
Oregon State Treasury Internal Audit Services

Request for Proposal

For Information Technology Internal Audit Services

Issued 03/05/2013

Proposal due by 4:00 pm PST, on 04/26/2013

“Providing value-added, professional auditing and consulting services to the management of the Oregon State Treasury for the benefit of the agency and its stakeholders.”

Chief Audit Executive: Byron Williams, CPA, CIDA

Senior Internal Auditor: Mary Krehbiel

Request for Proposal Information Technology Internal Audit Services

I. INTRODUCTION

A. Purpose

The purpose of this Request for Proposal (RFP) is to acquire the services of a highly qualified, independent contractor to conduct IT Internal Audit work for the Office of the Oregon State Treasurer. The selected contractor will work with the Treasury Chief Audit Executive to develop and execute the annual audit plan in a series of audits starting in July 2013 lasting through June 2019.

B. Oregon State Treasury Background

Oregon State Treasury

Oregon State Treasury (Treasury) has roughly 85 employees, 140 workstations, and 60 servers. In addition to Treasury’s main Salem office, there are three offsite locations supported by internal IT services: the State Treasurer’s offices in the State Capitol Building; investment offices in Tigard, Oregon; and a data backup site in Liberty Lake, WA. It is expected that on-site work will occur primarily at the main Salem office.

Treasury has adopted ISO 27000 as its security standard. As the state’s largest financial institution, Treasury maintains a significant amount of sensitive financial and personal information, classified as level 3 information. Although we have not formally adopted a standard above ISO 27001, 27002, and 27005 as formal security standards, the majority of PCI DSS controls would be applicable to this type of information.

Finance Division

The Finance Division provides banking services for Oregon state agencies and local governments. The division manages over 13 million financial transactions annually – including cash deposits, electronic fund transfers and check issuances – with over $120 billion flowing in and out of the division each year.

Investment Division

The Investment Division manages a portfolio with a market value of approximately $75 billion. The division manages the Oregon Public Employees Retirement Fund, the State Accident Insurance Fund, the Oregon Short Term Fund, and numerous smaller funds.

Debt Management Division

The Debt Management Division provides central coordination for all state-issued debt. The division monitors local and national bond markets as well as financial and economic trends that influence bond issuance structures and interest rates.

Information Services Division

The Information Services Division is the information technology management center for Treasury. The division designs, develops, and maintains computing infrastructures that support Treasury’s business operation. The Information Services Division provides networks, applications, databases, telecommunications, and other IT support services to conduct business between Treasury, state agencies, local governments, banks, and other financial institutions.

Executive Division

The Executive Division coordinates policy development, strategic planning, legislative initiatives, communications, internal audit, information security, human resources, and budget.

Internal Audit Services

The Internal Audit Services (IAS) department for Treasury currently consists of two FTE that provide independent, objective assurance and consulting services to Treasury management. Audits are conducted in conformance with Generally Accepted Government Auditing Standards and the International Standards for the Professional Practice of Internal Auditing. Auditors utilize TeamMate for audit management and IDEA for data analysis.

C. Treasury Business Systems and Information Technology Department

Treasury’s IT division is involved in all aspects of Treasury business operations. The division is currently comprised of 14.5 FTE split between IT management, Application Services, Database Services, Network Services, and User Support. All systems are Windows-based, and SQL Server is the database standard. In-house applications are written in PowerBuilder, VB.NET, or C# and include both client-server and web applications.

Major Applications

Treasury has a number of commercial, off-the-shelf (COTS) applications as well as applications that have been developed in house. The majority of the applications that are managed in-house relate to banking services provided by the Finance Division. At the center of the banking function is the Phoenix application from Harland Financial Solutions. Treasury is currently upgrading to version I5. Treasury has built an application called “Operations App” that serves as middleware between Phoenix and external systems. This application serves a number of purposes, including task initiation and management, validating and reformatting transaction files, and extracting data for reports. There are a number of external systems that Operations App interfaces with. These include, but are not limited to:

Data Comm – Transmits and receives files, manages daily file housekeeping tasks

Checks – Handles redeemed checks/warrants processing and matching to the state’s accounting system.

TES – Handles manual entry of financial transactions and enforces Treasury specific rules

Online Banking – This application provides online statements to state and local government customers.

State Treasury ACH Network – A COTS product suite for handling ACH origination, received transactions, and returned items.

Local Government Investment Pool – A customized off-the-shelf product that provides telephone-banking capabilities.

Two systems that do not integrate with Phoenix are the separately maintained Public Funds Collateralization Programs for both Banks and Credit Unions. These systems collect data from Banks and Credit Unions to determine total public funds deposits and required collateral levels, as well as to provide related reporting to participants. A third stand-alone system is the Employee Services System, which tracks employee training, evaluations, and development plans. There are a number of smaller systems, some of which interface with Phoenix or related applications.

D. RFP Schedule

March 5, 2013 RFP issued.

March 27, 2013 Notification of Intent to Bid Requested

March 29, 2013 Requests for clarification or exceptions due at Treasury offices by 4 p.m.

April 26, 2013 Proposals due at Treasury offices by 4 p.m.

May 17, 2013 Evaluation of proposals completed and recommendation for the finalist made.

May 31, 2013 Announcement of successful proposer.

July 1, 2013 Engagement work commences or start date is agreed to.

II. DESCRIPTION OF REQUIRED SERVICES

A. Scope of Work

The primary goal of the work to be conducted under this contract is to provide value-added internal audit services specific to IT for Treasury. The contract will be awarded for a six-year period. The audit plan will be determined annually based on the annual risk assessment performed by the contractor in conjunction with the Chief Audit Executive (CAE). An integrated approach to IT auditing will be used as needed on engagements. Treasury may request non-IT staff to conduct portions of engagements that cover business operations. It is expected that audits will be performed on a three-year cycle, with more frequent reviews performed as determined necessary. The results of prior audits will be available to the selected vendor as necessary.

The successful respondent will provide specialized skills as well as industry and subject matter knowledge to perform engagements. The selected firm shall apply industry best practices and methodologies using applicable Information Technology frameworks and standards (e.g., Control Objectives for Information and related Technologies [COBIT], Information Technology Infrastructure Library [ITIL], Value IT [Val IT], National Institute of Standards and Technology [NIST]). Engagements should be planned to incorporate a “knowledge transfer” process inclusive of the Treasury Internal Audit department.

