Procurement Opportunity: Information Technology Needs Assessment (IT Audit)


Deadline: July 30, 2023, 6 pm EDT

1. Introduction

This document sets forth the Terms of Reference (ToR) on which the Disability Rights Fund (DRF, the organization) and the Disability Rights Advocacy Fund (DRAF) propose to engage a contractor to perform an assessment of the organization’s information technology (IT) needs, with a view to assessing progress and determining specific actions for improvement.

DRF and DRAF are sister organizations. They operate as grant-makers supporting persons with disabilities in the developing world to advance legal frameworks to realize their rights. The scope of the assessment encompasses both the DRF and the DRAF. For the purposes of this ToR, DRF and DRAF are collectively referred to as “DRF”.

These ToR will become an integral part of the contract concluded between DRF and the selected contractor.

2. Background information

The Disability Rights Fund is a grantmaking collaborative between donors and the global disability rights community that provides financial and technical resources to organizations of persons with disabilities to advocate for equal rights and full participation in society.

Since 2008, DRF and its sister organization, the Disability Rights Advocacy Fund (DRAF), have funded organizations of persons with disabilities (OPDs) across the developing world – primarily in Africa, Asia, the Pacific Islands, and the Caribbean – to participate in ratification, implementation, and monitoring of the Convention on the Rights of Persons with Disabilities (CRPD).

Through grantmaking, advocacy, and technical assistance, our funds support OPDs to use global rights and development frameworks, such as the CRPD and the Sustainable Development Goals (SDGs), in their work, ensuring no one is left behind.

As a pooled fund, the Disability Rights Fund:

  • Combines the resources of multiple governmental, private, and public donors.
  • Enables donors to harmonize their efforts towards disability-inclusive funding.
  • Reaches grassroots, marginalized, and high-risk organizations that larger donors cannot reach.
  • Facilitates feedback about donor investments in this neglected area of human rights and development.
  • Demonstrates results of disability-inclusive development.

For more information on DRF, follow this link: https://disabilityrightsfund.org/more-drf-info/

3. Objectives of the assessment

The overall purpose of the assessment is to support DRF’s IT transformation and modernization, in line with the current and expected needs of the organization and its stakeholders, focusing on DRF’s IT infrastructure, policies, and operations, as well as on recommendations for action. The contractor will verify how the systems meet or don’t meet the objectives of the organization and will recommend measures to ensure that DRF’s IT environment is developed in accordance with generally accepted standards for systems development. 

The specific objectives of the IT audit are to:

  1. Evaluate the systems and processes in place that secure and manage company data.
  2. Determine risks to the DRF’s information assets and help identify methods to minimize those risks.
  3. Ensure information management processes are in compliance with the highest applicable laws, policies and standards on data protection and security.
  4. Determine inefficiencies in IT systems and associated management.
  5. Recommend specific measures to address the IT gaps with different degrees of urgency and timelines.

Tentatively, the IT audit shall address, but is not limited to, the following areas:

  1. IT system security policy
  2. IT security functions, including cyber and data security management
  3. IT organization
  4. Authorization of IT functions (i.e. developers, system administrators, etc.)
  5. IT and associated technologies risk management
  6. Data classification
  7. Logical access control and its management
  8. Network and remote access controls of the IT system
  9. Cryptographic key management
  10. IT property management
  11. Operational and system record management
  12. Data backup management
  13. Service providers’ relations management
  14. Equipment suppliers’ relations management
  15. IT system development management and project management
  16. Physical security of primary and secondary location; secondary location assessment
  17. Password policy and configuration management
  18. Change management and Operations continuity planning
  19. IT systems disaster recovery plan for unplanned incidents; incident management
  20. Malicious code protection
  21. Internal policies, procedures and instructions
  22. IT and digital accessibility for persons with disabilities

3.1 Expected deliverables

The contractor is expected to review all DRF’s IT infrastructure, software in use, policies, and operations, as well as to engage in individual and/or team interviews with key staff to eventually issue:

  1. One (1) inception report (max. 2,000 words), including the assessment’s work plan.
  2. One (1) IT audit report (around 11,000-12,000 words) of DRF’s IT systems, identifying strengths, issues, and points for improvement. The report shall contain, at least:
    a. One (1) set of urgent actions to implement to ensure full compliance with IT-specific laws, policies, and standards, including sensitive data privacy and protection.
    b. One (1) set of recommendations to improve the organization’s IT environment, including but not limited to:
      i. Hardware and network.
      ii. Data security and protection.
      iii. IT applications and software in use, and data entry methods.
      iv. IT organization, roles, processes, and operations (coordination and interconnectivity, use of ERPs and/or other software, IT management and remote support, etc.).
      v. Accessibility for persons with disabilities.
      vi. Possible outsourcing of IT services.

The final versions of the deliverables will have to be produced in formats accessible to screen readers.

4. Minimum requirements for the contractor

The contractor must have:

  • A minimum of 7 years’ demonstrated experience in IT audit processes.
  • A minimum of 3 years’ demonstrated experience in digital and IT accessibility for persons with disabilities.

5. Assessment process and methodology

5.1 Preparatory phase

Kick-off meeting: The contractor shall contact DRF’s contact person (see below) as soon as possible and no later than seven (7) calendar days after the formal conclusion of the contracting procedure, to prepare the assessment, discuss the work steps, and agree on the timing for carrying out the work. No later than five (5) calendar days after the kick-off meeting, the contractor will provide DRF with the inception report and the work plan for the assessment.

Upon request, DRF will provide the contractor with:

  • A full list of available internal relevant documents for the audit.
  • Access to DRF’s IT tools and software.

5.2 Review phase

The audit must lead to:

  • Obtaining a sufficient understanding of the engagement context.
  • Performing a risk analysis, with particular regard to potential legal or fiscal compliance issues, if any.
  • Establishing a set of urgent action points and a set of recommendations.

5.3 Final report

The contractor will submit the draft final report to DRF by September 20th, 2023. By September 30th, 2023, DRF will submit comments and requests for amendments to the report, if any. No later than 10 working days after receiving the comments, the contractor will submit the final report to DRF.

The final report format shall reflect the above-mentioned deliverables, points 2 to 4f (see par. “Expected deliverables”, page 3).

Following the presentation of the final report, a debriefing meeting will be organized with the relevant DRF staff and, possibly, the Board of Directors.

6. Duration of the assignment and expected schedule for the deliverables

The assignment is expected to require 30 working days beginning on the day of the signature of the contract:

Deliverable | Deadline
----------- | --------
Synthetic inception report and work plan | 7 calendar days after the contract is signed
1st draft report, containing the three sections indicated above | By September 20th, 2023. DRF will submit comments and requests for amendments, if any, by September 30th, 2023
Final report, containing the three sections indicated above and responding to DRF’s comments and requests for amendments, if any | No later than 10 working days after receiving DRF’s comments

7. Consultancy fees

The maximum budget for the IT audit is 18,000 US Dollars. The payment schedule is as follows:

Deliverable | Payment
----------- | -------
Synthetic inception report and work plan | 10%
1st draft report, containing the three sections indicated above | 30%
Final report, containing the three sections indicated above and responding to DRF’s comments and requests for amendments, if any | 60%

8. Governance and support from DRF

The contractor will provide the above services and will give progress updates upon DRF’s request. At the beginning of the assignment, a focal point will be designated within DRF management to serve as the assessment lead and will work with the contractor.

DRF will ensure the timely submission of relevant materials for assessment and guidance to the contractor.

9. Evaluation and qualification criteria

In addition to complying with the mandatory requirements, the proposals received will be assessed against the following criteria, according to the grid below:

Criteria | Assessment | Percentage
-------- | ---------- | ----------
Prerequisite | Meeting of the minimum requirements: please refer to par. 4, “Minimum requirements for the contractor”. | –
Financial offer | Formula: Points = MPs x (Tfo/Lvo), where Points = points given to the tenderer’s financial offer; MPs = maximum value attributed to the financial offer; Tfo = tenderer’s financial offer; Lvo = lowest valid offer | 20%
Technical proposal | Evaluation by the advisory committee on a scale from 0 (minimum score) to 50 (maximum score) | 50%
Experience in IT audits, additional to the minimum requirement | 2 points per demonstrated year of experience, up to a maximum of 10 points | 10%
The applicant is a member of the Information Systems Audit and Control Association (ISACA) | Yes: 10 points; No: 0 points | 10%
The applicant possesses one or several of the following certifications: Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); Certified in the Governance of Enterprise IT (CGEIT); Certified Information Systems Security Professional (CISSP); Certified in Risk and Information Systems Control (CRISC) | 2 points per certification, up to a maximum of 10 points | 10%

10. Process for Interested Parties

Interested parties shall submit:

  • Curricula Vitae of the team members.
  • A synthetic technical proposal outlining the assessment (max. 5 pages).
  • All pieces of evidence to demonstrate compliance with the minimum requirements and additional assessment criteria listed above.

All documents shall be submitted in English by email only to procurement@disabilityrightsfund.org by July 30th, 2023 at 6:00 pm Boston time (ET). All inquiries on the selection process shall be submitted to the same email address.

11. Additional information

Interested parties must comply with the proposal requirements described in this ToR in order for DRF to fully and properly evaluate each proposal. DRF reserves the right to reject any proposal that is not in compliance with the ToR, including without limitation any proposal that is incomplete, is conditional, or contains irregularities of any kind; provided, however, that DRF also reserves the right to waive any such non-compliance.

Before submitting a proposal, interested parties must thoroughly examine the ToR and familiarize themselves with applicable laws and regulations and any other circumstances or conditions that may affect the cost or performance of the requested services. Failure to become familiar with the ToR will not relieve the proposer from any obligation with respect to its proposal or any contract that may be entered into with DRF. The submission of a proposal will constitute a representation by the bidder that it understands and has complied with every requirement of the ToR.

DRF reserves the right to amend the ToR at any time. Any amendments to the ToR will be issued through written addenda. DRF will provide copies of each addendum to all interested parties who, according to DRF’s records, received the ToR. Addenda will be sent via e-mail to the e-mail address provided by the bidder. Any addenda so issued will become part of the ToR. Each bidder is responsible for determining that it has received all addenda issued, and failure of a bidder to receive an addendum will not relieve such proposer from any obligation under its proposal as submitted or any contract subsequently entered into with DRF.

Any clarifications or interpretations and any supplemental instructions or forms, if issued, will be issued in the form of written addenda prior to the deadline for submitting proposals. Oral clarifications, interpretations, instructions, or other communications will be of no effect. DRF will not be responsible for, and a proposer may not rely upon, any information, explanation, or interpretation of the ToR rendered in any fashion except as provided herein.

The ToR is not binding on DRF. DRF reserves the right to amend or withdraw the ToR at any time in its sole discretion before the execution of a contract. In such event, DRF will not be liable to any bidder for any costs incurred by it as a result of the amendment or withdrawal of the ToR. The ToR has been prepared solely to solicit proposals and is not a contract offer. The only document that will be binding on DRF is the contract duly executed by DRF and the selected service provider after the completion of the selection process and the award and negotiation of the contract.

Time is of the essence in submitting proposals. Interested parties are cautioned to allow ample time to prepare and transmit their proposals. All portions of and attachments to any proposal must be received by the proposal deadline.

Any proposal may be withdrawn by the bidder or its duly authorized representative by written notice received prior to the proposal deadline by DRF at the address specified above for receipt of proposals.

At any time prior to the proposal deadline, a bidder may submit an amendment to a proposal previously submitted. Any such amendment must be submitted in writing in the same manner as the original proposal. DRF reserves the right to disregard any amendment submitted that does not indicate clearly and precisely the proposed modifications to the original proposal.

DRF reserves the right to reject any or all proposals if it determines that such action is in the best interests of DRF.