PASS

CONSULTANCY SERVICE FOR INTERNAL AUDIT OF INFORMATION AND COMMUNICATION TECHNOLOGY

THE PRIVATE AGRICULTURAL SECTOR SUPPORT (PASS) TRUST CONSULTANCY SERVICE FOR INTERNAL AUDIT OF INFORMATION AND COMMUNICATION TECHNOLOGY

TERMS OF REFERENCE

1. Background and Purpose of the Internal Audit on ICT

PASS Trust is a charitable organization working in the field of agribusiness financing, enabling access to finance for agribusiness entrepreneurs. It operates on commercial terms, charging commercial rates for its services. PASS facilitates access to finance on a credit guarantee model for small-scale farmers and agribusiness entrepreneurs' financial institutions through technical support, by offering a range of Business Development Services (BDS) in the form of, inter alia, feasibility studies and business plans for prospective bank clients; farmer group formation; farmer and agribusiness capacity development training; incubation; and facilitation of contract farming.

The ultimate objective of the Trust is to improve quality of life through agribusiness transformations. The information system at PASS Trust has different functions and activities coupled with several computer systems and installations at different locations. All operations and process flows of the Trust are computer based, with a centralized database-driven application. Zonal offices use internet connectivity for accessing the ICT service.

In July 2018, Danida commissioned an evaluation of PASS, which found that PASS continues to be relevant. While the findings of the evaluation were overall quite positive, one area that the evaluation team found PASS could further explore was digitalization, both in terms of improving the Trust’s organizational processes and operational efficiency, and with regard to improving the client-PASS interface. The evaluation noted that, “With further growth of the PASS organization, further digitization is needed to improve effectiveness, as with this strong growth, the effectiveness of the internal organizational processes runs the risk of lagging behind.” Therefore, in mid-2019, the Danish Government allocated DKK 20 million to support PASS in its endeavor to accelerate its use of digital technology in its product and service offerings in order to increase efficiency, expand its outreach and, ultimately, increase its impact on the target beneficiaries. These developments expose the Trust to inherent risks associated with the information and communication systems, which may impact the system in different ways.

In view of the above, PASS Trust is looking to engage a competent firm for the Internal Audit of its Information and Communication Technology system that also takes into account the overall digitalization project.

2. Objectives

This audit is a part of the overall audit processes, seeking to ensure control optimization and risk mitigation in the ICT environment.

Specific Objectives and Methodology

Building on the initial internal audit, the primary focus of this internal audit is to further assess, analyse and investigate the areas above and come up with clear recommendations and posited courses of action, with a specific focus on the areas indicated under the scope of work below.

The audit seeks to provide an independent and objective assurance as to whether the information systems, related resources and the environment adequately safeguard assets, maintain data and system integrity; provide relevant and reliable information, achieve organizational information system goals and consume resources efficiently, and have internal controls that provide reasonable assurance that operational and control objectives will be met, undesired events will be prevented or detected & rectified in a timely manner.

3. Scope of Work

1. Assessing the information system’s functionality, efficiency and security through risk assessment, internal control evaluation and detailed testing of associated data.

2. Analyze and evaluate the Trust’s information and communication systems (manual and computerized) with a view to detecting and rectifying blockages, duplication, and leakages.

3. Assess the information and communication technology infrastructure, policies and operations and determine whether existing ICT controls protect the Trust’s assets, ensure data integrity, and are aligned with the business overall goals. This will include all TRUST ICT systems/modules/processes/practices.

4. Assess and analyse the value for money of the digitalization project for the period July 2019-June 2022, including the impact derived. On the digitalization project, the auditor shall assess achievement of technological objectives as per signed/approved specifications for each developed system and assess value for money spent on the project.

5. Assess to what extent the digitalization of PASS processes and products has increased efficiency and expanded outreach and stakeholders update on this product.

6. Assess and evaluate the financial management information system, including the loan tracking and credit monitoring, digital payment and procurement process.

7. Perform risk analysis and provide mitigation measures (covering all process functionalities and utilization thereof, vulnerabilities etc.), and review for improvements in operations, procedures and controls, covering the Trust’s ICT and processes based on national and international guidelines and best practices. The identified risks should indicate their degree of severity (High, Medium, Low).

8. Review PASS TRUST internal control systems, fraud and risk management mechanism and assess the clarity on roles and responsibilities of dealing with procurement and fraud cases, including the reporting of fraud allegations.

9. Assess the quality of physical security controls, database security, key interface as well as overall business and financial controls that involve information and communication technology systems.