All responding firms must meet the highest standards of professional competence and ethics. All audits must be completed in compliance with the then-current Government Auditing Standards as issued by the US Government Accountability Office. It is expected that reviews of applications will be coordinated with Treasury staff to allow an integrated approach that reviews both IT activities and the business process when applicable. As applicable, during each engagement, the respondent shall evaluate the efficiency and effectiveness of current IT services and infrastructure in meeting current and anticipated future business needs. This evaluation may include:

a. The appropriate internal IT staffing and skill levels

b. The risks, costs and benefits of increasing or decreasing the use of commercial, off-the-shelf (COTS) applications

c. The risks, costs and benefits of increasing or decreasing the use of applications developed in-house

d. The availability, risks, costs and benefits of utilizing “cloud” computing resources

e. Other issues that relate to the efficiency and effectiveness of IT services and infrastructure

It is anticipated that services will be required for the following subject matter areas:

1. Information Technology Governance - Anticipated services include the evaluation of controls over components of IT governance including:

a. Organization and governance structures

b. Strategic and operational planning

c. Service delivery and measurement

d. IT organization and risk management

2. System Development Life Cycle Management - The firm will evaluate the SDLC methodology in place at Treasury and determine if completed projects contain documentation that illustrates compliance with the methodology.

a. Benchmark methodology against required phases and key elements

b. Evaluate compliance of projects with SDLC methodology

3. Information Security Governance - The firm will design audit procedures to evaluate controls over management's governance activities specifically related to the governance of information security. Considerations will include:

a. Benchmark against security governance standards

b. Information security governance strategy and alignment with business objectives

c. Information security risk management

d. Information security resource management

e. Performance measurement and reporting

4. Data Management - Data Management considers ensuring the integrity and security of enterprise data. The anticipated services include the evaluation of risks and corresponding controls for data management activities including:

a. Data governance

b. Data architecture

c. Data security and privacy

d. Data quality and integrity

e. Assessment of adequacy to current business requirements

5. Change and Patch Management - Change and patch management includes the processes executed and designed to manage enhancements, updates, incremental fixes and patches to production systems. The firm will assist in evaluating risks and corresponding controls for change and patch management activities including:

a. Policy and process documentation

b. Metrics and indicator monitoring

c. Change management lifecycle

d. Communication and coordination

e. Scoping of assets subject to management

6. Network Infrastructure Administration - Network infrastructure administration includes network management and support of network systems. The firm will assist in evaluating risks and corresponding controls for activities such as:

a. Network device configuration management (servers, routers, firewalls)

b. Intrusion prevention and detection

c. Network perimeter configuration and monitoring

d. Wireless and remote access administration

e. Virtual private network (VPN) encryption management

f. Backup and recovery including disaster recovery (Including an on-site review of the data backup site)

7. Identity and Access Management - Identity and access management (IAM) considers the operational management of access to information throughout the organization. The firm will evaluate risks and controls over organization-wide identity and access management activities including:

a. Tracking and recording of IAM activity

b. Segregation of duties

c. Non-person (functional or service) accounts

d. Enforcement activities

e. Privileged account management

8. End-User Computing - End user computing involves the use of department-developed spreadsheets and databases for forming the basis of reporting, driving transactions, and data used in performing critical tasks. The firm will evaluate risks and controls for end-user computing considering:

a. Management oversight processes

b. Training and awareness

c. Security and access control (version control, change control, password access and protection)

d. Development life cycle and testing

9. Penetration Testing - Penetration testing involves evaluating the security posture against a simulated attack. The firm will conduct testing including:

a. External Network Penetration Testing

b. Internal Network Penetration Testing

c. Web Application Penetration Testing

d. Incident Response Testing

e. Social Engineering

f. Physical Security Testing

10. Risk Assessment - Evaluation of the IT audit universe and design of the annual audit plan. The firm will assess the risks specific to IT including:

a. Establish IT Audit Universe

b. Conduct interviews with IT management and relevant business management

c. Document key processes and controls related to IT

d. Evaluate the design of key operational controls

B. Annual Audit Plan

Year 1: The goal of the first year of audit work is to develop a baseline understanding and documentation of the Treasury IT services program. The first engagement will be for the selected vendor to develop an IT risk assessment. It is expected that this risk assessment will be more in-depth than in future years due to the need to develop sufficient baseline documentation. This assessment will be updated by June 1 in preparation for the annual audit risk assessment. The remaining two engagements for the year will include 1) an assessment of the design of entity-wide IT controls and 2) a review of IT governance practices.

Years 2-6 Annual Deliverables: On an annual basis, the contractor shall complete an IT risk assessment. The contractor will work with the CAE to define the IT Audit Universe, and then conduct the necessary work to produce a risk assessment of the IT Audit Universe. The Risk Assessment process must include a test of the design of entity-wide IT Controls. Based on the results of the risk assessment, an audit plan will be developed. It is anticipated that one to three engagements will be performed per year. These engagements should be segmented so that all high-risk areas are covered at least once every three years.

C. Reporting

Each engagement will require an audit report. Engagement reports must include sections for engagement results, including any auditor conclusions, findings and recommendations, criteria and/or requirements, objectives, scope and methodology, and management’s response. The report will document the prioritized list of risks and recommendations for improvement. Engagement reports will be issued in the firm’s name. Treasury Internal Audit Services uses TeamMate to track audit findings and follow-up. The selected contractor will be required to provide sufficient detail to complete the necessary fields in the software as established by Internal Audit Services.

In addition, if a report contains details exempt from public disclosure, such as information security details, the engagement will also require an Executive Summary Report. The Executive Summary must contain an overview of tests and test results. Significant findings will be highlighted in the summary and include items that Treasury is performing well and items that need improvement. The summary will be written in language appropriate for executive management and legislature understanding. The report must include clear information on potential impacts and likelihood of occurrence of any significant findings. This report will be provided to agency management, legislative leaders and staff, as well as interested third parties. The report shall be addressed to the Oregon State Treasurer.

At the completion of the annual risk assessment, a report shall be provided to the Chief Audit Executive outlining the work performed and the results of the risk assessment. This report shall be used to help prepare the OST Internal Audit Annual Assessment Report. A formal audit report with signature is not required for the risk assessment as the work will be incorporated into the report prepared by the CAE.

The contractor will be required to provide three bound and numbered copies of all reports, properly marked as confidential as necessary, as well as electronic copies of each report. The contractor will be required to be available via phone for audit committee meetings to present the results of each engagement and any necessary follow-up from prior engagements. Currently the Treasury audit committee meets six times per year. On-site presentations to the audit committee and management are expected to be minimal, and will be discussed on a case-by-case basis. All reports provided are subject to disclosure under Oregon’s public records laws, although sensitive or security information may be redacted as allowed by law.

D. Engagement Work Timeline

The Treasury internal audit year runs from 7/1 through 6/30. The annual Risk Assessment shall be completed no later than June 1 of each year, to establish the work plan for the following year. The audit plan for the first year has been established in B above. All remaining work can be performed during the year at a time determined in conjunction with Treasury. Due to the time- and information-sensitive nature of work performed at Treasury, audit work must be coordinated with IS managers so as not to interfere with daily work production. Work may be performed on-site or remotely as determined necessary.

E. Staffing

During the term of the contract Treasury will provide the contractor access to Treasury personnel and records necessary to complete the engagement work. Access will be coordinated with Treasury’s Chief Audit Executive and IT managers as appropriate. Treasury’s Internal Audit Services shall allocate part of their time to assisting with the review. This will benefit the contractor due to their knowledge of the agency and its operations and allow Internal Audit Services to obtain more detailed knowledge of the testing performed. Treasury requires all contractor employees working on the engagement to sign confidentiality agreements and be prepared to present evidence that all staff working on the engagement have had background checks conducted by the Contractor. Prior to beginning each engagement, the contractor will provide Treasury with the staffing assigned to the engagement. Treasury retains the right to request staffing modifications as it feels necessary.

F. Status Reporting

The contractor will report orally or in writing, as requested, to Treasury’s Chief Audit Executive at least quarterly. For each engagement, the Contractor will establish an update meeting schedule with Treasury’s Chief Audit Executive as determined necessary. These meetings can be conducted in person or via phone as determined necessary.

G. Work Paper Retention

A copy of all process and policy documentation and evaluation work papers created by the contractor will be provided to Treasury and will become part of the internal audit records. All testing will be the property of the contractor, but will be made available to the CAE upon request for review. All materials provided to Treasury are subject to disclosure under Oregon public records laws, although some sensitive or security information may be redacted as allowed by law.

