The vendor is required to provide IT audit services. The State Department of Fire Programs is seeking a qualified candidate/firm to act as an internal auditor with the ability to perform IT audits in accordance with the Commonwealth of State (COV) Information Security Audit Standard (SEC502) and Generally Accepted Government Auditing Standards (GAGAS, the Yellow Book).
-Scope of work:
•Conduct information security audits consistent with SEC502.
•Analyze and review sensitive system information security controls as defined in the COV Information Security Standards.
•The agency will require up to six SEC502 audits to be conducted over 3 years, as SEC502 requires sensitive systems to be audited at least once every three years.
Current systems designated as sensitive include:
  o SaaS (software as a service) - LMS/training application
  o SaaS - online testing application
  o SaaS - social media aggregation application
  o SaaS - image management application
  o SaaS - financial management application to assist with internal agency operations
  o SaaS - social media archiving application
•An understanding of the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 - Recommended Security Controls for Federal Information Systems and Organizations.
•Provide the State Department of Fire Programs with an audit report that includes all findings associated with each sensitive system information technology audit.
-Contract Period/Term: 1 year