REQUEST FOR EXPRESSIONS OF INTEREST

(CONSULTING SERVICES – FIRMS SELECTION)

(Consultant’s Qualification Based Selection (CQS)

MONGOLIA

E-HEALTH PROJECT

World Bank IDA Loan no.: 54890-MN

Project number: P131290

Assignment Title: Information Systems Development Audit

Reference No.: MN-MOH-279706-CS-CQS

Date: 15 April 2022

The Government of Mongolia has received financing from the World Bank toward the cost of the E-Health Project, and intends to apply part of the proceeds for consulting services.

The consulting services (“the Services”) include: to express an independent professional opinion on the PACS (Picture Archiving and Communication System) and the HIEP (Health Information Exchange Platform) development to date under the E-Health Project. The services are expected to commence about 25-30 May 2022 and continue for 40-45 calendar days.

The detailed Terms of Reference (TOR) for the assignment are attached to the Request for expressions of interest.

The Ministry of Health now invites eligible consulting firms (“Consultants”) to indicate their interest in providing the Services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services. The shortlisting criteria are:

• Have at least 5 years of experience in information system audit field;
• Satisfactory performance of at least 2 information system audits at sectorial level;
• International experience in IT and information system audit in different countries is required, international experience in several regions will be an advantage;
• Proven knowledge of health data international standards such as ICD9, ICD10, LOINC, DICOM, HL7 FHIR, etc.; and
• Proven knowledge/compliance with the following international standards:
•        ISO 27001 – Information Security Management System;
•        ISO 27799:2016 – Health informatics - Information security management in health using ISO/IEC 27002;
•        ISO/IEC 27033:2015 – Information technology - Security techniques - Network security (using ISO/IEC 18028:2006);
•        ISO/IEC 27034 - Application Security Guideline;
•        ISO/IEC 27005 - Information Security Risk Management.

Key Experts will not be evaluated at the shortlisting stage.

The attention of interested Consultants is drawn to Section III, paragraphs, 3.14, 3.16, and 3.17 of the World Bank’s “Procurement Regulations for IPF Borrowers” July 2016, revised October 2017 (“Procurement Regulations”), setting forth the World Bank’s policy on conflict of interest. In addition, please refer to the following specific information on conflict of interest related to this assignment. 

Consultants may associate with other firms to enhance their qualifications, but should indicate clearly whether the association is in the form of a joint venture and/or a sub-consultancy. In the case of a joint venture, all the partners in the joint venture shall be jointly and severally liable for the entire contract, if selected.

A Consultant will be selected in accordance with the Consultant’s Qualifications Selection (CQS) method set out in the Procurement Regulations.

Further information can be obtained at the address below during office hours 10:00 to 17:00 hours, Ulaanbaatar, Mongolia time.

Expressions of interest must be delivered in a written form to the address below (in person, or by mail, or by e-mail) by 17:00 hours (Ulaanbaatar, Mongolia time) of 02 May 2022.

Integrated Project Implementation Unit

E-Health and Mongolia COVID-19 Emergency

Response Integrated Projects financed by the World Bank

Attn: S.Munkh-Ochir, Procurement Specialist

#1103, 11th floor, Ayud tower, Olympic street 5, 1st horoo,

Sukhbaatar district, Ulaanbaatar, Mongolia

Tel: +976-7707 7793

E-mail: munkh@ehp.mn

Annex: Terms of Reference for the assignment

Terms of Reference for Information Systems Development Audit

BACKGROUND

The E-Health Project financed by the World Bank is implemented by the Ministry of Health to improve integration and utilization of health information and e-health solutions for better health service delivery. Main investments of the Project include the design, development, implementation and piloting of the health information exchange platform and picture archiving and communication system to be used in the health sector of Mongolia.  An integral part of this development is the electronic health record (EHR) that will be established to exchange health related data and information, in compliance with the personal data security regulations, regardless of location.

Implementation of any new system brings with it a number of risks, such as both time and cost overruns and ultimately the risk of failure to deliver. Whilst the contract may contain adequate mitigation measures (liquidated damages and retention of payments) the main aim of efficient contract management is to ensure this will not be necessary.  In addition, involving a professional entity specialized in the audit of system development (IT audit) during system development process will assist MOH to further mitigate and reduce these risks. Involvement of such and independent entity enables the evaluation of the system development to be carried out comprehensively and in sufficient detail to be able to provide assurance and comfort that all the risks both identified and unforeseen have been addressed satisfactorily for the system to go live. Such an entity, that is fully independent, and has the necessary technical skills and expertise and is not associated with any of the contractual parties will ensure the interests of the Ministry of Health.

The proposed auditor will provide the Ministry of Health with an independent assessment of the development process early enough to enable effective remedial action to be undertaken, as necessary. This should comprise a system audit looking at, to the extent possible:

The audit should take into consideration:

•       The contractor’s understanding of the requirements of the Description of Services (DoS);
•       The contractor’s management procedures;
•       Effectiveness of the overall development process;
•       Adequacy of developed functionality and level of development;
•       Whether the system will be able to meet the outcomes indicated in the DoS;
•       Whether control and security arrangements built into the system are adequate and cost effective and will meet regulatory requirements;

The general objective of the IT audit is to assist the Ministry of Health through examination and evaluation of the contractor’s development and implementation process, to ensure that any new systems meet the expectations and outputs outlined in the DoS, regulatory requirements where specified and are aligned with the MOH overall vision.

OBJECTIVE

To undertake independent verification, review and evaluation of the Picture Archiving and Communication System (referred to as “PACS”) developed and piloted in 5 hospitals and the new Health Information Exchange Platform (referred to as “HIEP”) under development against the planned outcomes and the DoS, and to express a professional opinion on the adequateness of the relevant systems including data integrity and security.

SCOPE OF SERVICE

The scope of service under this TOR is limited to undertaking a verification, evaluation and validation of the deliverables submitted by the contractor, expressing an independent professional opinion on the PACS and the HIEP development to date under the E-Health Project. This work should also assess the capacity of the implementation team to deliver the expected results and outline any errors and deviations from the agreed scope of services and advising on possible actions to rectify this relating to design, development and implementation the HIEP based on the Scope of Services defined in the subject contract and subsequently confirmed in the Inception report issued by the Contractor.

The auditor’s involvement includes, but is not limited to:

Systems analysis, requirements definition:

•       Undertake review of the contract documents, analyze project objectives and outcomes against the inception and monthly reports of the contractor;
•       Review the project management methodology proposed by the contractor, timeline, key deliverables, and milestones and how these relate to the outcomes;
•       Identify any shortcomings, if such exist, and propose remedial measures;
•       Review levels of effort indicated by the contractor and whether these are justified by the results achieved;
•       Issue an opinion on adequacy of the contractor’s reports and whether these is an assurance that the objectives and outcomes specified in the HIEP contract (11 objectives and 11 outcomes) and the PACS contract

Systems design:

•       Review the proposed system features in detail, including functional hierarchy diagrams, functional and non-functional requirements defined contractor, screen layout diagrams /mockups, tables of business rules, business process diagrams, pseudo-code, and a complete entity-relationship diagram with a full data dictionary.
•       Review modules and sub-systems being developed as part of the solution including demonstrations.
•       Issue an opinion whether system solution proposed by the contractor fully addresses the objectives and requirements specified by the MOH in the DoS.

Development:

•       Review the coding, configuration and execution systems
•       Review user acceptance testing environment, where the MOH can test against their original requirements;
•       Review production environment, where systems finally get deployed for final use by their intended end users.
•       Issue an opinion whether the systems are being developed in accordance with generally accepted standards for system development. 
•       Issue an opinion whether the system is likely to fully meet the stated objectives and outcomes specified in the HIEP contract (11 objectives and 11 outcomes) and the PACS contract

Integration and testing:

•       Review the planned testing of the system user acceptance testing, as relevant:

•             Path testing
•             Data set testing
•             Unit testing
•             System testing
•             Integration testing
•             Black-box testing
•            White-box testing
•             Regression testing
•             Automation testing
•             User acceptance testing
•             Software performance testing
•             Usability testing
•             Penetration testing

•      Issue an opinion on adequacy of the planned integration and testing.

Acceptance, installation, deployment:

•       Review the implementation plan proposed by the contractor
•       Review scope and content of operational training for those who will be responsible for supporting the system as well as training for end users who will be using the system after its delivery to a production environment.
•       Review transition plan of the system to its final production environment.
•       Issue an opinion whether the system testing proposed is adequate.

Maintenance and post implementation review:

•       Evaluate the developed system and the entire process as to whether the newly implemented system meets the initial requirements and objectives, if the system is reliable and fault-tolerant, and if it functions according to the approved functional requirements.
•       Assess the effectiveness of the development process and if there are any aspects of the entire process (or certain stages) that did not meet with generally accepted standards.
•       Assess the effectiveness of the system.
•       Assess the proposed disaster recovery plan to ensure business continuity
•       Issue an opinion whether the system is functional, reliable and fault-tolerant, and whether it is evident that the objectives and outcomes specified in both PACS and HIEP contract are fully met.

