Audit Management System

The Vendor is required to provide for an audit management system for use by the office.
- Services include:
•    The system shall store and manage audit related documents and evidence, providing version control and access permissions.
•    The system shall provide workflow for control design, implementation, review, and approval.
•    The system shall provide templates for Objectives, Risks, Controls that support the use of multiple financial auditing frameworks (ex.,  Institute for Internal Auditing (IIA) Red Book and US Government Accountability Office (GAO) Yellow Book)
•    The system shall provide templates which allow user to document controls, including control objectives, descriptions, and associated risks.
•    The system shall enable categorization of control by type (ex. Preventive, detective, corrective) and by domain (ex. Financial, operational, IT)
•    The system shall allow for automatic updates of controls when the versions change.
•    The system shall maintain historical versions of controls.
•    The system shall allow the user to create audit plans/universal risk assessment based on a business process, software system, or functional area.
•    The system shall allow the use of universal risk assessments to determine type and frequency of audits.
•    The system shall provide a risk registry that will be used to identify, assess, and document risks.
•    The system shall support the documentation and tracking of risk incidents, including root cause analysis and resolution.
•    The system shall provide templates and checklists for documenting audit findings and evidence.
•    The system shall provide customizable online questionnaires.
•    The system shall allow mapping of controls to risks, processes, and compliance requirements to support the evaluation of controls based on control policy and operations effectiveness.
•    The system shall provide tools for evaluating, assessing, and scoring risks based on predefined criteria (ex., impact, likelihood) where risk is defined as possibility of incident and severity of results.
•    The system must generate customizable audit reports built on risks and findings. 
•    The system shall provide reports showing the effectiveness of control performance and compliance.
•    The system shall automate audit workflows, including task assignments an approval processes.
•    The system shall allow user to customize review and report approval workflows based type of audit being conducted.
•    The system should allow for customizable work flows based on the type of audit being conducted.
•    The system shall allow users to create and manage audit plans, including scheduling and assigning audit tasks.
•    The system shall provide the user the ability to track time based on the type of work that is being completed (in predefined time increments) .
•    The system shall document and track audit findings, issues and recommendations, and monitor the status of corrective actions.
•    System must allow users to view all the audit activities, statuses and final results per audit.
•    The system shall provide dashboards to monitor control performance and compliance.
•    The system must provide configurable notifications and alerts to inform users of important events and deadlines.
•    The system shall send automated email notifications and alerts to auditors and auditees when audits are scheduled.
•    The system shall send automated notifications on audit/task status when deadline has passed.
•    The system shall allow users to refer to previously created audits to allow cross reference in documents
•    System allow information to be searchable by audit, client, processes and keyword-less search
•    The system shall allow users to import data from SAP into the software solution.
•    The system shall allow the ability to upload attachments in the different formats to be able to review them at a later time
•    The system shall maintain version history for audit reports, including changes and approvals.
•    The system shall maintain version history for controls, including changes and approvals.
•    The system shall support version control for control standards, tracking changes and allowing rollback to previous versions if necessary.
•    The system should be able to pull information from Cybersecurity Infrastructure and Security Agency (CISA) Known Exploited Vulnerabilities database via integration or API
•    The system shall allow the reviews to be assignable to software systems within the Client Universe and can be linked to more than one department or business process
•    The system shall have a dashboard that allows linkage between defined data points including test results, compliance with frameworks and from external systems 
•    The system shall integrate with other enterprise systems (ex., ERP, GRC, and financial systems) to pull relevant data and automate control monitoring.
•    The system should be configurable to allow it to be connected to an API.
•    The system must be able to store and process customer defined data 
•    They system shall allow the ability to set schedule based on annual, cyclical requirements
•    They system shall allow the ability to generate reports off of pre-selected options.