
Confidentiality, Integrity, Availability - houstonisd.org… · Web view: File types include, but are not limited to Microsoft Word, Microsoft Excel, scanned images, ACL output


REQUEST FOR PROPOSALS

RFP # 19-04-25

Audit Information Management System

PART II

The Houston Independent School District (“HISD” and/or the “District”) is soliciting proposals for Audit Information Management System as more fully set out in this Request for Proposals (“RFP”). One (1) hard copy original of the proposal, one (1) hard copy duplicate of the original, and two (2) USB drives of the proposal must be submitted in accordance with the instructions set out herein to:

Houston Independent School District
Board Services - Room 1C03
Attn: Heather March - Purchasing Services
RFP / 19-04-25 Audit Information Management System
4400 West 18th Street
Houston, TX 77092

The following schedule and timelines apply to this RFP. The following timelines are subject to change at the District’s discretion:

Timeline

Release RFP: July 18, 2019

Pre-Proposal Conference: August 1, 2019 at 4400 WEST 18th Street, Houston, Texas 77092, in Conference Room 2E26, 10:30 am

Last date for questions: Thursday, August 8, 2019 at 10:00 a.m. CST

Proposals Due: Wednesday, August 21, 2019 at 10 a.m. CST

Evaluation Period: August 22, 2019 to August 29, 2019

Board Meeting Date: October 10, 2019 (Subject to Change)

Each set of the proposal must be submitted in a binder. The original proposal must be labeled “ORIGINAL” and contain original signatures. The copies of the original must be labeled “COPY.” Response submission must be delivered in a sealed folder or container (i.e. envelope, box, or bin). If documents are submitted in an unsealed container or folder, the District is not responsible for any unsealed/unlabeled documents and materials.

Each binder and any container for the binder(s) must be labeled on the outside with the Proposer’s name, address, the RFP number and the RFP name. Each USB drive must be labeled with the RFP number and the vendor name.

Proposals will be received at the above address until Wednesday, August 21, 2019, at 10 a.m. Central Standard Time. A Pre-Proposal Conference will be held in conjunction with the RFP on Thursday, August 1, 2019 at 10:30 a.m. at 4400 WEST 18th Street, Houston, Texas, 77092, in Conference Room 2E26.


Submitting proposals prior to the pre-proposal conference is not recommended, and such proposals may be rejected by HISD. Proposals will be reviewed as received in a manner that avoids disclosure to competing proposals. Contents of proposals will remain confidential during the negotiation period.

Faxed or emailed proposals will not be accepted. Proposals must be submitted in sufficient time to be received and time-stamped at the above location on or before the proposal due date and time. HISD will not be responsible for proposals delivered late by the United States Postal Service, or any other delivery or courier services. Proposals received after the Proposal due date and time will NOT be considered. All proposals must remain open for one hundred twenty (120) days from the proposal due date pending acceptance by HISD.

Heather March shall serve as your designated Category Specialist during the proposal process and is available via email at [email protected]. All communications pertaining to the RFP shall be addressed in writing to the Category Specialist.

Questions concerning the RFP will be answered only if sent to the Purchasing Services Department, in writing via email to the designated Category Specialist no later than 2 p.m. Central Standard Time on August 6, 2019. All questions submitted in writing to the following email address [email protected] prior to the deadline will be answered in the form of an addendum. All Addenda will be posted on the HISD Purchasing Services website.

Part I General Terms and Conditions for Requests for Proposals governs this RFP and any contract(s) awarded under this RFP.

The District will award this RFP to one or more supplier(s) based upon the evaluation of all proposals received. More details regarding the evaluation of proposals are included in Section II below.

7/18/2019
Date


SECTION I: PROPOSAL RESPONSE REQUIREMENTS

The Proposal shall be submitted in a binder with tabs as set forth below:

Title Page
Show the RFP number and title, the name of the Proposer’s firm, address, telephone number, name of contact person, and date.

Tab 1 – Table of Contents
Clearly identify the materials by sections and page numbers.

Tab 2 – Proposal Submission Forms

Complete and return forms listed below as set forth in Part III of this RFP. The set of forms submitted in the proposal marked “ORIGINAL” requires original manual signatures. Copies of the forms bearing original signatures should be included in each additional proposal.

The forms provided in Part III should be submitted in the following order:

FORM A: Supplier Information
FORM B: Attachment B - M/WBE Instructions and Participation Report
FORM C: Certificate of Insurance (Acord Form) or a letter from its insurance provider stating that Proposer can provide the levels of insurance required in this RFP.
FORM D: Reference Survey Instructions
FORM E: Reference Survey
FORM F: Price Schedule (if applicable)
FORM G: General Certifications
FORM H: EDGAR Certifications
FORM I: Conflict of Interest Instructions and Questionnaire (Form CIQ)
FORM J: Instructions for Completion of Disclosure of Interested Persons Certification (HB 1295)
FORM K: IRS Form W-9 (updated October 2018)
FORM L: Exceptions
FORM M: Criminal History Background Check Certification
FORM N: Acknowledgement Form

Tab 3 – Profile of the Proposer

a. Indicate the key people in your organization assigned with a hierarchy chart to provide this service to the District and their level of experience and qualifications and the percentage of their time that will be dedicated to this project.

b. Provide the last three years of financial statements.

c. Provide a list of any prior work done for HISD, if any. Include contact name.

Tab 4 – Scope Section

Respond in detail to the Scope of Work in Section II for the goods and / or services required.

Tab 5 – Questionnaire Response

Respond to the questionnaire included in the RFP attachments (Please note: There are seven (7) tabs on the spreadsheet).


Tab 6 – Invoice Procedure

a. Describe the proposer’s invoicing procedures.

b. Include documentation identifying all of the Proposer’s fees.

c. Payment terms. The District’s standard payment terms are 30 days after invoice is received. State any payment discounts that your company offers, i.e., 2% 10 days – net 30; or 5% 7 days – net 30.

d. Payment discounts will be applied to invoices under all projects where a proposer has been approved as a vendor.

Tab 7 – Price
Any and all pricing information, including any alternate pricing proposals that may be acceptable for some projects. Include a hard copy of Form F (Price Schedule) in this section, if applicable.

Tab 8 – Addenda
Insert all addenda under this section. (Download, print, sign and include a copy of each addendum with your proposal under Tab 8).

Tab 9 – Criminal Background Check Form
Insert one of the certifications that applies to your company:

a. Criminal History Background Check Form - With direct contact with Students

b. Criminal History Background Check Form – No direct contact with students

The supplier’s proposal will be considered non-responsive if the supplier fails to submit one of these Forms at the moment of submitting said proposal. Refer to Part I General Terms and Conditions, Section 1.19 Supplier Nationwide Criminal Background Check.


SECTION II: SCOPE OF WORK

2.1 SCOPE OF WORK:

The HISD Office of Internal Audit (OIA) is seeking a more robust technology solution to their current processes for audit planning, fieldwork, audit scheduling, audit execution, audit reporting, human resource management, and administrative reporting needs, i.e. time or expense reporting. This project consists of the procurement of a software-based, audit management solution. At a minimum, the Respondent’s responsibilities include, but are not limited to, the following:

1. Assigning a Project Manager or an Account Management Team to serve as OIA’s advocate and a single point of contact and accountability partner through the life span of the project.

2. Implement a solution that meets business needs as identified in Section V Specifications and is capable of accommodating nineteen (19) concurrent end-users.

3. Providing system administrative and end-user training for select personnel identified by the OIA and the Information Technology Department (ITD).

4. Working collaboratively with the OIA and ITD to develop Go Live Acceptance Criteria and coordinating Go Live Acceptance Testing.

5. Providing ongoing software support for the proposed solution.

2.2 SPECIFIC CONDITIONS: The District intends to award this bid to a single or multiple firm(s) selected to provide the “best value” to HISD per section 2.5 Evaluation Factors.

2.3 SPECIFICATIONS: Department Background Information and Definitions

2.3.1 Department Background:

A. The Office of Internal Audit is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the Houston Independent School District (HISD). It assists the Board of Education and senior management in accomplishing the district’s strategic objectives by bringing a systematic and disciplined approach to evaluate and improve the design and effectiveness of the organization's governance, risk management, and internal control processes.

