OSC is seeking qualified Proposers to conduct an independent audit of the annual financial statements of the State for each of the five fiscal years ending March 31, 2026, 2027, 2028, 2029, and 2030 (see Section 5.2, below) and of eMedNY (see Section 5.3, below). Each examination that is part of this engagement is to be conducted in accordance with GAGAS. The audit should be planned so as to preclude the necessity for an exception arising from scope limitations and should include: i) the issuance of a report on the State’s internal control over financial reporting (see below, Section 5.4.A (The Report on Internal Control)); ii) a report on compliance with applicable State and/or Federal laws and regulations, contracts, and grant agreements; and iii) instances of fraud, if any (see below, Section 5.4.B (The Compliance Report)). Such audits shall not, however, include a review of economy and efficiency or program results. The scope of the audit, as detailed in a formal audit plan to be submitted after the award of a contract, must conform with and accomplish the objectives of this RFP and any resulting contract, and satisfy the requirements of SFL or Code of Federal Regulations (“CFR”) (as applicable to the eMedNY audit). OSC may also require the Auditor to provide cybersecurity risk assessment services (as more fully detailed in Section 5.16, below) for one or more State agencies, as designated by OSC. If OSC determines a specific need for cybersecurity risk assessment services, OSC will develop a work plan with the Auditor that will include the statement of work, term of the assignment, anticipated hours and hourly rates of each staff title necessary to complete the assignment (as set forth in Attachment C), and the total not-to-exceed cost for the cybersecurity risk assessment. Such work plan will be incorporated into the contract by written amendment.
