Provision of ICT Audit Services for Kenya Human Rights Commission
Terms of Reference
A. Overview
The expected output of this audit will be a report that details the dependability of existing systems at the Commission, recommends improvements to these systems and provides a basis for the formulation of an ICT policy.
B. Audit Scope
The scope will entail conducting an assessment of ICT systems as per Section C: Audit Services Required.
This includes: identification and evaluation of both hardware and software of the Commission, and recommending/assisting in implementing a set of best practices and tools governing the ICT systems within the Commission.
The Auditor will inform the Commission as soon as possible of any limitations in the scope of work he/she may find prior to or during the audit.
C. Audit Services Required
The IT Audit shall include, but not be limited to, the following:
I. Operating System (OS) for servers, Databases, network equipment, Security Systems and Storage Area Networks.
a. Set up and maintenance of system parameters
b. Patch Management
c. Change Management Procedures
d. Logical Access Controls
e. User Management & Security
f. OS Hardening
g. Performance, Scalability and Availability
h. Firewall efficiency
II. Review of IT Processes and ICT Management Tools
a. IT Asset Management
b. Enterprise Management System
c. Change Management
d. Incident Management
e. Network Management
f. Data and Systems Backup Management
g. Enterprise Anti-Virus Management
h. Vendor & SLA Management
i. Disaster Recovery
j. Hardware Power Backup Management
III. Security Management
a. Security Equipment Configurations & Policies; Penetration Testing and Vulnerability Assessment (PT / VA) of various security zones.
b. Network & systems audit
c. Network architecture review
d. Network traffic analysis and baselining
e. Virtual LANs (VLANs)
IV. Network & systems audit
a. Network architecture review
b. Network traffic analysis and baselining
c. Virtual LANs (VLANs)
V. Review the existing policy documents of the commission such
as IT Policy, IT Procurement Policy, IS Security Policy etc., and suggest
required changes.
VI. Review of installed applications and web portals at the
commission, with emphasis on security. Though these systems have already been
tested by the developers and end-users, an audit is required as a measure to
enhance quality and assurance on adequacy, security, appropriate internal
checks and controls in the systems. A list of the applications to be audited
will be provided to the Auditor prior to engagement.
D. Audit Planning & Reporting:
The consultants/consulting firms should deliver, at the end of the Audit exercise, a complete Audit Report comprising an Executive Summary, Findings and Recommendations, which should include, but not be limited to, System Vulnerabilities, Security Program Management of Information Technology Resources and Application Life Cycle Controls.
The Auditor should, in accordance with ISAE 3000, prepare audit documentation and obtain sufficient appropriate audit evidence to support audit findings and to draw reasonable conclusions on which to base the audit report.
The Auditor should use professional judgment to determine whether audit evidence is sufficient and appropriate.
This report should be submitted to the Director, Finance & Administration.
Any significant deviation from the formally approved work schedule shall be communicated to the Director through periodic activity reports.
E. Knowledge & Skills requirements
The consultant/consulting firm should have a minimum of 5 years' work experience in computer systems audit.
The key personnel who will be handling this assignment should be graduates in Computer Science, Computer Technology or its equivalent.
They should also include their resumes in the proposal, which will be considered during the initial evaluation process.
They must also be members of professional bodies such as CISA, CISCO and ISACA.
The consultant/consulting firm should have undertaken similar engagements previously and have ready references to corroborate this.
Curricula Vitae ('CVs')
The Auditor will provide the Commission with the CVs of the partner or other person in the audit firm who is responsible for the audit and for signing the report, together with the CVs of the other audit team members. CVs will include appropriate details on the type of audits carried out by the staff, indicating capability and capacity to undertake the audit, as well as details on relevant specific experience.
The Commission will examine the CVs before it signs an order form or other applicable contractual document for this engagement and reserves the right to reject them if they are not considered suitable for the requirements of the engagement.
F. Standards and Guidance
The Auditor who performs this systems audit is governed by: The IFAC International Framework for Assurance Engagements and International Standard on Assurance Engagements ('ISAE') 3000 for Assurance Engagements other than Audits or Reviews of Historical Financial Information, insofar as these can be applied in the specific context of a systems audit intended to provide assurance that risks to the achievement of the objectives of the Project are properly managed and controlled.
The IFAC Code of Ethics for Professional Accountants (issued by IFAC's International Ethics Standards Board for Accountants (IESBA)), which establishes fundamental ethical principles for Auditors with regard to integrity, objectivity, independence, professional competence and due care, confidentiality, professional behaviour and technical standards; though the auditor needn't be an accountant, adherence to these fundamental ethical principles is paramount during the audit.
The IFAC International Standards on Quality Control (ISQCs), which establish standards and provide guidance on an Auditor's system of quality control.
G. Deliverables and Timelines
The duration of the IT Audit exercise is expected to take around 10 weeks.
Work will begin January 2013.
The end of the contract will be determined as the audit progresses.
H. Application Procedures
If you meet the criteria above, submit an application to admin@khrc.or.ke by 4th January 2013 that includes:
- Your company profile
- Resumes of the key personnel to handle this assignment
- 3 professional referees for whom you have done a similar assignment
- Costing based on the work described above