B. The OIA performs internal audits based on an annual audit plan and requested audits, as deemed appropriate. Audit reports are provided to the District-wide stakeholders and are posted on the HISD OIA website.


C. How the work is documented often differs among the staff. The OIA seeks to leverage a technology solution to help facilitate standardized work paper documentation methodology across the entire audit staff. Key factors governing the operation of Internal Audit are:

1. Audit practice areas include Education Programs, Construction Services, Finance and Operations, and Information Technology. Audit procedures are driven by industry standards such as the IIA, GAGAS, COSO and COBIT.

2. Audit objectives generally determine whether controls over financial related transactions or regulatory compliance were adequate.

3. Audit objectives are driven by laws and regulations, policies and procedures, and contract provisions. Standards such as TEA, FASB and GASB are used when evaluating the accuracy and completeness of transactions.

D. Annual Audit Plan - An audit plan is prepared using risk assessment techniques applied to the entire population or universe of programs or departmental processes for HISD. The plan also takes into consideration known changes in personnel in key positions as well as upcoming changes in laws and regulations. Interim changes to the plan will occur from time to time due to changes in business risk, local and regulatory mandates, and staff availability.

E. Scheduling and Assignment – Scheduling is primarily driven by statutory requirements, policies and procedures, and contracts. Additionally, information received from outside sources about alleged wrongdoing or other significant changes will trigger a special project.

F. Audit Execution, Fieldwork, and Reporting – Audit execution contains three phases: 1) planning, 2) fieldwork, and 3) reporting. Once planned, an auditor will be assigned to an audit project. Audit execution begins with project planning and the auditor will assess risk and significance within the context of the audit objective by gaining an understanding of the following:

1. The nature and profile of the program and the potential needs of users of the audit report.

2. Internal controls as they relate to the specific objectives and scope of the audit.

3. Information system controls specific to audit objectives.

4. Legal and regulatory requirements, contract provisions, potential fraud, or abuse that are significant to the objectives.

5. Previous audit observations or findings.

G. The auditor will prepare a written Audit Program to test relevant controls or compliance requirements identified during the planning phase to collect artifacts to draw a conclusion. These artifacts are called work papers. ACL by Galvanize may be used for data analytics to look for trends or to test 100 percent of the data against the criteria identified.


Audit work papers are generally the primary output of fieldwork performed by an auditor and retained in accordance with paperwork retention policies.

H. Audit Reporting – Audit reports are the documents presented to The Board and Audit Committee and posted to the HISD Office of Internal Audit website.

I. Resource and Workflow Management and Administrative Reporting – The tracking and management of these assignments and schedules is currently done manually with support from Microsoft Excel.

J. Document retention – All documents supporting or related to an internal audit MUST be retained in perpetuity. As long as there are outstanding issues, the documents MUST be retained.

2.3.2 GLOSSARY AND ACRONYMS

Define all terms, acronyms, and abbreviations used in this document

Acronyms: Descriptions

Audit Plan: A report or list of potential audits by process or department that is developed each year based on the results from the audit universe risk assessment.

Audit Project: The process or department selected for review and/or audit.

Audit Program: Audit program refers to the collection of agreed upon objectives and their associated list of steps that are followed to obtain sufficient audit evidence to support any observations, recommendations, opinions or findings.

Audit Universe: Refers to the entire portfolio of departments or entities subject to Internal Audit.

B###: Business Specification; A Business Specification labeled as “MUST” is a requirement that MUST be met to qualify for award.

COBIT: Control Objectives for Information Technology

COOP: Continuity of Operations Plan used to ensure that agencies are able to continue performance of essential functions under a broad range of circumstances.

COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)


Evergreen: Evergreen IT refers to running services comprised of components that are always up to date. Evergreen IT encompasses not only the services at the user level but all of the underlying infrastructures, whether on-site or outsourced.

FASB: Financial Accounting Standards Board is a private, non-profit organization standard setting body whose primary purpose is to establish and improve generally accepted accounting principles (GAAP) within the United States in the public’s interest.

