Doing Consulting Work for Wife's Employer

nascar_paul Member Posts: 288
My wife's employer wants me to do an audit of their IT systems and make recommendations but I've got just a couple of small reservations.


First, what is this kind of audit normally called?
How much should I charge and how? Example: hourly/flat-fee?


I'm basically wondering if this a good idea or bad and how often it happens in the real world. Any advice and/or experience in this area would be appreciated.
2017 Goals: 70-411 [X], 74-409 [X], 70-533 [X], VCP5-DCV [], LX0-103 [], LX0-104 []
"I PLAN to fail!" - No One Ever

Comments

  • EANx Member Posts: 1,077
    You need to discuss with them the scope of the "audit" which will then lead to a quote for services. If there's a permanent IT person, I'd suggest avoiding any words in the title of the project that sound confrontational. Calling it an "Operations Investigation" is far more aggressive than calling it an "Operations Analysis" and the analysis is more likely to have the willing buy-in of the guy on-site.

    While the boss probably has a sort of idea of what he wants done, if it were me, I would suggest at least the following topics:

    Permissions auditing
    - Agreement on what is an appropriate permission
    - Agreement on whether use of an admin account for non-admin work is permitted
    - Agreement on whether accounts can be set to never require password changes
    Patch compliance
    - Testing patches
    - Patch application timelines
    Disaster recovery (ensuring there is a plan then compliance with the plan)
    - What gets backed up?
    - How often does it get backed up?
    - Where does it get stored off-site and how often?

    There's a ton of things that can be audited; you really need to be on the same page regarding scope of work. And it can be that they're looking to you for suggestions, in which case the list above is a good starting point but definitely not enough.
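    The scope items in the checklist above can be turned into repeatable checks once the client has agreed on the thresholds. The script below is an added example, not code from EANx or anyone in this thread: it runs the permissions, patching and backup items from the list over a constructed inventory. The policy values (dedicated admin accounts carry an "-adm" suffix, only "svc-" accounts may have non-expiring passwords, a 30-day production patch deadline, a 7-day test-ring soak, off-site copies no older than 7 days) and all account, host and backup records are assumptions made up for the example.

```python
from datetime import date, timedelta

# Fixed "today" so the results are reproducible; a real run would use date.today().
TODAY = date(2017, 6, 1)

# Assumed policy thresholds: hypothetical values agreed with the client, not
# figures from the thread. Each one maps to an item on the scope checklist.
POLICY = {
    "admin_groups": {"Domain Admins", "Enterprise Admins"},
    "admin_account_suffix": "-adm",   # admin rights only on dedicated accounts
    "never_expires_prefix": "svc-",   # only service accounts may skip rotation
    "prod_patch_deadline_days": 30,   # production patched within 30 days
    "test_ring_lead_days": 7,         # patches soak in the test ring 7 days first
    "offsite_max_age_days": 7,        # off-site copy no older than a week
}

# Constructed sample inventory (not a real environment).
ACCOUNTS = [
    {"name": "jdoe", "groups": {"Domain Users"}, "password_never_expires": False},
    {"name": "jdoe-adm", "groups": {"Domain Users", "Domain Admins"}, "password_never_expires": False},
    {"name": "bsmith", "groups": {"Domain Users", "Domain Admins"}, "password_never_expires": True},
    {"name": "svc-backup", "groups": {"Domain Users"}, "password_never_expires": True},
]
HOSTS = [
    {"name": "TEST-APP1", "ring": "test", "last_patched": date(2017, 5, 20)},
    {"name": "PROD-APP1", "ring": "prod", "last_patched": date(2017, 5, 25)},
    {"name": "PROD-DB1", "ring": "prod", "last_patched": date(2017, 3, 1)},
]
BACKUPS = [
    {"dataset": "fileserver", "frequency_days": 1, "last_backup": date(2017, 5, 31), "last_offsite": date(2017, 5, 28)},
    {"dataset": "erp-db", "frequency_days": 1, "last_backup": date(2017, 5, 27), "last_offsite": None},
]


def audit_permissions(accounts, policy):
    """Checklist: admin rights on daily-use accounts, non-expiring passwords."""
    findings = []
    for acct in accounts:
        has_admin = bool(acct["groups"] & policy["admin_groups"])
        if has_admin and not acct["name"].endswith(policy["admin_account_suffix"]):
            findings.append((acct["name"], "admin group membership on a daily-use account"))
        if acct["password_never_expires"] and not acct["name"].startswith(policy["never_expires_prefix"]):
            findings.append((acct["name"], "password set to never expire on a user account"))
    return findings


def audit_patching(hosts, policy, today=TODAY):
    """Checklist: patch application timelines and testing before production."""
    findings = []
    test_dates = [h["last_patched"] for h in hosts if h["ring"] == "test"]
    lead = timedelta(days=policy["test_ring_lead_days"])
    for host in hosts:
        if host["ring"] != "prod":
            continue
        age = (today - host["last_patched"]).days
        if age > policy["prod_patch_deadline_days"]:
            findings.append((host["name"], f"last patched {age} days ago, deadline is {policy['prod_patch_deadline_days']}"))
        # Require at least one test host patched `lead` days before this prod host was.
        if not any(t <= host["last_patched"] - lead for t in test_dates):
            findings.append((host["name"], "patched without the required test-ring soak period"))
    return findings


def audit_backups(backups, policy, today=TODAY):
    """Checklist: what gets backed up, how often, and where the off-site copy is."""
    findings = []
    for b in backups:
        age = (today - b["last_backup"]).days
        if age > b["frequency_days"]:
            findings.append((b["dataset"], f"last backup {age} days ago, schedule is every {b['frequency_days']} day(s)"))
        if b["last_offsite"] is None:
            findings.append((b["dataset"], "no off-site copy recorded"))
        elif (today - b["last_offsite"]).days > policy["offsite_max_age_days"]:
            findings.append((b["dataset"], "off-site copy older than policy allows"))
    return findings


def run_audit(accounts=ACCOUNTS, hosts=HOSTS, backups=BACKUPS, policy=POLICY, today=TODAY):
    """Return findings per scope area; an empty list means the area passed."""
    return {
        "permissions": audit_permissions(accounts, policy),
        "patching": audit_patching(hosts, policy, today),
        "backups": audit_backups(backups, policy, today),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(f"== {area}: {len(findings)} finding(s)")
        for subject, message in findings:
            print(f"  {subject}: {message}")
```

    On the constructed data this reports one daily-use account holding admin rights with a non-expiring password, one production host past the patch deadline and both production hosts patched without a test-ring soak, and one dataset with a stale backup and no off-site copy. The point of keeping the thresholds in one policy block is that they are exactly the items the client has to agree on before the work starts, so the report can cite the agreed rule beside each finding.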
  • OctalDump Member Posts: 1,722
    For professional services, I'd charge an hourly fee. It works for lawyers, doctors, accountants etc. I'd also get them to prioritise what they actually want, so if it does start running longer than they expect, they will at least get what they want most.

    If you've not done this before, it can be worthwhile getting a lawyer to draw up a contract you can use or to review a contract they give you. People regularly run into problems (nonpayment, for example) that a good contract can solve. Just factor the costs of that into whatever you charge.

    I do think that you will have to be careful with the politics, since it's your wife's employer. Make sure that you get buy-in from anyone important, particularly any existing IT staff and management.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • yoba222 Member Posts: 1,237
    Disclaimer: I have only been doing audits for a few months and it is not my primary duty. In remembering what I thought audits might involve before I'd ever done one and in now considering what I've experienced in actually doing them, I would pass on this. The fact that it happens to be your bosses' wife I'd definitely pass.

    Audits are vast and can deeply tie in with seemingly abstract legal requirements. The technical side might make sense to you and me when auditing their patch management process: how often do they patch, how are the patches deployed, are they first deployed to a test environment, etc. This one is relatively straightforward.

    But other facets of an audit are less obvious. Do they have an incident response plan? Let's see it. Would the way the plan is written foster the ability for the incident response team to gather a chain of documented evidence for a potential court trial months or years later?

    Does the company handle credit card numbers? How about PHI? All kinds of other requirements the company may want to be part of the audit hinge on that. If the company deals with financial reporting, an accounting related audit to demonstrate Sarbanes-Oxley compliance needs to know details on the physical security--locks, cameras, etc. of the data center of the business! Audits get deep and the reasons for the questions can be rooted in legalese.
    https://en.wikipedia.org/wiki/SSAE_16 for example.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP