GRAND RIVER DAM AUTHORITY
RFQ/RFP# 9461
Solicitation Cover Page
1. Solicitation #: 9461
2. Solicitation Issue Date: 6.16.26
3. Brief Description of Requirement:
The Grand River Dam Authority is seeking responses for Audit Services – Information Technology
4. Response Due Date: 7.6.26 Time: 2:00 P.M. CDT
5. Contracting Officer:
Name: Melissa Rickman
Phone: 918.370.6969
Email: melissa.rickman@grda.com
Grand River Dam Authority is an agency of the State of Oklahoma.
GRDA Engineering & Technology Center • 9933 E 16th Street • Tulsa, Oklahoma 74128 •918-256-5545
Request for Proposal
Audit Services – Information Technology
I. SCOPE OF WORK
The Grand River Dam Authority (the “Authority” or “GRDA”), a non-appropriated state
agency, was created by the State of Oklahoma in 1935 as a conservation and reclamation
district. The Authority has the power to control, store, preserve, and distribute the waters
of the Grand River and its tributaries for any useful purpose and to develop and generate
water power, electric power, and electric energy within the boundaries of the Authority
and to buy, sell, resell, interchange, and distribute electric power and energy.
GRDA’s Information Technology (IT) team formally adopted and implemented 117 of
the safeguards from the CIS Critical Security Controls - version 8 framework (see
enclosed document identifying the safeguards). The Internal Audit Services (IAS) team is
seeking proposals from qualified firms to provide professional IT assurance services on
the effectiveness of this implementation. The engagement shall be performed in
accordance with the Global Internal Audit Standards, including all relevant elements of
the Cyber Security Topical Requirement, with work anticipated to begin October 1,
2026.
II. INSTRUCTIONS FOR SUBMITTING A PROPOSAL
Proposals must be emailed to Melissa Rickman (melissa.rickman@grda.com) by July 6,
2026 . All questions and correspondence should be directed to her no later than June 29,
2026. Contact with GRDA personnel other than Ms. Rickman regarding this RFP may be
grounds for elimination from the selection process.
III. DELVERABLES
The Respondent selected will be responsible for the following:
• Conducting an entrance conference with the key stakeholders from IT and Internal
Audit Services
• Developing a formal audit objective, audit plan and virtually discussing them with the
Director of Internal Audit Services prior to execution
• Providing written status updates biweekly via email to the Director of Internal Audit
Services
• Developing and discussing draft audit results with the Director of Internal Audit
Services, including:
Executive summary
Detailed observations with risk ratings
• Recommendations for improvement and an overall conclusion
• Presenting the audit results to IT senior management and the Director of Internal
Audit Services as well as addressing questions
• Seeking and incorporating management’s responses to recommendations into the
final work product
• Providing an electronic version of the final work product to the Director of Internal
Audit Services.
IV. PROPOSAL REQUIREMENTS
There shall be six (6) parts to the proposal;
1. Qualifications - The Respondent should state the size of the Respondent firm, and nature
of the professional staff to be employed in this engagement. The principal supervisory
and management staff, including engagement partners, managers, and other supervisors
and specialists, who would be assigned to the engagement, should be identified. Describe
the IT auditing experience of each person. The engagement team must include certified
professionals holding one or more of the following credentials: Certified Internal Auditor
(CIA); Certified Information Systems Auditor (CISA); Certified Information Security
Manager (CISM); or Certified in Risk and Information Systems Control (CRISC).
2. Experience and References– The Respondent must have a minimum of five (5) years of
experience performing audits of a similar nature and have completed at least three (3)
information technology audits within the last three (3) years. Preference may be given to
Respondents with specific experience in evaluating the CIS Critical Security Controls
framework. These audits should be conducted in accordance with Global Internal Audit
Standards or the International Standards for the Professional Practice of Internal
Auditing.
Identify the scope of work, date, engagement partners, total hours, and the name and
contact information of the principal client contact.
3. Cost Proposal - Provide a total all-inclusive maximum price to complete the engagement
including all direct and indirect costs including all out-of-pocket expenses. Include a
schedule of professional fees and expenses that supports the total all-inclusive maximum
price. Out-of-pocket expenses for Respondent personnel (e.g., travel, lodging and per
diem) will be reimbursed for itemized actual and necessary expenses (with detailed
supporting receipts). All expense reimbursements will be charged against the total all-
inclusive maximum price submitted by the Respondent. The Authority will not be
responsible for expenses incurred in preparing and submitting responses to this proposal.
Such costs should not be included in the proposal.
4. Engagement Letter- Provide a sample format engagement letter that may be similar to
what would be used for this engagement along with any supplemental terms and
conditions. Please note that state law prohibits the Authority from entering into contracts
with indemnification and/or limitation of liability provisions. The agreement shall be
governed in accordance with the laws of the State of Oklahoma.
5. Certificate of Non-Collusion and Business Relationships - Submit the provided
Certificate of Non-Collusion and Business Relationships affidavit with the proposal.
6. Insurance Requirements – Commencing with the performance of the Services and
continuing until the earlier of acceptance of the Services or termination of this
Agreement, Respondent shall maintain the following types of insurance coverage with
limits as indicated below. All insurance required in this Agreement shall be obtained
from insurance companies that are duly licensed or authorized in the State of Oklahoma
and rated A– or better by A.M. Best Company or otherwise reasonably acceptable to
GRDA.
6.1.1 Workers' Compensation
Workers’ compensation insurance sufficient to meet Respondent’s obligations
under the laws of the State of Oklahoma and any other state where the Services
are being performed, including employer’s liability coverage for injury, disease
and death with coverage limits of at least One Million Dollars ($1,000,000) per
accident and per employee/policy limit by disease.
6.1.2 Commercial General Liability
Commercial general liability insurance (including contractual liability coverage)
on an occurrence basis for bodily injury, death, “broad form” property damage,
and personal injury, with coverage limits of at least One Million Dollars
($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the
aggregate.
6.1.3 Professional Liability Insurance
Professional liability insurance with limits of at least One Million Dollars
($1,000,000) per claim and in the aggregate covering Respondent against sums
which Respondent may become legally obligated to pay on account of
professional liability caused by negligent acts, errors, and omissions during the
performance of this Agreement.
6.1.4 Excess Liability
Excess Liability or Umbrella Insurance coverage written over the underlying
employer’s liability, commercial general liability, and professional liability
insurance described above on an occurrence form with a limit of at least Three
Million Dollars ($3,000,000) per occurrence and aggregate.
6.1.5 Certificates
This is the opportunity summary page. It provides an overview of this opportunity and a preview of the attached documentation.