H. Deliverables

1. Prior to beginning any engagement, the contractor will provide Treasury’s Chief Audit Executive with the scope of work and detailed test plan for the engagement for review and approval.

2. Treasury requires that all documentation, including notes, test results, letters, memorandums, and paper or computer files be retained by the contractor for a period of not less than six (6) years from the date of Treasury’s final acceptance of the engagement report from the selected contractor. Treasury will retain copies of all workpapers provided as required in section G according to its record retention schedule.

3. Treasury requires supporting detail for all invoices billed to Treasury for all professional services rendered on a percentage of completion basis in accordance with the Personal/Professional Services Contract. A DRAFT Personal/Professional Services Contract is attached as Exhibit C.

4. Contractor will properly secure all Treasury information. Contractor will not send any potentially sensitive information through a non-secure medium such as e-mail.

5. Contractor will provide all reports, workpapers, and finding details as required above.

III. PROPOSAL REQUIREMENTS

Treasury has the sole discretion and reserves the right to reject any and all proposals received in response to the RFP and to cancel this solicitation if it is deemed in the best interest of Treasury to do so. Issuance of an RFP in no way constitutes a commitment by Treasury to award a contract, or to pay proposer’s costs incurred either in the preparation of a response to the RFP or during negotiations, if any, of a contract for services. Treasury reserves the right to make amendments to the RFP by giving written notice to all proposers who received the RFP, and to request clarifications, supplements, and additions to the information provided by any proposer.

By submitting a proposal or proposals in response to this solicitation, each proposer understands and agrees that any selection of a contractor, or any decision to reject any or all responses or to establish no contract, shall be at the sole discretion of the Treasurer. Additionally, by submitting a proposal, each proposer agrees that it waives any claim against the State of Oregon, the Office of the State Treasurer, and their officers, employees and agents, for the recovery of any costs or expenses incurred in preparing and submitting their proposals. The proposer agrees that the proposal submitted in response to this request is legally binding and shall be an irrevocable offer for the period of 30 days following close of the solicitation, or until a final contract is executed with the successful proposer, whichever is later.

Treasury shall use the proposer’s relevant staff experience, proposal’s costs, personnel time estimates, dates and other related items for evaluating proposals and developing the contract. The proposer agrees that false statements made in a proposal are cause for proposal rejection and terminating contract negotiations or the contract. In recognition of the fact that each proposer will offer a different combination of senior and associate engagement staff, with differing abilities to perform the necessary work as efficiently as possible, Treasury reserves the right to negotiate the contractor's maximum compensation. It is expected that a prospective contractor will be selected and a contract executed. Should a contract fail to be negotiated and executed, Treasury may terminate such negotiations and commence the same with another proposer. Treasury also reserves the right to issue a subsequent RFP if it is believed to be in the best interest of Treasury.

Proposer must substantially agree to the terms and conditions of the sample contract (and corresponding exhibits) attached hereto. Treasury will determine, in its sole discretion, whether a proposer substantially complies with the sample contract. Treasury and a successful proposer may ultimately negotiate the terms and conditions of the contract, provided substantial alteration of the contract does not occur. Any exceptions to the terms of the contract should be submitted to Treasury as an exception in the manner set forth in this RFP.

Treasury generally will not completely review or analyze proposals which on their face fail to comply with the requirements of the RFP or which clearly are not the best proposal, nor will Treasury generally investigate the references or qualifications of those who submit such proposals. Therefore, neither the return of a response, nor acknowledgement that the selection is complete, shall operate as a representation by Treasury that an unsuccessful proposal was complete, sufficient, or lawful in any respect. Treasury may reject, in its discretion, any proposals that fail to meet the proposal contents and submission requirements set forth herein.

Proposers must submit all inquiries for clarification of any of the terms of the RFP to Treasury by 4:00 pm PDT on March 29, 2013. ORAL REPRESENTATIONS MADE BY TREASURY’S CONTRACT PERSON(S) WILL NOT BE BINDING ON TREASURY UNLESS SUCH STATEMENTS ARE CONFIRMED BY WRITTEN ADDENDA TO THIS RFP. Proposers are cautioned that proposal requirements will change only if confirmed by a written addendum to their RFP issued by Treasury. It is the responsibility of the proposer to notify Treasury in writing of any ambiguity, conflict, discrepancy, omission or other error of the RFP that requires clarification or correction by addenda. A Proposer who fails to so notify Treasury shall assume the full risk of such failure and shall not be entitled to additional time or compensation by reason thereof.

Exceptions to any of the terms of this RFP to which proposer will not or does not agree should be presented by the proposer in writing as provided in this section. Such exceptions must be specific. Any terms of the sample contract that the proposer will not accept exactly as set forth should be stated as an exception. Alternative language and a reason for the refusal must be included in the exception. Exceptions to any of the terms or conditions of this RFP and the sample contract must be in writing and delivered to Treasury by 4:00 pm PDT on March 29, 2013. The official contact for submitting questions or exceptions is Byron Williams; he can be contacted at 503-373-1485 or at the following e-mail address: [email protected].

The purpose of the exception period is to permit Treasury to correct, prior to the opening of the proposals, any technical or contractual requirement, provision, ambiguity, or conflict in the RFP and related documents, which may be unlawful, improvident, unduly restrictive of competition or otherwise inappropriate. Unless timely submitted as an exception, any such ambiguity, conflict or problem shall be resolved in favor of Treasury.

A. Minimum Qualifications

The following will be reviewed by the Evaluators to determine whether the proposer has the qualifications to perform the services required by Treasury. Exhibit A is to be completed in affirmation that minimum qualifications of this RFP have been met.

1. As of December 31, 2012, and continuing through the course of the audit, the respondent must be a professional services firm providing internal audit outsourcing services, information technology audits, and advisory services for a minimum of five (5) years.

2. As of December 31, 2012, the respondent is a legal business entity licensed to do business in Oregon, or will become licensed prior to beginning work.

3. Firm and principal professionals are not currently the subject of any regulatory investigation.

4. Firm and principal professionals have not been subject to any sanctions by a regulatory body within the last five (5) years.

5. If applicable, respondent has attached a disclosure of pending litigation and litigation that has been settled or had a judgment issued within the three (3) years preceding December 31, 2012 brought against the respondent by any person or entity for fraud, malpractice, misrepresentation (intentional or negligent), negligence, or similar cause of action.

6. The respondent agrees to disclose all potential conflicts of interest and/or independence impairments at least annually.

7. Using the form provided in Exhibit B, please list at least three references in the subject matter area of IT audits. Preference will be given to work performed for governmental, pension, or financial institution clients. All references should be for work performed within the last three (3) years.

B. Proposal Contents: Technical and Qualifications

Please provide written responses to the following items, which must be included in the proposal and will be used as a basis of selection:

1. Professional Staffing

a. Provide a listing of the proposed personnel that will be responsible for servicing the Treasury relationship and state the roles they will perform. The resume and qualifications of each proposed individual should be included and any professional designations or certifications attained, and mention of any similar projects including the personnel's role on the engagement. Please provide information regarding the accounting, IT audit, and operational IT experience of proposed staff. Preference will be given to staff with applicable designations or certifications, as well as operational experience. The experience and qualifications of the primary contact assigned to Treasury will be a key consideration in the evaluation of proposals.

