Specifications include, but are not limited to: T audit consulting services pertaining to a cybersecurity business process audit and an IT vulnerabilities process audit and assessment, both to be combined into one audit engagement. The selected service provider must provide a risk assessment for both process, an audit program, work plan, fair and balanced audit results (both positive and constructive), and an audit engagement report that lists all audit findings, recommendations, and management responses (listed in Attachment A) that meet all Information Systems Audit and Control Association (ISACA), Institute of Internal Auditors’ (IIA), Association of Certified Fraud Examiners (ACFE), and American Institute of Certified Public Accountants (AICPA) standards and guidelines, as well as all applicable laws and regulations (federal, state, and local). The selected provider must also produce and provide Internal Audit with regular written updates, audit findings and recommendations, and any observations made pertaining to the audit engagement and those that would fall outside the scope of the audit and would require follow-up by Internal Audit. All of this must be provided to Internal Audit prior to engaging with the process owners, unless otherwise directed by Internal Audit