Information security and risk assessment:

•       Assess the development of information security and risk assessment to prevent, correct and address potential risk factors at all levels, including:

•             Software level - risk identification (coding, user level, attack prevention) at all levels, starting from the coding of the system being developed;
•             Hardware level - connectivity to server computers and hardware where the system is located; technical environment (VPN) of the data transmission network;
•             Post-training knowledge and skills assessment to ensure sustainable operation of the system deployed.

• Issue an opinion whether the system is secure and safeguards the health information and data according to the international standards.

DELIVERABLES

The deliverables under these terms of reference are specified below:

In the first stage, which will review work undertaken to date (in the English language):

•       An opinion on adequacy of the contractor’s inception and monthly reports within 2 weeks upon receipt of the reports,
•       An opinion whether system solutions proposed by the contractor fully addresses requirements specified by the TOR and MOH within 2 weeks upon receipt of the detailed system design documents;
•       An opinion whether the system is being developed in accordance with generally accepted standards for system development within 4 weeks upon receipt of the contractor’s deliverables and demonstration of the system development progress;
•       An opinion whether the system is likely to fully meet the stated objectives and outcomes specified in the HIEP contract (11 objectives and 11 outcomes) and the PACS contract within 4 weeks of demonstration of the system development progress;
•       An opinion on adequacy of integration and testing within 2 weeks upon receipt of the contractor’s deliverables,
•       An opinion whether the system is functional, reliable and fault-tolerant within 2 weeks of the initial system demonstration.
•       An opinion whether the system is secure and safeguards the health information and data according to international standards within 2 weeks of the system demonstration.
•       An opinion whether the system is achieving Value for Money, based on a realistic assessment of the results achieved (to date) and the invoices issued at the conclusion of the initial assessment.
•       An opinion on actions, if any, to be undertaken ensure the system meets the DoS.

In the second stage, which will be undertaken upon receipt of the final deliverables (in the English language):

•       An opinion whether the system has met the stated objectives and outcomes specified in contracts within 4 weeks of demonstration of the system development progress;
•       An opinion whether the final system testing is adequate within 2 weeks upon receipt of the contractor’s deliverables
•       An opinion whether the system is functional, reliable and fault-tolerant within 2 weeks of the final system demonstration.
•       An opinion whether the system has achieved Value for Money, based on a realistic assessment of the results achieved.

Minimum Qualifications requirements for the Consulting Firm:

• Have at least 5 years of experience in information system audit field;
• Satisfactory performance of at least 2 information system audits at sectorial level;
• International experience in IT and information system audit in different countries is required, international experience in several regions will be an advantage;
• Proven knowledge of health data international standards such as ICD9, ICD10, LOINC, DICOM, HL7 FHIR, etc.; and
• Proven knowledge/compliance with the following international standards:

•      ISO 27001 – Information Security Management System;
•      ISO 27799:2016 – Health informatics - Information security management in health using ISO/IEC 27002;
•      ISO/IEC 27033:2015 – Information technology - Security techniques - Network security (using ISO/IEC 18028:2006);
•      ISO/IEC 27034 - Application Security Guideline;
•      ISO/IEC 27005 - Information Security Risk Management.

Minimum Qualifications requirements for key personnel:

It is expected that the assignment will be carried by a team of specialists led by an auditor.  As a minimum the team should comprise:

• Lead Auditor and team lead should be a certified information systems auditor (CISA) and have at least 10 years’ experience in Internal Audit of which at least 5 years should be in Systems Audit;
• IT Security Auditor, specializing in cybersecurity with at least 7 years’ experience in Internal Audit of which at least 5 years should be in Systems security audit;
• System and Business Requirements specialist;
• Enterprise Architect and Data Standards specialist;
• Systems Analyst.

Some of the roles may be duplicated among the specialists, however, at least 3 of the key staff should be certified Auditors.  All key staff should have at least 7 years of relevant experience in their specialist areas.

It is expected that due to the COVID situation this work will largely be carried out virtually, it is expected that the task should require a total of no more than 14-16 person weeks for total duration of 45 calendar days after the signature date of the Contract.  Any requested demonstrations will be facilitated by MoH who will also be responsible for furnishing all of the required reports to allow the auditor to conduct the audit.

CLIENT’S INPUT AND COUNTERPART PERSONNEL

(a) Services, facilities and property to be made available to the Consultant by the Client: NONE

(b) Professional and support counterpart personnel to be assigned by the Client to the Consultant’s team: NONE

(c) Client will provide the following inputs, project data and reports to facilitate preparation of the Proposals: All the data available with Government.