REQUEST FOR PROPOSAL RP011-22 January 26, 2022


01/05/2022
REQUEST FOR PROPOSAL RP011-22

The Gwinnett County Board of Commissioners is soliciting competitive sealed proposals from qualified service providers to Provide Information Technology and Other Internal Auditing Services on an Annual Contract with four (4) one-year options to renew.

Proposals must be returned in a sealed container marked on the outside with the Request for Proposal number and Company Name. Proposals will be received until 2:50 P.M. local time on January 26, 2022 at the Gwinnett County Financial Services - Purchasing Division, 2nd Floor, 75 Langley Drive, Lawrenceville, Georgia 30046. Any proposal received after this date and time will not be accepted. Proposals will be publicly opened and only names of submitting firms will be read at 3:00 P.M. A list of firms submitting proposals will be available the following business day on our website www.gwinnettcounty.com.

A WebEx pre-proposal meeting is scheduled for 10:00 A.M. local time on January 12, 2022. To access, dial 1-408-418-9388, enter Access Code 2342 859 8899. All interested parties are urged to attend.

Questions regarding proposals should be directed to Brittany Bryant, Purchasing Associate II at Brittany.Bryant@GwinnettCounty.com or by calling 770-822-7759, no later than January 12, 2022. Proposals are legal and binding upon the bidder when submitted. One (1) unbound original, three (3) copies and one electronic version on a flash drive should be submitted. Do NOT include Cost Proposal in the copies or the copy on flash drive.

Successful service provider will be required to meet insurance requirements. The Insurance Company should be authorized to do business in Georgia by the Georgia Insurance Department and must have an A.M. Best rating of A-5 or higher.

Gwinnett County does not discriminate on the basis of disability in the admission or access to its programs or activities. Any requests for reasonable accommodations required by individuals to fully participate in any open meeting, program or activity of Gwinnett County Government should be directed to the ADA Coordinator at the Gwinnett County Justice and Administration Center, 770-822-8165.

The written proposal documents supersede any verbal or written prior communications between the parties. Selection criteria are outlined in the request for proposal documents. Gwinnett County reserves the right to reject any or all proposals, to waive technicalities, and to make an award deemed in the best interest of Gwinnett County.

Award notification will be posted after award on the County website, www.gwinnettcounty.com, and companies submitting a proposal will be notified via email.

We look forward to your proposal and appreciate your interest in Gwinnett County.

Brittany Taylor
Purchasing Associate II

The following pages should be returned with your proposal:
- Fee Schedule (Return in a separate envelope), Page 9
- Consultant Information, Page 10
- References, Page 11
- Code of Ethics Affidavit, Page 12
- E-Verify Affidavit, Page 13

RP011-22 PAGE 2

I. INTRODUCTION AND BACKGROUND

Gwinnett County Board of Commissioners (the County) is soliciting proposals from qualified professional services firms to provide staff augmentation to the Internal Audit Division (IA) for Information Technology (IT) audit and advisory services and other Internal Audit services as needed on an annual contract. The successful firm will generally conduct IT security audits using an acceptable risk management framework such as CIS (preferred) or NIST in the following control areas:

- User access
- Malware protection
- Incident response
- Disaster recovery
- Administrative accounts and elevated privileges
- Firewalls and perimeter defenses
- Monitoring and logging
- Security architecture and design
- Vulnerability scanning and patch management
- Applications and software management
- Helpdesk and project portfolio management
- Vendor Management
- Other areas as needed

Risk assessments, planning, and test work will be conducted throughout the year. Audit fieldwork should be completed by the end of the third quarter. The successful firm(s) will provide staffing continuity throughout the engagement to meet audit schedule deadlines.

Firms ("External staff") will be required to:

- Perform risk assessments to prioritize audit work.
- Identify and document key controls specific to Gwinnett County Government.
- Develop custom, risk-based audit plans designed to provide valuable insight.
- Develop test plans to evaluate the adequacy, design, and effectiveness of controls.
- Maintain work papers to IA standards to support audit assessments and conclusions.
- Provide actionable, effective recommendations based on evidence and root causes.
- Consider best practices to offer practical, cost-effective improvements when applicable.
- Use IA project management tools to store and manage audit work in a timely manner.
- Provide a secure channel or virtual environment for communication with IA.
- Follow IA guidelines and IT audit best practices.
- Collaborate with IA and support IA's audit plan objectives.
- Maintain high ethical, quality, and professional standards throughout engagements.

