Provision of Information Technology and Other Internal Auditing Services on an Annual Contract
Project Information
- Bid Title
- Provision of Information Technology and Other Internal Auditing Services on an Annual Contract
- Issuing Agency
- Gwinnett County
- Location
- Georgia
- Published Date
- Feb 27, 2026
- Closing Date
- Apr 7, 2026
- Government Level
- State & Local
- Status
- Closed
- Ref. #
- RP011-26 INV
- Original Source
- Join to Access Full Details
- Bid Inquiries
- Join to Access Full Details
- Bid Documents
- Join to Access Full Details
- Project Description
-
Provision of Information Technology and Other Internal Auditing Services on an Annual Contract
Buyer Contact : Dana.Garland@GwinnettCounty.com
Opening Date : 04/07/2026 03:00 PM EST
0
- Attachment Preview
-
RP011-26Page 1February 27, 2026REQUEST FOR PROPOSALRP011-26The Gwinnett County Board of Commissioners is soliciting competitive sealed proposals from qualified serviceproviders for the Provision of Information Technology and Other Internal Auditing Services on an AnnualContract with four (4) one-year options to renew for the Office of Internal Audit.Proposals must be returned in a sealed container marked on the outside with the Request for Proposal numberand Company Name. Proposals will be received until 2:50 P.M. local time on April 7, 2026 at the Gwinnett CountyFinancial Services - Purchasing Division – 2nd Floor, 75 Langley Drive, Lawrenceville, Georgia 30046. Any proposalreceived after this date and time will not be accepted.The proposal opening will be virtual ONLY. To access the proposal opening virtually, visit the following link:(https://gwinnettgov.webex.com/gwinnettgov/j.php?MTID=mcdf4e144a05d7be33039355e810e2d6d),or dial 408-418-9388 and enter Conference ID 23380634913##. A list of firms submitting proposals will beavailable the following business day on our website www.GwinnettCounty.com.Questions regarding proposals should be directed to Dana Garland, CPPB, FOI, NIGP-CPP, Purchasing Manager atDana.Garland@GwinnettCounty.com or by calling 770-822-8723, no later than March 19, 2026. Proposals arelegal and binding upon the vendor when submitted. One unbound single sided original, four (4) identical copies,and one digital copy on a flash drive should be submitted.Gwinnett County does not discriminate on the basis of disability in the admission or access to its programs oractivities. Any requests for reasonable accommodations required by individuals to fully participate in any openmeeting, program or activity of Gwinnett County Government should be directed to the ADA Coordinator at theGwinnett County Justice and Administration Center, 770-822-8165.The written proposal documents supersede any verbal or written prior communications between the parties.Selection criteria are outlined in the request for proposal documents. Gwinnett County reserves the right to rejectany or all proposals to waive technicalities and to make an award deemed in its best interest.Award notification will be posted after award on the County website, www.GwinnettCounty.com and companiessubmitting a proposal will be notified via email.We look forward to your proposal and appreciate your interest in Gwinnett County.Dana Garland, CPPB, FOII, NIGP-CPPPurchasing ManagerRP011-26Page 2I.INTRODUCTION AND BACKGROUNDGwinnett County Board of Commissioners (the County) is soliciting proposals from qualified service providers toprovide staff augmentation to the Office of Internal Audit (IA) for Information Technology (IT) audit and advisoryservices and other Internal Audit services as needed on an annual contract.IA is responsible for auditing the County’s various departments, offices, operations, and systems according to anannual audit plan that is approved by the Audit Committee each year. The 2026 audit plan is available on theCounty’s website under County Administration – Internal Audit. IA reserves the right to adjust or amend planswith Audit Committee approval for significant changes. As of January 2026, IA had 7 full-time positions, includingone that oversees and works closely with external staff to run the IT audit program. IA performed 14 engagementsin 2025. IA follows the Institute of Internal Auditors (IIA) Global Internal Auditing Standards (GIAS) in conductingaudit work and must demonstrate conformance with these standards.The County’s Department of Information Technology Services (ITS) maintains the County’s network and ownsmany of the County’s IT operations, working in tandem with departmental IT staff. As of January 2026, ITS hadapproximately 152 full-time and 20 part-time employees, and there were 240 applications in the businessapplication portfolio.The successful service provider will generally conduct IT audits that are generally guided by Center for InternetSecurity (CIS) standards, augmented by County-specific risks and considerations and other relevant frameworkssuch as the National Institute of Standards and Technology (NIST) framework. The IT audits consist of deep-dives of control areas such as the following examples:• Asset management• User access• Malware protection• Incident response• Disaster recovery• Administrative accounts and elevated privileges• Firewalls and perimeter defenses• Monitoring and logging• Security architecture and design• Vulnerability scanning and patch management• Application security• Software management• Helpdesk and project portfolio management• Vendor ManagementRisk assessments, planning, and test work will be conducted throughout the year. Audit fieldwork should becompleted according to schedules agreed-upon at the start of each audit. The successful service provider willprovide staffing continuity throughout the engagement to meet audit schedule deadlines. Service providers(“External staff”) will be required to:• Identify and document key controls specific to the County’s current state.• Develop custom, risk-based audit plans designed to provide valuable insight.• Develop test plans to evaluate the adequacy, design, and effectiveness of controls in place.• Maintain work papers to IA standards to support audit assessments and conclusions.• Provide actionable, effective recommendations based on evidence and root causes.• Consider best practices to offer practical, cost-effective improvements when applicable.• Use IA project management tools to store and manage audit work in a timely manner.