RP011-26
Page 1
February 27, 2026
REQUEST FOR PROPOSAL
RP011-26
The Gwinnett County Board of Commissioners is soliciting competitive sealed proposals from qualified service
providers for the Provision of Information Technology and Other Internal Auditing Services on an Annual
Contract with four (4) one-year options to renew for the Office of Internal Audit.
Proposals must be returned in a sealed container marked on the outside with the Request for Proposal number
and Company Name. Proposals will be received until 2:50 P.M. local time on April 7, 2026 at the Gwinnett County
Financial Services - Purchasing Division – 2nd Floor, 75 Langley Drive, Lawrenceville, Georgia 30046. Any proposal
received after this date and time will not be accepted.
The proposal opening will be virtual ONLY. To access the proposal opening virtually, visit the following link:
(https://gwinnettgov.webex.com/gwinnettgov/j.php?MTID=mcdf4e144a05d7be33039355e810e2d6d),
or dial 408-418-9388 and enter Conference ID 23380634913##. A list of firms submitting proposals will be
available the following business day on our website www.GwinnettCounty.com.
Questions regarding proposals should be directed to Dana Garland, CPPB, FOI, NIGP-CPP, Purchasing Manager at
Dana.Garland@GwinnettCounty.com or by calling 770-822-8723, no later than March 19, 2026. Proposals are
legal and binding upon the vendor when submitted. One unbound single sided original, four (4) identical copies,
and one digital copy on a flash drive should be submitted.
Gwinnett County does not discriminate on the basis of disability in the admission or access to its programs or
activities. Any requests for reasonable accommodations required by individuals to fully participate in any open
meeting, program or activity of Gwinnett County Government should be directed to the ADA Coordinator at the
Gwinnett County Justice and Administration Center, 770-822-8165.
The written proposal documents supersede any verbal or written prior communications between the parties.
Selection criteria are outlined in the request for proposal documents. Gwinnett County reserves the right to reject
any or all proposals, to waive technicalities, and to make an award deemed in its best interest.
Award notification will be posted after award on the County website, www.GwinnettCounty.com, and companies
submitting a proposal will be notified via email.
We look forward to your proposal and appreciate your interest in Gwinnett County.
Dana Garland, CPPB, FOII, NIGP-CPP
Purchasing Manager
I. INTRODUCTION AND BACKGROUND
Gwinnett County Board of Commissioners (the County) is soliciting proposals from qualified service providers to
provide staff augmentation to the Office of Internal Audit (IA) for Information Technology (IT) audit and advisory
services and other Internal Audit services as needed on an annual contract.
IA is responsible for auditing the County’s various departments, offices, operations, and systems according to an
annual audit plan that is approved by the Audit Committee each year. The 2026 audit plan is available on the
County’s website under County Administration – Internal Audit. IA reserves the right to adjust or amend plans
with Audit Committee approval for significant changes. As of January 2026, IA had 7 full-time positions, including
one that oversees and works closely with external staff to run the IT audit program. IA performed 14 engagements
in 2025. IA follows the Institute of Internal Auditors (IIA) Global Internal Auditing Standards (GIAS) in conducting
audit work and must demonstrate conformance with these standards.
The County’s Department of Information Technology Services (ITS) maintains the County’s network and owns
many of the County’s IT operations, working in tandem with departmental IT staff. As of January 2026, ITS had
approximately 152 full-time and 20 part-time employees, and there were 240 applications in the business
application portfolio.
The successful service provider will conduct IT audits that are generally guided by Center for Internet
Security (CIS) standards, augmented by County-specific risks and considerations and other relevant frameworks
such as the National Institute of Standards and Technology (NIST) framework. The IT audits consist of deep-dives
of control areas such as the following examples:
• Asset management
• User access
• Malware protection
• Incident response
• Disaster recovery
• Administrative accounts and elevated privileges
• Firewalls and perimeter defenses
• Monitoring and logging
• Security architecture and design
• Vulnerability scanning and patch management
• Application security
• Software management
• Helpdesk and project portfolio management
• Vendor Management
Risk assessments, planning, and test work will be conducted throughout the year. Audit fieldwork should be
completed according to schedules agreed-upon at the start of each audit. The successful service provider will
provide staffing continuity throughout the engagement to meet audit schedule deadlines. Service providers
(“External staff”) will be required to:
• Identify and document key controls specific to the County’s current state.
• Develop custom, risk-based audit plans designed to provide valuable insight.
• Develop test plans to evaluate the adequacy, design, and effectiveness of controls in place.
• Maintain work papers to IA standards to support audit assessments and conclusions.
