What does a standard tech audit include and what is a reasonable price for it?

Question

I am a programmer, but the company I am working for has been growing and has outgrown the 2 man IT contractor team that has been servicing us.

We are looking into several different solutions for our IT needs now (smallish company 30 computers, 3 servers).

I have been presented with a proposal from an IT company for a Tech Audit. The problem is I don't know if they are covering all of the bases that they should, and if they are quoting us a reasonable price.

Here is a list of what they say is included in their tech audit:

IT Roadmap and Budget Plan

• Immediate needs
• Short term needs
• Long term needs

Network information

• Visio diagram of complete network
• IP addresses
• DHCP
• Router
• Firewall
• Switches
• Server Access
• VPN / Remote Access
• DNS
• Wireless Connectivity
• Website

Asset Inventory

• Server (Warranty)
• Application (email, line of business applications databases, accounting
• Desktops
• Storage
• Software licensing and renewals
• Printers / Toner

Security

• Compliant with IT standards
• Antivirus
• Password Policies
• Windows updates
• Encryption
• Physical Access
• Content Filter

Backups and Disaster Recovery

• Backup System
• Test / restore
• Recovery point Objectives
• Recovery time objectives
• UPS / battery backups

Telco and Phone System

• Internet Provider
• Bandwidth speed
• Phone system

I know what most of those are and I think they need to be checked but some of them I'm sorta in the dark on. Like 'Compliant with IT standards' -- what IT standards? Where would be best to look those up?

Finally they say that to do this they will charge us $3500. That's a decent amount of change for a company our size.

So is that a fair price for the services listed?

Are there any glaring omissions from this list that should be included?

Is there anything that I should be aware of when determining if this company would be a good fit for our IT needs? (The tech audit would be a precursor for them becoming our permanent IT provider.)

Answer 1

I suspect this question is out-of-scope for Server Fault, since it's really about scoping the delivery of IT services. Having said that, the scope seems reasonable (if a little "sales-ey"-- "IT Standards"... heh heh). The scope seems inclusive enough to show that this isn't this company's first rodeo (or, alternatively, that they bought some rather inclusive sales template documents).

I couldn't comment on pricing w/o knowing more about the metes and bounds of your infrastructure. It doesn't seem out of line, just off the cuff. It depends on how much "stuff" you have and how thorough they're going to be. Whether or not the report will be of use to you is probably more of a good factor to assess the value for the price paid.

I would ask to see a sample report that has coverage for all of the areas they intend to cover for you. (I prepare a sample for every type of report / audit that I provide as part of developing the "product" and I find it to be a handy "sales" tool.) This will give you an idea of how thorough they're planning on being (and gives you a standard to hold them to when you get your report).

I would evaluate the sample report to see if it is helpful as a standalone resource. If it doesn't provide sufficient detail to be worth the cost then I'd be wary of purchasing the offering they're proposing. I don't think it's sensible to pay them for delivering a service if, ultimately, the service only helps them scope the "opportunity" with you and doesn't give you an actionable resource. I've seen "managed IT services" firms use reports like this as a way to start a contractual service arrangement. If it's being "sold" as a report to you with usefulness that stands on its own, and not as just part of the contract fees for starting an IT support contract with this provider, I'd be very, very sure that the sample report stands up as being a useful resource on its own (and, if it doesn't, I would immediately be suspicious of the "character" of the provider).

When I prepare audits for prospective Customers I impress upon them that my report can be taken to any vendor of IT services as part of a Request for Proposal. I think that's the only honest way to do it. I write my report hoping that I'm going to be the future vendor to act on the report's recommendations, but I don't assume it. I prepare most of my reports as work-for-hire, with the Customer "owning" the report's "intellectual property" after they pay for the report. You should find out what the license you're going to receive is like to determine if you can redistribute, "remix", or otherwise make use of the report for your own purposes.

IT services is a largely unregulated industry, and although there have been various attempts at "standardizing" the methodology and delivery of IT service provision (ITIL, etc), there is really no guarantee that any provider is going to follow any particular methodology or reporting standard. The onus is on you, as a consumer of IT services, to assess how applicable the services are to your needs.

Answer 2

The scope is pretty common, looks like they're hitting the big things.

Even for a small company with a small server footprint, doing the assessment is about 4-8 hours of work minimum, and writing the report and recommendations and getting a review is probably another 4-8. So, 1-3 man-days worth of work.

The pricing isn't out of line with that, depending on your geographic area. If you want to know more, ask some other vendors for their price in doing an audit, and finding out what it covers. Of course, as you know, price can be inverse to quality, but for an assessment, it might be seen as a loss-leader for a services firm if they assume that they'll get the business.