FNC###: Functional Specification; A Functional Specification labeled as “MUST” is a requirement that MUST be met to qualify for award.

GAAP: Generally Accepted Accounting Principles (GAAP)

GAGAS: The Generally Accepted Government Auditing Standards

GASB: Government Accounting Standards Board is the source of generally accepted accounting practices (GAAP) used by state and local governments in the United States.

GAAS: Generally Accepted Auditing Standards.

Galvanize, aka ACL for Analytics: A data analysis tool designed to help auditors, accountants, and other professionals perform data analysis quickly to help improve audits and identify control breakdowns.

IIA: The Institute of Internal Auditors

ITD: Information Technology Department

NAS: Network-Attached Storage is a file-level computer data storage server connected to a computer network providing data access to HISD Office of Internal Audit staff and is secured by access control listings.

NFN: Non-Functional Specification

OIA: Office of Internal Audit

RPT###: Reporting Specification; A Reporting Specification labeled as “MUST” is a requirement that MUST be met to qualify for award.

Runbook: In a computer system or network, a runbook is a compilation of routine procedures and operations that the system administrator or operator carries out. Runbooks can be in either electronic or in physical book form.

SaaS: Software as a Service (SaaS) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.

SLA: Service Level Agreement

TEA: Texas Education Agency


2.3.3 BUSINESS & FUNCTIONAL SPECIFICATIONS

ANY SPECIFICATION IN THIS SECTION LABELED AS “MUST” IS A REQUIREMENT OF THIS SOLICITATION.

Ref. # Description

B001 The solution MUST have role-based security.

FNC001 The solution MUST allow a local administrator to set permissions for licensed users.

FNC002 The solution MUST allow users with the appropriate permission level to update or add/delete data.

B002 The solution MUST provide the ability to record and store information associated with each audit project, including all supporting audit work papers, including planning, fieldwork and reporting.

FNC003 The solution MUST provide a means or method by which users can easily determine when an audit was last performed.

FNC004 The solution MUST provide the ability to assign specific audit step(s) to individual auditor(s).

FNC005 The solution MUST provide two-way cross referencing between documents, and support point-to-point hyperlinks for Word, Excel, PowerPoint, PDF and other file types.

FNC006 The solution MUST provide the ability for individual sign-off by reviewers and management.

FNC007 The solution MUST support the ability to print completed work papers, review notes, and audit programs, and other electronic documentation created within the system.

FNC008 The solution MUST provide the ability to document and resolve review notes.

FNC009 The solution MUST provide the ability to view a secured audit trail or history of changes made upon request.

FNC010 The solution MUST provide search capabilities within audit findings, projects, and the document library.

B003 The vendor MUST provide advanced notification when the solution will no longer be supported and is approaching the end of its useful life.

NFN003 The vendor MUST provide improvements to the acquired product via updated versions throughout the useful life of the solution.

B004 The solution MUST support workflow and task assignment needs.

FNC011 The solution MUST provide users with the ability to add or delete audit steps to an existing audit program.

FNC012 The solution MUST manage, track and report on task assignments of specific audit steps, audit sections or entire audit projects, to individual auditors.

FNC013 The solution MUST provide electronic event-based notifications and alerts.


B005 The solution MUST store, retain and track audit reports in a secure manner.

RPT001 The solution MUST support the output of editable audit reports via Microsoft Word.

RPT002 The solution MUST allow customization of audit report format, including margins, fonts, and organization of information.

RPT003 The solution MUST support e-mail distribution of reports using Microsoft Outlook.

RPT004 The solution MUST support the ability to have more than one management response or auditee for each observation or finding.

RPT005 The solution MUST allow users the ability to capture, save, and print a draft report to present observations to the auditee.

B006 The solution SHOULD generate administrative reports, such as time reports or budgets.

RPT006 The solution MUST capture details of auditor assigned, audit project assigned, completion dates, initiation dates, projects currently in progress.

RPT007 The solution MUST support the creation and tracking of project milestones within audit projects and allow users to run reports on variances between the planned audit schedule and its actual executed schedule.

