Transcription
YEHU MICROFINANCE SERVICES LIMITEDTERMS OF REFERENCEFORSYSTEM AUDIT1
TERMS OF REFERENCE (TOR)1.BackgroundYEHU MICROFINANCE SERVICE LIMITED is a microfinance which was started as part of CHOICEHumanitarian in 1998 with 300 female members in a small rural village in the Kwale County, Kikoneni located inthe former (before the promulgation of the new Constitution) Coast Province of Kenya.The initial group was formed to mobilize savings among its members to inculcate the saving culture, though theneed for credit provision quickly became apparent, and in the year 2000 the first loans were disbursed. Currentlythe institution has 15 branches with a clientele of over 50,000 spread out in Kwale, Kilifi, Mombasa, Taita -Taveta,Lamu County as Makueni and Meru countiesYMSL intends to procure/engage a competent and reputable firm to undertake an Information Systems (IS) Audit.The IS audit aims at ensuring that the information systems are safeguarding assets/resources, maintaining dataintegrity and improving systems effectiveness and system efficiency in order to achieve the Organization's goalsand objectives.2.Objectives of the IS AuditThe objective of the engagement will be to conduct comprehensive review and examination of the controls andinternal checks built into the systems as a measure to enhance quality and assurance on adequacy, appropriatenessof internal checks and controls in the systems. This will involve evaluating the system's internal control design andeffectiveness and an examination of the information systems’, inputs, outputs, and processing. This includes, butis not limited to, business applications, IT infrastructure, security protocols and IT governance.The specific objectives for the engagement include the following:a. Ensure that the intended objectives of the ICT systems and solutions are met and aligned to meet thebusiness objectives of the Organization.b. Evaluate the effectiveness of infrastructure, systems and application controls implemented by theOrganization.c. Establish the adequacy of IT infrastructure currently deployed for the business applications and possiblefuture needs.3.Scope of the AuditThe areas of review include but are not limited to:i)ICT Strategy & Resourcesa. Determine whether the ICT strategy is well aligned to strategic and business objectives of theYMSLb. Evaluate the extent of implementation of the strategy.2
ii)Business Applications Reviewa. Review the functionality of the implemented business applications and identify any system functionalitygaps.b. Conduct an assessment on software/hardware licenses to determine optimization of renewal costs andrealization of value for money.c. Review software development, infrastructure and patch management.d. Review the procedures and controls over input, processing and output to ensure that information capturedis complete and accurate, information processing complies with required business rules, and informationgenerated is accurate, reliable and timely.e. Review the existing system interfaces to determine that they are operating as required.f. Evaluate the integration/linkages of the YMSL systems to third parties such as Safaricom, Post Bank, CRB,IPRS trading and settlement systems.iii)ICT Infrastructure Reviewa. Evaluate the ICT Enterprise infrastructure to determine its alignment to business functions.b. Review Governance of ICT function.c. Review Network Design and Redundancy/Business Continuity (fail over/fail back).d. Review the LAN utilization and evaluate the adequacy of the YMSL’s WAN bandwidth.e. Review network capacity/speed and response times reports used by management and determine to inputinto budget / purchasing plans.f. Establish how systems are operated in terms of efficiency and effectiveness and compare it with bestpractice and benchmarks with ICT Authority standards.g. Review the LAN, firewalls used, IDS systems, spam filters and network monitoring tools. In addition,review the configuration of the routers, switches and firewalls.h. Review and make recommendations on traffic prioritization to ensure business efficiency.i.iv)Review of the system functionalities against the FRDSICT support and third partiesa. Establish the quality of ICT support service and IT Asset Management processes offered by the ICTdepartment and that of the System provider- Virmat.b. Establish whether the contracts and SLAs that YMSL have with third parties that provide ICT systemsand support services are adequate.c. Review operational constraints that may affect or are affecting the ICT systems performance in termsof:i.User proficiency (effectiveness of user training)3
4.ii.Capacity and capability of first level supportiii.Level of transfer of knowledgeInformation Systems in placea. Enterprise Resource Planning (ERP) - To manage Procurement, Payroll and Finance.b. Risk Based Supervision System (RBSS) - Used in licensing and approvals and financial reporting,inspections, risk analysis, investigations and enforcement processes.c. Human Resources Management Information System (HRMIS) -To manage HR functions including leaveapplications, staff performance, benefits and recruitments.d. Surveillance system- For real-time monitoring and reporting of the market activities.e. ICT Infrastructure Integrated Primary and DR site LAN/WAN network (Switchers, Routers, Wi-Fi, etc.) Call Manager Servers, Backup systems UPS and Cooling Systems Biometric and CCTV surveillance systems Firewall Security Nature of hardware & software.f. Review of the security of the IT systems. E.g. passwords, security settings, user rights5.Outputs expected from the auditThe Audit Firm shall submit an audit report, which shall include but not limited to the following:i.Statement of objectives of the audit.ii.Scope, nature, timing and extent of audit work performed.iii.Detailed audit findings based on the scope above with appropriate recommendations and animplementation plan agreed on with Management to correct any deficiencies.6.Proposed DatesThe Audit shall be undertaken during the period between March 2022 and April 2022. Specific dates will beagreed on in consultation with the Firm.7.Requirements from the ICT Systems Audit FirmYMSL is inviting a suitably qualified and experienced Firm to carry out an Information Systems Audit. The firmshould display and proof experience in carrying IS audits and the human capital resources employed by the auditorshould have appropriate qualifications including professional and suitable practical experience.The firm should demonstrate an understanding of the scope and intent of the audit that is consistency with theoverall objectives, comprehensiveness and adequacy of the audit work plan, and its availability and ability to meetthe timeline.The Firm will be required to submit the following for consideration by the Authority:a. An IS Audit proposal should demonstrate relevant competency and expertise and as a minimum shouldprovide the following:4
i.ii.iii.iv.v.vi.vii.b.Company profile indicating the nature of IS Audits undertaken (Company history, contacts,products/services, affiliations). Firm must have been in existence for at least 10years.Evidence of firm experience in provision of IS audits for at least three entities of similar size withMicrofinance within the last five years. IS experience in public sector will be preferred. (Pleaseprovide proof in form of either LPOs/LSOs, Contracts or reference letter showing names of acontact person(s), their contacts, nature of assignment and period undertaken etcDetailed CVs of the team who will undertake the IS Audit in the format provided.The methodologies to be used to successfully undertake the audit.A detailed clear and precise work plan showing activities to be undertaken, timelines anddeliverables to achieve the tasks above.The tenderer is expected to provide a tentative project plan which shall be finalized on signingof the contract.Proposed team members and their role in this exercise.Qualification and competency of the key staffi. Team Leadera) Advance degree from a recognized Universityb) Relevant professional qualification in internationally recognized certification in systemaudits e.g., CISA, or its equivalent.c) Over 10 years IS Audit experienceii. Other Team Membersa) University Degreeb) Relevant professional qualification in internationally recognized certification in systemaudits e.g. CISA, or its equivalent.c) Over 5 years IS Audit experienceNote: Key staff on the assignment should have participated in the assignments conducted at thereferences quoted.c.A financial quotation based on the terms of reference listed and as per table below.d.Fill the enclosed Confidential Business Questionnaire formBids that score equal to or above 56 marks of the 80 possible marks in the Technical evaluation stage will proceedto financial evaluation stage. Bids that score less than 56 marks shall be treated as non-responsive and will not beevaluated further.5
