1. Background
Children International Zambia (CIZ) seeks to modernize its payroll management processes by transitioning to a secure, cloud‑based payroll system hosted on a dedicated server. This modernization aims to improve efficiency, strengthen data security, ensure compliance with statutory requirements (ZRA, NAPSA, NHIMA), and empower authorized teams to manage payroll through a well‑controlled and auditable platform.
This transition aligns with CIZ’s broader strategy to adopt modern cloud‑based systems that enhance data integrity, reduce manual processes, and enforce strong internal controls such as segregation of duties.
2. Objective
To procure and implement a secure, scalable, dedicated‑server cloud payroll system that delivers full statutory compliance, robust data protection, operational efficiency, Azure Active Directory (Azure AD) Single Sign‑On, and strong internal financial controls through segregation of duties.
The Information Technology (IT) Department will be responsible for overall project management, ensuring coordination between the vendor, Finance, Talent Growth, and other internal stakeholders throughout the implementation lifecycle.
3. Scope of Work
3.1 Payroll Processing
The system must:
- Process monthly payroll for employees.
- Manage salaries, allowances, deductions, overtime, benefits, and leave payouts.
- Automatically compute statutory obligations including:
  - ZRA PAYE, tax tables, and annual returns
  - NAPSA pension contributions
  - NHIMA health insurance contributions
- Generate secure electronic payslips accessible through a portal or via email.
3.2 Statutory Compliance
The solution must:
- Produce all statutory reports required by ZRA, NAPSA, and NHIMA.
- Support accurate calculations aligned with Zambia Labour Laws.
- Update statutory tables promptly when regulations change.
- Maintain audit‑ready records.
3.3 Dedicated Server Hosting Requirements
The payroll system must operate on a single‑tenant, dedicated server, with:
Hosting Standards
- Exclusive server resources (CPU, RAM, storage, database).
- No multi‑tenant or shared infrastructure.
- ≥99% uptime SLA.
- Encrypted transmission (TLS 1.2+) and encrypted data storage.
- Dedicated firewall and intrusion detection.
- Regular patching and vulnerability management.
- Automated backups and disaster recovery capabilities.
- Fully comply with the Zambia Data Protection Act.
- Align with Children International’s global security and privacy standards.
- Guarantee strict isolation of CIZ’s payroll data.
3.4 Azure Active Directory (Azure AD) Single Sign‑On
The system must:
- Support SSO via Azure AD (SAML 2.0 or OpenID Connect).
- Enforce MFA through existing CI security policies.
- Map system roles to Azure AD security groups.
- Support centralized access control and automated account lifecycle management.
3.5 Segregation of Duties (SoD)
The system must enforce a strict, auditable Inputter → Reviewer → Approver workflow.
Inputter
- Enters payroll data and updates employee information.
- Cannot review or approve payroll.
Reviewer
- Validates all inputs for accuracy and compliance.
- Cannot enter or approve payroll items.
Approver
- Provides final authorization for payroll execution and statutory submission.
- Cannot enter or review payroll data.
Workflow & Control Requirements
- Mandatory sequential flow with no skipping or bypassing.
- Full timestamping and digital signature at each stage.
- Role separation strictly enforced (no user may hold multiple roles).
- Delegation permitted with audited traceability.
- Complete workflow audit trail must be available at all times.
3.7 Security & Data Protection
The solution must enforce:
- Role‑Based Access Control (RBAC).
- MFA via Azure AD.
- Encrypted data storage and communication.
- Immutable audit logs.
- Secure self‑service portal for employees.
- Compliance with CI internal policies and national privacy regulations.
3.8 Implementation & Migration
The vendor must provide:
- Migration of historical payroll data.
- Configuration of payroll rules, workflows and statutory tables.
- Configuration of system roles mapped to Azure AD.
- A full parallel payroll run for at least one cycle.
- User Acceptance Testing (UAT) with Finance and Talent Growth teams.
- Go‑Live support and stabilization phase.
Project management oversight, coordination, scheduling, and stakeholder alignment will be handled by the IT Department, which will serve as the primary technical liaison between the vendor and internal teams.
3.9 Training & Support
Vendor must deliver:
- Comprehensive training for Finance, Talent Growth, and administrative users.
- Technical and administrative training for IT personnel.
- User guides, manuals, and digital documentation.
- Minimum three‑month post‑Go‑Live support.
- Defined SLAs for incident response and issue resolution.
4. Deliverables
- Fully deployed cloud‑based payroll system hosted on a dedicated server
- Migrated historical payroll data
- Azure AD SSO implemented
- Enforced segregation‑of‑duties workflow
- UAT documentation and sign‑off
- Training materials and job aids
- Post‑implementation support plan
5. Vendor Qualifications
Vendors must demonstrate:
- Experience delivering payroll systems compliant with ZRA, NAPSA, and NHIMA requirements
- Ability to host systems on dedicated servers
- Proven Azure AD SSO integration capability
- Experience with NGOs or similar organizations (preferred)
- Availability of local or regional support channels
6. Evaluation Criteria
Technical Evaluation (60%)
- Compliance with statutory, functional, security, and hosting requirements
- Strength of Azure AD SSO implementation
- Quality and reliability of the segregation‑of‑duties controls
- Hosting architecture and uptime assurances
- Reporting depth and usability
Financial Evaluation (30%)
- Licensing structure and pricing
- Implementation, migration, and training costs
- Ongoing support and maintenance fees
Vendor Experience (10%)
- Relevant client references
- Demonstrated history of successful deployments
- Support capacity and response capability
7. Submission Requirements
Vendors must submit:
- Company profile
- Detailed technical proposal
- Dedicated hosting and security architecture overview
- Azure AD SSO approach
- Implementation plan & timeline
- Financial proposal (detailed)
- At least three references
8. Deadline for Submission
Submissions should be in hardcopy (One Original and Four Copies), which must be dropped at Children International Zambia, Central Office, No. 18 Mulombwa Close, Off Bwinjimfumu Road, Rhodespark, Lusaka. The deadline for submission is Friday 13th March 2026 at 12:00hrs.