RPT008 The solution MUST provide ad hoc reporting capabilities, e.g. customized reports.

RPT009 The solution MUST provide a method or means whereby an auditor may track and follow-up on audit observations and recommendations.

RPT010 The solution MUST capture and track actual time an auditor may spend by at least, but not limited to, the following criteria:
  - By specific audits performed
  - By individual auditors
  - By projects or engagement
  - By departments
  - By planned and unplanned hours for an audit assignment
  - By direct time and administrative time an auditor spends on an audit
  - By budgeted time

B007 The solution MUST allow users to import external documents, with no file size limitations. File types include, but are not limited to Microsoft Word, Microsoft Excel, scanned images, ACL output files, flow charts from Microsoft Visio, pdf files, as well as other documents associated with audit work papers.

FNC014 The solution MUST allow users to hyperlink to specific documents within the project or solution, including but not limited to: current or legacy versions of Microsoft Word or Microsoft Excel documents, scanned images, and data mining output files, as well as flow chart (i.e. current or legacy versions of Microsoft Visio) documents associated with audit work papers.


FNC015 The solution MUST allow users to make annotations, if desired, on imaged (i.e., pdf or scanned) documents.

FNC016 The solution MUST support indexing of work papers, attachments, or other documents.

FNC017 The solution MUST capture all observations, recommendations and corrective actions, created as stand-alone documents, and store them in an internal, secured database.

FNC018 The solution MUST manage, track, and capture audit observations, which may include criteria, condition, cause, effect, recommendation, and management response.

FNC019 The solution MUST provide a means or method whereby an auditor may assign risk severity ratings to observations.

B008 The solution MUST support risk-based audit project planning and scheduling.

FNC020 The solution MUST allow annual audit plan development, including, but not limited to the following elements: budgeting support and reporting of deviations to actual project time.

FNC021 The solution MUST provide a means or method for auditors to perform qualitative and quantitative risk assessment of the audit universe.

FNC022 The solution MUST support project specific customized risk assessments using risk criteria defined by audit personnel.

FNC023 The solution MUST have a means or method for the creation of draft yearly audit plans.

2.3.4 IMPLEMENTATION SPECIFICATIONS

1. Respondent MUST provide guidance and assistance in the development of an “evergreen” operational manual or “RUN BOOK” to assist with routine support and administrative functions required by the HISD OIA.

2. Respondent MUST engage in a knowledge transfer process and deliver a set of materials to guide the relationship and information sharing with the OIA. Knowledge Transfer is achieved but not limited to the following:

1. Transition Plan documentation and training

2. Test knowledge transfer for transition planning

3. Disaster Recovery Plan and documents

4. Service Level Agreement (SLA) and expected remediation timeline(s)


2.3.5 SECURITY SPECIFICATIONS

1. Software MUST support strong password encryption, password complexity guidelines (for example: minimum of 8 characters, alphanumeric, numeric, etc.).

2. Software MUST support integration with Microsoft Active Directory Services or Azure Active Directory Domain Services.

2.3.6 SUPPORT SPECIFICATIONS

1. Software MUST contain online and offline self-help functions.

2. Respondent MUST offer flexible Customer Service support options including telephone or e-mail support.

2.3.7 END-USER TRAINING

1. Software maintenance agreement MUST include end-user training.

2. End-user training MUST include user friendly comprehensive documentation and downloadable end-user guide(s).

3. End-user training MUST consist of computer-based training or software that provides interactive, self-paced training at the desktop, workstation, or laptop computer level.

4. End-user training MUST consist of web-based training that provides on-demand classes that are accessible via the Internet.

DOES YOUR RESPONSE MEET ALL REQUIREMENTS STATED ABOVE IN SECTION 2.3.3 SPECIFICATIONS?

YES NO

IF YOU ANSWER “NO” TO THIS QUESTION, INCLUDE EXPLANATIONS IN YOUR ANSWERS.

2.3.8 ASSUMPTIONS & DEPENDENCIES

1. Respondent is expected to analyze and trace their recommended solution capabilities to all requirements referenced in section V. Specifications.


2. The Respondent’s solution is constrained to follow the data retention policies as set by the district. No removal, deletion or archival of data may occur without prior consultation and written approval.

3. Respondent will adhere to best practice project management methodology to ensure all phases of projects are completed on time, within budget and meet the stakeholders’ business requirements.

4. All project planning will reflect alignment with HISD Change Management processes and procedures.

5. Respondent will collaborate with the OIA, ITD, and Purchasing to conduct meetings, as needed, including planning sessions, key employee group briefings, and individual and group briefings.

6. Respondent will provide North America-based ongoing software support in accordance with an agreed service level agreement. This includes the use of a help desk and method of tracking reported issues that is visible to the OIA.

7. The OIA retains absolute data access and ownership including return of all data upon engagement termination.

8. Respondent will provide recommendations for the inclusion of the proposed solution into existing business continuity and disaster recovery processes including Continuity of Operations Plan (COOP).

9. For SaaS, Web- or Cloud-based Subscription Services

1. Software supports the District preferred Internet-browsers, i.e. Microsoft Edge, Internet Explorer, and Chrome or Browser Agnostic.

2. Services reliability and availability should include 99.9% uptime, in accordance with established services level agreements.

3. Respondent will schedule any maintenance windows affecting the OIA data or functionality within a pre-determined scheduled downtime.


2.3.9 PROJECT DELIVERABLES

Each entry below lists the DELIVERABLE, its EXPLANATION, and the FINAL APPROVAL PROCESS.

Deliverable: Project Kickoff/Closeout
Explanation: Project Initiation; Project Closure (to include all final sign-off/acceptance)
Final approval process: OIA, IT & Purchasing

Deliverable: Project Supporting Project Documents/Artifacts
Explanation: Provide project planning and support documentation with accountable resources: Project Management Plan; Project Schedule; Implementation Plan
Final approval process: OIA, IT & Purchasing

Deliverable: Testing
Explanation: Provide a Test Plan documenting detailed objectives, and processes for testing the proposed solution. Work collaboratively with OIA to develop Go Live Acceptance Criteria and coordinating Go Live Acceptance Testing.
Final approval process: OIA & IT

Deliverable: Data Conversion/Migration
Explanation: The digital or electronic conversion of archived audit reports, summaries and/or working papers for insertion into District’s enterprise content management system. The migration/import of archived audit reports, summaries and/or working papers into the new audit management software solution. Integration with any applicable District applications.
Final approval process: OIA & IT

Deliverable: Knowledge Transfer
Explanation: Knowledge Transfer is achieved but not limited to the following: Transition Plan documentation and System Administrative training; Test knowledge transfer for transition planning.
Final approval process: OIA & IT


DELIVERABLE: Support
EXPLANATION: Operational Manual or “Run Book” to include Application Configuration Information, Network/System Design documentation, how to support the application, common start of day tasks, Scheduled tasks, Report Definition, unique characteristics of the application. System Administration Documentation: a. design specification detailing system functionality, as well as the design of the central database, to include entity relationship diagrams and table definitions. Service Level Agreement (SLA) with estimated resolution timeframes.
FINAL APPROVAL PROCESS: OIA &/or IT

2.3.10 PRODUCT DELIVERIES


DELIVERABLE: Audit Management Solution
EXPLANATION: Implementation, configuration and/or customization of proposed audit management solution based on requirements stated in section V. Specifications and per the recommendation of the chosen solution provider.
FINAL APPROVAL PROCESS: OIA & IT

DELIVERABLE: End-User Training
EXPLANATION: Provide a training Plan which MUST include one or more of the following training options: a. Custom training materials. b. Training class type (i.e. Admins, Power & Standard End-Users)/location, if known. Provide Administrative and end-user training for select personnel identified by HISD OIA personnel. Provide customized user documentation that describes core functions and user interactions of the proposed solution product.
FINAL APPROVAL PROCESS: OIA

DELIVERABLE: Ongoing Support
EXPLANATION: Provide ongoing technical support as per annual maintenance agreement.
FINAL APPROVAL PROCESS: OIA


2.3.11 COMPANY EXPERIENCE

This section should detail your firm’s experience in providing the same type of services to other clients. Relevant experience should be for work done on a similar scale as HISD. Additionally, experience with a government entity is preferred. The description provided should include enough detail to allow us to determine whether your firm has the sufficient experience and other qualifications.