• Provide actionable, effective recommendations based on evidence and root causes.
• Consider best practices to offer practical, cost-effective improvements when applicable.
• Use IA project management tools to store and manage audit work in a timely manner.
• Provide a secure channel or virtual environment for communication with IA.
• Collaborate with IA to perform risk assessments to prioritize audit work.
• Follow IA guidelines and IT audit best practices.
• Collaborate with IA and support IA’s audit plan objectives.
• Maintain high ethical, quality, and professional standards throughout engagements.
• Provide experienced resources who require limited supervision and understand audit methodology and
documentation.
For the purpose of assessing staff fit for this engagement (and estimating hours), service providers should
assume that external staff will need to understand and document controls by working with County personnel
rather than obtaining a clean listing of controls from existing documentation or prior audits. Service providers
should assume Governance, Risk, and Compliance (GRC) software is not available. Service providers should
assume that external staff may not run automated scanning tools in the County’s IT environment. Service
providers should assume the use of Artificial Intelligence (AI) will not be permitted in conducting this work.
Beyond the IT audit program, there may be times when IA needs staff augmentation to complete additional
internal audits of County operations. This will depend on the County’s annual audit plan, risk assessment, and
available resources, at IA discretion. It is important that the service providers have internal audit experience.
II. SCOPE OF WORK
IA reasonably expects the IT audit program to cover activities in three to four control areas in a typical year with
a combined total that may exceed 70 controls. Based on prior experience, IA expects total hours to range from
approximately 1,200 to 1,400 hours each year including any hours allocated for engagements beyond IT audit.
This includes all resources/positions and all requirements described. This is only an estimate for planning
purposes. Actual hours may vary based on operations and risk. Service providers should provide estimates
based on experience as well as the expectations outlined in this document.
External staff will analyze and evaluate controls under IA’s general supervision. The County does not anticipate
using significant partner or managerial resources from the successful service provider. IA expects to allocate IT
audit work throughout the year to minimize disruption to departmental operations and accommodate
departmental work schedules to the extent possible. Audit work will be performed according to schedule or on-
demand, depending on business needs.
The successful service provider should be prepared to provide in-person staffing. At IA discretion, hybrid or
remote work may be approved for specific resources. Audit work will be completed at County offices located in
Lawrenceville, GA within two miles of the Gwinnett Justice & Administration Center (GJAC), although fieldwork
may occasionally be conducted at other operational locations within the County. The County will not reimburse
external staff for travel to or from the service provider’s office.
General Expectations
External staff will be expected to work closely and collaboratively with County employees in all phases of the
audit. All work papers, notes, emails, documents, and any other audit evidence belong to the County and must be
available to IA throughout the audit for ongoing review and document retention. All audit documentation will be
housed and managed in an online project management portal provided and owned by IA, with permissions
granted to external staff. External staff will be expected to exercise project management and time management
skills to complete engagements within budgeted time frames. External staff should keep the management team
up to date on any issues that may impact the completion of a timely audit. External staff must engage in the IA
Quality Assurance process and produce deliverables to IA standards.
Staffing
External staff must have the technical expertise, audit experience, and professional acumen to successfully audit
IT and other operational controls. External staff must be able to effectively apply relevant auditing concepts such
as audit risk and sampling to ensure audit quality and reliability. External staff must be prepared to conduct
hands-on, manual testing and analysis that does not rely on the use of automated tools. External staff should be
adept at communicating technical concepts to audiences without relevant technical background, both verbally
and in writing. External staff should be adept at engaging in discussion that may include detailed questions,
constructive criticism, or differences of opinion. Proficiency in SharePoint is desired.
IA is seeking service providers who already have a presence in-state and local staffing availability.
IA may need staff with various levels of experience and billable rates throughout the year to achieve audit plan
goals and manage costs. The successful service provider will be required to maintain and follow a resource plan
approved by IA. Staffing levels and expertise may vary depending on the engagement scope, type and phase of
audit work, technical requirements, and available budget. The following is a summary of anticipated staffing
requirements:
IT Senior Auditor
- Four or more years of recent experience conducting IT audits or internal audits, including three years
leading IT audits.
- Experience conducting IT audits for at least three different medium to large client organizations.
- Active ISACA certification as a Certified Information Systems Auditor (CISA) preferred. CISA certification
may be substituted with Certified Internal Auditor (CIA) or Certified Public Accountant (CPA) credentials
with sufficient, relevant IT audit experience.
- Demonstrated mastery of IT audit principles.
- Demonstrated success forming and sharing evidence-based results with clients.
IT Staff Auditor (As needed)
- One to three years of recent experience conducting IT audits or internal audits.
- Relevant professional certifications desired.
IT Audit Manager or Director (Security Expert)
- Five or more years of experience evaluating IT security controls and providing specific IT security
recommendations, including three years leading formal IT security reviews or audits.
- Industry or governmental experience in managing IT operations desirable.
- Active certification as a Certified Information Systems Security Professional (CISSP) and/or Certified
Information Security Manager (CISM).
- Demonstrated cybersecurity and network security expertise, including knowledge of the latest risks,
threats, and tools.
- Preferred: Offensive security (penetration testing) experience and/or certification as Offensive Security
Certified Professional (OSCP) or Certified Ethical Hacker (CEH).
- Expertise in specific areas of Information Security as needed.
Senior Internal Auditor (As needed for non-IT engagements)
- Four or more years of recent experience conducting internal audits, including two years leading internal
audits.
- Experience conducting internal audits for medium to large client organizations.
- Active Certified Internal Auditor (CIA), Certified Public Accountant (CPA), or Certified Fraud
Examiner (CFE) certification.
- Demonstrated mastery of internal audit principles.
- Demonstrated success working with clients.
The total number of audit hours per year is expected to be 1,200-1,400. The IT Senior Auditor will be the primary
resource on most audits and should have sufficient IT security knowledge to successfully conduct engagements
without additional expertise or extensive oversight. To promote efficiency, an IT Staff Auditor may be used as
appropriate to request data and test controls with general supervision. The IT Audit Manager or Director (Security
Expert) may be used for consultation or participation in walkthroughs and test design as needed in certain areas.
For planning purposes, IA anticipates approximately 50-150 hours for the Manager or Director.
External staff should have sufficient tenure with respondent service provider to validate expertise and work
product quality.
Project Management
IA generally schedules assignments based on the annual audit plan. However, some engagements could occur
or change on short notice. The County may also modify or cancel engagements based on business needs and
risks to critical services. The County requires the capability and flexibility to respond to schedule changes. Service
providers should possess sufficient depth of qualified resources.
This staff augmentation model is not expected to involve a multi-layered approach from the service provider. IA
expects external staff to produce clear and accurate deliverables with minimal need for review. IA will internally
designate an IT Audit manager to oversee work product quality and delivery, working closely with external staff.
Depending on audit work and available resources, IA may designate an additional County employee to work
alongside external staff as IT senior auditor. IA personnel assigned to the engagement should be copied on all
engagement communications and invited to all meetings.
The service provider must not assign staff to this contract with an expectation of full-time utilization or future
full-time placement. The service provider must inform any staff assigned to this engagement that hours will vary.
It is up to the service provider to manage its internal resources to balance workloads and billing.
External staff will submit detailed time summaries to support billing. IA should approve the resources' time
cards prior to submission for billing. Time summaries should be consistent with audit progress and deliverables
as visible in the IA project management tool. Service providers should not expect to bill a flat number of hours
per week, as workloads can vary throughout audit phases. Time summaries will be reconciled to invoices and used
for planning purposes.
The County has found that continuity of staffing is important based on departmental feedback as well as IA
experience. Successful performance requires ongoing collaboration with County personnel and an understanding
of County-specific risks and controls. Excessive turnover may result in waste and/or disruption to the project.
The awarded service provider will be responsible for re-work or onboarding resulting from turnover of service
provider personnel assigned to Gwinnett during an engagement.
Deliverables and Performance Expectations
External staff must exercise sound judgment and be adept at successfully working in a diverse environment with
employees from all organizational levels. Audit objectivity is paramount, but audits should also be collaborative
and contain results and recommendations that are fully vetted with control owners to ensure quality and
relevance.
Typical IT and internal audit activities and deliverables may include, but are not limited to the following:
• Develop a risk control matrix (RCM) tailored to the County operations in scope. Include a preliminary
assessment of risk for each control and suggested test plans. Confirm controls with management and add
or adjust controls according to IA and management input. Submit the RCM to IA for approval prior to starting
test work.
• Prepare detailed control narratives using information gathered at each interview, walkthrough, or observation.
• Formulate and perform test plans for review and feedback from IA and the department. Effectively manage
data requests to obtain timely and sufficient data while minimizing disruption to departmental operations.
Follow IA sampling and data request standards.
• Document test procedures and results with logical conclusions supported by evidence. Use the IA project
management tool to document all outputs from the assessment.
• Promptly review each potential finding or issue with departmental management and determine its root cause.
Develop practical and cost-effective recommendations to remediate control deficiencies. Maintain a list of
the issues, the risks the issues pose, and recommendations. Track remediation statuses at least quarterly
and validate corrective action with evidence.