Questions & Answers

Request for Proposals for Internal Auditing Services - Fiscal Years 2017 - 2019

This Question and Answer document was last updated February 22, 2017

Question 1:  Responder Background and Information – “J – Describe the Responder’s experience and ability to provide professional training services and include pricing.” – Please clarify, who is the audience for the training (e.g., internal audit personnel, other University personnel, or both)?

Response 1: The audience would be both internal audit personnel as well as other college or university personnel.

Question 2:  Pricing – In the provided table, may we add additional levels and/or descriptions beyond what is requested? We are specifically wanting to distinguish partner and director-level rates from these other areas.

Response 2: Yes, you may add additional levels and/or descriptions beyond what was requested.

Question 3:  Most recent published Q&A – “Response 4: We are looking for the Responder to provide the most current External Quality Assurance Review report of their own firm.” To clarify, are you seeking results of the AICPA peer review of the firm? Unfortunately, as we understand it, recent IIA guidance clarifies that firms themselves cannot obtain QAR reports in accordance with IIA Standards. (See FAQs at - section of questions labeled “External QAs and Internal Audit Activities.)

Response 3: If a QAR under IIA standards does not apply, please provide any other relevant external quality assessment review(s). If they do not apply, please provide any internal quality assessment review(s).

Question 1: Is there an anticipated volume of hours Minnesota State will use the co-source provider on an annual basis? Also, is there an anticipated resource mix Minnesota State is anticipating on an annual basis (i.e., % of resource usage across different staff classes and specialized skills)?

Response 1: Anticipated volume of Hours: We estimate we could need 700 to 1,000 hours per quarter.

Resource Mix: It is difficult to estimate the resource mix at this time. However, we anticipate our earliest projects will focus on risk assessments to help us identify future audits, projects, and resource needs. In some cases, the contracted firm may provide a portion or all the resources depending on the project. Resource needs will be identified in a work order between Minnesota State and the contracted firm.

Question 2: Can you provide an overview of the process Minnesota State will use to determine when and to what extent external resources will be needed to assist with Internal Audit activities?

Response 2: The Office of Internal Auditing plans to continually assess risks. Initial risk assessments will likely focus on information technology risks and compliance risks.

Question 3: Does Minnesota State currently have an Internal Audit methodology and tools which will be relied upon for all work performed, or is Minnesota State looking for the Responder to bring a methodology and tools which can be leveraged to improve Minnesota State's Internal Audit process?

Response 3: The Office of Internal Auditing performs work in accordance with International internal auditing standards. However, we do not currently use auditing software tools such as electronic workpapers. We hope to leverage the contracted firm’s best practices for audit methodologies and tools.

Question 4: Proposal Requirements - Section B: [Include evidence of successful completion of an external quality assurance review.] Is Minnesota State looking for examples of where the Responder has performed external assurance reviews for other organizations?

Response 4: We are looking for the Responder to provide the most current External Quality Assurance Review report of their own firm.

Question 5: Vendor Requirements - Section D: Responder Background and Information, [Section D: Include the Responder’s experience with information technology environments, including any system replacements or conversions.]  Are you able to provide an overview of Minnesota State's information technology environment so the Responder can provide qualifications related to Minnesota State's specific technology solutions?

Response 5: Minnesota State’s largest enterprise systems include a commercial learning management system (D2L Brightspace), a commercial vulnerability management system (Tripwire IP360), and a custom developed ERP system called the Integrated Statewide Records System or ISRS. These systems run on common commercial operating and database management systems that are managed by Minnesota State’s system office.

ISRS consists of many modules that support a variety of key business processes including student class registrations, student grades and transcripts, student financial aid, student payroll, employee payroll, human resources, accounting, accounts receivable, accounts payable, and more. Minnesota State is currently in the planning stage of replacing ISRS. Tentatively, the work is expected to begin in fiscal year 2019 and be completed in fiscal year 2021.

Each college and university manages their own data center(s), local area networks, and wide variety of both custom and commercial software.

Question 6: Vendor Requirements - Section F: [Describe the depth of expertise the Responder has in providing data analytics, continuous auditing, institutional research analysis and fraud investigations.]  Please provide an overview of data analysis tools currently used by Minnesota State and available to Minnesota State's Internal Audit function so the Responder can align our capabilities to the specific tools used by Minnesota State?

Response 6: Data analysis is generally conducted for each audit using tools such as Microsoft Access and Microsoft Excel. The Office of Internal Auditing would like to build a more robust data analytics function. We anticipate additional software tools will likely need to be acquired.

Question 7: Do you anticipate the external firm to participate in Minnesota State's risk assessment process to determine the Internal Audit Plan, and if so, to what extent and role do you anticipate the external firm's participation in the risk assessment process?

Response 7: The Office of Internal Auditing plans to continually assess risks including information technology, compliance, fraud, financial, and operational risks across the enterprise. We anticipate the external firm will participate in many of these, particularly those where the Office of Internal Auditing lack expertise. We believe the most pressing assessments are of information technology and compliance risks and would expect the contracted firm to participate in those.

Question 8: The RFP mentions the external firm may participate in a variety of Internal Audit activities related to operational, financial, information technology, and compliance audits, risk assessments, fraud investigations, advisory and consulting, data analytics, and professional training. Does Minnesota State have an estimated allocation of time that is anticipated for the external firm to support each of these areas?

Response 8: No, at this time we do not know the exact allocation of time for each area. We anticipate having needs in all of these areas, but initially we see the greatest need in the areas of information technology and compliance.

Question 9: Does Minnesota State have any restrictions on using remote resources from countries with a lower labor cost (e.g. India) to support Internal Audit activities such as routine testing, routine data analytics, etc., assuming these resource are operating as part of the external firm's engagement team and are subject to the same quality standards as all other team members?

Response 9: At this point we do not anticipate projects that would be routine enough to lend themselves to remote resources from countries with a lower labor cost.

Question 1: Regarding the Internal Audit RFP, approximately how many total hours are you expecting to co source with the successful RFP firms?

Response 1: Minnesota State has determined that it may have need for Internal Auditing services, but does not commit to issuing work orders under the master contract.  However, we estimate could need 700 to 1,000 hours per quarter.