Terms of Reference: Conduct Organizational ICT Systems Audit (REF: ACT-ICTA-17-2022)

1. About Act Change Transform (Act!)

Act! is a not-for-profit, non-governmental organisation established in Kenya in September 2001 and registered under the Non-Governmental Organisations Coordination Act of 1990. The vision of Act! vision is “empowered citizens and communities living a productive life in dignity” while the mission is to “support, partner with and develop local organisations to be effective agents of lasting positive change”. Our holistic approach to development is delivered through capacity development and grants management. Act! approaches its development work through three broad programmatic areas namely; Peace Building and Conflict Transformation, Democracy and Human Rights, Environment and Natural Resources Management.

2. Background Information

ICT Systems area a valued essential part of Act!’s internal processes. The information system is valued an essential part of Act!’s internal control systems. This does not merely record business transactions, but actually drives the key business processes and policies. Act! Through a Resiliency Organizational Capacity Assessment (ROCCs) process supported by Internews and facilitated by Partners global was able to realise the importance of strengthening the organizations ICT systems geared towards overall improvement of the organizations health and a move toward a resiliency pathway. Information systems at Act! have different functions and activities coupled with a number of computer installations at the two Act! Officers (Nairobi and Mombasa). The ROCCs process flagged out the need to optimize available ICT resources and to explore ways in which these resources can be used to propel Act! towards greater resiliency and find ways of cushioning the organization against a wide range of this risks. These include risks inherent to information systems, which may affect the information system in different ways.

3. Why ICT Systems Audit

As the world is being more connected digitally, and everyone is migrating to online services, there is an increased value placed on how the ICT systems can support in enhancing effectiveness, efficiency and contributing to organizational growth. This should also be in line with putting in place measures to counter any threats and vulnerabilities in the cybersecurity landscape. Act! believes that information systems audit is part of the overall organizational health check that seeks to contribute to organizational growth and resiliency, ensure control, maximization and risk mitigation. It seeks an independent and objective assurance to determine whether the information systems, related resources and the environment adequately support the organization’s needs in line with the strategic plan, embraces innovation, safeguards assets, maintains data and system integrity; provide relevant and reliable information; achieve organizational/information system goals and consume resources efficiently, and have internal controls that provide reasonable assurance that operational and control objectives will be met, undesired events will be prevented or detected & rectified in a timely manner.

4.0 Scope of Work

1. Review and provide feedback, assurances and suggestions that Summarizes the system architecture of Act! and components, and its overall level of security which Includes a list of threats and vulnerabilities and the ICT system’s current security controls together with its risk levels.
2. Making reference to the framework and standards on information systems developed by Information Systems Audit and Control Association (ISACA), look at Act’s ICT technology infrastructure, application and associated internal control framework by assessing computerized information system’s functionality, efficiency and security through risk assessment, internal control evaluation and detailed testing of associated data.
3. To conduct tests and analysis of the systems technical environments for sound architectures, correct configurations, and system-level vulnerabilities.
4. To assist the management to understand key risks by assigning each risk profile component a component risk score.
5. Develop an ICT systems audit report with recommendations that will provide a guideline to the organization leadership on how to build upon the information learned during the audit and provide a roadmap on how Act!’s ICT systems can be improved to contribute and aligned with the organization Strategic plan and build upon the overall Business plan for the organization.

The major elements of the ICT audit are as follows:

• Application software review – To provide assurance whether the financial and operational applications meet the current and future needs of the organization. The auditor must access control and authorizations, error and exception handling, business process flows within the application software and complementary controls (enterprise level, general, application and specialist IT control) and procedures and validation of reports (both operational and financial) generated from the system.
• Network security review – To provide assurance that the database and the web server system is fully secure and is corresponding to the controls objectives of control system. Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
• Data integrity review – To provide assurance that the database design and structure provides the best possible design for the organizational needs and corresponding application and future integration needs. The purpose is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews.
• Business continuity review – Includes existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan, the effectiveness of disaster recovery plan, as well as ensuring the existence of well-defined information Systems Audit manual and its compliance thereon.
• Review of the Act! ICT Policy – To review existing ICT Policy against the industry best practices and identify current organizational needs (including minimum requirements for compliance) linking with how they may contribute to the overall sustainability and business growth of the organization.

5.0 Proposed Approach

In line with the above, IS Auditor is required to perform gap analysis of the business requirements and current functions available in MIS and FIS applications. Validation of business system controls in the MIS and FIS applications, covering documentation, transaction origination, input and output controls, processing controls, and most importantly, the accuracy of system-generated reports. In addition, the IS Auditor must analyze business process risks and controls based on an understanding of planned or implemented controls and identified control gaps.

The ICT Systems auditor is expected to adopt a risk-based approach to making an audit plan

The detailed approach will be as follows:

5.1 Desk review: This will include reviewing of the existing systems vis-à-vis the internal control systems based on Act!’s core functions across the organization. The consultant will review Act!s operating environment for better understanding which will include it’s strategies, key functional components & policies and consultations with the various key functions. Any gaps identified will inform the audit.

5.2 Reporting: The consultant will develop a detailed report with findings and recommendations. The report should also include an appendix section in which the recommendations are expounded with corresponding implementable actions for management.

6.0 Reporting and Supervision

Successful consultant(s) will be under the overall supervision of the Act!’s Operations Lead supported by the ICT personnel in charge. The deliverables will be assessed against the provisions of this scope of work set for the assignment.

7.0 Expected Deliverables

The final report on the information systems audit will have the following key sections:

7.1 An Inception report to be developed within 7 days of commencing the assignment.

7.2 Executive summary.

7.3 Methodology.

7.4 Findings from the Information Systems Audit.

7.5 Recommendations and strategies for improved/innovative ICT systems and ICT Policy in-line with Act!’s operating environment.

7.6 PowerPoint presentations on the ICT Audit findings & recommendations.

7.7 Appendices: (Implementation Plan/Action Plan).

Duration of Assessment

The assignment is expected to take 20 days from the date of signing the contract.

9.0 Key Qualifications of the ICT Consultant/Firm

The proposed team or experts must be made up of persons with professional experience and academic qualifications no less than the following:

• A degree in information technology/computer information systems or related. (essential).
• Master’s degree in ICT related field is preferred.
• Member ISACA in good standing.
• Professional qualification in IT Security; Certified Information Systems Auditor (CISA).
• 10 years’ experience in Governance and control work-related environment of which 5 years should be at a leadership level in external/internal audit managing ICT audits.
• Clear understanding of IT audit methodologies