1. How much cyber insurance does your firm have?
2. Does your firm have clients with more than 30,000 employees?
3. Does your firm have clients with more than $2B in revenue?
4. Does your firm have clients with more than 300 locations?
5. Does your firm have clients with large food services operations?
6. Does your firm have clients with a police department?
7. Does your firm have clients that receive federal funds/grants?
8. Does your firm have clients that receive state funds/grants from Texas?

2.3.12 INFORMATION TECHNOLOGY HOSTED OR CLOUD SOLUTION:

A. The following is only applicable when Vendor is providing an Information Technology hosted or cloud solution:

1. Confidentiality, Integrity, Availability (CIA)

Vendor shall protect the Confidentiality, Integrity, and Availability (CIA) of all HISD Office of Internal Audit Data ensuring extra levels of security. All HISD Office of Internal Audit information MUST remain private and permit redaction of protected information before publication. Audit trails cannot be altered.

2. Breach Notification

Vendor agrees that upon discovery of unauthorized access to HISD Office of Internal Audit Data, Vendor shall notify HISD Office of Internal Audit both orally and in writing. In no event shall the notification be made more than forty-eight (48) hours after Vendor knows or reasonably suspects unauthorized access has or may have occurred. In the event of a suspected unauthorized access, Vendor agrees to reasonably coordinate with HISD Office of Internal Audit to investigate the occurrence.

3. Data

All HISD Office of Internal Audit data will remain in the 48 contiguous states at all times.

4. Right to Audit

HISD Office of Internal Audit reserves the right to audit vendor datacenters which house HISD Office of Internal Audit data or receive SSAE 18 or SOC 2 Type II audits from a reputable independent security advisory service firm (e.g. EY, Deloitte, KPMG, PWC, etc.).

2.4 COST:

Price is to remain firm/fixed for the term of the contract. Price is to be provided on Form F and inserted in Tab 7.

2.5 EVALUATION FACTORS:

The evaluation committee will conduct a comprehensive, fair and impartial evaluation of all proposals received in response to this RFP. Each proposal received will be analyzed to determine overall responsiveness and completeness as defined in the scope section and in the instructions on submitting a proposal. Failure to comply with the instructions or to submit a complete proposal may cause a proposal to be deemed non-responsive, and the proposal may, at the discretion of the Evaluation Committee, be eliminated from further evaluation.

If the evaluation committee has reasonable grounds to believe that the Proposer is unable to perform the required services to the satisfaction of HISD, HISD reserves the right to make an award to another proposer. Some indicators (but not a complete list) of probable supplier/proposer performance concerns are: past supplier performance; the proposer’s financial resources and ability to perform; the proposer’s experience or demonstrated capability and responsibility; and the supplier’s ability to provide a reliable on-going business relationship and the maintenance of on-going agreements and support.

Criteria # | Criteria Description | Weighted Value
1 | the purchase base price | 30%
2 | the reputation of the Proposer and of the Proposer’s goods or services | 10%
3 | the quality of the Proposer’s goods or services | 20%
4 | the extent to which the goods or services meet the District's needs | 20%
5 | the Proposer’s past relationship with the District | 5%
6 | the impact on the ability of the District to comply with laws and rules relating to historically underutilized businesses | 10%
7 | the total long-term cost to the District to acquire the Proposer’s goods or services | 0%
8 | for a contract for goods and services, other than goods and services related to telecommunications and information services, building construction and maintenance, or instructional materials, whether the supplier or the supplier's ultimate parent company or majority owner: (A) has its principal place of business in this state; or (B) employs at least 500 persons in this state | 0%
9 | any other relevant factor specifically listed in the request for bids or proposals. | 5%

2.6 QUESTIONNAIRE: If applicable, please include responses in Tab 5 of the proposal response.

2.7 THIS SECTION INTENTIONALLY LEFT BLANK


19-04-25 RFP / Audit Information Management System

Rev 04/30/2019