IT Audit Request for Quote (RFQ) Client Questionnaire

Purpose: This questionnaire helps us understand your organization’s IT environment and audit needs to prepare an accurate quote for a partial or complete IT audit. Please provide detailed responses to ensure a tailored proposal. We can also help you to fill it up !

Please answer the IT Audit RFQ questionnaire to the best of your knowledge, providing as much detail as possible without falling into a deep analysis, to help us craft a precise and tailored quote for your organization’s needs.

Once the IT Audit Request for Quote (RFQ) questionnaire is submitted, our team will review your responses within 5 business days to assess your organization’s IT environment, audit objectives, and constraints. We will contact you to clarify any details or discuss specific requirements. Based on this, we will prepare a tailored quote outlining the audit scope (partial or complete), estimated timeline, deliverables, and costs. You will receive the quote via email, along with an invitation to discuss next steps, including scheduling and resource planning, to ensure the audit meets your needs.

Need assistance completing the form? Call our friendly team at 1-855-279-7754 for expert guidance and start securing your IT future today!

1. Organization Overview

First name

Last name

Company name

Email

Phone

Number of employees

Number of locations/offices

What is your industry or primary business focus (e.g., finance, healthcare, technology, NPO)

Who is the primary contact for this audit? Provide name, role, email, and phone number.

Does your organization have an internal IT team? If yes, describe their size and roles (e.g., network administrators, cybersecurity specialists).

Yes

No

2. IT Environment

Hardware: Number and type of servers, workstations, laptops, networking equipment (e.g., routers, firewalls).

Software: Key applications used (e.g., ERP, CRM, email platforms).

Operating Systems: Primary OS versions (e.g., Windows Server, Linux, macOS).

Do you use cloud services?

Yes

No

If yes, specify providers and services (e.g., AWS, Microsoft Azure, Google Cloud).

How many users (employees, contractors, or others) access your IT systems regularly?

Do you have a network diagram or IT asset inventory?

Yes

No

If yes, can you share it for audit planning?

Yes

No

Are third-party vendors managing any IT services (e.g., managed IT, hosting, security)?

Yes

No

If yes, list them and their roles.

What cybersecurity measures are currently in place? Examples include: Firewalls or intrusion detection/prevention systems. Antivirus/anti-malware software. Multi-factor authentication (MFA). Regular software updates and patch management.

Do you have a backup or disaster recovery system?

Yes

No

If yes, describe its scope (e.g., frequency, off-site storage, testing).

Are you seeking a partial or complete IT audit?

Complete Audit: Covers all IT areas (security, infrastructure, compliance, processes).

Partial Audit: Focuses on specific areas.

IF PARTIAL, please specify.

3. Audit Objectives and Scope

Which of the following areas do you want included in the audit? Check all that apply and note any specific concerns:

Network Security: E.g., firewalls, VPNs, network vulnerabilities.

Data Privacy and Compliance: E.g., GDPR, CCPA, or industry-specific regulations.

Hardware and Infrastructure: E.g., server performance, physical security.

Software and Applications: E.g., application vulnerabilities, patch management.

Disaster Recovery and Business Continuity: E.g., backup systems, recovery plans.

Employee Cybersecurity Practices: E.g., training, access controls, phishing defenses.

Cloud and Third-Party Vendors: E.g., cloud security, vendor risk management.

IT Governance and Policies: E.g., incident response, change management.

Other: Please specify.

Other areas

What are the primary goals of the audit?

Identifying security vulnerabilities.

Ensuring regulatory compliance.

Enhancing system reliability or performance.

Supporting a merger, acquisition, or funding requirement.

Are there specific risks or incidents prompting this audit (e.g., data breach, ransomware, system failure)?

Yes

No

If yes, describe

Do you require penetration testing or vulnerability scanning? If yes, specify internal, external, or both.

Yes

No

Specify

Internal

External

Both

Are there regulatory or compliance requirements your organization must meet? List them (Ex.: ISO 27001, PIPEDA, PCMLTFA, PIPA, LAW-25 Qc, PHIPA, GDPR)

Have you conducted an IT audit before?

Yes

No

When was the last audit?

What was its scope?

Can you share key findings or recommendations (if available)?

Were the recommendations implemented?

Yes

No

Partially

4. Timeline and Logistics

When do you need the audit completed? Select one

Immediate (within 1 month)

Short-term (1–3 months)

Flexible (3+ months)

Are there specific deadlines driven by business needs, contracts, or regulations?

Yes

No

If yes, provide details.

Can your staff accommodate on-site audit activities at your location?

Yes

No

If not, are remote audit methods acceptable?

Yes

No

What resources can you provide to support the audit? Examples include:

Access to IT systems or admin accounts.

Documentation (e.g., policies, logs, configurations).

Staff availability for interviews or coordination.

Are there any scheduling constraints (e.g., peak business periods, system downtimes)?

Yes

No

Specify

5. Budget and Financial Considerations

What is your budget range for the audit? Select one:

Less than $5,000

$5,000–$15,000

Over $15,000

Flexible/To be discussed

Are there funding constraints or specific budget allocations for this audit?

Yes

No

If yes, describe.

Would you prefer :

a fixed-price quote?

a quote based on time and materials?

Are there additional financial considerations (e.g., phased payments, cost-sharing)?

6. Deliverables and Support

What types of deliverables do you expect from the audit? Check all that apply:

Executive summary for non-technical stakeholders.

Detailed technical report with findings and recommendations.

Risk assessment or prioritized issue list.

Remediation plan or roadmap.

Presentation or workshop to discuss findings.

Who is the intended audience for the deliverables (e.g., executives, IT team, auditors)?

Do you need post-audit support, such as:

Assistance with implementing recommendations?

Employee training on cybersecurity?

Follow-up assessment after remediation?

How important is it for deliverables to be written in plain language for non-technical audiences? Rate from 1 (not important) to 5 (very important).

7. Additional Information

Are there specific technologies or systems you want the audit to prioritize (e.g., legacy systems, new applications)?

Do you have concerns about data confidentiality during the audit?

Yes

No

If yes, specify requirements (e.g., NDAs, secure data handling).

Are there upcoming IT changes (e.g., system upgrades, cloud migration) that the audit should consider?

What are your expectations for the vendor’s qualifications (e.g., certifications like CISSP, experience in your industry)?

Provide any additional details or requirements to help us prepare an accurate quote.

File upload

ASC-IA-2025

Considerations for Partial vs. Complete IT Audit

Use the client’s responses to tailor the audit scope and quote:

Complete IT Audit:
- Best For: Clients with no recent audits, complex IT environments, or strict compliance requirements.
- Scope: Includes all areas in 3.2 (network security, compliance, hardware, software, disaster recovery, etc.).
- Cost Factors: Higher due to comprehensive scope, increased staff time, and detailed deliverables.
- Example Use Case: A company with sensitive customer data needing a full risk assessment.
Partial IT Audit:
- Best For: Clients with budget constraints, recent audits, or specific concerns (e.g., a recent security incident).
- Scope: Focus on 1–3 areas from 3.2, prioritized based on:
  - Client Risks: E.g., weak network security or inadequate backups.
  - Compliance Needs: E.g., GDPR for customer data.
  - Budget: Adjust scope to fit (e.g., exclude penetration testing for lower budgets).
- Cost Factors: Lower cost, focused scope, fewer resources required.
- Example Use Case: A business needing only a cloud security review after adopting a new platform.