NEBRASKA LOTTERY

Document Sample
NEBRASKA LOTTERY Powered By Docstoc
					                           NEBRASKA LOTTERY
                     REQUESTS FOR PROPOSALS
             ELECTRONIC DATA PROCESSING AUDIT SERVICES
                      QUESTIONS AND ANSWERS
                         FEBRUARY 17, 2006


1.   Is there a maximum number of pages for the entire response? If there is, does
     that number include appendices?

     There is no limit on the number of pages that can be included in a proposal
     response.

2.   In your RFP, you indicate that the response must be on plain white paper. We
     are assuming that this means not to use colored paper but that we are allowed to
     use our graphics and charts to demonstration our abilities. Is this correct?

     The response must be on white paper, not colored paper. Any charts or graphs
     included in a proposal response may be in color.

3.   Are the most current audit of the Nebraska Lottery and the associated
     management comments available for review?

     The most recent EDP review was conducted in 2000. We have chosen not to
     make those results available for public review as a security-related record. The
     on-line and instant vendors’ systems have changed since that last audit. Our
     most recent financial audit was conducted by the Auditor of Public Accounts and
     was issued October 13, 2005. That report can be found on the Auditor’s Web
     site at www.auditors.state.ne.us using the APA Reports Issued tab and selecting
     2005 reports while using “lottery” as the search keyword.

4.   Please provide a description of the operating system used for the network.

     A description has been provided in Sections 2.5.3 and 2.5.4 of the Request for
     Proposal.

5.   Please provide a description of the mainframe/host system.

     A description has been provided in Sections 2.5.3 and 2.5.4 of the Request for
     Proposal.

6.   There are a number of references to this engagement as an “audit” yet in certain
     areas it is also referred to as an “assessment”. Do you see a separation in the
     two terms or is it one and the same?

     The terms “audit” and “assessment” are considered one and the same.



                                         1
7.    Has the Nebraska Lottery identified specific internal controls for the systems and
      topics in question?

      The list of internal controls has been identified in Section 2.6.2.

8.    Have current SAS 70 reports been issued for GTECH and Intralot? Are these
      available for review?

      At this time, we are not aware of any SAS 70 audits that have been completed
      for GTECH and INTRALOT.

9.    From the information provided, is Georgia the backup location for Intralot?

      Yes.

10.   Is a visit to Intralot in Georgia expected as part of the assessment?

      No, you would not need to visit the INTRALOT headquarters in Georgia.

11.   EDP Audit in the spring of 2000, RFP 1.3. Can the Lottery provide information
      about the previous audit, namely: Who conducted that audit? What was the
      cost of that audit? Are those audit results publicly available for review?

      The audit was conducted by RSM McGladrey, Inc. and the cost of the audit was
      $84,995. We have chosen not to make those results available for public review
      as a security-related record. The on-line and instant vendors’ systems have
      changed since that last audit.

12.   Nature of the Audit, RFP 2.2. Is the audit expected to be of any particular known
      type such as a SAS_70 (AICPA)?

      The audit is not to be of any particular type. We need a comprehensive study
      and evaluation of our electronic data processing systems as well as the systems
      of our two lottery vendors.

13.   Control Objectives, RFP 2.6.2. What is the source of the particular set of control
      objectives? Is this set from a published standard?

      The source of the controls is from in-house review. The controls are not from a
      published standard.

14.   EDP Audit Experience, RFP 2.9. Is the auditor required to be a CPA firm? Is the
      auditor required to hold an information systems audit certification, such as the
      CISA (Certified Informations Systems Auditor) as issued by ISACA (Information
      Systems Audit and Control Association)?




                                            2
      The vendor selected would not need to be a CPA firm nor would CISA
      certification be required.

15.   Compensation, RFP 3.1 and 3.2. If the project is a fixed price contract (RFP
      3.1), then why itemized invoices with hours by staff and rate per staff hour (RFP
      3.2)? Shouldn’t the invoice simply reference the completion of a project
      milestone, signaling appropriateness for billing the fixed price associated with
      that milestone?