2. Firm Background

a. Provide contact information for the primary professional that your firm proposes will be responsible for overseeing the services in question:

i. Name of primary professional

ii. Title of primary professional

iii. Tenure of primary professional

iv. Phone number

v. Email

vi. Firm website

b. State how many years the firm has provided IT audit services similar to those requested by this RFP. Response should specifically include the length of time the primary professional has provided IT audit services. Include descriptions of projects within the last three (3) years.

c. Please provide the following information regarding your firm's history and ownership:

i. Firm history.

ii. Legal structure.

iii. Date and place of incorporation. Please also state with which, if any, regulatory authority your firm is registered.

iv. Headquarter locations and/or branch offices that would be providing services under the contract. If the office providing services is not in Oregon, describe how the organization would serve Treasury if awarded a contract.

v. Ownership structure or corporate structure changes over the past five (5) years, including acquisitions, joint ventures, mergers, personnel lift-outs, etc., and any planned changes.

vi. Does your firm serve in a sub-advisory capacity to other firms? Do other firms serve as sub-advisors or outsourced service providers for any of your clients? Please identify such relationships and briefly describe the terms of the arrangements.

3. Operational Due Diligence

a. Independence

i. Does your firm have a written independence policy? If so, who is required to attest to its compliance and how often? Please attach a copy of the policy. If you do not have a written policy, explain how you prevent and address internal or external conflicts and potential impairments of independence.

ii. Disclose any potential impairments of independence, in fact or appearance, which might arise if Treasury were to engage the firm's service(s) for this contract.

b. Regulatory

i. When were your firm's three most recent regulatory examinations or inspections? Is the firm undergoing any routine, targeted or sweep review by a regulatory body such as the PCAOB?

ii. Have any deficiencies been noted in any internal or external (e.g., peer review, PCAOB) reviews? Please include any deficiency letter(s) and your firm's response, and describe any other significant findings and corrective action taken.

iii. Has your firm, affiliate(s), parent company, or any individual aligned with the services under consideration for this RFP (including any officers and/or principals of such entities) been the subject of a regulatory investigation? If yes, please describe the nature of the investigation and status or final disposition.

iv. Has your firm, affiliate(s), parent company, or any individual aligned with the services under consideration for this RFP (including any officers and/or principals of such entities) been the subject of any litigation, arbitration, or legal proceeding, or received any subpoenas related to the provision of audit services? If yes, please describe the nature of the proceeding and the final disposition/status. (If you cannot fully answer the question because of existing court orders regulating the dissemination of information, please note that.)

v. Has your firm, affiliate(s), parent company, or any individual aligned with the services under consideration for this RFP (including any officers and/or principals of such entities) ever been disciplined or sanctioned for substantive misconduct, or a legal or professional violation or misconduct, by any court, federal or state regulatory body or any quasi-judicial or administrative agency, whether by judgment, decree, order, citation, consent decree, or stipulated settlement or resolution? If so, please provide full details for each instance.

c. Training

i. Describe your firm’s training requirements for auditors and specialists, including whether the firm’s training program is designed to be compliant with GAGAS.

4. Firm Methodology & Experience

a. Respondent should describe the specific methodology to be used for the required services identified in section IIA, Scope of Work. In addition to providing the specific methodology, respondent should provide a written response to each of the following questions:

i. Describe the proposed segmentation of the audit(s).

ii. Describe the process that would be used in conducting each of the services described in section IIA of this RFP. Include any expected involvement of Treasury staff beyond those responsibilities stated in this RFP.

iii. Describe the process that would be used in conducting the risk assessment process, and the level of work expected to be performed in the assessment.

iv. Describe how the respondent will maintain and ensure the integrity, confidentiality, and security of Treasury's information.

v. Describe the respondent's approach for ensuring tasks stay on-track and within time and budget constraints.

vi. Describe how the respondent will utilize the Control Objectives for Information and related Technology (COBIT) and Committee of Sponsoring Organizations of the Treadway Commission (COSO) frameworks during each proposed engagement.

b. Describe any experience the respondent has with any of the specific systems listed in Section I C.

c. Describe the firm's experience in supporting internal audit departments with audits of IT governance, risk management, and controls in general, and within a public pension fund, governmental, and financial institutions or similar environments pertaining to required services under section III, Technical Specifications.

d. Describe the firm's experience and knowledge of Government Auditing Standards and International Standards for the Professional Practice of Internal Auditing.

e. Describe the firm’s experience and knowledge of the ISO 27000 family of standards. In addition, please state whether the firm employs ISO 27001 certified lead auditors.

f. Describe the firm’s experience and knowledge of PCI-DSS requirements. Please state if the firm is a Qualified Security Assessor (QSA).

g. Describe the firm’s experience and knowledge of Control Objectives for Information and related Technology (COBIT).

h. Describe the firm’s experience and knowledge of IT Infrastructure Library (ITIL).

i. Describe your firm’s experience and knowledge of requirements of financial institutions, including requirements from the Federal Financial Institutions Examination Council (FFIEC).

j. State whether any subcontractors will be utilized in the performance of the work. If so, provide the name of each subcontractor and a description of the specific services that will be provided.

5. Reporting

a. Describe the types of reports you have provided for similar engagements commonly associated with the services described in this RFP.

b. Provide an example of reporting to management and those charged with governance when performing services similar to those described in this RFP.

c. Provide an example of a risk assessment as it relates to IT.

d. Oregon rules require internal audit reports to contain an overall high, medium, or low risk ranking. Treasury practice is to also assign a risk ranking to individual findings. Describe how your firm would work with Internal Audit Services at Treasury to include these details into reports as well as reporting auditor conclusions as required by The Institute of Internal Auditors International Professional Practices Framework Standard 2410.

C. Proposal Contents: Pricing

Provide your fee proposal based on requirements outlined in section IIA, Scope of Work, of this RFP. Include a "not to exceed" price, professional hourly rates based on staff classification (partner, principal, manager, staff) for both IT and general auditors, and a clear itemization of estimated fees and expenses. All anticipated fees for travel should be included in the itemization. As the number of hours each year may fluctuate, proposers may submit a tiered rate structure based on the total number of hours for the audit year. Any additional work and any reduction in the work, negotiated by Treasury and the Contractor, will be agreed to in writing and will be provided at, or deducted from the contract price in accordance with, the hourly rates specified in the pricing commitment.

D. Conditions

An officer or partner who is authorized to execute agreements on behalf of the proposer must sign each proposal. An unsigned proposal will be rejected. The proposal may be signed by an agent of the proposer only if such agent is a corporate officer and is authorized to sign the proposal and related contract on its behalf; a partner of a partnership who is authorized to sign the proposal and related contract on behalf of the partnership; or if such agent is properly authorized by a power of attorney or an equivalent document submitted to the Treasury prior to the submission of the proposal. A company signature will not be accepted. All submitted proposals shall include a cover letter by an authorized individual. The proposal will be sent in a sealed envelope. All proposals must be received no later than 4:00 P.M., on April 26th, 2013. Proposals, modifications, or addenda to original proposals received by Treasury after the specified time and date for proposal closing will not be considered. The proposer is responsible for ensuring that the proposal reaches the designated place before the time and date set for closing.
Proposers should submit a sealed proposal containing three copies to:

Byron Williams, CPA
Chief Audit Executive
Oregon State Treasury
350 Winter Street, NE, Suite 100
Salem, OR 97310

All proposals become the property of the Treasury. Proposals must set forth full, accurate, and complete information as required by this RFP. Oral instructions or offers will not be considered. No changes will be allowed following the closing, unless it is in the best interest of Treasury to do so. Questions of significance should be directed to: Byron Williams at (503) 373-1485. Proposers shall not contact, directly or indirectly, any other Treasury employee. Contact shall be limited to inquiries and exceptions as set forth herein. Treasury reserves the right to eliminate from consideration any proposer who does not comply with these requirements.

