| Project | Agreed Upon Procedure Engagement of Web GAAP Application |
|---|---|
| Project No. | AOS-2025-003 |
| Location | Columbus |
| Description | Web GAAP is a web-based application used by clients, independent public accounting (IPA) firms, and the Auditor of State’s Local Government Services (LGS) team to prepare GAAP-based financial statements.
Originally designed for school districts, the software is now used by other entity types such as cities and counties. Web GAAP allows users to upload cash-basis data, post GAAP conversion journal entries, calculate trial balances, and generate financial reports.
The Auditor of State’s Office owns and maintains the software, which is securely hosted at the State of Ohio Computer Center (SOCC). |
| Proposal | Review the RFQ (pdf)
As mentioned in the RFQ, this project includes an explanation of Web GAAP Procedures (pdf) |
| Awarded To | Schneider Downs & Co. Inc. |
| Status | |
| Submit Bid |
Questions and answers were added below as they were received.
The inquiry period for this project was October 9, 2025 and extended to Oct. 27, 2025 1:00 p.m.
Send your questions to BidQuestions@ohioauditor.gov
We would like to appropriately scope the level of effort required for the change management testing activities, with the understanding that 10% of the population will be sampled.
The Web GAAP application was re-platformed to the Auditor of State (AOS) from the State Software Development Team. There have been 10 code changes since the application was re-platformed and audited by AOS auditors. This is the version of Web GAAP the first AUP will cover.
In January, the rewritten Web GAAP will go into production and will be the version of the second AUP. Updates have been made to the user interface and not to the business logic. At this time, we do not have a way to quantify the code changes that will be made before the start of the second AUP, which is anticipated to start in August 2026.
Our office does not have plans to extend the submission deadline.
Documentation Availability: Could you please clarify the anticipated process for obtaining the required documentation (e.g., change tickets, access reports, policy documents)?
Specifically, will this documentation be provided to our team upfront at the start of the engagement (for instance, in a shared repository), or should our work plan assume that we will request items individually as we proceed through our test plan?
Vendor will request items individually.
Population Size (Procedures 5, 6, 10): In the "IT Security" section require a 10% sample. To accurately estimate our work effort, could you please provide the estimated total population size for the following items during the engagement period?
Point in Time Access (Procedures 1–4): To inspect screenshots and configurations, will our team be provided with documentation of the password policy settings with a date/time stamp? If the Period 1 is March 1, 2025, through December 31, 2025, and work is anticipated to begin in January 2026, we may not have the ability to observe the settings within the period.
Dashboards (Procedures 8, 9): To inspect the firewall and network monitoring dashboards, will we be provided with static screenshots, with a date/time stamp, or are there historical examples of these dashboards? We may not have the ability to observe the dashboards within the period.
Population Size (Procedures 5, 6, 10):
Point in Time Access (Procedures 1–4): Yes
Dashboards (Procedures 8, 9): The AOS receives an annual SOC1 audit. This documentation is part of that review and will be provided.
"Negative" Testing (Procedures 3, 4, 7, 10): Several procedures require us to attempt to perform an action to confirm an error is generated (e.g., posting an unbalanced entry, uploading a file with invalid data). Will we be performing these tests in the production environment?
Report Generation (Procedure 2): To test the "before and after" reporting for changes (e.g., adding a fund or department), will we be provided with historical examples of these reports? We may not have the ability to observe the report changes within the period.
"Negative" Testing (Procedures 3, 4, 7, 10): No, this testing will not be performed in the production environment.
Report Generation (Procedure 2): No, we will not be providing historical documents. This test will be performed in a test environment.