      The breakdown was requested for the benefit of INTRALOT and GTECH. They
      share in the cost of the audit and the billing for the work on each of their
      systems. The detailed breakdown would be helpful to them in analyzing their
      portions of the audit costs. Both of these vendors have been contacted and are
      willing to accept a percentage of project break-down.

16.   Lowest Cost and Best Award, RFP 4.21. Does this terminology mean that a
      combination of technical merit and price will be used to select the apparent
      winner? The proposal with the highest technical merit (“best”) might not be the
      “lowest cost.”

      A contract award will be based on a combination of “best” and “lowest cost
      proposal.” The lowest cost proposal is not necessarily the best proposal. A
      contract will be awarded to the responsible vendor who submits the lowest and
      best proposal which maximizes the benefits to the state in relation to the cost in
      the areas of security, competence (experience, financial responsibility, minority
      and female participation, quality of product or services, capability, timely
      performance), and price. Whether the vendor is based in Nebraska and such
      other factors as may be deemed appropriate for the particular contract are also
      considered.

17.   Selection Factors for the Award, RFP 4.21. Are the selection factors weighted
      and scored in the evaluation? Are scoring details available for potential bidders
      to consider?

      Selection factors are scored based on each bidder response by the members of
      the Evaluation Committee. Scoring details are not available for consideration by
      potential bidders prior to completion of the evaluation and recommendation by
      the Committee, or before the final decision by the Director and Tax
      Commissioner. Scores of all bidders are available for public review after a
      winning proposal has been awarded and announced.

18.   Late Report Liquidated Damages, RFP 4.29.22.1. Does the $1,000 liquidated
      damage term apply to the weekly progress report (RFP 2.7.1) as well as to the
      final report (RFP 2.8.3)?




                                           3
      Yes, the liquidated damages provided under RFP Section 4.29.22.1 applies to
      any reports required by the RFP.

19.   Minority Participation, RFP 4.30.1. To what extent does minority participation,
      particularly of Nebraska based minorities, figure into the proposal evaluation
      process? Is this one of the evaluation criteria (RFP 4.21)?

      The level of minority and female participation, whether residents of Nebraska or
      elsewhere, is an evaluation criteria specifically set forth in Lottery regulations.
      This criteria is not accorded greater or lesser consideration than any other
      criteria under evaluation in the category of competence.

20.   Local Office, RFP 4.35. Is it sufficient if a Contractor has an office in the State of
      Nebraska, but that office is not affiliated with EDP audits in general, nor this
      project?

      As long as the contractor maintains an office in Nebraska at all times during the
      contract term, this requirement is satisfied. The State Lottery Act requires that
      the contractor establish a permanent office in this state. The local office does
      not have to be affiliated with EDP audits in general, but it must be able to handle
      communications, contacts, deliveries and daily business relating to the project.

21.   Local Office, RFP 4.35. Is there an evaluation preference for firms with major
      operations in Nebraska?

      There is an evaluation preference for vendors based in Nebraska pursuant to
      legislative intent under the State Lottery Act. Preference is given for contracts to
      bidders based in Nebraska if the costs and benefits are equal or superior to
      those available from competing persons based outside the state.

22.   Do we need to visit the 5 regional claims centers?

      It would not be necessary to visit all of the five regional claims centers.

23.   Can we submit a soft copy of progress reports in PDF format instead of Word?

      Yes, progress reports can be submitted in .PDF format instead of Word.

24.   In section 2.6.2 – Scope, can you add some clarification for what you mean by
      systems controls and how these would be differentiated from application
      controls? Do you mean the operating system and its software components?

      System controls would be associated with the operating system and related
      components. Application controls would be associated with the operating
      application such as LOTOS, ICS and NEIPS.




                                            4
25.   In section 2.6.2 – Scope, when you include application controls in the scope of
      the review what applications should be reviewed? (LOTOS, Internal Control
      System, NEIPS, VISION)

      The four applications noted should be included in the review.

