Appointment of a Service Provider - National Library

Returnable Documents:

4.1. INTERNAL AUDIT RISK AND COMPLIANCE MANAGEMENT Internal Audit Features: • The software should provide capabilities that allow Internal Audit to plan and allocate its projects and resources at the beginning of each financial year in line with the approved internal Audit plan. • The software should have audit documentation templates/capabilities that allow for documentation of audit projects from planning, fieldwork through to reporting. • The software should provide report generation capabilities that allow Internal Audit to generate an Audit report from the working papers completed on the tool during fieldwork. • The software should have Audit finding tracking capabilities that allow both Internal Audit and the business process owners who own the findings visibility on such findings. • The software should provide for adequate segregation of uses within the system, e.g., work paper preparers, reviewers at various levels (audit supervisor, audit manager etc.), administrators etc. • The software should have backup and storage capabilities that allow it to consistently backup data to enable recovery in the event of a disruption. • The software should have the capability of allowing more than one auditor to work on the same project at the same time. • The software should include dashboards for real-time reporting and stakeholder communication. • The software must be able to facilitate continuous monitoring and a data-driven approach to audit processes. • The software should incorporate built-in functionality to run data analytics to provide deeper insights and anomaly detection. • The software should include dashboards for real-time reporting and stakeholder communication. • The software must be able to facilitate continuous monitoring and a data-driven approach to audit processes. • Integration with compliance processes for Combined Assurance visibility Risk Management Features • Adequate risk analysis and dashboards (e.g., heatmaps, age analysis, escalation of overdue mitigations). • Capability to map risks to the lines of defence in line with the Combined Assurance Model. • Support for multiple levels of risk assessments: Strategic, Operational, and Project. of 15 • Determination and monitoring of risk appetite and tolerance levels. • Reminders and escalations to line management for due actions and mitigations. • Integration of risk management with Internal Audit and Compliance Management for a combined assurance view. • Automated risk scoring and prioritization based on likelihood, impact, and control effectiveness. • Trend analysis and historical risk reporting to identify emerging risks over time. • Real-time notifications and alerts for new, modified, or critical risks. • Capability to link risks to organizational objectives, KPIs, and strategic initiatives for performance monitoring. Compliance Management Features • Import and maintenance of legislation from third-party compliance content providers. • Capture and classification of internal policies, procedures, and provisions. • Categorisation of acts and regulations as core, secondary, or topical. • Risk-based prioritisation using probability and seriousness ratings. • Real-time compliance tracking and continuous self-assessments by business owners. • Issue and action-plan tracking with automated reminders. • Registers for non-compliance incidents, losses, conflicts of interest, gifts, and complaints. • Early-warning alerts for overdue or high-risk items. • Compliance dashboards and reports by act, provision, or responsible unit. • Capability to perform internal compliance audits and generate compliance ratings. • Integration with risk and audit modules for combined assurance visibility. of 15

