Internal Audit Services

The Vendor is required to provide outsourced internal audit services to be carried out over the next four years, 2027-2030.
- Requirement:
1. Strategic and annual audit planning
• Strategic risk based audit plan (RBAP): developing two-year strategic internal audit plan based on a comprehensive assessment of the organization's critical risk areas, current operations, and risk management strategy.
• Annual internal audit plan (IAP): formulating a detailed annual plan that identifies specific audit projects for the year, allocates necessary resources, budgets and sets anticipated commencement and completion dates.
• Framework and charter development: creating or reviewing the internal audit framework and the internal audit charter bi-annually to ensure alignment with organizational goals and global audit standards.
• Pre-audit preparation: meeting with management to agree upon schedules, audit scope, information requirements, and project deadlines as needed.
2. Execution of assurance and audit services
• Compliance audits: independently evaluating whether the organization adheres to external laws, regulations, and internal policies, and identifying any compliance gaps or violations.
• Operational audits: examining day-to-day operating activities to assess process efficiency, resource utilization, and risk mitigation effectiveness.
• Financial and it audits: reviewing the reliability and integrity of financial and operating data, including cash receipts, payroll processes, system access, data integrity, and it cybersecurity frameworks.
• Governance and internal controls review: testing and verifying that the organization’s risk management and internal controls are functioning as intended to safeguard assets and ensure accurate reporting.
3. Reporting and communication
• Audit reports: preparing and issuing formal written reports at the conclusion of each engagement.
• These reports contain findings, observations on internal controls, and actionable recommendations for remediation.
• Management letters: providing a post-audit management letter that details specific system deficiencies, areas of weakness, and includes management's responses and action plans.
• Presentations to governing bodies: regularly presenting audit progress, risk categorizations, and systemic issues to the audit and risk committee, board of directors, and senior management.
4. Monitoring and follow-up
• Action tracking: providing periodic (twice per year) reports to the audit committee monitoring the status of corrective actions and recommendations issued in past internal and external audit reports.
• Annual internal audit report to audit committee: providing an annual summary of internal audit activities to the audit committee as well as preliminary plans for coming year.
5. Advisory, consulting, and quality assurance
• Ad-hoc advisory services (as needed): offering guidance to management on the design and implementation of new policies, processes, and internal controls without assuming management responsibilities.
• Ad-hoc fraud and investigations (as needed): overseeing investigations into suspected fraudulent or corrupt activities and identifying indicators of fraud through control weakness analysis.
• Quality assurance and improvement program (QAIP): maintaining a program that includes internal and external assessments to evaluate the internal audit function's efficiency and strict conformance with global internal audit standards.
• Independence assurances: providing written declarations, at least annually, confirming the internal audit team's independence and objectivity.