THECB will issue work by Work Orders (i.e., Project Plan Template as referenced in Attachment E), as needed. All Work Orders shall be in writing, signed by both parties, and shall include a scope of services, list of tasks to be performed, a time schedule, a list of deliverables, and such other information or special conditions as may be necessary for the work requested. THECB makes no guarantee of volume, usage, or total consumption to be paid to the successful Respondent under this awarded Contract, if any, resulting from this Solicitation. IT audit and advisory engagements may consider a wide variety of objectives, such as evaluating IT general controls, evaluating information technology general controls (e.g., access, security, physical controls, service/support processes, change management, etc.), assessing application controls, and reviewing IT project processes (e.g., planning, acquisition, implementation, post-implementation), evaluating cybersecurity incident response, privacy incident response, portable and remote computing, etc. in accordance with applicable laws, regulations, contract provisions, and best practices (e.g., NIST, Cybersecurity framework, Texas Cybersecurity Framework, and COBIT). The IT audits shall consist of an objective and systematic examination of evidence to provide an independent assessment of the performance and management of a program or function against objective criteria. The audit findings, conclusions, and recommendations will be summarized in a final report consistent and acceptable to THECB IA’s standards. Upon request, THECB IA will be provided with working papers to support the findings, conclusions, and recommendations contained within the report. Presentations to the THECB Board or agency management may be requested.