Project Governance Detailed project plan, including milestones, deliverables, and timelines. Roles and responsibilities of the implementation team. Reporting and communication mechanisms with NLSA project stakeholders. Installation and Configuration Step-by-step process for installation of the software. Configuration plan to align the tool with NLSA’s audit, risk, and compliance workflows. Data migration strategy, if applicable, including validation and reconciliation steps. User Onboarding and Training Approach for onboarding NLSA users, including administrators and key stakeholders. Training plan and materials for five (5) users, covering all modules: Internal Audit, Risk Management, and Compliance. Support for training evaluation and feedback. System Testing and Commissioning Plan for functional testing, integration testing, and user acceptance testing (UAT). Issue resolution and mitigation approach. System go-live checklist and commissioning activities. Post-Implementation Support Ongoing maintenance and support model, including online support. Service Level Agreement (SLA) commitments. Process for software upgrades, security patches, and continuous improvement. TOTAL POINTS 100 Minimum points to pass this evaluation stage 70 8.3.2 Second Stage: Demonstration Demonstration of the Software or Tool Bidders that meet the minimum threshold as per stage 1 evaluation will be invited to conduct a demonstration of the proposed Software/Tool. The demonstration must clearly show how the solution meets the functional and technical requirements outlined in this Terms of Reference, including but not limited to the user requirements listed in the table below. of 15 The demonstration should refer directly to these requirements and illustrate the Software/Tool’s capabilities, features, workflows, configuration options, and relevant integrations. The bidder may refer to the method of demonstration outlined below, which may be conducted physically or via Microsoft Teams, as determined by the Bid Evaluation Committee (BEC). INTERNAL AUDIT DEMONSTRATION FEATURES Yes No 1 The Software/ Tool must be cloud based or has capabilities to be hosted in the cloud. 2 The Software/ Tool should enable Internal Audit to allocate or assign employees to a specific audit as well as the total hours allocated to the project. 3 The Software/ Tool should have audit documentation templates/capabilities that allow for documentation of audit projects from planning, fieldwork through to reporting. At a minimum the tool should provide templates for the following: Planning: working paper templates that enable the auditor to document system description, audit risks, audit objectives, controls, audit procedures including resource planning (team allocation and project hours). Fieldwork: working paper templates that enable the auditor to document audit results as well as conclusion. Exception/Finding creation capability: The tool should have capability to create audit exceptions/findings and hyperlink/reference them to the relevant working papers containing audit results and conclusion. The exception/finding should contain the criteria/ standard, finding, root cause, impact/risk, recommendation, management comments/Agreed action plans and actions dates 4 The Software/ Tool should have audit finding tracking capabilities that allow both Internal Audit and the business process owners who own the findings visibility on such findings. Moreover, business units should be able to update status update and attached evidence for resolved findings. 5 The Software/ Tool should provide for adequate segregation of users within the system, e.g. work paper preparers, reviewers at various levels (Internal Audit specialist (supervisor), Head/ Senior Manager reviews, etc.). 6 Compliance Management module: dashboards, CRMP, issue tracking, legislation and policy management integrated with audit and risk. RISK AND COMPLIANCE MANAGEMENT DEMONSTRATION FEATURES Yes No 7 The Software/ Tool should provide for adequate risk analysis and dashboards (e.g. heatmaps and age analysis of overdue findings) 8 The Software/ Tool should provide for adequate capability to map the risks to the lines of defence in line with Combined Assurance Model of 15 9 The Software/ Tool should integrate and generate a report on risks, strategic objective, Organizational Performance (KPI) 10 The Software/ Tool should provide for reminders and escalation to line management when the actions items and mitigations become due 11 The Software/ Tool should provide for levels of risk assessments i.e. Strategic Risk Assessments, Operations Risk Assessments and Project Risk Assessments 12 The Software/ Tool should provide for determination and monitoring of risks appetite and tolerance levels 13 Risk Module integration with audit and compliance for combined assurance 14 Automated risk scoring and prioritization 15 Trend analysis and historical reporting 16 Real-time alerts for new/critical risks 17 Linking risks to objectives and KPIs Yes No SECURITY REQUIREMENTS DEMONSTRATION FEATURES Access The Software/ Tool must have a capability to provide the following management • Authentication of users through user name and password before a user is granted access to the system. Enforce standard access control principles such as segregation of duties, role-based access control based on least privilege and need to know principle. Audit The Software/ Tool must enable the logging of the following capabilities activities undertaken by users and systems at a minimum: Working paper sign offs; User last logins. Audit Tool The Software/ Tool should have a capability of being hosted on Hosting cloud on either of the following platforms: Microsoft Azure If the service provider prefers own hosting, the service provider must bear the cost of self-hosting. Session It is important to have a stringent mechanism that accurately Management identifies each user. This ensures that every action they undertake is directly linked to their profile/user. This is to safeguard both user integrity and system security. 8.3.3 Stage 3: Price Evaluation Preference Point System In terms of Regulation 5 of the Preferential Procurement Regulations of 2022/23, Gazette Number 47452 dated 4 November 2022 pertaining to the Preferential Procurement Policy Framework Act, 2000 (Act 5 of of 15 2000), responsive bids will be adjudicated by the State on the 80/20-preference point in terms of which points are awarded to bidders based on: - The bid price (maximum 80 points) Specific Goals (maximum of 20 points): The following formula will be used to calculate the points out of 80 for price in respect of an invitation for a tender, inclusive of all applicable taxes. Specific Goals (maximum of 20 points): - Company Ownership: Companies with 100% black ownership will receive 20 points. Companies with less than 100% black ownership will receive 10 points. NB . Submit certified sworn affidavit or BEE certificate as evidence. Item Pricing Component Description / Notes Year 1 Year 2 Year 3 No. (Price (Price (Price Unit) Unit) Unit) 1 Software Licensing Costs Covers Internal Audit, Risk, and Compliance modules. 2 Implementation and Includes all work related to Configuration Costs installing and configuring the software for NLSA. 3 User Training Costs Training for a minimum of 5 users across all relevant modules. Support and Maintenance Annual support fees, SLA Costs commitments, and ongoing maintenance. Hosting Costs Costs if bidder proposes self- hosting instead of Microsoft Azure. 8 TOTAL (VAT Inclusive) of 15