Consultancy - Cyber Security Audit of SACCOs/MFIs MIS Software Applications for improved systems effectiveness and mitigation of cybercrime risks.
Company Description
SNV is a mission-driven global development partner, rooted in the contexts and societies where we work. Inspired by the transformational principles and objectives set out by the SDGs, we are committed to building resilient agri-food systems that deliver food security and adequate nutrition; to increasing the reliability and availability of water and sanitation at an acceptable quantity and quality; and to improving access to affordable and sustainable energy for all. In doing so, we aim to strengthen institutions, markets and effective governance within and across the agri-food, energy, and water sectors, reducing gender inequalities and barriers to social inclusion, and enabling adaptation and mitigation to the climate and biodiversity crises.
We are one team of over 1,600 people, the vast majority of whom come from the contexts where we work, in more than 20 countries in Africa and Asia. In Uganda SNV operates through a decentralised approach with a country office in Kampala and regional offices in Fort Portal, Lira, Jinja and Mbarara. SNV implements donor-funded activities across more than 100 districts in Uganda, ensuring broad and diverse impact.
Our core values of people-centeredness and respect, equity and equality, and diversity and inclusion, are fundamental to who we are, and what we do. This is reflected in our vision and mission, and strategy, which sets out our aspirations and commitments as our compass towards 2030. For more information on our operations in Uganda and SNV visit our website: www.snv.org.
About INCLUDE
1. Introduction
SNV was granted by EKN to implement the INCLUDE (Inclusive Livestock Development for smallholder farmers) project, which is implemented in 21 Districts in Rwenzori, Greater Ankole, Kigezi and Busoga plus 3 Districts in Kampala where only the school milk program is implemented. The project targets 90,000 Small-Holder Farmers (SHFs) with increased productivity & access to markets and 300,000 children for the school milk program in these four sub-regions.
INCLUDE adopted a farming systems approach integrating livestock and crops, with livestock as the intervention entry point. Through a participatory approach (Participatory Integrated Planning, PIP), which will be the basis for all interventions, smallholder farmers will strengthen their adaptive management capacity and develop strategies and plans that increase their sustainable land use, productivity, and access to markets, and contribute to improved access to nutritious food. This will ensure farmers' effective engagement and contribution to finding solutions to their challenges and ownership of the interventions. The project focuses on three key outcome areas:
- Sustainable production
- Inclusive livestock markets
- School milk programme and milk market
2. Background of Uganda Dairy(/Livestock) Credit Facility.
The Uganda Dairy(/Livestock) Credit Facility of Euros 3 million has been managed by Pearl Capital Partners (PCP) since 2022 with capitalization from the Embassy of the Kingdom of Netherlands (EKN) in Uganda to improve financial inclusion for dairy/livestock smallholder farmers in Uganda through provision of affordable credit. The Uganda Dairy Credit Facility (UDCF) targets 18,000 smallholder farmers under livestock sub-sectors over the 8 years of the facility period.
The fund’s objective is to provide customized medium-term loans to dairy/livestock smallholder farmers through SACCOs, Cooperatives and farmer organizations in Uganda. The credit facility enables SACCOs to offer tailor-made loans that meet the needs of the farmers, with a range of loan product services to finance activities along the dairy and other livestock value chains.
The UDCF was designed to support dairy/livestock smallholder farmers under the Integrated Smallholder Dairy Development Program (ISDAP) implemented by SNV until its end in March 2024; and INCLUDE from April 2024 to March 2029.
3. Background to the Assignment
ISDAP/INCLUDE commissioned 2 scoping studies on Tier-IV Microfinance Institutions (especially SACCOs) whose findings informed the strategy for sustainable and inclusive access to finance by smallholder farmers. The scoping studies assessed the status and performance of Tier-IV Microfinance Institutions for potential partnership with ISDAP/INCLUDE/PCP in the four regions of Rwenzori, Kigezi, Ankole and Busoga. The scoping studies identified 47 SACCOs, the majority of which are operating with computerised management information systems (MIS) Software, several with functionality of digital financial services using MSACCO mobile banking and others using full-fledged core banking systems. However, most SACCOs still struggle with multiple issues related to cyber security.
It is against this background that the INCLUDE project has planned to carry out an external audit of the MIS systems of 18 SACCOs. The audit is meant to promote the cyber risk management good practice of external audit of management information systems software applications, and to contribute to the safety of smallholder farmers' funds entrusted to the SACCOs/MFIs by the fund manager PCP. The selection criteria for the SACCOs for audit will be based on their history of obtaining a loan from PCP in the past, which includes having signed a non-disclosure agreement (NDA) during the loan application process. Additionally, the SACCOs must have a computerized Management Information System (MIS) software application.
Job Description
Description of the MIS Software Applications Audit Assignment
Purpose
The purpose of the Management Information Systems software applications audit is to provide an independent evaluation of the conformance of the MIS software applications and their supporting elements to user-defined requirements, software industry standards and performance expectations for management of an effective digital finance software system not vulnerable to cybercrime risks.
Specific objectives
- To test that the system software, hardware, and networks have been installed and set up correctly.
