Technical Proposal For IT Audit
Submitted To
March 2019
RESPONSE FOR RFP No: 11606 – CONSULTANCY SERVICES FOR IT AUDIT MARCH 2019
TABLE OF CONTENTS
1. EXECUTIVE SUMMARY
2. OUR UNDERSTANDING
3. SCOPE
4. METHODOLOGY AND WORK PLAN
4.1 TIMESTAMP’S IT AUDIT SERVICES - OVERVIEW
4.2 TIMESTAMP’S IT AUDIT SERVICES
4.3 TIMESTAMP IT GENERAL CONTROLS AUDIT SERVICE
4.4 TIMESTAMP COMPLIANCE GAP ANALYSIS SERVICE
4.5 TIMESTAMP IT AUDIT FRAMEWORK
5. TIMESTAMP IT AUDIT SERVICES – OVERALL METHODOLOGY
5.1 TIMESTAMP IT INFRASTRUCTURE AUDIT
5.2 TIMESTAMP IT INFRASTRUCTURE ASSESSMENT
5.3 TIMESTAMP IT ASSURANCE
5.4 BENEFITS OF OUR AUDIT, ASSESSMENT AND ASSURANCE SERVICES
6. TEAM COMPOSITION AND TASK ASSIGNMENTS
7. TIMESTAMP AUDIT EXPERIENCE AND PREVIOUS ENGAGEMENTS
8. ASSUMPTIONS
9. ANNEXURE – TIMESTAMP IT AUDITOR PROFILES
1. Executive Summary
Timestamp would like to thank Volta River Authority (VRA) for shortlisting our
organisation to submit a proposal to provide Consultancy Services for IT Audit. Having
served as external auditors for several organisations for the past two decades, and
currently serving as internal auditors across various industries, we have gained valuable
insight. We believe this knowledge can be used to provide valued input in assisting Volta
River Authority (VRA) with its internal IT audit function.
2. Our Understanding:
Volta River Authority (VRA) is looking for shortlisted IT Services & Consulting firms to
conduct a diagnostic study of its Information Technology infrastructure and provide
recommendations to enhance its Business and Corporate Strategy.
3. Scope:
The report shall clearly summarize, among other findings, an independent professional
view of the short, medium and long-term strengths, weaknesses, opportunities and threats
of the current ICT assets of VRA and provide recommendations to the Management of VRA.
The specific Scope of Work will include:
The first step will be to review VRA’s Business Operations and Direction to establish the
characteristics of the organization such as core objectives, locations and business units.
It will also include a review of key stakeholders and customers, services, product offerings
and the channels (how and where) by which clients access the products and services.
ICT Governance generally refers to the processes by which the ICT functions within
organizations are directed, controlled and held to account. It encompasses authority,
accountability, leadership, direction, and control exercised within the organization. ICT
functions utilize resources to achieve strategic and operational goals. The existing ICT
Governance management framework will be analyzed to determine how effectively it is
aligned with the general Corporate Strategy.
The consultant or firm will analyze the outcome of any previous ICT Strategic Plans and
other initiatives to see how they have impacted the organization. Lessons learned will be
used as a guide to avoid repeating mistakes and to build on successes.
This review focuses on the organizational structure (human resources, departments,
reporting relationships etc.), physical assets (servers, computers, storage devices etc.)
and processes (business applications, network infrastructure, back office systems etc.).
It will include a technical environment summary as well as description and analyses of
the various applications and systems.
The team will review the technology interfaces, if any, with third parties. This will also
include an evaluation of the IT spend and how it is aligned to the business.
Review and document the relevant International ICT and Modern Management Methods
that can be leveraged by VRA to drive positive, manageable and sustainable results over
the long term.
Timestamp’s IT internal audit services help organisations understand their key technology
risks and how well they are mitigating and controlling those risks. We also provide insight
into the threats inherent in today’s highly complex technologies. Timestamp provides a
wide range of IT internal audit outsourcing and co-sourcing services. The Timestamp
methodology, which is both COSO- and COBIT®-based, combines an overall IT internal
audit management team with the execution of individual projects by subject-matter
experts in each IT audit area. Timestamp estimates that it will conduct the IT audit and
submit the final report within 12 weeks of the date of commencement. The following
reports are delivered in a phased approach:
1. Baseline Report
2. Draft Final Report
3. Final Report (IT Development Strategy Document)
The audit scope depends primarily on the size and scope of the client’s operation and the
specific needs of the client. The project manager and auditors work directly with the client
to ensure cost-effective and timely delivery of our auditing services.
During the IT controls audit process, Timestamp IT Auditors collect and evaluate evidence
of the client’s information systems controls, policies and procedures, and other related
documentation to ensure the availability, confidentiality, and integrity of mission-critical
systems and data.