26.   Can you confirm that program change control and application/system
      development is not included in the scope of the review as I did not see them
      specifically mentioned?

      The review should include evaluation of GTECH and INTRALOT’s program
      change control procedures. This review should include version controls.

27.   Do we need to test all the games identified? (on-line games, Nebraska Pick 5,
      Nebraska Pick 3, Powerball (in conjunction with MUSL), 2by2 (in conjunction
      with MUSL)

      If the audit review procedures necessitate reviewing all of the games, then all
      games should be reviewed. If the Lottery’s electronic data processing system
      can be properly reviewed without testing all games, then all games would not
      need to be tested.

28.   Instant win games (how many, what are the games)?

      The number of instant games can vary depending on the time of the year and the
      life of the game. We have price points for instant games ranging from $1 to $10.

29.   Do we need to visit corporate headquarters GTECH location?

      No, you would not need to visit the GTECH headquarters in Rhode Island.

30.   Do we need to visit corporate headquarters INTRALOT?

      No, you would not need to visit the INTRALOT headquarters in Georgia.

31.   On page 39, section 4.35, it states that the contractor will be required to maintain
      an office in Nebraska at all times during the terms of the contract – what exactly
      does that mean?

      The RFP requires the contractor to maintain a permanent, local office in
      Nebraska during the contract term. This is required by state law. The purpose
      of this requirement is to provide the Nebraska Lottery with a local, in-state
      contact point and person(s) through which to communicate and conduct
      business pertaining to the contractor's duties, obligations and performance under
      the contract.




                                           5
32.   Can we use/rely on the recent background investigations we had performed for
      Visa and the Colorado Lottery?

      The background investigations that were performed for other lotteries would not
      be sufficient for the Nebraska Lottery’s background policies and procedures.

33.   The RFP refers to the project as an audit. Are you considering this work a
      SAS70 or Agreed Upon Procedures review or is it more of a consulting project?

      The audit is not to be of any particular type. We need a comprehensive study
      and evaluation of our electronic data processing systems as well as the systems
      of our two lottery vendors.

34.   Section 1.1.1 and other sections of the RFP state that the audit will include the
      evaluation of the INTRALOT USA, GTECH, and ELSYM systems. What level of
      cooperation does the Nebraska Lottery require these contractors to provide to
      the successful bidder?

      The instant ticket and on-line gaming system vendors and their subcontractors
      are obligated by contractual agreement to subject their systems to independent
      audits performed by auditors selected by the Lottery.

35.   Section 1.1.2 suggests a May 1 commencement and June 23 completion for the
      audit. There have been recent cases where security audits and SAS 70 audits
      have been delayed more than a month because of the nondisclosure
      agreements the lottery system vendors have requested the auditors sign. Can
      the Nebraska Lottery provide copies of its three system vendors’ proposed (if
      any) non-disclosure agreements with the responses to these questions? (i.e., as
      the Lottery had done in Appendix D)

      At this time, non-disclosure agreements for each of the Lottery vendors will not
      be provided. When a bidder is selected for this project and if such agreements
      are required by the various contractors, they will be secured at that time.

36.   Section 2.5 lists several lottery functions and regional offices. Section 2.6.1
      mentions the Nebraska Lottery’s internal LAN. We assume the Lottery has PCs
      that are connected via its LAN to both the INTRALOT system and GTECH
      system. Do any Lottery PCs contain client software for both of these systems,
      or does each Lottery PC only allowed to communicate to only the on-line or
      instant system?

      Each Lottery PC has access to each vendor’s back office application via client
      software.

37.   Does the Nebraska Lottery require all regional claim centers to be audited?




                                           6
      Each regional claim center only has a Coronis terminal (Intralot) and a warrant
      printer (GTECH). They are staffed by Department of Revenue employees who
      process lottery claims in conjunction with their regular duties. It would not be
      necessary to visit all of the five regional claims centers.

