Provision of ICT Audit Services for Kenya Human Rights Commission Consultancy Opportunity

 Provision of ICT Audit Services for Kenya Human Rights Commission

Terms of Reference

A. Overview

The objective of this audit is to review the general ICT infrastructure of KHRC, system security employed, controls and policy decisions required to ensure the protection of all internal information systems and data.

The expected output of this audit will be a report that details the dependability of existing systems at the commission, recommends improvements to these systems and provide a basis for the formulation of an ICT policy.

B. Audit Scope

The scope will entail conducting an assessment of ICT systems as per Section C: Audit Services Required.

This includes: identification and evaluation of both hardware and software of the commission and recommending/assist in implementing a set of best practices and tools governing the ICT systems within the commission.

The Auditor will inform the Commission as soon as possible of any limitations in the scope of work he/she may find prior to or during the audit.

C. Audit Services Required

The IT Audit shall include, but not be limited, to the following:-

I. Operating System (OS) for servers, Databases, network equipment, Security Systems and Storage Area Networks.

a. Set up and maintenance of system parameters

b. Patch Management

c. Change Management Procedures

d. Logical Access Controls

e. User Management & Security

f. OS Hardening

g. Performance, Scalability and Availability

h. Firewall efficiency

II. Review of IT Processes and ICT Management Tools

a. I.T Asset Management

b. Enterprise Management System

c. Change Management

d. Incident Management

e. Network Management

f. Data and Systems Backup Management

g. Enterprise Anti-Virus Management

h. Vendor & SLA Management

i. Disaster recovery

j. Hardware Power Backup Management

III. Security Management

a. Security Equipment Configurations & Policies Penetration testing and Vulnerability Assessment (PT / VA) of various security zones.

b. Network & systems audit

c. Network architecture review

d. Network traffic analysis and base lining

e. Virtual LANS (VLANs)

IV. Network & systems audit

a. Network architecture review

b. Network traffic analysis and base lining

c. Virtual LANS (VLANs)

V. Review the existing policy documents of the commission such as IT Policy, IT Procurement Policy, IS Security Policy etc., and suggest required changes.

VI. Review of installed applications and web portals at the commission, with emphasis on security. Though these systems have already been tested by the developers and end-users, an audit is required as a measure to enhance quality and assurance on adequacy, security, appropriate internal checks and controls in the systems. A list of the applications to be audited will be provided to the Auditor prior to engagement.

D. Audit Planning & Reporting:

The consultants/consulting firms should deliver at the end of the Audit exercise, a complete Audit Report comprising an Executive Summary, Findings and Recommendations which should include, but not limited to, System Vulnerabilities, Security Program Management of Information Technology Resources and Application Life Cycle Controls.

The Auditor should in accordance with ISAE 3000, prepare audit documentation and obtain sufficient appropriate audit evidence to support audit findings and to draw reasonable conclusions on which to base the audit report.

The Auditor should use professional judgment to determine whether audit evidence is sufficient and appropriate.

This report should be submitted to the Director, Finance & Administration.

Any significant deviation from the formally approved work schedule shall be communicated to the director through periodic activity reports.

E. Knowledge & Skills requirements

The consultant/ consulting firm should have a minimum of 5 years work experience in computer systems audit.

The key personnel who will be handling this assignment should be graduates in Computer Science, Computer Technology or its equivalent.

They should also include their resumes in the proposal which will be considered during the initial evaluation process.

They must also be members of professional bodies such as CISA, CISCO and ISACA.

The consultant/ consulting firm should have undertaken similar engagements previously and have ready references to corroborate.

Curricula Vitae (' CVs')

The Auditor will provide the Commission with CV's of the partner or other person in the audit firm who is responsible for the audit and for signing the report together with the CVs of the other audit team members. CVs will include appropriate details on the type of audits carried out by the staff indicating capability and capacity to undertake the audit as well as details on relevant specific experience.

The Commission will examine the CV's before it signs an order form or other applicable contractual document for this engagement and reserves the right to reject them if they are not considered suitable for the requirements of the engagement.

F. Standards and Guidance

The Auditor who performs this systems audit is governed by: The IFAC International Framework for Assurance Engagements and International Standard on Assurance Engagements ('ISAE') 3000 for Assurance Engagements other than Audits or Reviews of Historical Financial Information insofar as these can be applied in the specific context of a systems audit intended to provide assurance that risks to the achievement of the objectives of the Project are properly managed and controlled.

The IFAC Code of Ethics for Professional Accountants (issued by IFAC's International Ethics Standards Board for Accountants (IESBA), which establishes fundamental ethical principles for Auditors with regard to integrity, objectivity, independence, professional competence and due care, confidentiality, professional behaviour and technical standards; though the auditor needn’t be an accountant, adherence to these fundamental ethical principles is paramount during the audit.

The IFAC International Standards on Quality Control (ISQCs), which establish standards and provide guidance on an Auditor's system of quality control.

G. Deliverables and Timelines

The duration of the IT Audit exercise is expected to take around 10 weeks.

Work will begin January 2013.

The end of the contract will be determined as the audit progresses.

H. Application Procedures

    If you meet the criteria above submit an application to admin@khrc.or.ke by 4th January 2013 that includes: Your company profile
    Resumes of the key personnel to handle this assignment.
    3 Professional referees of whom you have done a similar assignment for.

Costing based on the work described above