Timestamp IT Audit framework contains technical policies, guidelines and standards for
achieving interoperability between the technical systems in the government. The
developed framework contains in excess of 100 technical standards. The framework also
provides guidelines for implementation and compliance. The COBIT framework provides
a tool for the business process owner that facilitates the discharge of this responsibility.
The framework starts from a simple and pragmatic premise: To provide the information
that the organization needs to achieve its objectives, IT resources need to be managed
by a set of naturally grouped processes. IT service management is concerned with
delivering and supporting IT services that are appropriate to the business requirements
of the organization. ITIL provides a comprehensive, consistent and coherent set of best
practices for IT service management and related processes, promoting a quality approach
for achieving business effectiveness and efficiency in the use of IS. ITIL service
management processes are intended to underpin, but not dictate, the business processes
of an organization.
5. Timestamp IT Audit Services – Overall Methodology
Activities: The Timestamp team shall conduct a current-state assessment against the
COBIT Process Maturity Model in the following broad areas:
Organizational Structures
o Develop COBIT based Organizational Structure & RACI Matrix
o Define IT & IS Roles and Structure
Define the targeted to-be state. Determine the identified gaps between the as-is and the
to-be positions and translate these gaps into improvement opportunities.
Activities:
Prepare documentation with respect to amendments in IT Strategy, IT Policy and
supporting guidelines
Run a Program Management Office (PMO) to facilitate VRA Management in
monitoring the identified projects
Organize potential projects into the initiative.
Guide the allocation and prioritization of business resources necessary to
achieve initiative and project objectives
Define the required deliverables, considering the full scope of activities required
to meet objectives
Establish project plans and reporting procedures to enable progress to be
monitored
Prepare KPIs for the target state
Deliverables: Project Definitions, Detailed Project Plan (including baselined schedule),
Reporting Procedures, Identified Quick Wins, KPIs for the target state, and the various
documents generated through the above-mentioned activities
5.1 Timestamp IT Infrastructure Audit
An IT audit evaluates the system's internal control design and effectiveness against
relevant standards and best practices. This includes, but is not limited to, design,
implementation, performance, efficiency, security protocols and IT governance or
oversight. Installing controls is necessary but not sufficient to provide adequate security.
Periodic review of the infrastructure and its processes is mandatory to ensure
compliance with these controls.
Timestamp, in its role as an IT infrastructure consulting company, has been responsible
for building out and upgrading a number of information technology infrastructure projects
for its clients in India and overseas. Our IT consulting staff are specially trained in the
assessment of network, data centre, compute, storage and security solutions.
Timestamp has the relevant skills and experience to carry out the audit for:
Network Design and Performance
Datacentre Design and Performance
Security Solutions and Policies
Technology
Operation and Maintenance Processes
Assurance is the process of getting the right information to the right people at the right
time with Information Risk Management, Trust Management, Resilience, appropriate
Architecture, system safety, and security.
Our professionals provide independent, pragmatic advice and advanced technology
capabilities to help you proactively and reactively manage your technology risks and use
your data to its full potential. Our Information Assurance services help customers secure
their information according to the five pillars of security, namely integrity, availability,
authentication, confidentiality and non-repudiation.
We can help provide high levels of assurance and insights in respect of your technology,
including:
IT infrastructure internal and external audit services.
IT infrastructure assessment and benchmarking services.
IT infrastructure certification services.
IT infrastructure security and business resilience services.
IT Data privacy and protection services.
Support Staff (table): Name | Position | Task | Number of Weeks (1 to 12)
Reports (table): Name | Position | Months Due/Activities
6.2 Activity Work Schedule
Activity (Work) schedule chart: duration in weeks 1 to 12 (chart not reproduced in text).
Reports and due dates:
1. Baseline Report: 10th week from the date of commencement of the engagement
2. Draft Final Report: 11th week from the date of commencement of the engagement
3. Final Report (IT Development Strategy Document): 12th week from the date of commencement of the engagement
Client Situation:
A mid-size company with many entities was concerned about network security.
Management wanted an internal and external network security audit of each entity.
Timestamp Solution:
Risk assessment, risk analysis, and risk treatment
Policies, procedures, plans, and related documents
Use of service providers
Security of servers, firewalls, and network infrastructure
Protection against malicious software (viruses, spyware, etc.)
Security mechanisms and practices
Controls over removable media and USB devices
Incident response and business continuity
Client Benefit
Timestamp’s network security audit documented several areas that placed the organization
at risk from both internal and external threats. The prioritized Action Plan helped the
telephone company increase security and protect its information assets.
Client Situation
A county needed assurance that its sensitive information was protected against hackers
and other Internet threats. County management was concerned about compliance related
issues and wanted assurance its systems were protected against external threats.
