Request for Proposal: Audit of Active Directory related risks and controls at CGIAR System (Extension: 5 Dec 2018)


  • Position: Audit of Active Directory related risks and controls at CGIAR System
  • Duty Station: Home-based with remote working arrangements
  • EXTENSION Closing date for applications: 5 December 2018
Download detailed RFP description

CGIAR is a global research partnership for a food-secure future. CGIAR science is dedicated to reducing poverty, enhancing food and nutrition security, and improving natural resources and ecosystem services. Its research is carried out by 15 CGIAR centers in close collaboration with hundreds of partners, including national and regional research institutes, civil society organizations, academia, development organizations and the private sector.

CGIAR research centers are independent legal entities. The CGIAR partnership is supported by the CGIAR System Organization that interacts on behalf of the Centers with the CGIAR Funders through their representative body, System Council. The System Management Board (SMB) is the governing body of the System Organization, and the System Management Office is responsible for the day-to-day operations of the System Organization.

Additional information about the CGIAR is available at

CGIAR Centers share the tenancy of Active Directory domain which is managed by a third-party provider. The System Organization holds a contract with the third-party provider on behalf of the CGIAR Centers.

The SMB, through its Audit and Risk Committee (ARC) that has an oversight responsibility over cross-CGIAR System risks and controls, requested CGIAR System Internal Audit Function (IAF) to conduct an assessment of the measures in place to manage risks around CGIAR Active Directory.

The Active Directory audit/assurance review will aim to provide SMB with:

  • an evaluation of the adequacy of the Active Directory implementation and management; and design of security controls;
  • an independent assessment of the operating effectiveness of the security controls;
  • actionable and feasible recommendations for improvements.
What we are seeking

We are currently seeking an experienced IT audit professional to conduct the assessment of the Active Directory governance, risks and controls including the configuration settings established during Active Directory implementation, and the maintenance of this configuration during the life cycle of the Active Directory.  Informed by a CGIAR System IAF Charter and the results of the audit 2018 ‘Collectively managed ICT Systems’, key responsibilities include, through assurance activities to:

Assess risks related to Active Directory including but not limited to:

  • Disruption of computing services;
  • Destruction of enterprise data;
  • Disclosure of sensitive information, including identities, intellectual property, etc.;
  • Reputational risk and loss of confidence by stakeholders due to disclosure of information or related publicity;
  • Fines and penalties;
  • Lost productivity due to inefficient security administration;
  • Security breaches
  • Third party failure.

Assess controls to manage the identified risks including but not limited to controls necessary to secure Active Directory infrastructure to support the servers and workstations within the enterprise focusing on the configuration controls relating to but not limited:

  • Active Directory management;
  • Secure Active Directory boundaries;
  • Secure domain controllers;
  • Physical security of the domain controllers;
  • Secure domain and domain controller configuration settings;
  • Secure administrative practices
  • Third party provider management controls.

Make practical recommendations to make improvements for safe, efficient and effective use of Active Directory.

Scope excludes:

  • Windows server configurations
  • Workstation configurations
  • Domain Name Service (DNS) management
  • Controls at the Center level.

Please note:

  • The work is to be delivered remotely drawing on the available technology to interact with relevant stakeholders, to review documents and systems.
  • 20 days are allocated to this work including planning, field work and reporting.

The Charter of the CGIAR System Internal Audit Function is attached at Appendix 1 .

Deliverables and timeline

Deliverables Under the direction and overall guidance of the Head, CGIAR System Internal Audit Function:

  • By end December 2018, develop Terms of References for the engagement based on preliminary review of existing documents and interviews with responsible staff and managers.
  • By end January 2019, finish the audit activities according to the approved Terms of References of the engagement.
  • By mid-February 2019, deliver a draft audit report detailing audit findings, recommendations and agreed actions to improve controls relating to CGIAR Active Directory.
  • Hold weekly update meetings on the progress of work with the Head, CGIAR System Internal Audit Function.
  • Document work in audit software used by CGIAR System Internal Audit Function, MKInsight. Training will be provided.


  • The consultancy is anticipated to begin by not later than mid December 2018 and the duration of the assignment will be 20 working days of elapsed time. Most of the assignment work should finish by mid-February 2019.
Knowledge, skills and abilities
  • For a full description, please see the detailed RFP description provided via the link above.
Consultancy Details
  • Home-based with remote working arrangements
  • Virtual consultations are expected to be undertaken by Skype and/or through a portal.  Access to the latter will be facilitated by the CGIAR System Internal Audit Function.
  • Consultants are responsible for all tax liabilities arising from this assignment.
  • Consultants are responsible for securing their own insurance arrangements.
Evaluation and Selection Criteria
  • For a full description, please see the detailed RFP description provided via the link above.
How to submit a proposal

Please submit a narrative proposal and a budget proposal as two separate documents to Both documents can be attached to the same email.

  • The narrative proposal must consist of no more than 10 pages (excluding annexes) using Microsoft Word or similar format. Font size must not be smaller than 11pt Arial normal. Margins should be set to the standard Microsoft ‘A4 Normal’ setting. The format of the narrative proposal is set out in table 1 below. Please see the full RFP description via the link above for a detailed format of the narrative proposal.
  • The budget proposal must be presented using Microsoft Excel or similar format and consist of, at a minimum, the following line items: consultant time, resources, travel (if any). The budget must be presented in Euros.

All proposals must be received no later than Wednesday 5 December 2018, 16:00 Paris time, France. Only electronically submitted proposals will be considered. 

Late proposals will not be considered.

Enquiries on the consultancy may be submitted in writing only, addressed to Responses will be provided within 1 working day of receipt.