Beyond the IT audit program, there may be times when IA needs staff augmentation to complete additional internal audits of County operations. This will depend on the County's annual audit plan, risk assessment, and available resources, at IA discretion.

II. SCOPE OF WORK

IA reasonably expects the IT audit program to cover control activities in four to five high-level areas in a typical year with a combined total that may exceed 100 controls. Based on prior experience, IA expects total hours to range from approximately 1,400 to 1,900 hours each year including any hours allocated for engagements beyond IT audit. This is only an estimate for planning purposes. Actual hours may vary based on operations and risk. Proposers should provide their own estimates based on experience as well as the expectations outlined in this document.

RP011-22 PAGE 3

External staff will analyze and evaluate controls under IA's general supervision. The County does not anticipate using significant partner or managerial resources from the successful firm. IA expects to allocate IT audit work throughout the year to minimize disruption to departmental operations and accommodate departmental work schedules. Audit work will be performed according to schedule or on-demand, depending on business needs.

The successful firm should be prepared to provide in-person staffing. Audit work will be completed at the Gwinnett Justice & Administration Center (GJAC), although fieldwork may occasionally be conducted at other operational locations within the County. The County will not reimburse external staff for travel to or from their firm's office.

General Expectations

External staff will be expected to work collaboratively with County employees in all phases of the audit. All work papers, notes, emails, documents, and any other audit evidence belong to the County and must be available to IA throughout the audit for ongoing review and document retention. All audit documentation will be housed and managed in an online project management portal provided and owned by IA, with permissions granted to external staff. External staff will be expected to exercise project management and time management skills to complete engagements within budgeted time frames. External staff should keep the management team up to date on any issues that may impact the completion of a timely audit. External staff must engage in the IA Quality Assurance process and produce deliverables to IA standards.

Staffing

External staff must have the technical expertise, experience, and professional acumen to successfully audit IT and other operational controls and must be able to effectively apply relevant auditing concepts such as audit risk and sampling to ensure audit quality and reliability. External staff should be adept at communicating technical concepts to audiences without relevant technical background and engaging in discussion that may include detailed questions, constructive criticism, or differences of opinion. Proficiency in SharePoint is desired.

IA may need staff with various levels of experience and billable rates throughout the year to achieve audit plan goals and manage costs. The successful firm will be required to maintain and follow a resource plan approved by IA. Staffing levels and expertise may vary depending on the engagement scope, type and phase of audit work, technical requirements, and available budget. The following is a summary of anticipated staffing requirements:

IT Senior Auditor
- Four or more years of recent experience conducting IT audits or internal audits, including three years leading IT audits.
- Experience conducting IT audits for at least three different medium to large client organizations.
- Active ISACA certification as a Certified Information Systems Auditor (CISA) preferred. CISA certification may be substituted with Certified Internal Auditor (CIA) or Certified Public Accountant (CPA) credentials with sufficient, relevant IT audit experience.
- Demonstrated mastery of IT audit principles.
- Demonstrated success forming and sharing evidence-based results with clients.

RP011-22 PAGE 4

IT Staff Auditor
- One to three years of recent experience conducting IT audits or internal audits.
- Relevant professional certifications desired.

IT Audit Manager or Director (Security Expert)
- Five or more years of experience evaluating IT security controls and providing specific IT security recommendations, including three years leading formal IT security reviews or audits.
- Industry or governmental experience in managing IT operations desirable.
- Active certification as a Certified Information Systems Security Professional (CISSP) and/or Certified Information Systems Manager (CISM).
- Demonstrated cybersecurity and network security expertise, including knowledge of the latest risks, threats, and tools.
- Preferred: Offensive security (penetration testing) experience and/or certification as Offensive Security Certified Professional (OSCP) or Certified Ethical Hacker (CEH).

Senior Internal Auditor
- Four or more years of recent experience conducting internal audits, including two years leading internal audits.
- Experience conducting internal audits for medium to large client organizations.
- Active CIA, CPA, or CFE certification.
- Demonstrated mastery of internal audit principles.
- Demonstrated success working with clients.

The total number of audit hours per year is expected to be 1,400-1,900. IT Senior Auditor will be used primarily on most audits and should have sufficient IT security knowledge to successfully conduct engagements without additional expertise or extensive oversight. To promote efficiency, an IT Staff Auditor may be used as appropriate to request data and test controls with general supervision. The IT Audit Manager or Director (Security Expert) may be used for consultation or participation in walkthroughs and test design as needed in certain areas. For planning purposes, IA anticipates approximately 100-300 hours for the Manager or Director.

External staff should have sufficient tenure with respondent firm to validate expertise and work product quality.

Project Management

IA generally schedules assignments based on the annual audit plan. However, some engagements could occur or change on short notice. The departments may also modify work schedules or cancel engagements based on business needs. The County requires the capability and flexibility to respond to schedule changes. Respondent firms should possess sufficient depth of qualified resources.

This staff augmentation model is not expected to involve a multi-layered approach from the firm. IA expects external staff to produce clear and accurate deliverables with minimal need for review. IA may internally designate a Gwinnett County employee as senior program manager to oversee work product quality and delivery, working closely with external staff. Depending on audit work and available resources, IA may designate an additional County employee to work alongside external staff as IT senior auditor. IA personnel assigned to the engagement should be copied on all engagement communications and invited to all meetings.

RP011-22 PAGE 5

External Auditors will submit detailed time summaries to support billing. Time summaries should be consistent with audit progress and deliverables as visible in the IA project management tool. Time summaries will be agreed to monthly billing invoices and used for future planning purposes. IA does not expect to be billed for re-work or onboarding resulting from turnover of firm personnel assigned to Gwinnett during an engagement.

Deliverables and Performance Expectations

External staff must exercise sound judgment and be adept at successfully working in a diverse environment with employees from all organizational levels. Audit objectivity is paramount, but audits should also be collaborative and contain results and recommendations that are fully vetted with control owners to ensure quality and relevance.

Typical IT and internal audit activities and deliverables may include, but are not limited to the following:

- Develop a risk control matrix (RCM) tailored to the County operations in scope. Include a preliminary assessment of risk for each control and suggested test plans. Confirm controls with management and add or adjust controls according to IA and management input. Submit the RCM to the Division Director of Internal Audit (IA Director) for approval prior to starting test work.
- Prepare detailed control narratives using information gathered at each interview, walkthrough, or observation.
- Formulate and perform test plans for review and feedback from IA and the department.
- Effectively manage data requests to obtain timely and sufficient data while minimizing disruption to departmental operations. Follow IA sampling standards.
- Document test procedures and results with logical conclusions supported by evidence. Use the IA project management tool to document all outputs from the assessment.
- Promptly review each potential finding or issue with departmental management and determine its root cause. Develop practical and cost-effective recommendations to remediate control deficiencies. Maintain a list of the issues, the risks they pose, and recommendations.
- Periodically evaluate the effectiveness of remediation efforts.
- Prepare a clear and concise draft report of background context, observations, and recommendations for review by the management team. Use the standard IA report format and vet draft reports with control owners for accuracy, validity, and management response.
- Keep the IA project management tool up to date to enable accurate point-in-time summaries of the total number of controls tested, passed, and failed per domain.

IA is the owner of all work products and may choose to assign internal staff to direct, produce, or revise certain deliverables as necessary to meet project timeframes and quality standards. External staff are expected to use professional judgment, time management, IA guidance, and reasonably efficient analysis techniques to minimize waste in their successful performance of audit work.

Background Checks and Confidentiality

Responsive firms will be required to provide successful background check results for involved staff members before the engagement begins. Gwinnett County information must remain confidential and only discussed with appropriate Gwinnett County employees and other staff. By responding to this RFP, the respondent firm agrees not to disclose County-specific information learned during the engagement, including but not limited to network architecture or components, hardware or software, internal controls, processes, risks, deficiencies, weaknesses, or vulnerabilities.

RP011-22 PAGE 6

INSURANCE REQUIREMENTS

The successful consultant shall provide adequate coverage for the entire term of the contract.

Exceptions to Terms and Conditions or Proposal Requirements

Respondents must clearly list any exceptions to the Terms & Conditions or Proposal Requirements. Please note that any exceptions will be considered during the evaluation process and points may be deducted. Our standard service agreement is included in this RFP. Prospective Service Providers should review and indicate any exceptions to these Terms and Conditions.

Signatures

Proposals and accompanying bids shall be submitted in the official corporate name of the corporation and should be signed by the individual authorized to bind the corporation.

III. PROPOSAL SUBMISSION INSTRUCTIONS

Consultants are asked to read the Request for Proposal carefully to ensure that they address the specific requirements of this Request and submit all requested information. Proposing Consultants will be evaluated and scored based on the information provided in their proposals as it relates to this Request. The Consultant's Proposal shall be organized in the order and format described below.

Respondents are encouraged to submit clear and concise responses, and excessive length or extraneous information is discouraged. In an effort to ensure our ability to evaluate and choose a successful firm for this project, respondents are encouraged to be responsive to the specific range of issues requested in this solicitation. Submission of excessive "boiler plate" information, including sales brochures, is discouraged. Proposers should not submit website links in lieu of written responses. Website links and any information contained within may not be reviewed or considered by Gwinnett County. Consultants are requested to submit one (1) original unbound, three (3) copies, and one (1) electronic copy on a flash drive of the proposal package to meet the requirements below. All copies of the proposal must be identical.

A. Firm Experience

Provide a narrative description of the company's history, purpose, range of services, resources, and past and current business activities. In the latter area, describe in detail the company's experience in conducting internal auditing services to include IT auditing and staff augmentation services. Describe any special capabilities of the company, such as resources, programs or practices that set it apart from other firms.

B. Resource Management

How much relevant professional training do auditors/consultants receive each year? Does the firm employ third party consultants or firms to perform the sort of work being sought in this RFP? What percentage of the firm's staffing is covered by employees versus contractors? Are there other firm offices that could provide back-up or supply specialty consultants? Explain as necessary. Describe any instances where the firm was required to quickly mobilize an individual or team to deal with an unplanned or urgent event.

RP011-22 PAGE 7

Provide your firm's approach to developing, managing, and retaining a high-performance staff. Include your firm's requirements for continuing professional education (training) and your firm's performance evaluation practices, including examples of performance targets for staff and management. Describe your firm's vetting process for employment, including protocols for background checks and confidentiality. Describe your firm's flexibility and ability to respond to urgent or unscheduled requirements or cancellations.

C. Experience, Skills and Qualifications

Provide a staffing plan for the proposed services. Provide resumes to include background, experience, certifications, and qualifications of key personnel that will be assigned to Gwinnett County.

Provide a description of the role each staff member will play in this contract. Confirm the firm has run a background check within the past year and has an NDA on file with the individual(s).

Describe the size and capabilities of your firm's available staff and the turnover rate. Describe the staffing plan should personnel assigned to this contract leave the firm. The awarded firm will be responsible for engagement onboarding should there be any changes to personnel assigned to Gwinnett County.

D. Understanding and Approach

Explain your understanding of the work outlined in this proposal and describe your firm's IT audit approach and methodology. State how your firm will help the County achieve its objectives. Explain what uniquely qualifies the firm to serve Gwinnett County and any relevant experience the firm has that may set it apart from other firms. Provide your firm's quality assurance standards, programs, and/or practices.

Describe other recent, similar engagements that demonstrate the qualifications of the firm and the individuals proposed for this contract. Include only those examples that relate to the nature of the proposed contract. Include as many different examples as needed.

E. References

Provide a minimum of three (3) references from recent engagements that involved similar audit work. The reference form attached to the proposal document specifies what details to include. Please specify whether the audit work for these references was conducted by any of the same staff members that will be assigned to Gwinnett County.

F. Fee Schedule

Please complete the attached Fee Schedule and submit in a separate sealed envelope with "RP011-22 fee proposal" and your firm's name written on the outside. This can be submitted in the same container, but should not be included in the technical proposal documents. Please note that ALL costs associated with these services MUST be included in the hourly rates, including but not limited to travel, supplies, etc. The County will not pay any fees outside of what is listed on the Fee Schedule.

IV. SELECTION PROCEDURE

Proposals will be evaluated based on their relative responsiveness to the criteria described above and with the criteria values weighted as shown.