38.   Are telemarketing, ticket receiving, warehousing, pick and pack, delivery to
      retailers outsourced to one of more of the Lottery’s contractors? Where are
      these activities conducted?

      All of these activities are performed by GTECH through the instant-ticket
      contract. These activities are conducted at the GTECH warehouse on Bair
      Avenue in Lincoln, Nebraska.

39.   Section 2.5.3.4 discusses GTECH’s primary Instant Production System, is there
      a secondary Instant Production System?

      Yes, it is located at GTECH.

40.   Does the GTECH Instant Production System communicate to retailers through
      dial-up and through GTX front-end processors?

      Yes.

41.   Does the instant ICS system have any specific production applications aside
      from balancing sales, cashing, and inventory levels?

      Yes, it includes Telesales and Distribution as part of the inventory application.

42.   Section 2.5.4.4 states that INTRALOT has a backup system in Duluth. Is this a
      hot backup? Does the Nebraska Lottery desire the audit to include a physical
      inspection of that system?

      The site in Duluth is considered to be a “warm” backup. No, you would not need
      to visit the INTRALOT headquarters in Georgia.

43.   Section 2.6.2 discusses the review of electronic data processing policies,
      procedures, and practices. Does the Nebraska Lottery develop, maintain, or
      operate any computer applications not provided by INTRALOT or GTECH (i.e.
      back office, customer services, etc) that need to be included in this audit?

      No.

44.   Is the Nebraska Lottery using a computerized random number generator to draw
      numbers for Pick 3 and Pick 5? If so, is this system to be included in the audit?




                                            7
      Yes, we use a random-number generator to draw the numbers for Pick 5 and
      Pick 3. This system does not need to be included in the review.

45.   Do the ICS systems (instant and on-line) perform in real time, near real-time, or
      batch-mode?

      Batch-mode.

46.   Section 2.7.1 requires interim reports be submitted to the Nebraska Lottery
      Director every Monday. Will there need to be separate functional reports for
      each audit area as required by section 2.8.5? Will the periodic conferences need
      to be conducted such that certain individuals do not hear all findings?

      For the interim reports requested as part of 2.7.1, they do not need to be broken
      down into functional areas as required by 2.8.5. If periodic conferences are
      requested, they may need to be conducted such that certain individuals do not
      hear all findings.

47.   Section 3.1 states that the Nebraska Lottery will compensate the Contractor by
      payment of a fixed fee. Section 3.2 states invoices will be submitted after a
      satisfactory progress report has been forwarded, and stipulates that the invoices
      contain detailed information including number of hours worked per person. It
      also requires a breakdown between the auditing activity for the lottery, GTECH
      and INTRALOT systems.
         a. Does the Nebraska Lottery intend to pay the Contractor for unanticipated
             hours worked? No, the Lottery will pay only the fee as negotiated and
             signed in the contract.
         b. Does the Nebraska Lottery intend to reduce the Contractors compensation
             if the actual hours worked is less than those bid? No, the Lottery will pay
             only the fee as negotiated and signed in the contract.
         c. Attributing percentages of the costs to each of the three entities will not be
             difficult (assuming we can prorate the common costs to coincide with
             identifiable costs). However, the requirement to do a full accounting by
             person will add overhead to the cost of the audit. If the Contractor is willing
             to only get paid upon successful completion of the project, would the
             Nebraska Lottery consider requiring the final invoice be broken down by
             the three systems, and not require the hourly accounting? The breakdown
             was requested for the benefit of INTRALOT and GTECH. They share in
             the cost of the audit and the billing for the work on each of their systems.
             The detailed breakdown would be helpful to them in analyzing their
             portions of the audit costs. Both of these vendors have been contacted
             and both are willing to accept a percentage of project breakdown.




                                            8
48.   Section 4.16 requires a performance bond. Performance bonds are prohibitively
      expensive for smaller companies. Will the Nebraska Lottery accept a cash bond
      in the full amount of the contract to be held by the State of Nebraska until the
      successful completion of the contract?