• Provide a secure channel or virtual environment for communication with IA.• Collaborate with IA to perform risk assessments to prioritize audit work.• Follow IA guidelines and IT audit best practices.RP011-26Page 3• Collaborate with IA and support IA’s audit plan objectives.• Maintain high ethical, quality, and professional standards throughout engagements.• Provide experienced resources that require limited supervision and understanding audit methodology anddocumentationFor the purpose of assessing staff fit for this engagement (and estimating hours), service providers shouldassume that external staff will need to understand and document controls by working with County personnelrather than obtaining a clean listing of controls from existing documentation or prior audits. Service providersshould assume Governance, Risk, and Compliance (GRC) software is not available. Service providers shouldassume that external staff may not run automated scanning tools in the County’s IT environment. Serviceproviders should assume the use of Artificial Intelligence (AI) will not be permitted in conducting this work.Beyond the IT audit program, there may be times when IA needs staff augmentation to complete additionalinternal audits of County operations. This will depend on the County’s annual audit plan, risk assessment, andavailable resources, at IA discretion. It is important that the service providers have internal audit experience.II.SCOPE OF WORKIA reasonably expects the IT audit program to cover activities in three to four control areas in a typical year witha combined total that may exceed 70 controls. Based on prior experience, IA expects total hours to range fromapproximately 1,200 to 1,400 hours each year including any hours allocated for engagements beyond IT audit.This includes all resources/positions and all requirements described. This is only an estimate for planningpurposes. Actual hours may vary based on operations and risk. Services providers should provide estimatesbased on experience as well as the expectations outlined in this document.External staff will analyze and evaluate controls under IA’s general supervision. The County does not anticipateusing significant partner or managerial resources from the successful service provider. IA expects to allocate ITaudit work throughout the year to minimize disruption to departmental operations and accommodatedepartmental work schedules to the extent possible. Audit work will be performed according to schedule or on-demand, depending on business needs.The successful service provider should be prepared to provide in-person staffing. At IA discretion, hybrid orremote work may be approved for specific resources. Audit work will be completed at County offices located inLawrenceville, GA within two miles of the Gwinnett Justice & Administration Center (GJAC), although fieldworkmay occasionally be conducted at other operational locations within the County. The County will not reimburseexternal staff for travel to or from the service provider’s office.General ExpectationsExternal staff will be expected to work closely and collaboratively with County employees in all phases of theaudit. All work papers, notes, emails, documents, and any other audit evidence belong to the County and must beavailable to IA throughout the audit for ongoing review and document retention. All audit documentation will behoused and managed in an online project management portal provided and owned by IA, with permissionsgranted to external staff. External staff will be expected to exercise project management and time managementskills to complete engagements within budgeted time frames. External staff should keep the management teamup to date on any issues that may impact the completion of a timely audit. External staff must engage in the IAQuality Assurance process and produce deliverables to IA standards.StaffingExternal staff must have the technical expertise, audit experience, and professional acumen to successfully auditIT and other operational controls. External staff must be able to effectively apply relevant auditing concepts suchas audit risk and sampling to ensure audit quality and reliability. External staff must be prepared to conducthands-on, manual testing and analysis that does not rely on the use of automated tools. External staff should beadept at communicating technical concepts to audiences without relevant technical background, both verballyand in writing. External staff should be adept at engaging in discussion that may include detailed questions,constructive criticism, or differences of opinion. Proficiency in SharePoint is desired.RP011-26Page 4IA is seeking service providers who already have a presence in-state and local staffing availability.IA may need staff with various levels of experience and billable rates throughout the year to achieve audit plangoals and manage costs. The successful service provider will be required to maintain and follow a resource planapproved by IA. Staffing levels and expertise may vary depending on the engagement scope, type and phase ofaudit work, technical requirements, and available budget. The following is a summary of anticipated staffingrequirements:IT Senior Auditor- Four or more years of recent experience conducting IT audits or internal audits, including three yearsleading IT audits.- Experience conducting IT audits for at least three different medium to large client organizations.- Active ISACA certification as a Certified Information Systems Auditor (CISA) preferred. CISA certificationmay be substituted with Certified Internal Auditor (CIA) or Certified Public Accountant (CPA) credentialswith sufficient, relevant IT audit experience.- Demonstrated mastery of IT audit principles.- Demonstrated success forming and sharing evidence-based results with clients.IT Staff Auditor (As needed)- One to three years of recent experience conducting IT audits or internal audits.- Relevant professional certifications desired.IT Audit Manager or Director (Security Expert)- Five or more years of experience evaluating IT security controls and providing specific IT securityrecommendations, including three years leading formal IT security reviews or audits.- Industry or governmental experience in managing IT operations desirable.- Active certification as a Certified Information Systems Security Professional (CISSP) and/or CertifiedInformation Systems Manager (CISM).- Demonstrated cybersecurity and network security expertise, including knowledge of the latest risks,threats, and tools.- Preferred: Offensive security (penetration testing) experience and/or certification as Offensive SecurityCertified Professional (OSCP) or Certified Ethical Hacker (CEH).- Expertise in specific areas of Information Security as needed.Senior Internal Auditor (As needed for non-IT engagements)- Four or more years of recent experience conducting internal audits, including two years leading internalaudits.- Experience conducting internal audits for medium to large client organizations.- Active Certified Internal Auditor (CIA), Certified Professional Accountant (CPA), or Certified FraudExaminer (CFE) certification.- Demonstrated mastery of internal audit principles.- Demonstrated success working with clients.The total number of audit hours per year is expected to be 1,200-1,400. IT Senior Auditor will be used primarily onmost audits and should have sufficient IT security knowledge to successfully conduct engagements withoutadditional expertise or extensive oversight. To promote efficiency, an IT Staff Auditor may be used as appropriateto request data and test controls with general supervision. The IT Audit Manager or Director (Security Expert)may be used for consultation or participation in walkthroughs and test design as needed in certain areas. Forplanning purposes, IA anticipates approximately 50-150 hours for the Manager or Director.External staff should have sufficient tenure with respondent service provider to validate expertise and workproduct quality.RP011-26Page 5Project ManagementIA generally schedules assignments based on the annual audit plan. However, some engagements could occuror change on short notice. The County may also modify or cancel engagements based on business needs andrisks to critical services. The County requires the capability and flexibility to respond to schedule changes. Serviceproviders should possess sufficient depth of qualified resources.This staff augmentation model is not expected to involve a multi-layered approach from the service provider. IAexpects external staff to produce clear and accurate deliverables with minimal need for review. IA will internallydesignate an IT Audit manager to oversee work product quality and delivery, working closely with external staff.Depending on audit work and available resources, IA may designate an additional County employee to workalongside external staff as IT senior auditor. IA personnel assigned to the engagement should be copied on allengagement communications and invited to all meetings.The service provider must not assign staff to this contract with an expectation of full-time utilization or futurefull-time placement. The service provider must inform any staff assigned to this engagement that hours will vary.It is up to the service provider to manage its internal resources to balance workloads and billing.External Auditors will submit detailed time summaries to support billing. IA should approve the resources timecards prior to submission for billing. Time summaries should be consistent with audit progress and deliverablesas visible in the IA project management tool. Service providers should not expect to bill a flat number of hoursper week, as workloads can vary throughout audit phases. Time summaries will be agreed to invoices and usedfor planning purposes.The County has found that continuity of staffing is important based on departmental feedback as well as IAexperience. Successful performance requires ongoing collaboration with County personnel and an understandingof County-specific risks and controls. Excessive turnover may result in waste and/or disruption to the project.The awarded service provider will be responsible for re-work or onboarding resulting from turnover of serviceprovider personnel assigned to Gwinnett during an engagement.Deliverables and Performance ExpectationsExternal staff must exercise sound judgment and be adept at successfully working in a diverse environment withemployees from all organizational levels. Audit objectivity is paramount, but audits should also be collaborativeand contain results and recommendations that are fully vetted with control owners to ensure quality andrelevance.Typical IT and internal audit activities and deliverables may include, but are not limited to the following:Develop a risk control matrix (RCM) tailored to the County operations in scope. Include a preliminaryassessment of risk for each control and suggested test plans. Confirm controls with management and addor adjust controls according to IA and management input. Submit the RCM to IA for approval prior to startingtest work.Prepare detailed control narratives using information gathered at each interview, walkthrough, or observation.Formulate and perform test plans for review and feedback from IA and the department. Effectively managedata requests to obtain timely and sufficient data while minimizing disruption to departmental operations.Follow IA sampling and data request standards.Document test procedures and results with logical conclusions supported by evidence. Use the IA projectmanagement tool to document all outputs from the assessment.Promptly review each potential finding or issue with departmental management and determine its root cause.Develop practical and cost-effective recommendations to remediate control deficiencies. Maintain a list ofthe issues, the risks the issues pose, and recommendations. Track remediation statuses at least quarterlyand validate corrective action with evidence.
Empower Your Bidding Strategy
Unlock Government BidHub's unparalleled access to high-quality, tailored bid information.
- Access an extensive database of bids, including comprehensive local and state opportunities.
- Receive customized alerts for the bids that matter most to your business.
- Explore detailed specifications to ensure precise and competitive submissions.
- Gain a competitive edge with up-to-date information and exclusive opportunities.
See Also
RFP 26-045 Positive Behavior ...
Project: RFP 26-045 Positive Behavior Interventions and Supports (PBIS) Recognition and Student Engagement
Bibb County School District
Bid Due: 7/06/2026
AN/ALM-280, Enhanced Automate...
Follow AN/ALM-280, Enhanced Automated Special Test Equipment (EASTE) Engineering Support Active Contract Opportunity
DEPT OF DEFENSE
Bid Due: 7/24/2026