8. Resource PlanTo be able to undertake the audit the proposals should indicate the skill sets available in the team tomatch the assignment and the expected duration.ActivityResource PersonHoursComments9. The Schedule of Prices/CostingGiven the scope outlined above, the costing of the proposal should include an itemization of the variousaspects of the Information System Audit where necessary using the format tabulated below. Note thatthis shall be a fixed fee contract.Notes on pricingThe following schedule of prices has been prepared for the purpose of identifying the costs of workto be undertaken for the contract and for the progress payments:Item.1.2.3.4.5.CMA Requirements/DescriptionQtyICT Strategy and Resources Evaluationand drafting reportBusiness Applications Review anddrafting reportICT Infrastructure Review and draftingreportICT Support and third parties anddrafting reportAny other applicable costs e.g.,mobilization, training etc.Grand Total Cost (VATInclusive)Total Cost in Words (VAT Inclusive)6UnitPrice(KSHs.)VATTotal Price(VATInclusive)
7SECTION IV-TECHNICAL PROPOSAL (TP)Notes on the Preparation of Technical ProposalThe technical proposal shall be prepared and submitted by the candidates. Itshall contain the following: (a)(b)(c)(d)(e)Submission letterComments and suggestions of the consultant on the terms of reference,personnel, facility and other requirements to be provided by the procuringentity.Description of the methodology and work plan for performing theassignment.The proposed key staff for the assignment.Consultancy services activities times schedule.(to be prepared by the consultant as per the standard formats below)
81. TECHNICAL PROPOSAL SUBMISSION FORM[To:Date][Name and address of Client)Ladies/Gentlemen:We, the undersigned, offer to provide the consulting services for[Title of consulting services] inaccordance with your Request for Proposal dated[Date] and ourProposal. We are hereby submitting our Proposal, which includes this Technical Proposal,[and a Financial Proposal sealed under a separate envelope-where applicable].We understand you are not bound to accept any Proposal that you receive.We remain,Yours sincerely,[Authorized Signature][Name and Title of Signatory][Name of Firm][Address]
242. FIRM’S REFERENCESRelevant Services Carried Out in the Last FiveYears That Best Illustrate QualificationsUsing the format below, provide information on each assignment for which your firmeither individually, as a corporate entity or in association, was legally contracted.Assignment Name:CountryLocation within Country:Professional Staff provided by YourName of Client:Firm/Entity(profiles):Clients contact person for the assignment.Address:No of Staff-Months; Duration ofAssignment:Start Date (Month/Year): Completion Date Approx. Value of Services (Kes.)(Month/Year):Name of Associated Consultants. If any:No of Months of ProfessionalStaff provided by Associated Consultants:Name of Senior Staff (Project Director/Coordinator, Team Leader) Involved andFunctions Performed:Narrative Description of project:Description of Actual Services Provided by Your Staff:Firm’s Name:Name and title of signatory;(May be amended as necessary)
3.COMMENTS AND SUGGESTIONS OF CONSULTANTS ON THETERMS OF REFERENCE AND ON DATA, SERVICES AND FACILITIESTO BE PROVIDED BY THE CLIENT.On the Terms of Reference:1.2.3.4.5.On the data, services, and facilities to be provided by the Client:1.2.3.4.5.NOTE:YMSL will provide Office space and access to Internet services
4. DESCRIPTION OF THE METHODOLOGY AND WORKPLAN FOR PERFORMING THE ASSIGNMENTNote: The consultant should indicate any critical success factor for the audit5. TEAM COMPOSITION AND TASK ASSIGNMENTS1. Technical/Managerial StaffName2.PositionTaskPositionTaskSupport StaffName
6.FORMAT OF CURRICULUM VITAE (CV) FOR PROPOSEDPROFESSIONAL STAFFProposed Position:Name of Firm:Name of Staff:Profession:Date of Birth:Years with Firm:Nationality:Membership in Professional Societies:Detailed Tasks Assigned:Key Qualifications:[Give an outline of staff member’s experience and training most pertinent to taskson assignment. Describe degree of responsibility held by staff member on relevantprevious assignments and give dates and locations].Education:[Summarize college/university and other specialized education of staff member,giving names of schools, dates attended and degree[s] obtained.]