E. Proposal Modifications

Any proposal may be modified or withdrawn by written notice received in the office designated in this RFP at any time prior to the proposal due date, provided the identity of the person withdrawing or modifying the proposal is established and a receipt for the proposal is signed.

F. Contract

The signature of an officer of the proposer’s company who is authorized to execute agreements on its behalf must be affixed, in ink, to all three copies of the contract upon award of the contract.

G. Legal Requirements

See Personal/Professional Services Contract, Exhibit C.

H. Public Records

Proposers are advised that this RFP and three (3) copies of each proposal submitted in response to it, together with copies of all documents pertaining to the award of the contract, shall be filed and subject to public inspection and disclosure under the State Public Records Law (ORS 192.410 and 192.505). An exemption from disclosure is provided for trade secrets. A trade secret is information which:

• is not patented;
• is known only to a limited number of individuals within a commercial concern who have made efforts to maintain the secrecy of the information;
• derives actual or potential economic value from not being disclosed to other persons; and
• gives its users a chance to obtain a business advantage over competitors not having the information.

(See ORS 192.501 (2) and ORS 646.461 - 646.475.) Cost or price information, which must be open to public inspection, may not be included in the exemption.

EACH PROPOSER MUST CLEARLY MARK, AS “CONFIDENTIAL” THOSE PORTIONS OF ITS PROPOSAL, IF ANY, WHICH CONTAIN TRADE SECRETS FOR WHICH THE PROPOSER DESIRES TO MAINTAIN CONFIDENTIALITY, OR ANY OTHER BASIS ON WHICH PROPOSER ASSERTS THAT MATERIALS ARE EXEMPT FROM REQUIRED DISCLOSURE UNDER THE OREGON PUBLIC RECORDS LAW. Proposers must be prepared to advance the reasons why the material is a trade secret. The State agrees to maintain the confidentiality of information which is a trade secret to the extent permitted by law.

I. Confidentiality

Some of the material pertinent to this engagement may be confidential. The firm awarded the contract must maintain confidentiality.

IV. EXHIBITS

Exhibit A Minimum Qualification Affirmations

1) As of December 31, 2012 and continuing through the course of the audit, the respondent is a professional services firm providing internal audit outsourcing services, information technology audits, and advisory services for a minimum of five (5) years.

Yes No

2) As of December 31, 2012, the respondent is a legal business entity licensed to do business in Oregon, or will become licensed prior to beginning work.

Yes No Oregon License No.:

3) Firm and principal professionals are not currently the subject of any regulatory investigation.

Yes No

4) Firm and principal professionals have not been subject to any sanctions by a regulatory body within the last five (5) years.

Yes No

5) If applicable, respondent has attached a disclosure of pending litigation and litigation that has been settled or had a judgment issued within the three (3) years preceding December 31, 2012 brought against the respondent by any person or entity for fraud, malpractice, misrepresentation (intentional or negligent), negligence, or similar cause of action.

Yes No

6) The respondent agrees to disclose all potential conflicts of interest and/or independence impairments at least annually.

Yes No

7) The respondent has provided at least three references in the subject matter area of IT audits, preferably for work performed for governmental, pension, or financial institution clients. All references are for work performed within the last three (3) years.

Yes No

Exhibit B Reference Authorization

Please list at least three references in the subject matter area of IT audits. Preference will be given to work performed for governmental, pension, or financial institution clients. All references should be for work performed within the last three (3) years. This information may be used in evaluating the respondent's capabilities, prior performance, and other indicators of the respondent's probable performance under any engagement resulting from this RFP. Each reference should include company or entity name, address, contact name and phone number, email address and website, dates of service, name of project or contact, and a brief description of the service(s) provided. If three references cannot be provided, please explain. Use additional sheets for references and explanations if necessary. In providing these references, the firm authorizes Treasury to contact any or all of the listed parties. Failure to provide this information will cause your proposal to be rejected.

REFERENCE 1

Reference Company:

Company Address:

City/State/Zip:

Contact Name & Title:

Phone Number:

Email Address:

Project Cost and Duration:

Project Name and Description of Service(s):

REFERENCE 2

Reference Company:

Company Address:

City/State/Zip:

Contact Name & Title:

Phone Number:

Email Address:

Project Cost and Duration:

REFERENCE 3

Reference Company:

Company Address:

City/State/Zip:

Contact Name & Title:

Phone Number:

Email Address:

Project Cost and Duration:

Exhibit C Draft Personal Service Contract

STATE OF OREGON PERSONAL/PROFESSIONAL SERVICES CONTRACT

This Contract is between the State of Oregon, acting by and through the Oregon State Treasury hereafter called “Treasury,” and (firm) hereafter called “Contractor.” Treasury’s supervising representative for this Contract is (employee), (title).

1. Effective Date and Duration. This Contract shall become effective on the date this Contract has been signed by every party hereto and, when required, approved by the Department of Justice. Unless terminated or extended, this Contract shall expire when Treasury accepts Contractor's completed performance or on (DATE) whichever date occurs first. Expiration shall not extinguish or prejudice Treasury’s right to enforce this Contract with respect to any breach of a Contractor warranty or any default or defect in Contractor performance that has not been cured.

2. Statement of Work. The statement of work (the “Work”), including the delivery schedule for such Work, is contained in Exhibit A attached and incorporated by reference into this Contract. Contractor agrees to perform the Work in accordance with the terms and conditions of this Contract.

3. Consideration

a. Treasury agrees to pay Contractor not to exceed the sum of $(AMOUNT) for accomplishing the Work required by this Contract, including any allowable expenses.

b. Interim payments to Contractor shall be made only in accordance with the schedule and requirements in Exhibit A.

4. Contract Documents. This Contract consists of the following documents which are listed in descending order of precedence: this Contract less all exhibits, attached Exhibits A, B, and C [and other requirements as set forth in attached Exhibits ___ and ___]. All attached Exhibits are hereby incorporated by reference.

5. Independent Contractor; Responsibility for Taxes and Withholding

a. Contractor shall perform all required Work as an independent contractor. Although Treasury reserves the right (i) to determine (and modify) the delivery schedule for the Work to be performed and (ii) to evaluate the quality of the completed performance, Treasury cannot and will not control the means or manner of Contractor's performance. Contractor is responsible for determining the appropriate means and manner of performing the Work.

b. If Contractor is currently performing work for the State of Oregon or the federal government, Contractor by signature to this Contract declares and certifies that: Contractor’s Work to be performed under this Contract creates no potential or actual conflict of interest as defined by ORS 244 and no rules or regulations of Contractor’s employing agency (state or federal) would prohibit Contractor’s Work under this Contract. Contractor is not an "officer", "employee", or "agent" of the Treasury, as those terms are used in ORS 30.265.

c. Contractor shall be responsible for all federal or state taxes applicable to compensation or payments paid to Contractor under this Contract and, unless Contractor is subject to backup withholding, Treasury will not withhold from such compensation or payments any amount(s) to cover Contractor's federal or state tax obligations. Contractor is not eligible for any social security, unemployment insurance or workers' compensation benefits from compensation or payments paid to Contractor under this Contract, except as a self-employed individual.

