Interesting. Do you mind if I ask what sort of audits you were working on?
I can understand the 2 week pre-audit familiarization period. How would you price this out instead? I was operating under the assumption that the pre-audit familiarization was priced into the first week as threat modeling and discovery. This would also lend credence to the report admitting that they did not have time to investigate as thoroughly as they would have liked.
I did forget to include the post-audit report-writing period, it's been a while since that was a thing for me. I've never billed for that in my own practice because I disagree with the idea of billing for five days of work that essentially boils down to "fill in findings and application details into a long-form, templated PDF." I've also never seen a consultant really need five days to complete one of those :). I'm sure folks like Tom will come in shortly to beat me over the head for not charging for this part of the assessment.
I don't understand what you mean by this though:
> And from TFA: Conservancy and the phpMyAdmin project are proud of the results and thank Mozilla for funding and initiating the audit.
I do agree it's likely that there is a discount here for future or publicly recognizable work.
Banking. But there was a standard policy, regardless of department - HR, Operations, Technology, Sales, everything. What was important was the scope.
I may have read the article wrongly, however. On second reading, it seems audit in the sense of check. Not audit as I assumed on an institutional level. In this case, certainly not everything is checked. Tires are kicked in the first couple of days, and if something seems like it has a leak, an extremely deep dive will be taken, for example checking thousands of records by hand (well, probably in Excel) looking for something missed - a signature, a verifier, etc. Non-cooperation results in the audit being extended in time until the auditor is satisfied with their findings.