CON | RFQ2023-07A IT Audit Services MTO

Background
The City and County of San Francisco, through the Controller’s Office (CON), is seeking qualified suppliers to provide information technology audits, assessments, and consulting services. This RFQ aims to re-open a prequalified consultant list established on October 31, 2023, for firms with demonstrated experience in IT Audit Services. The services will assist the Office of the Controller – City Services Auditor (CSA) and other city departments engaged in IT services. Proposers with experience in public sector IT audit and consulting services are encouraged to apply.

Work Details
The contract encompasses two service areas:

1) IT Audits and Assessments, which includes network penetration testing, web and mobile applications penetration testing, HIPAA assessments, IT general controls assessments, and other IT audit services;

2) IT Audit Consulting Services, which involves internal audit staff augmentation, providing technical expertise in cybersecurity and compliance areas, advising on internal IT audit organization structures, and performing quality assurance reviews. Proposers must ensure that at least 50% of project staff hold relevant certifications such as CISA or CISSP.

Period of Performance
The anticipated term of resulting contracts shall be non-exclusive with an original term determined at the time of contract award but shall not exceed ten (10) years.

Place of Performance
Services will be performed within the City and County of San Francisco.

Bidder Requirements
Proposers must have at least five years of experience in the requested services within the last seven years. They must possess a SOC-2 Type 2 Report or agree to complete a Cybersecurity Risk Assessment Questionnaire. Subcontracting is not allowed due to the sensitive nature of the work. Proposers must submit minimum qualifications documentation with their proposals.