Timestamp Solution
Timestamp provided an External Network Security Audit. Our services included a variety
of hacker-type tools and techniques that identified and evaluated the county’s external
risks.
Timestamp compared the county with industry benchmarks and determined the type of
security infrastructure in place. We tailored our attacks to take advantage of gaps.
Client Benefit
Timestamp’s external network security audit documented several areas that placed the
organization at risk from external threats. The prioritized Action Plan helped the organization
increase security while increasing protection of its information assets.
Client Situation
A software developer provided on-line marketing solutions including web design, content
management, and e-commerce solutions. The software developer was notified by a third
party that its software was not secure. When negative publicity appeared in the media,
clients and prospects became concerned and revenue declined. The software
developer’s President wanted assurance that its code, with interfaces to internal database
systems, was secure and protected from threats.
Timestamp Solution
Emulating the approach used by hackers, Timestamp used a variety of manual and
automated tools to perform a controlled, real-life attack on the organization's web
application and web server to find vulnerabilities. Timestamp evaluated the application for
over 35,000 types of risks including SQL injection, cross-site scripting, buffer overflow,
authentication, encryption, JavaScript, and many others. Timestamp provided a Web
Application Security Audit Report with our findings, an analysis of vulnerabilities, and
solutions to enhance security.
Client Benefit
Timestamp’s web application security audit identified several areas that placed the
organization at risk from hackers and other external threats. With Timestamp’s report, the
organization eliminated software bugs and enhanced security by implementing changes
to its code and procedures. As a Certified Information Systems Auditor, Timestamp
provided a follow-up web application security audit and verified that the security issues
identified in the first audit had been addressed. Timestamp provided the software
developer with our Auditor Opinion Letter, which the client distributed to its prospects and
clients. The organization’s enhanced image and reputation helped it increase revenue,
both by retaining current customers and by converting new prospects into clients.
Client Situation
Timestamp Solution
Timestamp provided a "hands-on" security audit of the mobile application. We evaluated
security risks related to:
User use of the device
Mobile software coding issues
Interfaces to servers and databases
Configurations of servers, firewalls, and network segmentation
Authentication issues
Backups and recovery
Timestamp’s Mobile Application Security Audit Report documented security risks and
provided recommendations to enhance security.
Client Benefit
Patrick Mosiatlhaga
PROFESSIONAL QUALIFICATIONS
Registered PRINCE2® Practitioner, APMG, Registration No. P2R/883592
EXECUTIVE SUMMARY
Patrick has been a professional for the past thirty years, with more than 20 spent at Senior
and Executive Management levels. He spent the first 15 years of his professional career
at Eskom, where he progressed from Junior Programmer to head of the Systems
Development and Support Department. He was previously the Chief Information Officer
at the City of Johannesburg, and his last fixed-term contract of employment was as Chief
Information Officer at Gauteng Enterprise Propeller. This career progression is testament
to his visionary leadership and continuous self-improvement philosophy.
QUALIFICATIONS
Achievements
Experience
Strong acumen in aligning IT vision and strategy with business strategy, ensuring benefits
realization from IT investments, managing IT risks optimally, and building teams and
organizations that create and deliver value. He has a proven track record in, amongst
others, IT Strategy, IT resource optimization, Business Process Reengineering and
Management, IT Security and Risk Management, successful implementation of complex
projects and development and implementation of IT Governance frameworks and related
processes.
Responsibilities:
Member of the Executive Committee; provided vision and leadership for
developing and implementing information systems and communications
technologies to enable and support GEP in achieving its business objectives.
Responsible for all aspects of the organization’s Information and Communications
Technologies using industry best practices, standards and frameworks such as
COBIT, ITIL, PMBOK, PRINCE2, TOGAF Architecture Development Method
(ADM) and the ISO/IEC 27000 series.
Formulating and delivering the IT Vision and Strategy
Defining and implementing the Enterprise Architecture
Application Development, support and maintenance
IT Service Management
IT Governance, Risk and Compliance
Project/Program and Portfolio Management
Manage Stakeholders, Relationships and Suppliers
Manage Resources (Human, Financial, Physical and IT Assets)
Technical Consultant to the business, including the Board and Board Committees
Responsibilities:
Consulting Services
Responsibilities:
Responsible for providing vision and direction, enabling the Johannesburg
Metropolitan Council (Enterprise) to achieve strategic technology and business
objectives.
Reported to the City Manager (CEO) and was a member of the Executive
Committee and various other sub-committees, and interacted a lot with the Board,
as constituted by the Mayoral Committee.
Projects undertaken ranged from R1 Million to R800 Million. During the last year
(July 2010 – August 2011) of my 5 Year contract, I was seconded to City Power,
an Agency / Company of the Joburg Metropolitan Council, to head the IT Function
and be part of the Executive Team that sought to position Joburg Metro as the
Regional Electricity Distributor (RED4) leader.
