MODIFICATION
99 -- FDA Internal Control and Audit Software - Amendment 2
- Notice Date
- 6/29/2017
- Notice Type
- Modification/Amendment
- Contracting Office
- Department of Health and Human Services, Food and Drug Administration, Office of Acquisitions and Grants Services - Jefferson, 3900 NCTR Road, HFT-320, Bldg 50 | Rm 421, Jefferson, Arkansas, 72079, United States
- ZIP Code
- 72079
- Solicitation Number
- FDA-SOL-17-1181159
- Archive Date
- 7/26/2017
- Point of Contact
- Karen L Conroy, Phone: 7815877452
- E-Mail Address
-
karen.conroy@fda.hhs.gov
(karen.conroy@fda.hhs.gov)
- Small Business Set-Aside
- N/A
- Description
- Questions and answers Part B Questions and answers - B 1181159 1. Can the Government provide process workflows, including all inputs and outputs which define the ICM system? a. Currently there are no documented workflows. The Internal Control and Audit Management System will be used to create an inventory of Internal Controls related to financial reporting. The system will also be used to document audits and assessments of these controls. The system will also be used to track the remediation of and control deficiencies identified through audits and assessments. b. Inputs are documents in various formats (Excel, Word, PDF, etc.). Auditors will also input and document observations and analysis directly to the system within forms. Attached are examples of required data fields. c. Outputs are primarily Word and Excel documents and reports. Attached is an example of a Tracking Report. 2. Does the ICM system require a portal interface for public request submission? If so, can the Government describe this envisioned process? a. No, the system does not require a public facing portal. All users will be internal to FDA. 3. Can the government provide forms to be filled out by users of the new ICMS system? Currently there are no forms. All forms will be developed in conjunction with the implementation of the system. 4. How will full users use the system? How will casual users use the system? a. Full users will have administrative access to the system in order to add/change: users, forms, workflows, etc. b. Casual users will be able to upload documents, edit information in forms, review changes, etc. 5. What are the role security requirements for full and casual users? Roles will be developed with system implementation however; examples of roles will be as follows: a. Full users: i. System Admin: Full access to system for all security functions ii. Audit Manager: Add/Change: forms, workflows, users, document signoff/approval b. Casual users: i. Auditor: Assign users to forms, groups, manage documents ii. Process Owner: Concur and Signoff on finalized control documents, assign users to controls, edit forms iii. Process POC: Upload documents, edit forms and documents, signoff on forms and documents 6. What is the expected ‘go live' date? A final go live date has not been determined. This will depend on final award and development of system processes. 7. Will data migration be required? If so, what is the type, size, and quality of the data to be migrated? a. Some data migration will be required. Currently the data is maintained in Excel spreadsheets and Word Documents. The total size is less than 500 MB 8. The RFP requests that the software assist with the agency's compliance with Federal Mangers Financial Integrity Act (FMFIA) and OMB Circular A-123. Does the Government expect the software to have guidelines and controls that incorporate these guidelines? The FDA will use the software to manage its audits and assessments of the internal controls, as mandated by the above mentioned policies. The software itself does not need to incorporate these guidelines. However, the functionality of the software should be sufficiently flexible in its roles, workflows, reviews, and storage capabilities to support the establishment of an audit process within the system. Examples of the functionality required for the audit process are: a. An orderly review that includes a work product review hierarchy based on the roles in item 5 above b. Locking of documentation once signed off to prevent changes of finalized work products c. Secure storage of documents d. An audit log to document user access and changes to forms and documents e. The ability to link documents to system forms and other documents f. The ability to generate reports to track the completion status of work products 9. Is the VPAT to be included in the 5 page limit requirement, or can the VPAT be included as an addendum to Volume One? The VPAT can be submitted as an addendum. The VPAT is not required as part of the proposal submission but will be a required document for OIMT's review and approval process. 1. How was the Deficiency Identified? Choice Options: 1. A-123 Appendix A Assessment 2. A-123 Appendix B Assessment 3. A-123 Appendix C Assessment 4. A-123 Appendix D Assessment 5. Acquisition Assessment 6. Entity-Level Controls Assessment 7. Other 2. Transaction Cycle Choice Options: 1. Financial Reporting 2. Grants Management 3. Procure to Pay 4. Reimbursable Activity 5. Budget, Execution and Monitoring 6. Property Management 7. Human Resources 8. IT Controls 9. A-123 Appendix B Assessment 10. A-123 Appendix C Assessment 11. A-123 Appendix D Assessment 12. Acquisition Assessment 13. Entity-Level Controls Assessment 14. Other/Not Applicable 3. Key Control Activity No./Deficiency No. Field Type: alphanumeric All control numbers will start with "FDA". The control activity field should allow multiple entries. In some cases, multiple controls are lumped into a single deficiency. 4. Key Control Activity Field Type: alphanumeric 5. Summary of Deficiency Field Type: alphanumeric 6. Type of Deficiency Choice Options: 1. Design 2. Operation 3. Process Improvement Opportunity 7. No Exceptions/ No. Tested Field Type: alphanumeric If Type of Deficiency is "Design," automatically mark "N/A" 8. Root Cause Field Type: alphanumeric 9. Deficiency Classification Choice Options: (only show first two letters once selected in the field, but drop down options should include entire name) 1. CD - Control Deficiency 2. SD - Significant Deficiency 3. MW - Material Weakness 4. NC - Non-Conformance 5. N/A - Not Applicable 10. Related Controls with Deficiencies Identified Field Type: alphanumeric Can this be made into a combination/selection box that will allow us to select existing controls in the system or to directly type an entry? 11. Assessment of Related Deficiencies Aggregated. Choice Options: (only show first two letters once selected in the field, but drop down options should include entire name) 1. CD - Control Deficiency 2. SD - Significant Deficiency 3. MW - Material Weakness 4. NC - Non-Conformance 5. N/A - Not Applicable 12. Accept the Risk? Choice Options: 1. Yes 2. No If Choice Option "Yes" is selected, the following fields will show N/A or grayed out: 3. Fields 13-18; 25-39 13. Deficiency Corrected? Choice Options: 1. Yes 2. No 3. N/A 14. CAP ID No. Field Type: 11 digit alphanumeric (e.g, 2008-FR-002) 15. Responsible Office/Division Choice Options: 1. DTS 2. OFEMS 3. DFSS 4. DUF 5. OAGS 6. DA 7. OIMT 8. OHR 9. DBEC Attachment B First FY ID'd Control Activity/ Deficiency No. Key Control Activity Summary of Deficiency Root Cause Type of Deficiency CAP Description Progress Milestones Internal Progress Update 3rd Party Resolution Required Compensating Procedures to Mitigate Deficiency Target Completion Date Notes DTS Response CAP Status CAP Lead (1) Internal Progress Update 3rd Party Resolution Required Compensating Procedures to Mitigate Deficiency Target Completion Date Notes DTS Response CAP Status CAP Lead (1)
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/FDA/NCTR/FDA-SOL-17-1181159/listing.html)
- Record
- SN04562499-W 20170701/170629235150-1e48975e95ba77be44ec3cf97aa6d21f (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |