Specifications include, but are not limited to:

1. Risk Assessments

The Consultant shall conduct an annual Risk Assessment for a three-year period that will cover the years 2017, 2018, and 2019. For the current year, 2017, the Consultant shall conduct both an enterprise-wide and fraud risk assessment (“Risk Assessment”). The Risk Assessment shall identify both internal and external risks that prevent Metra from achieving its mission and objectives. The Risk Assessment shall review, identify, and analyze the effectiveness of, or gaps in, current internal controls, processes and procedures, current practices, technology and data management, and other pertinent risks to the agency. In addition, the Consultant shall conduct an analysis of Metra’s ability to properly address, prevent, and detect fraudulent activities throughout the agency. For the following years, 2018 and 2019, the Consultant will only be required to conduct an enterprise-wide risk assessment and update the existing Audit Plan accordingly.

2. Audit Plan

Based on the results of the current year’s Risk Assessment, the Consultant shall develop and provide a three-year audit plan that addresses the specific risk areas identified in the Risk Assessment. At a minimum, the Audit Plan shall include the following:

• Yearly proposed audit activities
• Proposed objective and scope for each audit activity
• Estimated resources required and the skills needed to perform each proposed audit activity
• Identification of which Metra User Departments are required to be involved in each audit activity and their potential roles and responsibilities

After the initial Audit Plan is created in the current year, the Audit Plan should be updated to include each succeeding year’s Risk Assessment results.

3. Qualifications

The Consultant shall meet the minimum qualification requirements to be eligible for contract award.
The minimum qualification requirements are:

• Principal (Lead)
  o Must be a Certified Public Accountant (State of Illinois)
  o Must have at least five (5) years of experience conducting and leading risk assessment engagements
  o Must have at least five (5) years of experience interacting with senior-level management and Board of Directors
  o Must have at least five (5) years of experience conducting risk assessments for public sector entities
• Staff
  o Must have at least one (1) year of experience conducting risk assessments
  o One (1) or more years of experience in providing consulting services; public sector experience preferred
  o One or more applicable certifications preferred: Certified Public Accountant (CPA), Certified Internal Auditor (CIA), Certified Fraud Examiner (CFE), Certified Information Systems Auditor (CISA), Certified Business Continuity Professional (CBCP)