Formulation and implementation of the IT Strategy to align IT plans and operations
with the City’s objectives and operations.
Ensuring cost-effective and efficient IT service delivery to the City through
management of own resources and IT outsourced contracts, and ensuring end-user
satisfaction
Developing and implementing Enterprise Architectures, including enterprise
technology standards to ensure systems compatibility and integration throughout
the enterprise
Project and Programme Management of Enterprise-wide Technology initiatives.
Developing and implementing IT Governance and Risk Management, and ensuring
compliance with Information Security laws, regulations and other relevant statutes
Engaging and collaborating with other government entities, professional and
international agencies to craft business solutions.
Responsibilities:
Responsible for the operational aspects and strategic delivery alliances of the
company.
Generation and maximization of shareholder value by integrating operational
strategies, plans, budgets, operational guidelines and procedures.
Management of customer and supplier relationships
Formulation of strategic technology relationships
Ensure optimal utilization of resources and effective SLA delivery
Responsibilities:
Managed the Application Development and Support division, which comprised about
340 professionals (including contractors) with qualifications ranging from bachelor’s to
doctorate degrees. Projects managed ranged from R1M to R350M.
JUNIOR PROGRAMMER UP TO ANALYST DESIGNER, Eskom (ITS), 1987 – 1993
COMMITTEES
Has served as a member of Senior Management and Board Committees and
Labour/Management forums, and served as an Executive Council member of the
then Computer Society of South Africa in the year 2001.
REPRESENTATION
9.2 Profile – 2:
SUMMARY: A mature Computer Science graduate with both academic and proven
practical IT skills in IT security, systems support, systems analysis and design, project
management as well as training. Offering proven problem-solving skills and strong client
focus, with the ability to relate to individuals across all levels, is one form of expertise I
possess. Experienced in working both independently and in a team, providing solutions
in a pressurised, deadline-driven setting. Looking for an opportunity to build on existing
skills and simplify business processes through the use of technology so as to ensure
maximum business efficiency.
TECHNOLOGY SUMMARY:
ACADEMIC QUALIFICATIONS:
Post-Grad Diploma: Project Management
PROFESSIONAL CERTIFICATIONS:
WORK EXPERIENCE:
March 2016 – Present: Africa’s Best 350 (AB350) Bus Company, Mthatha
ICT Manager
Supply Chain Management Evaluations, ICT/Infrastructure, Resource planning
committees member
Project management and administration for I.C.T projects
Contract and stakeholder management for I.C.T-related matters
Maintenance of the Office365 and related infrastructure
Server and network monitoring and management (WAN and LAN)
Training staff on the old and new technologies that exist at the college
Researching on ways of ensuring business process efficiency using existing
technologies within the institution and in the market
I.T governance and compliance for all systems and I.T processes
Providing 2nd line support for all the technicians and mentoring of staff
I.C.T-related projects design and specifications drafting
Advising management with regards to policy making which affects ICT
In charge of the systems’ backups and disaster recovery processes
I.T systems security management and administration
Maintaining all IT hardware and software for users including networking, servers,
Windows Vista, XP, Windows 7, 8, 8.1
IT Support Engineer
Maintaining all IT hardware and software for users including networking, servers,
Windows Vista, XP and Windows 7
9.3 PROFILE – 3
Professional Qualifications
ITSM PROJECTS:
Meet or exceed qualitative and quantitative Key Performance indicators for
Consultant performance
Owner of the Service Desk Service.
Dimension Data
Operations Manager: 01/04/2014 (1 Year)
Ensure delivery of all Contact Centre services supporting internal and external
clients.
Championed service management project team responsible for rolling out
ISO27000 in the Network operations business unit.
Planning service transitions.
Engineering of policies and procedures according to ISO: 9000 standards.
Adopting appropriate workforce management techniques.
Adopting best practice processes.
Application owner for the OpenText Assure ITSM tool.
Management of Human capital and service assets.
Global Incident Manager interfacing into problem management teams
Budgetary forecasting and service costing
Responsible for the daily operations of service desk support teams. Supervisory
responsibilities included
Planning and scheduling workforce
Monitoring performance of staff
Creating and managing service knowledge content
Assist management with new service take on and transitions
KPA assessments and training for approximately 20 support agents
Domain password support.
Contribute to FCR targets or escalate to 2nd line field engineers.
Provided in-room catering services for guests, making sure that the food served was
well presented
Contributed to maintaining high service excellence in 5-star environments.
Adherence to health and safety regulations
Assistance with waiting at banqueting events
Worked at the G20 international summit
Worked at the British Open golf event