6. Subcontracts and Assignment; Successors and Assigns

a. Contractor shall not enter into any subcontracts for any of the Work required by this Contract, or assign or transfer any of its interest in this Contract, without Treasury’s prior written consent. In addition to any other provisions Treasury may require, Contractor shall include in any permitted subcontract under this Contract a requirement that the subcontractor be bound by Sections 6, 10, 11, 15, and 17 of this Contract as if the subcontractor were the Contractor. Treasury’s consent to any subcontract shall not relieve Contractor of any of its duties or obligations under this Contract.

b. The provisions of this Contract shall be binding upon and shall inure to the benefit of the parties hereto, and their respective successors and permitted assigns, if any.

7. No Third Party Beneficiaries. Treasury and Contractor are the only parties to this Contract and are the only parties entitled to enforce its terms. Nothing in this Contract gives, is intended to give, or shall be construed to give or provide any benefit or right, whether directly, indirectly or otherwise, to third persons unless such third persons are individually identified by name herein and expressly described as intended beneficiaries of the terms of this Contract.

8. Funds Available and Authorized; Payments

a. Contractor shall not be compensated for work performed under this Contract by any other agency or department of the State of Oregon. Treasury has sufficient funds currently available and authorized for expenditure to finance the costs of this Contract within the Treasury’s biennial appropriation or limitation. Treasury shall employ good-faith efforts to request and seek funding, appropriations, limitation, allotments, or other expenditure authority sufficient to allow Treasury to perform its payment obligations throughout the term of this agreement.

b. Treasury will only pay for completed work that is accepted by Treasury.

9. Representations and Warranties.

a. Contractor’s Representations and Warranties. Contractor represents and warrants to Treasury that (1) Contractor has the power and authority to enter into and perform this Contract, (2) this Contract, when executed and delivered, shall be a valid and binding obligation of Contractor enforceable in accordance with its terms, (3) the Work under this Contract shall be performed in a good and workmanlike manner and in accordance with professional standards, (4) Contractor shall, at all times during the term of this Contract, be qualified, professionally competent, and duly licensed to perform the Work, (5) all computer hardware and software delivered under this Contract will, individually and in combination, correctly process, sequence, and calculate all date and date related data for all dates prior to, through and after January 1, 2000, and (6) any software products delivered under this Contract that process date or date related data shall recognize, store and transmit date data in a format which explicitly and unambiguously specifies the correct century.

b. Contractor’s Limitation of Liability. Contractor’s liability with respect to items (5) and (6) of 9a. above shall not exceed: (1) twice the total contract amount (including any amendments) or (2) $100,000, whichever is greater.

c. Warranties Cumulative. The warranties set forth in this section are in addition to, and not in lieu of, any other warranties provided.

10. Ownership of Work Product. All work product of Contractor that results from this Contract (the “Work Product”) is the exclusive property of Treasury. Treasury and Contractor intend that such Work Product be deemed “work made for hire” of which Treasury shall be deemed the author. If for any reason the Work Product is not deemed “work made for hire,” Contractor hereby irrevocably assigns to Treasury all of its right, title, and interest in and to any and all of the Work Product, whether arising from copyright, patent, trademark, trade secret, or any other state or federal intellectual property law or doctrine. Contractor shall execute such further documents and instruments as Treasury may reasonably request in order to fully vest such rights in Treasury. Contractor forever waives any and all rights relating to the Work Product, including without limitation, any and all rights arising under 17 USC §106A or any other rights of identification of authorship or rights of approval, restriction or limitation on use or subsequent modifications.

11. Indemnity. Contractor shall defend, save, hold harmless, and indemnify the State of Oregon and Treasury and their officers, employees and agents from and against all claims, suits, actions, losses, damages, liabilities, costs and expenses of any nature whatsoever resulting from, arising out of, or relating to the activities of Contractor or its officers, employees, subcontractors, or agents under this Contract.

12. Insurance. Contractor shall provide insurance as indicated on Exhibit B, attached hereto and by this reference made a part hereof.

13. Termination

a. Parties' Right to Terminate For Convenience. This Contract may be terminated at any time by mutual written consent of the parties.

b. Treasury’s Right To Terminate For Convenience. Treasury may, at its sole discretion, terminate this Contract, in whole or in part, upon 30 days notice to Contractor.

c. Treasury’s Right to Terminate For Cause. Treasury may terminate this Contract, in whole or in part, immediately upon notice to Contractor, or at such later date as Treasury may establish in such notice, upon the occurrence of any of the following events:

(i) Treasury fails to receive funding, or appropriations, limitations or other expenditure authority at levels sufficient to pay for Contractor's Work;

(ii) Federal or state laws, regulations or guidelines are modified or interpreted in such a way that either the Work under this Contract is prohibited or Treasury is prohibited from paying for such Work from the planned funding source;

(iii) Contractor no longer holds any license or certificate that is required to perform the Work; or

(iv) Contractor commits any material breach or default of any covenant, warranty, obligation or agreement under this Contract, fails to perform the Work under this Contract within the time specified herein or any extension thereof, or so fails to pursue the Work as to endanger Contractor's performance under this Contract in accordance with its terms, and such breach, default or failure is not cured within 10 business days after delivery of Treasury’s notice, or such longer period as Treasury may specify in such notice.

d. Contractor's Right to Terminate for Cause. Contractor may terminate this Contract upon 30 days' notice to Treasury if Treasury fails to pay Contractor pursuant to the terms of this Contract and Treasury fails to cure within 30 business days after receipt of Contractor's notice, or such longer period of cure as Contractor may specify in such notice.

e. Remedies

(i) In the event of termination pursuant to Sections 13.a, 13.b, 13.c(i), 13.c(ii) or 13.d, Contractor's sole remedy shall be a claim for the sum designated for accomplishing the Work multiplied by the percentage of Work completed and accepted by Treasury, less previous amounts paid and any claim(s) which State has against Contractor. If previous amounts paid to Contractor exceed the amount due to Contractor under this subsection, Contractor shall pay any excess to Treasury upon demand.

(ii) In the event of termination pursuant to Section 13.c(iii) or 13.c(iv), Treasury shall have any remedy available to it in law or equity. If it is determined for any reason that Contractor was not in default under Section 13.c(iii) or 13.c(iv), the rights and obligations of the parties shall be the same as if the Contract was terminated pursuant to Section 13.b.

f. Contractor's Tender Upon Termination. Upon receiving a notice of termination of this Contract, Contractor shall immediately cease all activities under this Contract, unless Treasury expressly directs otherwise in such notice of termination. Upon termination of this Contract, Contractor shall deliver to Treasury all documents, information, works-in-progress and other property that are or would be deliverables had the Contract been completed. Upon Treasury’s request, Contractor shall surrender to anyone Treasury designates, all documents, research or objects or other tangible things needed to complete the Work.

14. Limitation of Liabilities. EXCEPT FOR LIABILITY ARISING UNDER OR RELATED TO SECTIONS 13.(e)(ii) or 9(a), NEITHER PARTY SHALL BE LIABLE FOR (i) ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES UNDER THE CONTRACT OR (ii) ANY DAMAGES OF ANY SORT ARISING SOLELY FROM THE TERMINATION OF THIS CONTRACT IN ACCORDANCE WITH ITS TERMS.