Employment Record:[Starting with present position, list in reverse order every employment held. List allpositions held by staff member since graduation, giving dates, names of employingorganizations, titles of positions held, and locations of assignments.]Certification:I, the undersigned, certify that these data correctly describe me, myqualifications, and my experience.Date:[Signature of staff member]Date:[Signature of authorized representative of the firm]Full name of staff member:Full name of authorized representative:
7. TIME SCHEDULE FOR PROFESSIONALPERSONNEL Weeks (in the Form of a Bar Chart)NamePositionReportsDue/Activities1 2 34Number5 6 7 8 9 10 11 12 of weeksReports Due:Activities Duration:Signature:(Authorized representative)Full Name:Title:Address:
8. ACTIVITY (WORK) SCHEDULE(a). Field Investigation and Study Items1st,2nd, etc., are weeks from the start of assignment1st 2nd 3rd th 5th 6th 7th 8th9th10th 11th 12th4Activity(Work)(b). Completion and Submission of ReportsReportsI.II.III.IV.Date
SECTION V-FINANCIAL PROPOSAL (FP)Notes on the Preparation Financial QuotationThe financial quotation shall be prepared and submitted by the candidates. It shallcontain the following;a) Submission letter indicating total feesb) Summary of costsc) Breakdown of fees per activity (As per schedule of Prices/Costing)(to be prepared by the consultant as per the format below)
1. FINANCIAL PROPOSAL SUBMISSION FORM[ Date]To:[Name and address of Client]Ladies/Gentlemen:We, the undersigned, offer to provide the consulting services for() [Title of consulting services] in accordance with your Request for Proposaldated () [Date] and our Proposal. Our attached Financial Proposal isfor the sum of () [Amount in words and figures] inclusive of all the taxes.We remain,Yours sincerely,[Authorized Signature][Name and Title of Signatory][Name of Firm][Address]
2. PRICE SCHEDULE OF SERVICES (SUMMARY OF COSTS)Name of TendererTender NumberItem Description1.2.3.4.5.Unit PriceQuantity (KSHs)VATTotal Price(VATInclusive)ICT Strategy and ResourcesEvaluation and drafting reportBusiness Applications Reviewand drafting reportICT Infrastructure Reviewand drafting reportICT Support and third partiesand drafting reportAny other applicable costse.g., mobilization, training etc.Grand Total (VATInclusive)Total Amount in Words (Vat Inclusive) .Signature of tenderer Note: In case of discrepancy between unit price and total, the unit price shall prevail.
3. BREAKDOWN OF PRICE PER ACTIVITYActivity NO.:Description:Price ComponentRemunerationSubtotalAmount(s)
SECTION VI1.-STANDARD CONTRACT FORMSTANDARD CONTRACT FORMINDIVIDUAL PROFESSIONAL CONSULTANTS (lump-sumpayments)This Agreement, [hereinafter called “the Contract”) is entered into this [insertstarting date of assignment], by and between[insert Client’s name] of [or whoseregistered office is situated at] [insert Client’s address] (hereinafter called “theClient”) of the one part AND[insertConsultant’s name] of[or whose registered office is situated at][insert Consultant’s address] (hereinafter called “the Consultant”) of the otherpart.WHEREAS the Client wishes to have the Consultant perform the services [hereinafterreferred to as “the Services”, andWHEREAS the Consultant is willing to perform the saidServices, NOW THEREFORE THE PARTIES hereby agree asfollows:1. Services(i) The Consultant shall perform the Services specified inAppendix A, “Terms of Reference and Scope ofService, “which is made an integral part of this Contract.(ii)The Consultant shall provide the personnel listedAppendix B, “Consultant’s Personnel,” to perform theServices.(iii)The Consultant shall submit to the Client the reportsin the form and within the time periods specified inAppendix C, “Consultant’s Reporting Obligations.”
(Appendices A, B, and C to be prepared as appropriate)2.Term3.The Consultant shall perform the Services during theperiod commencing on[insert starting date] andthrough to[insert completion date],or any other period(s) as may be subsequently agreed bythe parties in writing.Payment A.CeilingFor Services rendered pursuant to Appendix A, theClient shall pay the Consultant an amount not toExceed[insert amount]. This amounthas been established based on the understandingthat it includes all the Consultant’s costs andprofits as well as any tax obligation that may beimposed on the Consultant.B.Schedule of PaymentsThe schedule of payments is specified below(Modify in order to reflect the output requiredas described in Appendix C.)KSHs.upon the Client’s receipt of theDraft report, acceptable to the Client; andKSHs.upon the Client’s receipt of theFinal report, acceptable to the Client.KSHs.C.TotalPayment ConditionsPayment shall be made in Kenya Shillings unlessotherwise specified not later than thirty (30) daysfollowing submission by the Consultant of invoices induplicate to the Coordinator designated in Clause 4 herebelow. If the Client has delayed payments beyond thirty(30) days after the due date hereof, simple interest shall bepaid to the Consultant for each day of delay at a rate threePercentage points above the prevailing Central
Bank of Kenya’s average rate for base lending.4.ProjectA.AdministrationB.CoordinatorThe Client designates[insert name] as Client’s Coordinator; theCoordinator will be responsible for theCoordination of activities under this Contract,for acceptance and approval of the reports and ofother deliverables, by the Client and for receivingand approving invoices for payment.ReportsThe reports listed in Appendix C, “Consultant’sReporting Obligations,” shall be submitted in theCourse of the assignment and will constitute thebasis for the payments to be made under paragraph 3.5PerformanceStandardsThe Consultant undertakes to perform the Serviceswith the highest standards of professional andethical competence and integrity. The Consultantshall promptly replace any employees assignedunder this Contract that the Client considersunsatisfactory.6.ConfidentialityThe Consultant shall not, during the term of thisContract and within two years after its expirationDisclose any proprietary or confidential Informationrelating to the Services, this ContractOr the Client’s business or operations without thePrior written consent of the Client.7.Ownership ofMaterialAny studies, reports or other material, graphic,software or otherwise prepared by the Consultant forthe Client under the Contract shall belong to andremain the property of the Client. The Consultant mayretain a copy of such documents and software.
