Enterprise Risk Management and Internal Audit Services

The Vendor is required to provide for enterprise risk management and internal audit services.
- This engagement represents the Trust’s firstever, organization-wide Enterprise Risk Management exercise.
- Consultant to partner with us in building that foundation: identifying and documenting organization-wide risks, establishing our risk tolerance, strengthening internal controls, and ultimately developing and executing a risk-based Internal Audit Plan.
- The Trust is in the process of building out an integrated program to deliver on all four of our strategic capabilities which are Capital Project Delivery, Financing, Resident Partnerships, and Oversight and Asset Management.
- The engagement is structured in four distinct phases spanning approximately twelve (12) months, and is designed to culminate in an approved, risk-based Internal Audit Plan and the initial execution of high-priority audits, followed by corrective action implementation and a framework for annual Enterprise Risk Assessment refresh cycles.
- This engagement will complement the project-level analysis and mitigation.
- The ERM phase, the Consultant will work collaboratively with and report progress and findings directly to Executive Management. Upon commencement of Internal Audit services, the Consultant shall operate with independence from management and report directly to the Audit Committee, consistent with internal audit best practices and applicable governance standards.
- The Not-to-Exceed amount for the first six (6) months of the engagement—encompassing all ERM activities and the development of the Internal Audit Plan through its presentation to the Audit Committee and Board of Trustees—shall be $200,000.
- Conduct an organizational assessment to understand the Trust's mission, strategic objectives, governance structure, staffing, and operational environment.
- Engage Executive Management and key staff through structured interviews, workshops, and document review to elicit an understanding of the Trust's risk environment and appetite.
- Review and analyze all existing capital project-level Risk Registers previously developed. Determine the extent to which identified project risks have organization-wide implications, assess the degree of overlap between project-level risks and enterprise risks, and document the interdependencies and risk correlations that the enterprise Risk Register should reflect.
- Document the Trust's risk tolerance and risk appetite in each identified scope area, reflecting both qualitative and quantitative thresholds where applicable.
- Evaluate the adequacy and design of existing internal controls relevant to identified risk areas, and provide recommendations to strengthen, create, or modify internal controls to address gaps or deficiencies.
- Develop a comprehensive, risk-based Internal Audit Plan that sets forth the strategy, objectives, scope, resource requirements, and estimated timeline for conducting internal audits. The Plan shall address, at a minimum, the highest-risk areas identified in the Risk Register.
- Refine the Internal Audit Plan as necessary to incorporate feedback from the Audit Committee and/or Board of Trustees prior to execution.