15. Records Maintenance; Access. Contractor shall maintain all fiscal records relating to this Contract in accordance with generally accepted accounting principles. In addition, Contractor shall maintain any other records pertinent to this Contract in such a manner as to clearly document Contractor's performance. Contractor acknowledges and agrees that Treasury and the Oregon Secretary of State's Office and their duly authorized representatives shall have access to such fiscal records and other books, documents, papers, plans and writings of Contractor that are pertinent to this Contract to perform examinations and audits and make excerpts and transcripts. Contractor shall retain and keep accessible all such fiscal records, books, documents, papers, plans, and writings for a minimum of six (6) years, or such longer period as may be required by applicable law, following final payment and termination of this Contract, or until the conclusion of any audit, controversy or litigation arising out of or related to this Contract, whichever date is later.

16. Compliance with Applicable Law. Contractor shall comply with all federal, state and local laws, regulations, executive orders and ordinances applicable to the Work under this Contract. Without limiting the generality of the foregoing, Contractor expressly agrees to comply with: (i) Title VI of Civil Rights Act of 1964; (ii) Section V of the Rehabilitation Act of 1973; (iii) the Americans with Disabilities Act of 1990 and ORS 659.425; (iv) all regulations and administrative rules established pursuant to the foregoing laws; and (v) all other applicable requirements of federal and state civil rights and rehabilitation statutes, rules and regulations. Treasury’s performance under this Contract is conditioned upon Contractor’s compliance with the provisions of ORS 279.312, 279.314, 279.316, 279.320, and 279.555, which are incorporated by reference herein.

17. Force Majeure. Neither Treasury nor Contractor shall be held responsible for delay or default caused by fire, riot, acts of God, or war where such cause was beyond the reasonable control of Treasury or Contractor, respectively. Contractor shall, however, make all reasonable efforts to remove or eliminate such a cause of delay or default and shall, upon the cessation of the cause, diligently pursue performance of its obligations under this Contract.

18. Survival. All rights and obligations shall cease upon termination or expiration of this Contract, except for the rights and obligations set forth in Sections 1, 9, 10, 11, 13, 14, 15, 18 and 25.

19. Time is of the Essence. Contractor agrees that time is of the essence under this Contract.

20. Notice. Except as otherwise expressly provided in this Contract, any communications between the parties hereto or notices to be given hereunder shall be given in writing by personal delivery, facsimile, or mailing the same, postage prepaid, to Contractor or Treasury at the address or number set forth on the signature page of this Contract, or to such other addresses or numbers as either party may hereafter indicate pursuant to this Section 20. Any communication or notice so addressed and mailed shall be deemed to be given five (5) days after mailing. Any communication or notice delivered by facsimile shall be deemed to be given when receipt of the transmission is generated by the transmitting machine. To be effective against Treasury, such facsimile transmission must be confirmed by telephone notice to Treasury’s Supervising Representative. Any communication or notice by personal delivery shall be deemed to be given when actually delivered.

21. Severability. The parties agree that if any term or provision of this Contract is declared by a court of competent jurisdiction to be illegal or in conflict with any law, the validity of the remaining terms and provisions shall not be affected, and the rights and obligations of the parties shall be construed and enforced as if the Contract did not contain the particular term or provision held to be invalid.

22. Counterparts. This Contract may be executed in several counterparts, all of which when taken together shall constitute one agreement binding on all parties, notwithstanding that all parties are not signatories to the same counterpart. Each copy of the Contract so executed shall constitute an original.

23. Other Agency Approvals. Department of Justice approval may be required before any work may begin under this Contract.

24. Disclosure of Social Security Number. Contractor must provide Contractor's Social Security number unless Contractor provides a federal tax ID number. This number is requested pursuant to ORS 305.385, OAR 125-20-410(3) and OAR 150-305.100. Social Security numbers provided pursuant to this authority will be used for the administration of state, federal and local tax laws.

25. Governing Law; Venue; Consent to Jurisdiction. This Contract shall be governed by and construed in accordance with the laws of the State of Oregon without regard to principles of conflicts of law. Any claim, action, suit or proceeding (collectively, "Claim") between Treasury (and/or any other agency or department of the State of Oregon) and Contractor that arises from or relates to this Contract shall be brought and conducted solely and exclusively within the Circuit Court of Marion County for the State of Oregon. Contractor hereby agrees to the in personam jurisdiction of such court and waives any claims of an inconvenient forum.

26. Confidentiality. Contractor may, in the course of its duties as requested by Treasury staff (staff), have in its possession information relating to financial, accounting and investment matters of State agencies and local governments. All such information is confidential and unless permitted by the Treasury in writing, Contractor shall not disclose such information, directly or indirectly, to any party, its counsel or any representatives, or use it in any way, except as required to perform its duties as requested by staff.

27. Key Person. Contractor acknowledges and agrees that Treasury selected Contractor, and is entering into this Contract, because of the special qualifications of Contractor's key people. In particular, Treasury through this Contract is engaging the expertise, experience, judgment, and personal attention of (insert names of all key persons) ("key person"). Contractor's key person shall not delegate performance of the management powers and responsibilities he/she is required to provide under this Contract to another (other) Contractor employee(s) without first obtaining the written consent of Treasury. Further, Contractor shall not re-assign or transfer the key person to other duties or positions such that the key person is no longer available to provide Treasury with his/her expertise, experience, judgment, and personal attention, without first obtaining Treasury's prior written consent to such re-assignment or transfer. In the event Contractor requests that Treasury approve a re-assignment or transfer of the key person, Treasury shall have the right to interview, review the qualifications of, and approve or disapprove the proposed replacement(s) for the key person.

28. Merger Clause; Waiver. This Contract and attached exhibits constitute the entire agreement between the parties on the subject matter hereof. There are no understandings, agreements, or representations, oral or written, not specified herein regarding this Contract. No waiver, consent, modification or change of terms of this Contract shall bind either party unless in writing and signed by both parties and all necessary State approvals have been obtained. Such waiver, consent, modification or change, if made, shall be effective only in the specific instance and for the specific purpose given. The failure of Treasury to enforce any provision of this Contract shall not constitute a waiver by Treasury of that or any other provision.

CONTRACTOR DATA, CERTIFICATION AND SIGNATURE

(please print or type)

Name (tax filing):
Address:
Facsimile #:
Social Security #:  or  Federal Tax ID #:
State Tax ID #:
Citizenship, if applicable: Non-resident alien [ ] Yes [ ] No
Business Designation (check one): [ ] Corporation [ ] Sole Proprietorship [ ] Limited Partnership [ ] Limited Liability Partnership [ ] Partnership [ ] Limited Liability Company

Above payment information must be provided prior to Contract approval. This information will be provided to the Internal Revenue Service (IRS) under the name and taxpayer ID number submitted. Information not matching IRS records could subject Contractor to 31 percent backup withholding.

CONTRACTORS: YOU WILL NOT BE PAID FOR SERVICES RENDERED PRIOR TO NECESSARY STATE APPROVALS.

CONTRACTOR, BY EXECUTION OF THIS CONTRACT, HEREBY ACKNOWLEDGES THAT CONTRACTOR HAS READ THIS CONTRACT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS.

Certification: The individual signing on behalf of Contractor hereby certifies and swears under penalty of perjury: (a) the number shown on this form is Contractor's correct taxpayer ID; (b) Contractor is not subject to backup withholding because (i) Contractor is exempt from backup withholding, or (ii) Contractor has not been notified by the IRS that Contractor is subject to backup withholding as a result of failure to report all interest or dividends, or (iii) the IRS has notified Contractor that Contractor is no longer subject to backup withholding; (c) s/he is authorized to act on behalf of Contractor, s/he has authority and knowledge regarding Contractor's payment of taxes, and to the best of her/his knowledge, Contractor is not in violation of any Oregon tax laws (including, without limitation, those listed in Exhibit B); (d) Contractor is an independent contractor as defined in ORS 670.600; and (e) the above Contractor data is true and accurate.