      We cannot accept a cash bond in lieu of a performance bond. State law
      explicitly requires that each lottery contractor for a major procurement shall, at
      the time of executing the contract, post a performance bond with the Director
      using a surety acceptable to the Director in an amount equal to the full amount
      estimated to be paid annually to the contractor under the contract.

49.   Section 4.17 requires $1,000,000 in Property insurance. Insurance companies
      will not issue insurance for property insurance in excess of the value of property
      a company has. Also, financially solvent companies usually self-insure. We
      have never been asked by a lottery client to have property insurance. Will the
      Nebraska Lottery considering dropping this requirement or changing this
      requirement to require “Property insurance in an amount to be agreed to by the
      Nebraska Lottery.”? This will provide the Lottery with the ability to ensure it is
      adequately covered during the negotiations.

      The level of property insurance to be carried by the contractor will remain at
      $1,000,000 as stated in the RFP.

50.   Section 4.29.13 requires bonds and insurance be issued by companies or
      financial institutions which are financially rated “A” or better and duly licensed in
      the State of Nebraska. Some of the bond and insurance requirements asked for
      in the proposal are not available from “A” rated firms. Would the Lottery consider
      changing the reference to “A” to “A or other rating acceptable to the Nebraska
      Lottery?”

      All required bonds and insurance must be issued by companies or financial
      institutions which are financially rated “A” or better and duly licensed, admitted,
      or authorized to do business in the State of Nebraska.

51.   Has the Nebraska Lottery passed the security review performed by the Multi-
      State Lottery Association? If so, can bidder’s proposals take this into
      consideration in developing our audit approach?

      Yes, the Nebraska Lottery has passed MUSL’s security review. Yes, the bidder
      may take this into consideration in developing the audit approach.

52.   Section 4.29.22.2 allows the Nebraska Lottery to assess $10,000 in liquidated
      damages in the event of the unauthorized or confidential materials without
      written approval. Are we correct in assuming that this stipulation does include
      information that is learned by GTECH, INTRALOT, or Elsym as a result of their
      interaction (via interviews and investigations) with the auditor?



                                            9
      The assessment of liquidated damages for the release of unauthorized or
      confidential materials pertains to any materials obtained or produced by the
      contractor in performance under the contract and released to an outside party
      without prior written approval from the Nebraska Lottery. Such materials may
      include information either directly obtained from the Nebraska Lottery or its
      audited vendors, or information developed or gathered by the contractor in the
      course of the audit, and concerning either the Nebraska Lottery or any of the
      audited vendors.

53.   Most portions of the audit will be much faster to perform (and, consequently less
      expensive for the Lottery) if certain information is readily available to the audit
      staff. Will the following information be available for review by the audit staff after
      the contract is signed and the auditors have received security clearances:
         d. Previous audit report No
         e. Contracts/proposal for INTRALOT and GTECH Yes
         f. Incident reports Yes
         g. Hotline reports Yes
         h. System logs Yes
         i. Operations turnover logs Unknown
         j. Lottery, INTRALOT and GTECH plans, policies, and procedures (as they
             relate to the Nebraska Lottery-related operations). Yes
         k. Physical and logical access lists Yes
         l. Detailed network diagrams for systems and connectivity between systems
             Yes

54.   Our company is a multi-national partnership with hundreds of office. Can you
      give clear direction on what type of liens we would need to report against, as due
      to our size there could be numerous spanning the globe.

      There is no distinction as to the type of liens under the RFP requirement to
      disclose any liens filed against the vendor or any person with a substantial
      interest in the vendor. State law requires that a vendor disclose "a list of all liens
      filed on or filed against the entity or filed on or filed against persons with a
      substantial interest in the entity." It is up to the submitting vendor to adequately
      provide such information in order for the Nebraska Lottery to be able to evaluate
      financial soundness to satisfactorily perform under the proposed contract.




                                            10

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:261
posted:2/4/2010
language:English
pages:10