Spring is the right time to put your IT environment under the microscope. Tax season is winding down, Q2 budgets are set, and summer projects are still weeks away, which makes April one of the best windows of the year to catch problems before they become expensive emergencies. Here are the ten areas we audit for every client we onboard, and the questions you should be asking about your own systems right now.
1. Are Your Backups Actually Working?
Most businesses have backups. Far fewer have tested them recently. A backup that has never been restored is a promise you haven't verified.
This spring, confirm three things: your backup jobs are completing without errors, at least one full restore test has been completed in the past 90 days, and offsite or cloud copies exist that are separate from your primary systems and cannot be deleted with the same credentials an attacker would use to encrypt your servers (offline or immutable storage). If a ransomware event encrypted your servers today, how long would it take to recover, and how much data would you lose? If you don't have a confident answer, start here.
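A restore test is only meaningful if you compare what came back with what went in. The harness below is an added example for this checklist, not tooling from the original article: it backs up a directory to a tarball, records a SHA-256 manifest at backup time, restores into a clean directory, and reports every file that is missing, changed, or unexpected. It uses only the Python standard library; the sample files, the "nightly.tar.gz" name, and the truncated-ledger scenario are all constructed for the drill.

```python
"""Restore-test harness: back up, restore elsewhere, prove the copy matches.

Added example, not the article's own tooling. Standard library only.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(src_dir, archive_path):
    """Write a gzip tarball of src_dir and a manifest beside it (assumed naming: <archive>.manifest.json)."""
    manifest = manifest_of(src_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    Path(str(archive_path) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_and_verify(archive_path, restore_dir):
    """Restore into restore_dir and diff against the manifest.

    Returns a list of problems; an empty list is a passed restore test.
    """
    expected = json.loads(Path(str(archive_path) + ".manifest.json").read_text())
    # Use the "data" extraction filter where available (Python 3.12+ and backports)
    # so a crafted archive cannot write outside restore_dir.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive_path), "r:gz") as tar:
        tar.extractall(str(restore_dir), **kwargs)
    actual = manifest_of(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_restore_test():
    """Drill on constructed sample data. Returns (clean_result, corrupted_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "fileserver")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2025-04-01,1200\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        archive = Path(tmp, "nightly.tar.gz")

        back_up(src, archive)
        clean = restore_and_verify(archive, Path(tmp, "restore-1"))

        # Simulate a job that "completed without errors" but captured a file
        # mid-write: rebuild the archive from a truncated ledger, keep the manifest.
        (src / "finance" / "ledger.csv").write_text("date,amount\n")
        with tarfile.open(str(archive), "w:gz") as tar:
            tar.add(str(src), arcname=".")
        corrupted = restore_and_verify(archive, Path(tmp, "restore-2"))
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = run_restore_test()
    print("clean restore:", clean or "OK")
    print("corrupted backup:", corrupted)
```

The point of the second scenario is that a green "job completed" status told you nothing: only the restore plus the hash comparison surfaced the damaged file. Run the same pattern against a real backup set on a schedule and treat any non-empty problem list as a failed test.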
2. Who Has Access to What?
User access sprawl is one of the most common vulnerabilities we find during audits. An employee who left six months ago may still have an active Microsoft 365 account. A contractor who finished a project last year may still be in your VPN. A shared admin password may have circulated to half the office.
Pull a report of all active user accounts across your core systems: Microsoft 365, your line-of-business applications, your VPN, and any cloud platforms. Check sign-in activity, not just account status: an enabled account that hasn't authenticated in 90 days is a candidate for disabling even if nobody has flagged the person as departed. Disable accounts for anyone who is no longer active. Review admin-level access and confirm it's limited to the people who genuinely need it, and reset any shared admin password, replacing it with individual administrator accounts so actions can be attributed to a person.
This is one of the fastest wins in any IT audit. It costs nothing and removes real attack surface.
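The review above comes down to two lists: accounts to disable and admin assignments to re-justify. The script below is an added example for this checklist, not code from the original article. Its records mirror the Microsoft Graph user object (userPrincipalName, accountEnabled, signInActivity.lastSignInDateTime); the "roles" field is assumed to have been joined in from directory role membership, and every record and the audit date are constructed.

```python
"""Flag stale accounts and admin assignments in a user export.

Added example, not the article's own tooling. Record shape follows the
Microsoft Graph user object; the sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)

# Constructed sample export. "lastSignIn" is signInActivity.lastSignInDateTime;
# None means the tenant has no sign-in on record for the account.
USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "lastSignIn": "2025-04-10T08:12:00Z", "roles": ["Global Administrator"]},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True,
     "lastSignIn": "2024-09-30T17:45:00Z", "roles": []},          # left last autumn
    {"userPrincipalName": "contractor@example.com", "accountEnabled": True,
     "lastSignIn": None, "roles": []},                            # created, never used
    {"userPrincipalName": "svc-backup@example.com", "accountEnabled": True,
     "lastSignIn": "2024-11-02T03:00:00Z", "roles": ["Global Administrator"]},
    {"userPrincipalName": "carol@example.com", "accountEnabled": False,
     "lastSignIn": "2024-01-15T09:00:00Z", "roles": ["Exchange Administrator"]},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC ('Z') timestamps Graph returns; None passes through."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_accounts(users, now_iso):
    """Return (stale, admins) as of now_iso.

    stale:  enabled accounts with no sign-in in the last 90 days, including
            accounts that were created but never used.
    admins: every role assignment, tagged "active", "stale" or "disabled",
            so each one is re-justified rather than assumed.
    """
    now = parse_ts(now_iso)
    stale, admins = [], []
    for u in users:
        last = parse_ts(u["lastSignIn"])
        is_stale = last is None or now - last > STALE_AFTER
        if u["accountEnabled"] and is_stale:
            stale.append(u["userPrincipalName"])
        for role in u["roles"]:
            if not u["accountEnabled"]:
                status = "disabled"   # cleanup: remove the role, not just the sign-in
            else:
                status = "stale" if is_stale else "active"
            admins.append((u["userPrincipalName"], role, status))
    return stale, admins


if __name__ == "__main__":
    AUDIT_DATE = "2025-04-15T00:00:00Z"   # constructed audit date for the sample
    stale, admins = review_accounts(USERS, AUDIT_DATE)
    print("Disable (no sign-in in 90 days):")
    for upn in stale:
        print(f"  {upn}")
    print("Admin assignments to re-justify:")
    for upn, role, status in admins:
        print(f"  {upn:28} {role:24} {status}")
```

The service account with Global Administrator and no sign-in in five months is the finding that matters most here: it is both stale and highly privileged, which is exactly the combination an attacker with an old credential dump is looking for.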
3. Is Multi-Factor Authentication Turned On Everywhere?
MFA has become the baseline expectation for cyber insurance, compliance frameworks, and basic security hygiene. But many businesses that think they have MFA enabled have only applied it to certain apps or certain users.
Check that MFA is required for email, remote access (VPN or RDP), cloud storage, and any administrative consoles. Microsoft 365 Conditional Access policies can enforce this across your tenant, but confirm the policies are actually enabled rather than sitting in report-only mode. Legacy authentication protocols (basic authentication for IMAP, POP, and SMTP, and older Office clients) cannot prompt for a second factor, so an MFA policy that doesn't also block them leaves a password-only path into the mailbox. Block them.
If your cybersecurity posture hasn't been reviewed in the past year, a formal assessment will surface these gaps faster than a checklist.
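One way to turn the two checks above into a repeatable test is to export your Conditional Access policies and evaluate them. The script below is an added example for this checklist, not code from the original article or from Microsoft. It reads policy records in the Microsoft Graph conditionalAccessPolicy shape (displayName, state, conditions, grantControls) and answers two questions: is MFA required for all users on all apps, and is legacy authentication blocked tenant-wide. Both tenants shown are constructed; the group and break-glass identifiers are placeholders. The check is deliberately simple and does not evaluate named locations, device filters, or exclusions, so a passing result still deserves a look at what each policy excludes.

```python
"""Audit Conditional Access policies for the two MFA gaps in the checklist.

Added example, not the article's own tooling. Policy shape follows the
Microsoft Graph conditionalAccessPolicy resource; sample tenants are constructed.
"""

# Graph clientAppTypes values. Legacy protocols (basic auth for IMAP/POP/SMTP,
# older Office clients) fall under "exchangeActiveSync" and "other"; modern
# clients are "browser" and "mobileAppsAndDesktopClients". "all" covers every type.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
MODERN_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}


def _covers_all(policy):
    """Enabled (not report-only or disabled), targets all users and all cloud apps."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return (policy["state"] == "enabled"
            and "All" in users.get("includeUsers", [])
            and "All" in apps.get("includeApplications", []))


def _clients(policy):
    """Client app types the policy applies to, expanding the 'all' shorthand."""
    types = set(policy["conditions"].get("clientAppTypes") or ["all"])
    return LEGACY_CLIENTS | MODERN_CLIENTS if "all" in types else types


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def requires_mfa_everywhere(policies):
    """True if some enabled tenant-wide policy requires MFA for modern clients."""
    return any(_covers_all(p) and "mfa" in _controls(p) and MODERN_CLIENTS <= _clients(p)
               for p in policies)


def blocks_legacy_auth(policies):
    """True if some enabled tenant-wide policy blocks the legacy client app types."""
    return any(_covers_all(p) and "block" in _controls(p) and LEGACY_CLIENTS <= _clients(p)
               for p in policies)


def find_gaps(policies):
    gaps = []
    if not requires_mfa_everywhere(policies):
        gaps.append("no enabled policy requires MFA for all users on all apps")
    if not blocks_legacy_auth(policies):
        gaps.append("legacy authentication (exchangeActiveSync/other) is not blocked tenant-wide")
    return gaps


# Constructed tenant that "has MFA": admins only, and the legacy block is report-only.
PARTIAL_TENANT = [
    {"displayName": "MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["admins-group-object-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed tenant with both controls enforced; a break-glass account is excluded.
HARDENED_TENANT = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-account-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-account-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for name, tenant in (("partial", PARTIAL_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, "->", find_gaps(tenant) or "no gaps found")
```

The partial tenant is the common shape of "we have MFA": the policy is real but scoped to a group, and the legacy-auth block was left in report-only mode after a pilot. Both look fine in a quick glance at the policy list and both fail the check.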
4. What Software Licenses Are You Actually Using?
Unused software licenses are money leaving your account every month. But the flip side is equally important: unlicensed or expired software running in your environment creates compliance exposure and support gaps.
Run an inventory of your software subscriptions against active users. Microsoft 365 seat counts drift over time as staff turns over. Third-party SaaS tools accumulate. Unused seats on per-user licenses should be removed. Software running without valid licenses, especially in regulated industries, should be addressed before an audit catches it first.
5. Are All Systems Fully Patched?
Patch management is one of the IT fundamentals that sounds obvious but is routinely incomplete. Operating system patches, firmware updates, and third-party application updates (browsers, PDF readers, Office add-ins, Java) each have their own update cycle and their own history of exploited vulnerabilities.
Pull your patch compliance report. If you don't have one, that's the problem. Any device more than 30 days behind on critical patches should be considered at elevated risk, and anything running an operating system or application past its end of support is worse, because it will never be patched at all. Pay special attention to network devices. Routers, switches, and firewalls often go years without firmware updates because nobody owns that task, and internet-facing firewalls and VPN appliances are exactly the devices attackers scan for.
6. What's the State of Your Hardware?
Hardware that's three to five years old doesn't fail all at once. It fails at the worst possible time, usually mid-project or right before a deadline. A spring audit is a good moment to flag aging equipment before it becomes an emergency purchase.
Walk your server room and run a report on workstation ages. Identify anything past its manufacturer end-of-life date, anything still running spinning hard drives in a role that should have SSDs, and anything showing early signs of failure (slow boot times, frequent error logs, excessive heat). Building a one-year and three-year hardware refresh plan now is far cheaper than emergency replacements.
7. Are Your Endpoint Security Tools Current?
Antivirus is no longer sufficient. Modern endpoint protection means EDR (Endpoint Detection and Response) that can detect behavioral anomalies, not just signature matches. If your endpoints are running legacy antivirus from a few generations ago, you have a meaningful gap.
Check that EDR agents are deployed on every managed device (compare the agent count against your asset inventory to find the machines that were never onboarded), that agents are checking in with current definitions and engine versions, and that alerts are being reviewed by a named person rather than piling up in a console nobody opens. If you're using Microsoft Defender for Business, confirm it has actually been configured rather than merely licensed: capabilities such as attack surface reduction rules and tamper protection should be verified as enabled, not assumed from the default settings.
8. Do You Have a Written Incident Response Plan?
When something goes wrong (a ransomware attack, a data breach, a business email compromise), the last thing you want to do is figure out your response process in real time. An incident response plan doesn't need to be a 50-page document, but it does need to exist, be known to the people who will use it, and be reachable when your file server and email are down, which means a printed or offline copy.
At minimum, the plan should define who gets called first, who makes decisions, how you'll communicate internally and with clients (including an out-of-band channel in case email is compromised), and what your restoration priorities are. If you operate in a regulated industry (healthcare, finance, legal) your plan may also need to meet specific framework requirements, including notification deadlines.
9. Is Your Network Segmented?
Flat networks, where every device can talk to every other device, are a gift to attackers. If malware lands on one machine, segmentation determines how far it can spread before you can contain it.
Review whether your guest Wi-Fi is isolated from your main network, whether your server environment is in a separate VLAN, whether IoT devices (printers, cameras, HVAC controllers) are segregated from your core infrastructure, and whether workstations can reach each other directly, since workstation-to-workstation traffic is the path ransomware uses to spread. If your network has never been segmented, this spring is a good time to have the conversation with your IT team.
10. Are You Covered for Cyber Insurance Requirements?
Cyber insurance applications have gotten significantly more detailed over the past three years. Carriers now ask specifically about MFA, EDR, backup frequency, privileged access controls, and patch management. Gaps in any of these areas can result in policy exclusions or denial of claims.
Before your next renewal (typically 90 days out) review your policy's security requirements against your actual environment. If there's a mismatch, you have a window to close the gap and potentially reduce your premium at the same time.
How to Use This Checklist
Work through each item with whoever manages your IT environment. Some of these can be self-assessed in an afternoon. Others, particularly network segmentation, EDR configuration, and incident response planning, benefit from a third-party perspective.
If you complete this audit and find more than two or three gaps, that's a signal that your IT environment needs more systematic attention than a checklist can provide.
FAQ
How long does an IT audit take for a small business?
For a business with 10–50 employees, a thorough internal IT audit typically takes one to two days if you have good documentation and access to all your systems. If documentation is incomplete, expect to spend more time tracking down license information, user accounts, and hardware details. A managed IT provider can compress this timeline significantly by pulling reports directly from your endpoint management and security tooling.
Do I need an IT audit if I already have a managed IT provider?
Even businesses with managed IT providers benefit from periodic audits. A good provider will proactively surface these issues, but it's worth doing a structured review at least annually to confirm that assumptions about coverage haven't drifted. High-turnover environments, recent software changes, and new compliance requirements can all create gaps that day-to-day management misses.
What's the difference between an IT audit and a cybersecurity assessment?
An IT audit is broader. It covers operational health, licensing, hardware lifecycle, access management, and general hygiene. A cybersecurity assessment focuses specifically on your security posture: vulnerabilities, attack surface, detection capabilities, and response readiness. Both are valuable, but they answer different questions. Many organizations benefit from doing a general IT audit annually and a dedicated security assessment every 12 to 18 months.