RP011-22 PAGE 8

A. Firm Experience - Breadth/depth of resources, client diversity and size, experience, history, quality standards, and stability. Experience and approach in providing staff augmentation services. (20 points)
B. Resource Management - Performance evaluations, required continuing professional education (training), and staffing flexibility. Staffing flexibility includes ability to respond to urgent or unscheduled requirements and adaptability to changes in departmental availability. (15 points)
C. Experience, Skills and Qualifications - Experience and professional qualifications of proposed staff assigned to engagement. (25 points)
D. Understanding and Approach - Understanding of and commitment to achieving County's objectives. (20 points)
E. References (10 points)
F. Fees (10 points)
SUB TOTAL: 100 points
G. Optional Interview (15 points)
TOTAL: 115 points

Gwinnett County will select the firm that best demonstrates that it would provide the most value towards achieving the objectives listed in this document. The proposals will be reviewed by a selection committee and ranked based on the criteria identified above.

Part I - Initially, proposals will be evaluated based on their relative responsiveness to criteria A-E above and with those point values weighted as shown above.

Part II - Firms may be short-listed for further consideration. The fee schedules of the short-listed firms from Part I will be opened, reviewed and scored. At the discretion of the County, or as deemed in its best interest, firms may be short-listed a second time for an interview/presentation.

Part III - If interviews are necessary for selection, evaluation will be performed and will be worth an additional 0-15 points in the selection process. The number of firms short listed and interviewed will be at the discretion of the selection committee. The consultant will be responsible for any cost associated with the request for an interview.

Upon completion of the qualifications-based evaluation and ranking of proposals, the County will initiate negotiations with the highest scoring firm to arrive at a fair and reasonable compensation for the solicited services which considers the scope, complexity, professional nature and estimated value of the services to be rendered. If the County and the highest scoring firm are unable to negotiate a fair and reasonable contract, the County may terminate negotiations and undertake negotiations with the next highest scoring firm, continuing the process until an agreement is reached.

RP011-22 PAGE 9

FAILURE TO RETURN THIS PAGE AS PART OF YOUR PROPOSAL DOCUMENT MAY RESULT IN REJECTION OF PROPOSAL.

FEE SCHEDULE
(Return In a Separate Envelope)

ITEM#  DESCRIPTION                                           APPROX. ANNUAL QTY   HOURLY RATE   TOTAL PRICE
1.     Staff augmentation services: IT Senior Auditor        1,450 HRS            __________    __________
2.     Staff augmentation services: IT Manager or Director   150 HRS              __________    __________
3.     Staff augmentation services: IT Staff Auditor         80 HRS               __________    __________
4.     Non-IT Related Auditing Services                      120 HRS              __________    __________
                                                                                  TOTAL         __________

In compliance with the specifications outlined in the RFP, the undersigned acknowledges all requirements outlined in the "Instructions to Proposers" and all documents referred to therein. The undersigned offers and agrees, if this proposal is accepted by the Board of Commissioners within one hundred twenty (120) days of the date of proposal opening, to furnish any or all of the items upon which prices are quoted, at the price set opposite each item, delivered to the designated point(s) within the time specified in the fee schedule.

Gwinnett County requires pricing to remain firm for the duration of the initial term of the contract. Failure to hold firm pricing for the initial term of the contract will be sufficient cause for Gwinnett County to declare proposal non-responsive. This contract is anticipated to begin April 1, 2022 or upon award.

Unless otherwise noted, quoted prices will remain firm for four (4) additional one (1) year periods. If a percentage increase or decrease will be a part of this bid, please note this in the space provided together with an explanation:

Option 1 Renewal   ____ % Increase   ____ % Decrease
Option 2 Renewal   ____ % Increase   ____ % Decrease
Option 3 Renewal   ____ % Increase   ____ % Decrease
Option 4 Renewal   ____ % Increase   ____ % Decrease

Explanation: ______________________________

COMPANY NAME: ______________________________

RP011-22 PAGE 10

Failure to return this page as part of your proposal document may result in rejection of proposal.

CONSULTANT INFORMATION

Please include this page as part of the technical proposal document and NOT with the Cost Schedule.

