Internal IT Audit Support Services

The Vendor is required to provide technical IT audit support services.
- This engagement is intended to complement the university's Internal Audit activities by bringing specialized expertise in information technology systems, networks, databases, cloud services (SaaS, PaaS, and IaaS), cybersecurity, and infrastructure controls.
- Several IT audits are scheduled for the upcoming year, including:
•    Device Management – Assessing security controls for devices connected to the OU network, covering both university-managed devices and personal devices used by students and employees in the distributed environment.
•    Information Security – Evaluating security controls related to applications and data repositories across the OU environment.
•    Additional IT Audit (Tentative) – An additional audit may be conducted depending on available remaining budget.
- These audits will be conducted through a co-sourced model, with the co-source provider leading the majority of the execution. 
- Each audit will follow a risk-based approach, focusing on the top three to four key risks identified during the planning phase. 
- The audits are expected to be completed within four to six weeks: approximately two to three weeks of part-time work followed by three to four weeks of full-time effort.
- The co-source provider will take primary responsibility:
•    Identifying key risks and controls, including developing the Risk and Control Matrix
•    Designing and developing the audit program
•    Executing the audit program
•    Presenting audit observations to the client for feedback
•    Summarizing findings and providing a risk assessment
•    Conducting the initial review of staff work papers
•    Documenting the audit work products for retention by the operating unit (OU)
- OU Internal Audit will be responsible:
•    Communicating with clients regarding audit timing, deliverables, and key milestones
•    Coordinating system and facility access for the co-source provider and establishing a data repository area
•    Drafting the audit report and engaging key stakeholders for feedback
•    Finalizing the report content in alignment with the client, including client responses and distribution
•    Performing the final review of work papers
•    Conducting follow-up on audit findings
- IT audit support may be provided through a staff augmentation arrangement to assess application and hardware controls in both central and distributed environments.

- Contract Period/Term: 1 year
- Questions/Inquires Deadline: July 31, 2025