10. Evaluate sustainability of PASS digitalization system to improve accuracy, relevance, security, and timeliness of recorded information, the audit shall conduct a full review of:

1. System and data alignment to the established PASS Trust control framework.

2. System alignment to key reporting requirements and data lineage.

3. System alignment to International Public Sector Accounting Standards (IPSAS) implementation requirements.

4. Key interface efficiency and controls.

5. Database security, and

6. Continuous monitoring.

The audit shall specifically cover the following areas:

1. The Trust’s digitalisation project

2. Value for money audit

3. IT system security policy

4. IT security function

5. IT organization

6. Authorization of IT functions (i.e. system administrators etc.)

7. IT and associated technologies risk management

8. Data classification

9. Logic and managing control access management

10. Network and remote access of the IT system control

11. IT property management

12. Operative and system record management

13. Data backup management

14. Service providers’ relations management

15. Equipment suppliers’ relations management

16. IT system development management — project management

17. Physical security of primary and secondary location

18. Password policy

19. Configuration management

20. Change management

21. Operations continuity planning

22. IT systems disaster recovery plan in case of unplanned incidents

23. Incidents management

24. Applying malicious code protection

25. Internal policies, procedures, and instructions

4. Key Deliverables

The Auditor is expected to adopt a risk-based approach in performing the assignment, with reference to frameworks and standards on information and communication systems as provided by relevant partners and global best practices including the alignment to International Public Sector Accounting Standards (IPSAS) implementation requirements.

The selected auditor shall be provided with PASS ICT policy, manuals, strategy, guidelines, PASS 2018-2022 Strategic plan, all ICT audits and internal audit reports. In addition, they will be provided with the digitalization programme document, digitalization progress reports, digitalization work plans & budgets and approved disbursement plans.

During the inception meeting, the auditor shall present to the TRUST and Joint Technical Committee (JTC) the methodology to be used in undertaking the assignment. The coverage areas shall be expanded or reduced if relevant after the inception meeting with JTC.

The Auditor is required to submit:

1. Inception report, including the methodology and detailed observations on the aforementioned areas and other areas the audit may find worth covering, two weeks after signing of the contract.

2. Draft report two weeks after inception.

3. Final detailed report with concrete conclusions, recommendations and mitigation measures that are backed by actions to be taken, in order to address the needs on the follow-up.

4. Inception report, draft report and final report are all to be delivered in both hard copy and soft (electronic) copy.

5. Desired Competencies

Tenderer shall present a technical proposal with a detailed planned methodological approach for the assignment. This plan should give an explicit indication of the sample size and depth of the review. The tender shall include at least three consultants with extensive experience in audits.

The audit team should also incorporate an additional expertise on ICT assessment and one of them must be well experienced with practical ICT skills.

Tenderer shall specify the Lead consultant with ICT expertise responsible for the assignment and the other consultants participating in the assignment, specifying the level of competence for the consultants allocated to the assignment.

Secondly the tender shall present a financial proposal that specifies the total cost of the assignment, in the form of an hourly fee for each category of personnel and any other reimbursable costs. Reimbursable costs must as a minimum and when applicable, be specified with costs for per diem, assignment (including reimbursable expenses and applicable taxes).

The invoice shall be specified in the same way as the budget presented in the tender.

The consultancy firm should have a team with members possessing the following:

a) Academic Qualifications

1. A University Degree in ICT, Finance Management,

2. Professional certification of CISA (Certified Information Systems Auditor) is a must.

3. Additional professional certifications (CIA, CFE) are desirable.

4. Additional professional certifications on information technology and accounting are desirable.

5. A professional certification, i.e. Chartered Accountant, Certified Public Accountant or Certified Chartered Accountant, is an added advantage.

b) Experience

1. At least 5 years’ experience in IT audit, preferably in finance, public or not-for-profit sector.

2. Expert level knowledge and practical experience in auditing IT governance, security, risk management and management of large IT projects.

6. Application procedures

Interested firms are invited to submit proposals by email to [email protected], registered mail, or in sealed envelope to Managing Director, PASS Trust, P. O. Box 9490, Dar es Salaam.

Application Deadline

Applications should be received in two weeks from the date of this advertisement.

7. Evaluation of Applicants

The firm will be evaluated based on a cumulative analysis considering the technical and financial proposal.

Technical Proposal: max 80 points

Financial Proposal: max 20 points

8. Duration of The Contract

This contract is for a maximum of 2 months and will be awarded to a firm, not individuals.