- To test functional elements and assess whether the system meets all user defined requirements under all anticipated conditions of operation.
- To conduct penetration tests and vulnerability assessments on networks, web applications and other critical infrastructure.
- To examine the conformance of the system’s implementation to software industry standards such as testing, change logs, documentation among other things.
- To examine system hardware, software and network connections for potential failures and security risks.
- To assess the risk mitigation measures put in place by the system developers.
- To obtain and document sufficient, reliable, and relevant evidence of the current state of the system through inspection, observation, inquiry, and confirmation.
- To examine and advise on the Human Resource Skills requirements for the management/maintenance of software infrastructure.
Audit Scope:
- Licensing status of operating systems
- Vault and server room access.
- User account management controls
- Management of business continuity and disaster recovery activities
- IT Governance and Strategic management issues
- Information security user training and awareness programs
- Training and development for IT personnel.
- Server system and organizational computers protection.
- Digital Certificate Status.
- Preventive maintenance activities.
- Network connectivity mechanism
- CCTV-surveillance
- Reliability of power supply
Approach
The general guideline for this assignment is to undertake a step-by-step review of the various aspects of the MIS software / core banking applications, giving insight into the test procedures to be carried out to assure the adequacy and effectiveness of technical, system and operational/process controls in and around the applications and business service functions.
Timeline and Deliverables
The timeline for the assignment is expected not to exceed 70 calendar days from the date of signing the contract. The key specific deliverables are:
- Audit plan presenting proposed methodologies and approaches to conduct the audit of MIS Software applications of the 18 SACCOs.
- The 18 draft individual SACCO MIS Software applications audit reports highlighting findings and recommendations.
- Dissemination of draft audit reports to the respective SACCOs/MFIs Boards of Directors and Management in a formal validation meeting, and to INCLUDE staff.
- The 18 final individual SACCO MIS software applications audit reports with findings and actionable recommendations.
Qualifications
Qualifications of Consultant
The locally sourced consultant shall be a firm or a team of individual information systems auditors. To be eligible to conduct the MIS Software applications audit, the lead Auditor shall possess:
- Bachelor Honours degree of Science in Information Technology or Computer Science from a reputable University. Any relevant master’s degree will be an added advantage.
- Certification in Information Systems Audit (CISA). Any additional certifications in the IT field will be an added advantage.
- Membership of IT professional associations and demonstrated experience in conducting similar information systems auditing will be an added advantage.
- At least 10 years' practical post-graduation work experience and a proven track record in undertaking auditing in financial institutions.
- The proposed audit team must have a strong knowledge of Uganda's financial system and in particular Micro Finance Institutions and savings & credit cooperatives.
- Demonstrated ability to provide timely, quality assured technical reports. (For avoidance of doubt, a sample of at least two (2) past assignments audit reports written by the consultant shall be annexed to the technical proposal.)
- Good communications skills in English.
Additional Information
Reporting
The audit team will provide regular progress updates to the INCLUDE Project Manager with close supervision from INCLUDE Credit Advisor, culminating in a final audit report(s) with actionable recommendations.
Evaluation criteria
The technical proposal submitted will be scored out of 80% and a shortlist of responsive proposals will be made for further analysis. Financial quotes will be scored out of 20%, only for bids that make it to the shortlist.
Contract and Payment terms
- Parties will enter into a 70-calendar-day contract, with days falling between 1st March and 31st May 2025.
- The consultant will be paid 60% of the contract sum upon signing the contract and submission of inception report and invoice.
- The second and final 40% of the contract sum will be paid based on invoice and an approved consolidated audit report detailing findings and actionable recommendations among other deliverables.
Role of the INCLUDE Project team.
This audit is commissioned by the INCLUDE project under the Leadership of the Project Manager, supported by relevant Advisors who will ensure compliance of the Consultant with the Terms of Reference of the Audit. The role of INCLUDE will be to:
- Write letters introducing the Consultant to the different auditee SACCOs/MFIs.
- Mobilise the auditee SACCOs/MFIs.
- Pay the auditor's professional fees and logistics.
- Coordinate management feedback on draft audit reports.
Mode of Submission of Technical and financial proposals.
How to apply
Interested individuals and eligible firms are requested to submit technical & financial proposals in a sealed envelope clearly marked with "T&FP for 18 SACCOs/MFIs MIS Software Applications Audit" by 17:00 hrs on 3rd March 2025 and/or by email to: ugandatenders@snv.org with the subject line “Cyber Security Audit of SACCOs/MFIs MIS Software Applications for improved systems effectiveness and mitigation of cybercrime risks”.
Disclaimer.
SNV reserves the right to accept or reject any or all applications submitted. SNV can stop this procurement at any time without the need to explain or extend the deadline for submission once it sees fit. In case you do not hear from SNV within three weeks of the closure of the application process, consider yourself unsuccessful. SNV also reserves the right to reject and cancel this call in case any illegal, corrupt, coercive, or collusive practices are noticed. Late applications will be rejected. Please note that viewing, downloading or otherwise using the TOR constitutes acceptance on your part of all the above-noted statements and conditions.
We do not appreciate third-party mediation based on this advertisement.