What are the responsibilities and job description for the IT Auditor position at TechNix LLC?
Job Details
Position: IT Auditor
Duration: 7 months
Location: Minnesota (Remote Work)
Description of Project:
The Minnesota Department of Information Technology Services (MNIT), partnering with the Department of Correction (DOC), is seeking an independent vendor to perform project audits on a large program known as the Transformation program. This is a large effort with 3 main goals.
First is the setup of a central data repository for the department, second is the implementation of purchased software for incarcerated persons management, and last are small supporting efforts related to the first two.
At a high level, the vendor will perform structured reviews to determine whether project activities comply with applicable policies and standards and assess how well-positioned the project is to be successful. The audits will identify issues affecting the project's likelihood of success, investigate the root causes of the issues, and develop actionable recommendations to guide on-going management of the project.
Transformation Program Audit Contractor Deliverable-Based Event:
The following document contains the deliverables and qualifications for the Transformation Program Project Audit efforts. This request is for services to be provided on a deliverables basis.
Phase 1 is for an initial project audit. Additional audits may be needed as the Transformation Program is set to deliver the final deliverables in 2028.
Phase 1 Deliverable:
Initial Project Audit:
Structured reviews to determine whether project activities comply with applicable policies and standards and assess how well-positioned the project is to be successful. The audits will identify issues affecting the project's likelihood of success, investigate the root causes of the issues, and develop actionable recommendations to guide on-going management of the project.
The initial project audit should, at a minimum, produce the following deliverables:
- Audit Plan: Description of how the vendor will conduct the audit, including but not limited to:
  - the methods and methodology used to perform the audit
  - how findings will be validated
  - timeline for work and ETA for deliverables
- Audit Findings
- Remediation Plans
- Final Audit Report that summarizes the work performed and outcomes, and includes supporting materials
Future Phases Deliverables:
To be determined. The scope of future phases will come at the completion of Phase 1 but may include additional project audits as defined in this document for the Transformation Program.
Desired Qualifications of Vendor
Vendor has completed a minimum of 3 Project/Program Audit engagements
Desired Qualifications of Resource(s):
Key vendor resources should have certifications related to their area of responsibilities to include:
- PMP Certification: Project Management Professional
- CBAP: Certified Business Analysis Professional
- CCMP: Certified Change Management Professional
Scope:
This document provides MNIT and state consolidated agencies with guidance relating to statutorily mandated independent (third-party) project audits undertaken for IT projects with a total cost of $10 million or more.
Objectives for Project Audits:
Independent IT audits, also known as IT project audits, are essential for evaluating MNIT's information technology systems, controls, and processes to ensure they are operating effectively and securely.
Minnesota statute 2024, 16E.01, subd. 3.(e) states that "For any active information and telecommunications technology project with a total expected project cost of more than $10,000,000, the state agency must perform an annual independent audit that conforms to published project audit principles adopted by the department."
Independent IT project audits should assess and evaluate various aspects of the project to ensure it is on course to meet its intended goals and the project management and development methodologies adhere to MNIT's established policies, standards, and best practices. A post-audit report will provide an objective review of the project's performance and progress.
Specific objectives of an IT project audit should include the points in the three sections below. Please note MNIT expects the auditor to adhere to these objectives, guidelines/principles, and reporting standards. Variations from this guidance document must be listed in the final audit report.
- Assess Project Compliance: Verifies the project management activities comply with state statutes, MNIT policies and industry best practices.
- Ensure Business Alignment: Verifies the project's objectives align with the organization's (agency's) overall strategic goals and that it provides value to the business.
- Evaluate Project Scope: Verifies the project scope is well-defined and aligns with the initial project objectives and business requirements.
- Review Project Management: Examines project management practices to ensure that project planning, scheduling, and resource allocation are effective and meet MNIT PPM policies.
- Monitor Budget and Cost Control: Evaluates budget management to ensure the project is on track in terms of cost control and financial resources are being used appropriately.
- Assess Risk Management: Identifies and assesses potential risks associated with the project and evaluates the effectiveness of risk mitigation strategies.
- Review Project Timeline: Evaluates project timelines and milestones to ensure the project is progressing according to the planned schedule.
- Analyze Quality Assurance: Examines the quality control processes in place to ensure project deliverables meet specified quality standards.
- Validate Deliverables: Verifies project deliverables meet the project's specified requirements and standards.
