Specifications include, but are not limited to: provide information technology (IT) internal audit services to perform its internal IT audit risk assessment process and execute IT internal audits, consulting projects and other engagements. ; 3.1 Perform an annual internal audit IT risk assessment under the direction of MD Anderson's Vice President and Chief Audit Officer or designee. This risk assessment will then be used to identify high and critical risk areas, upon which potential audits will be based. 3.2 Identify and propose potential IT internal audits and other advisory/consulting projects based upon the annual risk assessment, available hours, financial budget, and the results of the risk assessment performed each fiscal year. ; Report on results and conclusions in mutually agreed upon formats, including interim status updates and final reporting/presentations for each project. An audit report is the expected deliverable, and should meet the Standard.