8.Consultant Notto be Engagedin certainActivitiesThe Consultant agrees that during the term of thisContract and after its termination the Consultantand any entity affiliated with the Consultant shallbe disqualified from providing goods, works orservices (other than the Services and anycontinuation thereof) for any project resultingfrom or closely related to the Services.9.InsuranceThe Consultant will be responsible for taking outany appropriate insurance coverage.10.AssignmentThe Consultant shall not assign this Contract or subcontract any portion of it without the Client’s priorwritten consent.11.Law GoverningContract andLanguageThe Contract shall be governed by the laws ofKenya and the language of the Contract shall beEnglish language12. DisputeResolutionAny dispute arising out of the Contract whichcannot be amicably settled between the partiesshall be referred by either party to the arbitrationand final decision of a person to be agreedbetween the parties. Failing agreement to concurin the appointment of an Arbitrator, the Arbitratorshall be appointed by the chairman of theChartered Institute of Arbitrators, Kenya branch,On the request of the applying party.For the ClientFor the ConsultantFull nameFull nameTitleTitleSignatureSignatureDateDate
CONFIDENTIAL BUSINESS QUESTIONNAIREYou are requested to give the particulars indicated in Part 1 and either Part 2 (a), 2(b) or2(c) whichever applied to your type of business.You are advised that it is a serious offence to give false information on this form.Part 1 GeneralBusiness Name.Location of Business Premises .Plot No, .Street/Road.Postal address .Tel No. .Fax Email .Nature of Business .Registration Certificate No. .Maximum value of business which you can handle at any one time – KSHs. .Name of your bankers .Branch .Part 2 (a) – Sole ProprietorYour name in full . Age .Nationality Country of Origin .Citizenship details .Part 2 (b) – PartnershipGiven details of partners as followsNameNationalityCitizenship DetailsShares1. 2. 3. 4. Part 2 (c) – RegisteredCompany Private or PublicState the nominal and issued capital ofcompany Nominal KSHs.Issued KSHs.Given details of all directors as followsNameNationalityCitizenship DetailsShares1. 2. 3. 4. Date . Signature of Candidate
Submission of the ProposalsBidders are requested to submit (1) one ORIGINAL and (3) Three COPIES clearly marked “ORIGINAL” or “COPY”for each technical and financial offer; and,Bidders are reminded to clearly mark technical and financial offer in separateenvelopes.Interested external IS audit firm with reputable recognitions should submit their proposals,clearly indicating ‘Proposal for the Provision of External Audit Services’ on or before31st July 2022 to the following address:The Chief Executive OfficerYehu Microfinance Services LimitedAvenue Building, 2nd Floor, Avenue Road, Nyali.P.O. Box 82,120 – 80100Mombasa – KENYAApplication can also be submitted for both the Technical and Financial Proposals to info@yehu.org.NOTE: Every proposal must meet all the requirements as indicated in this TORs document. Incomplete proposals andProposals received after this date shall not be considered.
b) Relevant professional qualification in internationally recognized certification in system audits e.g., CISA, or its equivalent. c) Over 10 years IS Audit experience ii. Other Team Members a) University Degree b) Relevant professional qualification in internationally recognized certification in system audits e.g. CISA, or its equivalent.
