TERMS OF REFERENCE
CONSULTANCY FOR INFORMATION SYSTEM (IS) AUDIT
IS AUDIT CONSULTANT

The company is seeking proposals from firms or individual consultants interested in conducting an IS audit for the company taking into consideration the background narrated below.

BACKGROUND

Our client is a local registered Tanzanian private firm offering high class consulting services. Ever since it was established, in 1998, this year at 25th Anniversary, it has been on the leading edge of introducing innovative solutions in the field of Information & Communication Technology (ICT), Research & Statistics) and Digital Payments & Card Services for local and international clients from small businesses to large enterprises.

Due to advanced skills demands, the company has added a new business line in its portfolio. Professional Development Services (PDS) was established to deal with knowledge harvesting and skills learning initiatives.

The company has developed and implemented several information systems in supporting the business operations. The information systems are highly valued as essential part of the company internal control as well as for external reporting purposes whilst entirely driving the key business processes and policies.

Consequently, the management is greatly concerned about the quality status of its information systems, therefore, is calling for independent audit to review and provide feedback, assurances and suggestions for fixing any identified anomalies.

OBJECTIVE

The company seeks an independent and objective assurance to determine whether the information systems, related resources and the operating environment adequately safeguard the business assets of the company as well securely maintain its business data integrity, provide relevant and reliable information for informed decision making and planning. The company would also wish to ensure it achieves its organizational goals delivered by the use of the information systems, consume resources efficiently, and have internal controls that provide reasonable assurance that operational and control objectives are met, whilst undesirable events are adequately prevented or timely detected and destroyed or rectified promptly.

SCOPE OF WORK

The information system deployed at the company cater for multiple system comprising of several functions and activities, and their installations are located at different geographical locations using various technologies. This establishment, therefore, acquire inherent risks that may affect the information system in different ways. The competent IS auditor is, therefore, required to provide assurance on technology, network infrastructure, application and associated internal control framework by adopting best practice assessment tools and methodology for the software applications:

It is envisaged that the IS auditor will perform the following tasks:

(1) Validation of Reports: Provide assurance that the reporting modules of the systems are working according to the user expectation and specifications, are error free and can be trusted. That is, the reports produced by the systems and the formulas used for different calculations are correct and are in line with industry best practices nationally and internationally.

(2) Application software review: Provide assurance whether the business applications meet the current and future needs of the company.

The IS auditor must assess the following:

• control and authorizations,
• error and exception handling,
• business process flows within the application
• procedures and validation of reports generated from the systems.

(3) Network security review: Provide assurance that the database and the web server system is fully secure. Review the internal and external connections to the system covering area such as:

• Security perimeters
• Firewall settings
• Router access control lists
• Port scanning and intrusion detection

(4) Data integrity review: Provide assurance that the database design and structure provide the best possible design for the company needs and future integration requirements. The main purpose of task is the scrutiny of live data to verify adequacy of controls and impact of weaknesses that may be uncovered from any of the above reviews.

(5) Business continuity review: Provide assurance that business operations can continue, even in the occurrence on an unexpected event or a full-blown crisis.

(6) Infrastructure Review: Provide detailed review of the broad design, architecture, and key controls of the network infrastructure and systems.

(7) Vulnerability assessment/penetration tests: conduct vulnerability assessments and penetration tests on the company’s network and systems; identify any vulnerabilities and make feasible recommendations to close the vulnerabilities.

(8) System Interfaces: Provide a review of the system interfaces; confirm if the systems are adequately interfaced; identify any weaknesses; their root causes and make
recommendations for improvements.

(9) Risk Management: Undertake a wide risk assessment, to identify broad risks and specific risks on information system. Thus:

• Assess the adequacy of the design of the existing controls and test the operating effectiveness of the existing controls.
• Review & test the adequacy of the controls to mitigate the cyber security risks.
• Establish whether information systems are
  ∙ safeguarding corporate assets
  ∙ maintaining the integrity of stored & communicated data, and that they are reliable, efficient, secure and effective.
• Report any exceptions uncovered and make suitable recommendations.

SKILLS REQUIRED

• The company seeks services of a firm or an individual consultant who works in the field of IS auditing.
• The hired consultant is expected to have at least three years of work experience in relevant areas.

DELIVERABLE

At the end of the consultancy work, the IS Auditor is required to submit a report containing detailed observations on aforementioned areas as well as suggested areas during preliminary meetings with the management. In addition, a detailed roadmap/recommendations for improvements in risk areas identified are also required.

TIMEFRAME

The audit assignment is expected to be completed, on average within three (3) to four (4) weeks for each system allocated.

INTELLECTUAL PROPERTY RIGHTS

The report generated through this study would be the intellectual property of the company.

BUDGET AND PAYMENT

The estimated cost as envisaged in the scope of work have been estimated by management and will be negotiated with the winning consultant.

ELIGIBILITY

To be considered, Consultancy must currently be legally operating in Tanzania. Ability to deliver the items/services specified in Terms of Reference no later than the date(s) required of the assignment.