Electronic Procurement (eProcurement) is the use of Information and Communication Technology (especially the Internet) by the buyer (in this case the Government) in conducting its procurement processes with suppliers for the acquisition of goods (supplies), works and services.
The factors driving the adoption of eProcurement are -
- Reduced purchasing cost and improved efficiency
- Standardized purchasing processes across the organization
- Reduced administrative costs with better effectiveness
- Significant reduction in the procurement cycle
- Reduced discretion & increased transparency
eProcurement involves a set of technology solutions which concentrate on different key areas of procurement such as -
- e‐Auction or Reverse Auction,
- e-Market Place,
- e‐Invoicing etc.
4. What are the key requirements of an e-Procurement System for an organization (or Government in particular)?
The key requirements are:
- Compliance to GFR guidelines
- Confidentiality and Integrity of Information
- Address Vigilance Guidelines – adherence to CVC Guidelines and IT Act
- System Adaptability & Customization
5. What is the objective of standard document “Guidelines for compliance to Quality Requirements of eProcurement Systems”?
The objective of the document is to provide guidelines for assuring Quality and Security of an e‐Procurement system so that confidence can be provided to its stakeholders that the system is secure, transparent, auditable & compliant with government procurement procedures.
The document provides guidelines that could be followed for designing/developing some critical functionality in an e‐Procurement system. It recommends the necessary process for monitoring adherence to the security and transparency requirements of an e‐Procurement system during the implementation and post implementation by the e‐procurement application developers, service providers and other stakeholders.
6. Who is the Target Audience for “Guidelines for Compliance to Quality Requirements of eProcurement Systems”?
- Purchase/ Head of Public Service Organization
- e-Procurement Service Provider
- e-Procurement Solution Provider/ Application Developer
- Third Party Testing and Audit Organization
There are four operating models for eProcurement:
i. Dedicated e‐Procurement System
ii. Partial Outsourcing – Managed Services
iii. Partial Outsourcing – Infrastructure Support
iv. Full Outsourcing (Application Service provider - ASP) Model
For more details, please refer to Section 2.0 of the notified document ‘Guidelines for compliance to Quality requirements of e-Procurement Systems’.
a. It is assumed that invoices transmitted electronically will be stored electronically. If a public service organisation wishes to store invoices in paper form, this shall be provided for in the local purchase procedure approved by the competent authority.
b. For VAT purpose records must be retained for years as provided in the respective Act.
c. The records may be stored anywhere (State Data Centre/PSU's own data center).
The only requirement is that of security and strategic control, under which all records must be made available to the public service organization on demand within two working days.
A brief description of the layers (from outermost to innermost) is given below:
- ISO 27001 Processes Audit #
- Monitoring against agreed SLAs #
- Architecture Review #
- Vulnerability Assessment (Servers & Network Devices) #
- Penetration Testing of the System #
- Performance Testing of the System #
- Application Design Review #
- Application Code review *
- Application Functional Testing #
- Application Security Testing #
- Application Usability Testing *
- Application Interoperability and Compatibility Testing *
- Data Storage Security Audit #
- Data Communication Security Audit #
(Note: # means Essential requirements & * means Desirable requirements)
The applicant shall submit the request to a testing and auditing agency (like STQC) to get the eProcurement System assessed. The application should specify whether testing is required ‘only for the e‐procurement application’, or for ‘the complete e-Procurement system, viz. the application along with the server in a specific hosting environment’. An application for the former case can be made by the application software developer or licensor, and the ‘developmental aspects’ and ‘security related issues’ will be reviewed.
The application for the latter case can be made by the service provider, or the organization which is procuring the system for its dedicated use. In addition to the ‘developmental aspects’ and ‘security related issues’, the system architecture, security architecture and the detailed network & IT Infrastructure will be reviewed.
For more details, please refer to Section 6.0 of the notified document ‘Guidelines for compliance to Quality requirements of e-Procurement Systems’.
The eProcurement life cycle consists of the following activities:
- Purchase to pay
- Contract management
- Content management
- Management information
- Expression of interest
- Invitation to tender
- Negotiate/reverse auction
Generally, the activities under e-Procurement Life Cycle are covered in various modules, for example -
- Supplier Registration
- Reverse Auction
- e-Catalogue Management
- Contract Management
13. While using PKI based Bid Encryption in eProcurement systems, what are the implementation practices to address risk(s) related to the integrity of persons in the purchase (buyer) organization & the e‐Tendering Service Provider's organization?
The following are the typical implementation practices in this scenario:
- The Private Key with which decryption is done is available with the concerned officer before the Public Tender Opening Event.
- Public Key with which bid‐encryption is done is available publicly.
- Public Key algorithms are slow.
- A copy of the decryption‐key (i.e. the private key of the encryption‐certificate issued by a CA) is generally available (i.e. backed up) with the CA. A duplicate can generally be requested in case of loss; however, this can also be misused.
Any eProcurement/e‐tendering service must provide the facility of Time Stamping, which is critical for establishing the date and time of document submission and its acknowledgement. The Time Stamping feature should be built within the application, and the e‐tendering/e‐procurement server should be synchronized with the master-server at the data‐center where the e‐procurement system is hosted. Alternatively, the e‐procurement service provider can use the Time Stamping services provided by licensed CAs.
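The following is an added illustration, not taken from the guidelines document or from any eProcurement product: a submission acknowledgement that binds the SHA-256 digest of a bid to the server's UTC clock reading, so that the date and time of submission can be checked later in an audit. The HMAC key, the field names, the sample tender data and the four status strings are assumptions made for the example; a service relying on a licensed CA would hold a CA-issued time stamp instead of this shared-key MAC.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: a secret held only by the e-tendering server (constructed value).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _mac(fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the receipt fields."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_receipt(tender_id: str, bidder_id: str, bid: bytes, now: datetime) -> dict:
    """Acknowledge a submission: bind the bid digest to the server's UTC time."""
    fields = {
        "tender_id": tender_id,
        "bidder_id": bidder_id,
        "bid_sha256": hashlib.sha256(bid).hexdigest(),
        # Normalise to UTC so receipts compare consistently across time zones.
        "received_utc": now.astimezone(timezone.utc).isoformat(),
    }
    return {**fields, "mac": _mac(fields)}


def verify_receipt(receipt: dict, bid: bytes, deadline: datetime) -> str:
    """Audit check: returns 'ok', 'late', 'bid-mismatch' or 'tampered'."""
    fields = {k: v for k, v in receipt.items() if k != "mac"}
    # Constant-time comparison; any edited field invalidates the MAC.
    if not hmac.compare_digest(_mac(fields), str(receipt.get("mac", ""))):
        return "tampered"
    if hashlib.sha256(bid).hexdigest() != fields["bid_sha256"]:
        return "bid-mismatch"
    if datetime.fromisoformat(fields["received_utc"]) > deadline:
        return "late"
    return "ok"


# Constructed sample data for the demonstration.
DEADLINE = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
BID = b"constructed sample bid document"

if __name__ == "__main__":
    on_time = datetime(2024, 3, 1, 11, 59, tzinfo=timezone.utc)
    print(verify_receipt(issue_receipt("T-001", "B-042", BID, on_time), BID, DEADLINE))
```

The receipt is only as trustworthy as the clock passed in as `now`, which is why the server's synchronization with the master-server matters.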
The compliance to applicable GFR requirements may be verified as follows:
- In the case of a manual procurement system, compliance verification may be done through a process audit of the policy & procedures of the client’s (buyer) organization. It is up to the client to perform the process audit to ensure compliance.
- In the case of an eProcurement system, compliance verification shall be done through testing and audit of the functionalities in the EPS solution.
- It is recommended that internal verification may be done by the EPS solution provider and also be externally verified by Third Party Agency for client’s acceptance.
All the terms, conditions, stipulations and information to be incorporated in the bidding document are to be shown in the appropriate chapters as below:
- Chapter–1: Instructions to Bidders.
- Chapter–2: Conditions of Contract.
- Chapter–3: Schedule of Requirements.
- Chapter–4: Specifications and allied Technical Details.
- Chapter–5: Price Schedule (to be utilized by the bidders for quoting their prices).
- Chapter–6: Contract Form.
- Chapter–7: Other Standard Forms, if any, to be utilized by the purchaser and the bidders.
Preparation of Terms of Reference (TOR) should include:
- Precise statement of objectives;
- Outline of the tasks to be carried out;
- Schedule for completion of tasks;
- The support or inputs to be provided by the Ministry or Department to facilitate the consultancy; and
- The final outputs that will be required of the Consultant.
The RFP is the document to be used by the Ministry/Department for obtaining offers from the consultants for the required work/service. The RFP should be issued to the shortlisted consultants to seek their technical and financial proposals. The RFP should contain:
- A letter of Invitation
- Information to Consultants regarding the procedure for submission of proposal
- Terms of Reference (TOR)
- Eligibility and pre‐qualification criteria in case the same has not been ascertained through Enquiry for Expression of Interest (EOI)
- List of key positions whose CVs and experience would be evaluated
- Bid evaluation criteria and selection procedure
- Standard formats for technical and financial proposal
- Proposed contract terms
- Procedure proposed to be followed for midterm review of the progress of the work and review of the final draft report