Termination for Cause: The County may terminate this agreement for cause upon ten days prior written notice to the service provider of the service provider's default in the performance of any term of this agreement. Such termination shall be without prejudice to any of the County's rights or remedies by law.

Termination for Convenience: The County may terminate this agreement for its convenience at any time upon 30 days written notice to the service provider. In the event of the County's termination of this agreement for convenience, the service provider will be paid for those services actually performed. Partially completed performance of the agreement will be compensated based upon a signed statement of completion to be submitted by the service provider, which shall itemize each element of performance.

The undersigned acknowledges receipt of the following addenda, listed by number and date as issued appearing on each:

Addendum No. ______   Date ______
Addendum No. ______   Date ______

Certification Of Non-Collusion in Bid Preparation

Signature ______________________   Date ______

Legal Business Name ______________________
(If your company is an LLC, you must identify all principals to include addresses and phone numbers in your submittal)
Federal Tax ID ______________________
Address ______________________
Does your company currently have a location within Gwinnett County?   Yes ___   No ___
Representative Signature ______________________   Printed Name ______________________
Telephone Number ______________________   Fax Number ______________________
E-mail address ______________________

RP011-22 PAGE 11

FAILURE TO RETURN THIS PAGE AS PART OF YOUR BID DOCUMENT MAY RESULT IN REJECTION OF BID.

REFERENCES

Gwinnett County requests a minimum of three (3) references where work of a similar size and scope has been completed.

Note: References should be customized for each project, rather than submitting the same set of references for every project bid. The references listed should be of similar size and scope of the project being bid on. Do not submit a project list in lieu of this form.

1. Company Name ______________________
   Brief Description of Project ______________________
   Start Date ______   Completion Date ______
   Contract Amount ______
   Contact Person ______________________
   Telephone ______________________
   E-Mail Address ______________________

2. Company Name ______________________
   Brief Description of Project ______________________
   Start Date ______   Completion Date ______
   Contract Amount ______
   Contact Person ______________________
   Telephone ______________________
   E-Mail Address ______________________

3. Company Name ______________________
   Brief Description of Project ______________________
   Start Date ______   Completion Date ______
   Contract Amount ______
   Contact Person ______________________
   Telephone ______________________
   E-Mail Address ______________________

Company Name ______________________

RP011-22 PAGE 12

RP011-22: Provide Information Technology and Other Internal Auditing Services on an Annual Contract

CODE OF ETHICS AFFIDAVIT
(THIS FORM SHOULD BE FULLY COMPLETED AND RETURNED WITH YOUR SUBMITTAL AND WILL BE REQUIRED PRIOR TO EVALUATION)

In accordance with Section 54-33 of the Gwinnett County Code of Ordinances the undersigned bidder/proposer makes the following full and complete disclosure under oath, to the best of his/her knowledge, of the name(s) of all elected officials whom it employs or who have a direct or indirect pecuniary interest in or with the bidder/proposer, its affiliates or its subcontractors:

1. ______________________ (Company Submitting Bid/Proposal)

2. (Please check one box below)
   [ ] No information to disclose (complete only section 4 below)
   [ ] Disclosed information below (complete section 3 & section 4 below)

3. (if additional space is required, please attach list)
   Gwinnett County Elected Official Name ______________________
   Gwinnett County Elected Official Name ______________________
   Gwinnett County Elected Official Name ______________________
   Gwinnett County Elected Official Name ______________________

4. BY: ______________________
   Authorized Officer or Agent Signature
   Printed Name of Authorized Officer or Agent ______________________
   Title of Authorized Officer or Agent of Contractor ______________________
   Sworn to and subscribed before me this ____ day of __________, 20__
   Notary Public ______________________ (seal)

Note: See Gwinnett County Code of Ethics Ordinance EO2011, Sec. 54-33. The ordinance will be available to view in its entirety at www.gwinnettcounty.com

7.14.17

RP011-22 PAGE 13

RP011-22: Provide Information Technology and Other Internal Auditing Services on an Annual Contract

CONTRACTOR AFFIDAVIT AND AGREEMENT
(THIS FORM SHOULD BE FULLY COMPLETED AND RETURNED WITH YOUR SUBMITTAL)

By executing this affidavit, the undersigned contractor verifies its compliance with The