Signed by the Contractor:

________________________________________________________________________
Signature/Title                                                     Date

TREASURY & OTHER SIGNATURES

Approved by Treasury:

_______________________________________________
Treasury Representative                    Date

Approved as to legal sufficiency by the Attorney General's Office (when required):

_______________________________________________
Assistant Attorney General                 Date

Contract EXHIBIT A PERSONAL/PROFESSIONAL SERVICES CONTRACT

Contractor: (firm)

STATEMENT OF WORK:
a. Statement of Work: ***Be specific and complete***
b. Delivery Schedule: ***Detail of what and when to be delivered***

CONSIDERATION:
a. Payment not to exceed the sum of $(amount) including any travel and other expense reimbursement when noted below. Travel time will not be compensated.

b. Contractor shall not exceed, and Treasury will not pay, any amount in excess of the maximum compensation amount set forth above. If this maximum compensation amount is increased by amendment of this Contract, the amendment must be fully effective before Contractor performs work subject to the amendment. Contractor shall notify Treasury’s supervising representative in writing thirty (30) calendar days before this Contract expires of the upcoming expiration of the Contract. No payment will be made for any services performed before the beginning date or after the expiration date of this Contract.

c. Contractor shall submit interim billings for work performed. The billings shall describe all goods and services for which payment is claimed, with particularity, by whom each specific item of work or task was performed, the number of hours or fraction thereof worked by each person on each item of work or task, the hourly rate charged (if applicable), and shall itemize and explain all expenses for which reimbursement is claimed, if allowed under the Contract. Billings shall be sent to the Treasury's supervising representative.

REIMBURSEMENT OF TRAVEL AND OTHER EXPENSES: Treasury will not reimburse contractor for travel or other expenses.

Contract EXHIBIT B

OAR 150-305.385(6)-(B): For purposes of this certificate, "Oregon tax laws" means the state inheritance tax, gift tax, personal income tax, withholding tax, corporation income and excise taxes, amusement device tax, timber taxes, cigarette tax, other tobacco tax, 9-1-1 emergency communications tax, the homeowners and renters property tax relief program and local taxes administered by the Department of Revenue (Multnomah County Business Income Tax, Lane Transit District Tax, Tri-Metropolitan Transit District Employer Payroll Tax, and Tri-Metropolitan Transit District Self-Employment Tax).

INSURANCE

During the term of this Contract Contractor shall maintain in force at its own expense, insurance as noted below:

1. Workers' Compensation insurance in compliance with ORS 656.017, which requires subject employers to provide Oregon workers' compensation coverage for all their subject workers (contractors with one or more employees, and as defined by ORS 656.027);

2. [ X ] Required by Treasury [ ] Not required by Treasury
Professional Liability insurance with a combined single limit, or the equivalent, of not less than $1,000,000 each claim, incident or occurrence. This is to cover damages caused by error, omission or negligent acts related to the professional services to be provided under this Contract.

3. [ ] Required by Treasury [ X ] Not required by Treasury
General Liability insurance with combined single limit, or the equivalent, of no less than $1,000,000 each occurrence for Bodily Injury and Property Damage. It shall include contractual liability coverage for the indemnity provided under this Contract. It shall provide that the State of Oregon, Treasury and their divisions, officers and employees are Additional Insureds but only with respect to the Contractor's services to be provided under this Contract.

4. [ ] Required by Treasury [ X ] Not required by Treasury
Automobile Liability insurance with a combined single limit, or the equivalent, of not less than [ ] Oregon Financial Responsibility Law (ORS 806.060), [ ] $200,000, [ ] $500,000, [ ] $1,000,000 each accident for Bodily Injury and Property Damage, including coverage for owned, hired or non-owned vehicles, as applicable.

5. Notice of cancellation or change. There shall be no cancellation, material change, reduction of limits or intent not to renew the insurance coverage(s) without 30 days written notice from the Contractor or its insurer(s) to the Treasury.

6. Certificates of insurance. As evidence of the insurance coverages required by this Contract, the Contractor shall have on file and furnish upon request acceptable insurance certificates to the Treasury prior to commencing the work. The certificate will specify all of the parties who are Additional Insureds. Insuring companies or entities are subject to State acceptance. If requested, complete policy copies shall be provided to the State. The Contractor shall be financially responsible for all pertinent deductibles, self-insured retentions and/or self-insurance.

Contract EXHIBIT C CERTIFICATION STATEMENT FOR CORPORATION OR INDEPENDENT CONTRACTOR (Contractor complete A or B below)

A. CONTRACTOR IS A CORPORATION

Corporation Certification: I, undersigned, authorized to act on behalf of the entity designated below, hereby certify under penalty of perjury that entity is a corporation.

Signature Date Entity

(If Contractor is NOT a Corporation, Contractor must complete B below)

B. CONTRACTOR IS INDEPENDENT

Contractor certifies he/she meets the following standards:

1. The individual or business entity is registered under ORS 701 to provide labor or services for which such registration is required.

2. The individual or business entity filed federal and state income tax returns in the name of the business or a business Schedule C as part of the personal income tax return, for the previous year, or expects to file federal and state income tax returns, for labor or services performed as an independent contractor in the previous year.

3. The individual or business entity furnishes the tools or equipment necessary for the contracted labor or services.

4. The individual or business has the authority to hire and fire employees who perform the labor or services.

5. The individual or business entity represents to the public that the labor or services are to be provided by an independently established business, as evidenced by four (4) or more of the following circumstances (check all that apply):

[ ] A. The labor or services are primarily carried out at a location that is separate from the residence of the individual who performs the labor or services, or are primarily carried out in a specific portion of the residence, which portion is set aside as the location of the business.
[ ] B. Commercial advertising or business cards are purchased for the business, or I have a trade association membership.
[ ] C. Telephone listing is used for the business that is separate from the personal residence.
[ ] D. Labor or services are performed only pursuant to written contracts.
[ ] E. Labor or services are performed for two or more different persons within a period of one year.
[ ] F. The individual or business entity assumes financial responsibility for defective workmanship or for service not provided as evidenced by the ownership of performance bonds, warranties, errors and omission insurance or liability insurance relating to the labor or services to be provided.

__________________________________________ __________________ Contractor Signature Date

C. TREASURY APPROVAL (completed if Contractor completes B above)

ORS 670.600 Independent contractor standards. As used in various provisions of ORS chapters 316, 656, 657 and 701, an individual or business entity that performs labor or services for remuneration shall be considered to perform the labor or services as an “independent contractor” if the standards of this section are met. Treasury certifies the contracted work meets the following standards:

1. The Contractor providing the labor is free from direction and control over the means and manner of providing the labor or services, subject only to the specifications of the desired results.

2. The Contractor is responsible for obtaining all assumed business registrations or professional occupation licenses required by state law or local government ordinances.

3. The Contractor furnishes the tools or equipment necessary for performance of the contracted labor or services.

4. The Contractor has the authority to hire and fire employees to perform the labor or services.

5. Payment to the Contractor is made upon completion of the performance of specific portions of the project or is made on the basis of an annual or periodic retainer.

__________________________________________ __________________
Oregon State Treasury Signature            Date

(Treasury’s certification is solely for the State’s benefit and internal use.)