| Project | Agreed Upon Procedure Engagement of Web GAAP Application |
|---|---|
| Project No. | AOS-2025-003 |
| Location | Columbus |
| Description | Web GAAP is a web-based application used by clients, independent public accounting (IPA) firms, and the Auditor of State’s Local Government Services (LGS) team to prepare GAAP-based financial statements.
Originally designed for school districts, the software is now used by other entity types such as cities and counties. Web GAAP allows users to upload cash-basis data, post GAAP conversion journal entries, calculate trial balances, and generate financial reports.
The Auditor of State’s Office owns and maintains the software, which is securely hosted at the State of Ohio Computer Center (SOCC). |
| Proposal | Review the RFQ (pdf)
As mentioned in the RFQ, this project includes an explanation of Web GAAP Procedures (pdf) |
| Awarded To | Schneider Downs & Co. Inc. |
| Status | |
| Submit Bid |
Questions & Answers
Questions and answers were added below as they were received.
The inquiry period for this project was October 9, 2025 and extended to Oct. 27, 2025 1:00 p.m.
Send your questions to BidQuestions@ohioauditor.gov
Q1: Could you provide an estimated volume of the code change population applicable to the testing procedures? 10% sample for change management testing
Expanded Question
We would like to appropriately scope the level of effort required for the change management testing activities, with the understanding that 10% of the population will be sampled.
Answer
The Web GAAP application was re-platformed to the Auditor of State (AOS) from the State Software Development Team. There have been 10 code changes since the application was re-platformed and audited by AOS auditors. This is the version of Web GAAP the first AUP will cover.
In January, the rewritten Web GAAP will go into production and will be the version of the second AUP. Updates have been made to the user interface and not to the business logic. At this time, we do not have a way to quantify the code changes that will be made before the start of the second AUP, which is anticipated to start in August 2026.
Q2: Would AOS be willing to extend the response date for RFQ Reference Number 2025-003 by a week? Request for extension
Answer
Our office does not have plans to extend the submission deadline.
Q3: General & Scoping Questions Documentation availability and delivery process
Expanded Question
Documentation Availability: Could you please clarify the anticipated process for obtaining the required documentation (e.g., change tickets, access reports, policy documents)?
Specifically, will this documentation be provided to our team upfront at the start of the engagement (for instance, in a shared repository), or should our work plan assume that we will request items individually as we proceed through our test plan?
Answer
Vendor will request items individually.
Q4: IT Security Questions Procedures 1–10 population sizes, access, and dashboards
Expanded Question
Population Size (Procedures 5, 6, 10): In the "IT Security" section require a 10% sample. To accurately estimate our work effort, could you please provide the estimated total population size for the following items during the engagement period?
- New/Modified users requiring approval for access
- Terminated users requiring access removal
- Individuals with physical access to the server location
Point in Time Access (Procedures 1–4): To inspect screenshots and configurations, will our team be provided with documentation of the password policy settings with a date/time stamp? If the Period 1 is March 1, 2025, through December 31, 2025, and work is anticipated to begin in January 2026, we may not have the ability to observe the settings within the period.
Dashboards (Procedures 8, 9): To inspect the firewall and network monitoring dashboards, will we be provided with static screenshots, with a date/time stamp, or are there historical examples of these dashboards? We may not have the ability to observe the dashboards within the period.
Answer
Population Size (Procedures 5, 6, 10):
- New/Modified users requiring approval for access — 80
- Terminated users requiring access removal — 10 to 15
- Individuals with physical access to the server location — 4
Point in Time Access (Procedures 1–4): Yes
Dashboards (Procedures 8, 9): The AOS receives an annual SOC1 audit. This documentation is part of that review and will be provided.
Q5: How does the engagement address application functionality testing? Procedures 2–10: negative testing and report generation
Expanded Question
"Negative" Testing (Procedures 3, 4, 7, 10): Several procedures require us to attempt to perform an action to confirm an error is generated (e.g., posting an unbalanced entry, uploading a file with invalid data). Will we be performing these tests in the production environment?
Report Generation (Procedure 2): To test the "before and after" reporting for changes (e.g., adding a fund or department), will we be provided with historical examples of these reports? We may not have the ability to observe the report changes within the period.
Answer
"Negative" Testing (Procedures 3, 4, 7, 10): No, this testing will not be performed in the production environment.
Report Generation (Procedure 2): No, we will not be providing historical documents. This test will be performed in a test environment.