- Evaluate Stakeholder Communication: Assesses communication and reporting mechanisms to ensure stakeholders are informed of the project's status, changes, and challenges.
- Identify Issues and Challenges: Identifies any problems, challenges, or deviations from the project plan and recommends corrective actions.
- Ensure Security and Compliance: Evaluates the project's adherence to State and MNIT security protocols and data privacy policies to protect sensitive information.
- Provide Recommendations: Offers recommendations for improving the project's performance, methods of addressing issues, and optimizing project outcomes.
- Verify Documentation: Reviews project documentation and records to ensure they are accurate, complete, and up to date.
Audit Principles and Guidelines
The MNIT body who ordered the IT project audit should ensure the audit vendor is following these audit principles:
- Independence: The IT audit team must be a third party (contractor, in this case) with no association with the project or system being audited.
- Objectivity: Auditors should approach the audit free from bias or preconceived notions and base their findings on their examination and resulting facts.
- Competence: Audit staff should possess the necessary knowledge, skills, and experience to understand and assess MNIT IT systems and controls.
- Professional Integrity: Auditors should exercise reasonable care and diligence when conducting audits, including thorough planning and documentation. Audit staff should also adhere to a strict code of professional ethics, including honesty and integrity, in all interactions and reporting.
- Confidentiality: Auditors should maintain the confidentiality of both the agency's and MNIT's sensitive information and data obtained during the audit process.
- Compliance: Auditors should ensure IT audits comply with relevant State of Minnesota statutes, MNIT policies and standards, and industry best practices.
- Scope Definition: Before audit work begins, clearly define the audit's scope and objectives, ensuring all relevant areas are investigated and stakeholder expectations are managed.
- Documentation: Thoroughly document the audit process, including planning, procedures, testing, and findings, to support the audit's conclusions and share recommendations with MNIT and agency staff, if applicable.
- Testing and Facts: Use appropriate audit techniques and testing procedures to gather necessary evidence to form conclusions.
- Reporting: Prepare clear and well-structured audit reports that communicate findings, recommendations, and MNIT's responses, if applicable.
- Communication: Maintain open and effective communication with MNIT and agency stakeholders (if applicable) throughout the audit process, addressing any concerns and providing updates.
- Continuous Improvement: Assess the IT audit process for opportunities to enhance MNIT's effectiveness and efficiency.
- Evidence Preservation: Safeguard all audit evidence and workpapers to support the audit findings and protect against potential legal challenges.
- Quality Assurance: Implement quality-control processes within the audit function to ensure the reliability and consistency of the audit work.
- Legal and Regulatory Awareness: Stay informed about relevant laws, regulations, and industry standards that may affect the IT audit process.
Mandatory Reporting Standards
Independent project-audit reports should contain the following sections. The auditor may include additional sections, at their discretion.
- Executive Summary: A short document or section of a document produced for business purposes.
- Audit Report Summary: Provides a brief understanding of the audit's key findings and conclusions without going into detail.
- Audit Findings and Recommendations Overview: A concise presentation of the audit's most important discoveries and suggestions.
- Audit Components and Methodology: Components and approach used in conducting an audit.
- Evaluation Methodology: The approach used to gather information, analyze data, and assess the validity, relevance, and significance of facts or evidence.
- Interviews: In the context of the audit, refers to a method of gathering information.
- Document Review Processes: Processes used for examining and evaluating materials, documents, and other relevant sources of information to gather insights, verify facts, or assess the content for various purposes.
- Stakeholder Interview Results Summary: An overview of the results from the project stakeholder interviews.
- Audit Risk and Issue Evaluation: The processes used to evaluate and assign scores or ratings to risks and issues identified during an audit.
- Definitions: Definitions of risks, issues, and findings, along with definitions for possible impact, probability, and severity.
- Risk Scoring Methodologies: The approach or rule sets used to assess and assign numerical values or scores to risks, based on various criteria.
- Issue Scoring Methodologies: The approach or rule sets used to assess and assign numerical values or scores to issues, based on various criteria.
- Risks and Recommendations Specifics: The comprehensive descriptions and explanations in the report on identified risks and the corresponding recommendations for mitigating or addressing those risks.
- List of Meeting Attendees: The list of meetings, dates, and interview participants.
- Glossary: Abbreviations and Acronyms: The definitions of terms and acronyms used in the audit report that may be helpful when discussing the audit results.