purchase order form*, to initiate a requisition for the IT goods and/or services you want to procure. If the supplier requires signature on a contract, or you have other evidence of supplier-specific terms and conditions, attach the unsigned contract or other documentation to the purchase requisition on the non-catalog form. You will also need to include the final assessment from your campus IT Security Risk and Compliance team (see IT Security Risk and Compliance Review section below). After department/fiscal staff approval on the requisition, the form will route to the appropriate Purchasing Agent at the PSC for review to ensure all legal, security, compliance and other issues are resolved and documented in the system prior to the purchase order being issued to the supplier. The Purchasing Agent will initiate and manage the contract review process and will attach the fully executed contract to the purchase requisition once complete. Once all steps are complete, the Purchasing Agent will issue the purchase order to the supplier for processing and order fulfillment.

*Standing purchase order form is used for purchase agreements spanning multiple years, or when services are not specifically defined via the contract vehicle

Non-Catalog Orders of $10,000 and Under

In CU Marketplace, the non-catalog form is used to initiate a requisition for the IT goods and/or services you want to procure that otherwise are not available on a vendor catalog or from a vendor that does not have a catalog. Though the purchase will generally require full Contract and Compliance Review prior to fulfilment (see section below), the system will not automatically route these small-dollar purchases to the PSC Purchasing Agent to manage these processes. Therefore, the purchase initiator will be responsible for managing the IT Security Risk and Compliance Review and for identifying whether the supplier requires a contract to be signed or agreed to, prior to submitting the requisition in CU Marketplace. The purchase initiator will also email the unsigned contract or other documentation related to supplier-specific terms and conditions to the appropriate PSC Purchasing Agent, along with the final assessment from the campus IT Security Risk and Compliance team, once complete. The Purchasing Agent will initiate and manage the contract process and will oversee completion of other related paperwork as needed with the appropriate PSC teams.

Once the contract has been negotiated and revised to incorporate any security and/or other compliance language as determined and dictated by the Contract and Compliance Review process, the Purchasing Agent will email the signed contract back to the original purchase requestor. The completed contract along with the finalized IT Security Risk and Compliance Review assessment should then be attached to the requisition being submitted on the non-catalog form in CU Marketplace. Following completion of this process, the PO will be issued to the supplier with the executed contract attached for order processing and fulfillment.

Bid Thresholds

When purchasing IT goods over $10,000 and IT services over $50,000, a solicitation process may be required. When there is not an established system-wide contract or other master or enterprise agreement that applies to the product and/or supplier being contracted for the purchase, and the purchase of goods exceeds $10,000 or the purchase of services exceeds $50,000 (including SaaS, PaaS, BaaS, LaaS, IaaS, etc.), competition will be required. At the University, this competition is sought via the informal process known as a Request for Documented Quote or the more formal process known as the Request for Proposal.

For information how to buy from a specific supplier, the solicitation process, or to inquire whether there is an existing contract or catalog supplier that can provide the commodity being sought, please contact the appropriate PSC purchasing agent for your category of purchase.

Sole Source Procurements

Procurement without competition, regardless of price, can be authorized in certain circumstances when limiting conditions present, and when written justification and documentation of these conditions is reviewed and approved by the purchasing department to preclude the use of the competitive process. These Sole Source Procurements are rare and are justified when there is only one good or service that can reasonably meet the need and there is only one supplier who can provide that good or service. Brand name specifications do not justify a sole source when there is more than one supplier for that good or service. Preference for a product, or desire to avoid the competitive process is also not a justification for a sole source. Additionally, price is not a consideration to justify a sole source, either.

To submit a request for a Sole Source Procurement, purchase initiators can compete a Sole Source Justification form in CU Marketplace. As outlined in the Procurement Rules, these requests will require a demonstrated need for the specific item from the single vendor, as well as an explanation of how the product or service uniquely meets the department’s required business need. The purchasing department should take reasonable steps to avoid using a Sole Source Procurement except when it is demonstrably necessary, and in the best interest of the University. The purchasing department has the final authority for approving a Sole Source Procurement request. When a Sole Source Procurement is requested, and there is reasonable doubt on whether the circumstances justify the request, competition will be solicited.

“As-a-Service” Software and Similar Purchases

For many years the procurement of software strictly followed the purchasing process for IT goods. This was due to the software purchases being identified as commodities that were physically obtained after the purchase was completed, and then installed on the organization’s own servers for deployment to the end users (on-premise). Software as a service (SaaS) by contrast is identified as a cloud-based application that end users access via the internet, with no hosting on a local server. Many platforms and other offerings have moved to a cloud computing environment, and some of the more common “as-a-service” products now available for procurement include Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Backend as a Service (BaaS).

