Audit Management Software

Request for Information (RFI)

This RFI is issued by the Veterans Affairs Office of Inspector General (VA OIG), Office of Audits and Evaluations (OAE) for market research and planning purposes only. It is not a solicitation, and no contract will be awarded from this RFI. The purpose is to gather information on industry capabilities, best practices, and potential solutions for audit management software.

The VA OAE has used audit management software for over 20 years and is seeking a commercial off-the-shelf (COTS), web-based, cloud-hosted, FedRAMP-authorized solution. This solution may replace their current system and could involve migrating existing projects and data. The current contract for this software ends in August 2027.

In addition to the software, OAE seeks:

• Installation and configuration services.
• Training for users and administrators.

Vendors are asked to provide:

• Company details (Name, Address, Point of Contact, CAGE Code, etc.).
• Recommended NAICS Code.
• Business size and certifications (Small Business, Woman-Owned, 8(a), HUBZone, Veteran-Owned, SAM Registration).

Respondents should address:

• Overview of their solution, capabilities, and offerings.

• Typical pricing information for similar-sized clients (approx. 300 users).

• Installation and configuration services, including licenses, implementation, training, support, and maintenance.

• Solution compliance (cloud-based, FedRAMP-authorized, and timeline for certification).

• Integration capabilities (e.g., with MS365, PDF editing).

• Migration services and typical timelines.

• Implementation timeframe and resources required.

• Training options and post-implementation support.

• How they handle continuous monitoring and customer feedback.

• Upgrade schedules.

• Experience providing audit management software solutions, including three customer examples similar in size and scope to VA OIG.

• Participation is voluntary and will not affect eligibility for future solicitations.

• Any future contract will follow a competitive process.

• The Government is not responsible for any costs incurred in responding.

• All submissions become Government property and will not be returned.

• Refer to the attached draft Statement of Work (SOW) for further details.

Statement of Work (SOW) / Performance Work Statement (PWS)

This Statement of Work (SOW) outlines the requirements for an Audit Software System for the VA OIG Office of Audit and Evaluations (OAE).

The software solution must provide comprehensive capabilities for managing audit projects, including:

• Dashboards: Project-specific and general database dashboards for monitoring project information, status, milestones, and findings.

• Reporting: Ability to generate various reports on milestones, projects, findings (including monetary impact), and recommendations, with export options to Word and Excel.

• Project Management: Features for distinct projects, including permissions, attributes, scheduling, and a project browser for searching and filtering.

• Documentation: Ability to document audit work, interact with various file types (Microsoft Office, PDF), and manage items within projects.

• System Configurability: A user-friendly interface, ability to create and manage project templates, user roles, and permissions for centralized management.

• Electronic Linking: Functionality to link items within projects, conduct cross-indexing, and link findings/recommendations to supporting documentation.

• Findings and Recommendations: Tools to create and document findings, multiple recommendations per finding, and custom fields for tracking.

• Review Processes: Features for preparer and reviewer sign-offs, comment management, and audit trails.

• Security: Capabilities for flagging sensitive information, restricting access, and supporting secure authentication methods.

• Infrastructure: Support for a minimum number of concurrent and licensed users, ongoing support services, and compatibility with standard software.

• Operational: Configurable client applications, error handling, identity management integration, and adherence to federal security requirements.

• The system must support a minimum of 200 concurrent users and 300 total licensed users.

• The system must meet or exceed 95 percent availability.

• Ongoing support services are required, including security updates, patches, and bug fixes.

• Vendor must provide a patch or mitigation within 30 calendar days for published vulnerabilities with a CVSS score between 7.0 and 10.0.

Not explicitly stated in this document, but it pertains to the VA OIG Office of Audit and Evaluations.

• Compliance with Federal Information Security Management Act, NIST standards, and FedRAMP moderate requirements.
• Support for PIV/PIV-A authentication and integration with VA's active directory.
• Data migration capabilities for existing audit software.
• Optional features include notifications, data migration, data exchange/API, strategic planning/risk management, and project approval systems.