INVITATION TO TENDER for the INTERNAL AUDIT OF AFRICA RE’S INFORMATION TECHNOLOGY

Lagos, Nigeria
Closing date for applications: 2021-05-31


Summary

1. BACKGROUND ON COMPANY STRUCTURE

Established in 1976 by 36 member States of the African Union and the African Development Bank Group (AfDB), the African Reinsurance Corporation (AFRICA RE), the leading reinsurance company in Africa and the Middle East, is a pan-African financial institution whose shareholding is split between African (75%) and non-African (25%) investors. The African shareholding comprises 41 African states, the AfDB, and more than 117 African insurance / reinsurance companies from the 41 member countries. Headquartered in Lagos (Nigeria), Africa Re has a continental network of regional and local offices in Lagos (Nigeria), Casablanca (Morocco), Nairobi (Kenya), Abidjan (Côte d’Ivoire), Ebène (Mauritius), Cairo (Egypt), Addis Ababa (Ethiopia) and Kampala (Uganda), as well as two subsidiaries: Africa Re (South Africa) Ltd in Johannesburg and Africa Retakaful Ltd in Cairo (Egypt).

2. CURRENT INFRASTRUCTURE OF THE INFORMATION TECHNOLOGY

Africa Re has invested in an IT infrastructure upgrade with a primary data center in Lagos, Nigeria and a redundancy / recovery site in Casablanca, Morocco. Both sites are hosted by third parties. All eight regional and local offices of Africa Re and the two subsidiaries connect to either the primary data center or the recovery site via dedicated VPN links. All core business applications are implemented at both the primary and recovery sites, and the data is mirrored continuously between them. The regional office and subsidiary locations maintain their own network infrastructure and communication systems so that they can connect to either the primary or the recovery data center. The Corporation has also outsourced the hosting of its email system and website to two different offshore companies, each with its own redundancy sites.

However, important changes will take effect by the beginning of the audit.

The Corporation recently subscribed to a Software-Defined Data Center (SDDC) on VMware Cloud on Amazon Web Services (AWS). The VMware Cloud on AWS is an integrated cloud offering jointly developed by Amazon Web Services (AWS) and VMware. The benefit to the Corporation is that it allows us to continue to run our traditional virtualization servers and workloads in the AWS cloud while providing us scalability and efficiency with direct, high-speed access to AWS services.

The Corporation will then have two such data centers: the London SDDC, which is the primary, and the North Virginia (USA) SDDC, which is the secondary. The purpose of the two SDDCs is to provide a disaster recovery platform for the Corporation, as data is continually replicated between them. The advantage is that, in the event that one SDDC is down, business operations can be failed over to the second SDDC so that production continues.

In addition to the above, the Corporation has subscribed to the Citrix Cloud solution and has integrated it with the SDDC. We currently use the Citrix platform to deliver the SICS business applications to users, although SICS is still in the implementation stage.

The Citrix platform also has the capability to securely deliver existing production applications to users so that they can access them from anywhere and at any time, thereby boosting productivity.

3. OBJECTIVES OF THE INTERNAL AUDIT

The Consultant or Consulting Firm, hereinafter both referred to as the “Consultant”, who shall perform the Internal Audit is expected to conduct a comprehensive review of the entire ICT infrastructure, systems and applications of the Corporation, its subsidiaries, and its Regional and Local Offices.

The Consultant will be required to adhere to the terms of reference stated below and, where necessary, expand the scope.

4. SCOPE OF THE WORK

The ICT Internal Audit will include, but not be limited to, the following:

1) IT Governance and Management Audit

a) Alignment of IT and business strategy

b) Delivery of IT services in line with business requirements

c) Long-term and short-term IT strategies

d) Review of IT Budgeting process

e) IT organization, policies, and processes

f) IT human resources management

g) IT performance monitoring and reporting

h) IT risk management, and its integration in the Corporation’s Enterprise Risk Management

i) Necessity of implementing an IT Service Management System, such as ITIL or ISO 20000, and advice on the appropriate system for the Corporation and the best way to implement it

2) Review of the operating systems (OS) of applications, databases and network equipment

a) Logical access controls

b) User access management & security

c) Set up and maintenance of system parameters

d) Patch and update management

e) Benchmarking of security configuration

f) Network access control

g) Intrusion prevention & detection systems

3) Review of application and database security

a) Logical access controls

b) User access management & security

c) Set up and maintenance of system parameters

d) Patch and Update Management

e) Benchmarking of security configuration

4) Review of processing integrity (input/processing/output) and reliability of data for the Corporation’s accounting and technical applications

a) Program library, documentation and record management

b) Input and origination controls

c) Processing, file & output controls

5) Review of IT Processes and operations

a) IT asset management (acquisition and disposal of IT equipment)

b) Help Desk

c) Information systems acquisition, development, and maintenance

d) IT incident management

e) Network performance management

f) Backup & media management

g) Enterprise antivirus management

h) Vendor selection

i) Third-party service delivery management

6) Security Management

a) Information security roles and responsibilities (the Corporation is not ISO certified, so this will be more of a gap analysis between the current situation and ISO)

b) Vulnerability management practices

c) Applications security configurations & management

d) LAN and Wireless LAN security

e) Mobile computing security review

f) Physical security review

g) Security training and awareness

h) Internal and external intrusion tests under black-box and white-box conditions

7) IT continuity audit

a) DR plans and their testing (a business continuity plan is not only an IT issue; it requires a separate plan)

b) DRP sites and locations

c) Communication and awareness of the DRP

8) Review of the existing policy documents of the Corporation, such as the IT Policy, IT Standard Operating Procedures, IT Security Policy, etc., with suggestions for required changes.

5. DELIVERABLES

The audit assignment is anticipated to take place between June and July 2021.

One week after the confirmation of selection, the Consultant must submit an Assignment Letter to the Corporation for discussions and possible amendments before the opening meeting.

One week after the beginning of the fieldwork, the Consultant must provide a description of the Corporation’s IT system and a risk assessment. Subsequently, progress reports are expected each week.

At the end of the fieldwork, the Consultant shall hold an exit meeting and issue a Draft Report for comments by the auditees. At a minimum, this draft report must include:

• An Executive Summary

• A Detailed Report highlighting the findings, criteria, impact / risks, causes, and recommendations

• An Intrusion Test Report

One week after receiving comments from the Corporation, the Final Report should be submitted.

6. EVALUATION PROCESS AND SELECTION CRITERIA

Responses to this request for proposal (RFP) will be evaluated and scored based on the following criteria:

a. In-depth knowledge of the Reinsurance/Insurance industry gained through the provision of IT audits and relevant consulting services.

b. In-depth knowledge of the International Professional Practices Framework (IPPF) of Internal Audit.

c. In-depth knowledge of the control frameworks developed by ISACA, mainly in assurance, governance, risk and innovation, and information and cybersecurity.

d. Experience and expertise in IT audit, demonstrated by similar projects delivered previously.

e. Organization and staffing of the proposed project team.

f. Proposed cost.

g. Certified financial information provided.

h. Quality, clarity, and presentation of the proposal.

7. PRESENTATION OF TENDER

To facilitate the analysis of responses, the responding firms are required to prepare their proposals following the instructions outlined in this section. Proposals that deviate from these instructions may be disqualified at the discretion of Africa Re.

Proposals should be clear, accurate, comprehensive, and should provide a straightforward, concise description of the consulting firm’s capabilities to meet the requirements of the RFP.

All parts, pages, figures, and tables should be properly numbered and labeled. The proposals should be organized into the following major sections:

...please download full RFP below for more...

Proposal Submission Deadline: 31 May 2021

• RFP for Internal Audit of Africa Re's Information Technology (PDF, English, 630 KB)