As cloud-hosted software, applications and platforms have become more prevalent, so has the subscription (licensing) model for pricing these commodities. In response to this shift, the procurement space has begun identifying these purchases as IT services, and the PSC has followed suit, applying the purchasing thresholds for IT services accordingly. For questions on whether your software, application or platform purchase qualifies “as-a-service” and should be subject to the purchasing threshold for IT services, contact the appropriate PSC purchasing agent.

More information on considerations that should be made when considering an “as-a-service” solution can be found in the Office of Information Security’s (OIS) webpage on Choosing a SaaS Solution. When purchasing “as-a-service” products, even for a small-dollar amount, CU Marketplace remains the preferred method of procurement.

Procurement Card

While procurement Cards (PCards) can currently be used for making IT purchases, consideration should be given to other procurement vehicles before proceeding, especially with purchases of software and applications. These purchases can create tremendous exposure for the University as there are no mandatory workflows to ensure contract and compliance review as part of these purchases. While PCards are not the preferred method for making IT purchases in general, their use is allowed when purchasing through CU Marketplace is not a viable option, or when there is a critical business need, and the CU Marketplace access is unavailable or unreasonable for the immediate IT procurement.

When purchases of software and applications are made on the PCard, the cardholder is responsible for ensuring the purchase has been reviewed for legal, security and compliance concerns. Cardholder should refer to required reviews in the Contract and Compliance Review section of this handbook.

Travel Card

The travel card is used for payment of travel-related expenses while conducting official University business away from campus. The card can also be used to cover incidental costs of eligible goods during official University business travel. IT peripherals (e.g. mouse, charging cables, adapters) and items like batteries are permitted to be purchased with the travel card when in travel status. Other IT software, hardware, and services are not allowable purchases on the travel card.

Additional information on travel-related expenses can be found in the PSC Procedural Statement: Travel and the in the PSC Procedural Statement: Travel Card Handbook.

Employee Reimbursement

Out-of-pocket IT purchases may be allowed and reimbursed when making a purchase through CU Marketplace is not a viable option, or there is a critical business need such as an unexpected/essential purchase that could not be deferred to regular business hours and standard business processes. These purchases should be treated as exceptions and they should be infrequent. Any such purchase should include an explanation with the expense entry in Concur with the reason the purchase could not be made in CU Marketplace or otherwise in accordance the established IT Procurement Handbook.

Out-of-pocket reimbursement for small purchases of IT goods used for business-related needs is allowed without additional review. Common end-user IT peripherals (e.g. wireless mouse, charging cable, adapters) or items like batteries are allowed as an out-of-pocket expense and are eligible for reimbursement. These purchases are generally expected to be infrequent.

Additional information on how to request reimbursement for out-of-pocket expenses can be found in the PSC Procedural Statement: Business Expense Reimbursement.

Mobile Equipment & Cellular Service Solutions

Cellular phone service and related mobile equipment is considered an IT purchase, however the process of procuring this service and related goods is different than other IT purchases previously outlined. The University utilizes the State of Colorado’s cooperative agreements for mobile equipment and cellular services offered through three major cellular service providers: Verizon, AT&T and Sprint/T-Mobile. Department users can establish cell phone services and purchase related equipment by making requests directly to the sales representatives of these providers. The department users are expected to research, become familiar with, and follow any internal department requirements concerning review and approval before establishing the new line(s) of service. Once service is established, the department user can establish a sub-account under the University’s master account from which they can individually manage their service and invoices with the provider. The contact information for the cellular service representatives along with additional information on buying cellular phone service can be found on the How to Buy Telecom webpage.

Given the volume of individual accounts that are set up under the University’s master accounts, departments/individuals are encouraged to set up an on-line account with the service provider directly for bill pay purposes. Bill pay is most efficiently and effectively established with a procurement card which increases accuracy on posting payment to the correct cell phone account each month. These expenses need to be reconciled monthly in Concur by the department cardholder. If the cell phone purchase and/or monthly commitment exceeds $5,000 however the department must establish a Marketplace purchase order and submit subsequent monthly invoices to apinvoice@cu.edu to pay the cell service provider via CU Marketplace.

Additionally, the PSC Procedural Statement: Personal Technology and Telecommunications sets forth the rules and requirements under which the University may provide wireless telecommunications to employees and non-employees in support of official university business. Information to consider when looking to provide equipment, services, or reimbursement to employees for cellular services and other related expenses can be found in this policy. Exceptions to this policy should be approved by the University Controller.

Online Coordinators/Crowdsourcing Services (e.g. Mechanical Turk, Prolific Academic, Testable Minds, etc.)

Various options have emerged in recent years for on-demand, self-service platforms that can be used to recruit and pay participants, usually for their involvement in research experiments or studies. This service concept leverages a crowdsourcing marketplace that allows individuals from large, diverse populations to complete micro-tasks online for small amounts of money. Tasks may include survey participation, research participation, data validation, etc. These services typically include the sharing of University data and therefore represent a potential risk that must be addressed when looking to establish such an account.

The following steps are recommended prior to establishing an online crowdsourcing account with any supplier:

  1. Contact your campus IT Security Risk and Compliance organization or individual to initiate and complete a risk assessment for the supplier you have selected to ensure protection of the University and University-owned data (see IT Security Risk and Compliance Review section below)
  2. Email the appropriate PSC Purchasing Agent the final risk assessment once it is received and completed
  3. Ensure the following parameters are established:
  • Payment to individual payees in the program cannot exceed $100 as outlined in the PSC Procedural Statement: Study Subject Payments.
  • Supplier must be able to provide a report that shows who was paid and how much was paid for each transaction
  • Supplier must be able to ensure only U.S. Persons are being paid to perform advertised tasks

Once these steps have been completed including satisfactory review from your campus IT Security Risk and Compliance organization, it is then acceptable to establish an online crowdsourcing account with your selected supplier using your procurement card to pre-fund the account. The security assessment should be included as supporting documentation when completing the expense report for the charges in Concur, and the comments should indicate that the purchase is for an online crowdsourcing platform.

Contracts and Legal Sufficiency Review

Contracts & Legal Sufficiency

Contracts and contract language are frequently presented by suppliers when engaging with them to purchase IT goods and services. Any contract, supplier-provided terms or other conditions associated with a purchase must be reviewed by the appropriate PSC staff for special provisions and legal sufficiency as part of the purchasing process at the University. This contract review process is completed as part of the procurement workflow, however depending on the vehicle for the purchase, there may be additional manual steps involved to ensure compliance. Each purchasing method outlined in this handbook provides information on the proper process for obtaining contract and legal sufficiency review.

The PSC Purchasing Agents have been delegated authority to enter into contracts on behalf of the University. Department purchasers, fiscal staff and most other university employees do not have this authority. In fact, there are very few campus employees with the authority to enter into contracts on behalf of the University. If purchase documents are found to have contract language, they should always be submitted to the PSC Purchasing Agent for negotiation of the contract terms as needed during the purchase review process. The Purchasing Agent will also provide required signatures on these contracts following negotiation, ensuring the University is properly represented and protected.

IT Security Risk and Compliance Review

In addition to contract review for legal sufficiency, the University must ensure that contracts for IT software, applications and service purchases include the proper language to address the necessary IT security risk and compliance controls. Application service providers, software vendors, and other IT consulting or other outsourced service providers can present a significant data security risk to the University. To mitigate this risk, the campus IT security office is tasked with reviewing the security protocols of supplier organizations for any applications, programs, or services procured to provide guidance on security controls required for the arrangement. Review for security controls is required on the purchase or renewal of any product that allows access to or that requires transmission, processing, or storage of the following types of information:

  • Protected health information
  • Student records
  • Personal identification information
  • Payment card information
  • Export-controlled

At the Boulder campus, this required review also includes assessment of compliance with accessibility policies and related requirements. This initial assessment is essential to minimizing legal issues by ensuring the IT security expectations are clarified and included, along with other relevant security provisions, in the language of the negotiated contract.

It is strongly recommended that the IT Security Risk and Compliance Review process is initiated as soon as an IT procurement need is identified to allow time for the security review and any resulting negotiations between the PSC and the supplier. The final assessment that is produced by the appropriate campus security office from the completed review must be provided with the purchase requisition when entering the purchase requisition in CU Marketplace. When procuring goods and/or services on an existing enterprise, campus or other existing agreement, this process will generally have already been completed, and there is no need to attach related documentation.

More information about promoting security controls in contracts and service arrangements can be found at the Office of Information Security’s webpage dedicated to IT Purchasing Standards.

To ensure compliance with the review process established for your campus, refer to the following guidance:

Sales and Use Tax

As a public institution of higher education of the State of Colorado, the University is generally exempt from most federal taxes and from all Colorado State and local sales tax. The tax exemption applies when the purchase is for the exclusive use of the University, to be used by the organizational unit in conducting official university business; and, when the purchase is made using a purchase order or University Procurement Card. If an employee makes a purchase with personal funds, the purchase is not tax-exempt, even if the employee presents a University tax-exemption number and is subsequently seeking reimbursement from the University. See Sales & Use Tax guidance in the Accounting Handbook provided by the Office of the University Controller for more information.