Why Every Business Needs an Annual IT Audit
An IT audit is not something most business owners look forward to. It sounds bureaucratic, expensive, and time-consuming. But here is the reality: if you are not reviewing your IT environment at least once a year, you are flying blind. You do not know what vulnerabilities exist, what systems are approaching end of life, what compliance gaps you have, or whether the money you are spending on technology is actually delivering value.
An IT audit does not have to be a massive, painful exercise. At its core, it is simply a structured review of your technology environment — what you have, how it is configured, whether it is secure, and whether it is serving the business effectively. Think of it as a health check for your IT systems.
This checklist covers the 15 areas that matter most for mid-size Australian businesses — typically 20 to 200 employees — running a mix of on-premise and cloud infrastructure. Use it as a starting point for your own annual review, or hand it to your IT audit provider and ask them to address every item.
The 15-Point IT Audit Checklist
1. Hardware Inventory and Lifecycle
Do you know exactly what hardware you have, where it is, who is using it, and how old it is? This sounds basic, but a surprising number of businesses cannot answer this question accurately. An IT audit should produce a complete inventory of all desktops, laptops, servers, network equipment, printers, and mobile devices.
For each piece of hardware, you need to know: the make and model, the purchase date, the warranty status, and the expected end-of-life date. Hardware that is past its warranty or approaching five years old should be flagged for replacement planning. Running critical business operations on aging hardware is a risk you are choosing to take — make sure it is a conscious choice, not an accidental one.
2. Software Licensing and Compliance
Are all the software applications in your environment properly licensed? Are you paying for licenses you are not using? Are staff using unauthorised software that could pose security or legal risks?
A software audit should reconcile your licenses against actual usage. Over-licensing wastes money. Under-licensing exposes you to legal liability. Unauthorised software (shadow IT) can introduce security vulnerabilities. This is particularly important for businesses running Microsoft 365, Adobe Creative Cloud, or industry-specific applications where licensing costs are significant.
3. Backup and Disaster Recovery
This is arguably the most critical item on the list. Your IT audit should verify that backups are running, that they are completing successfully, that they cover all critical data, and — most importantly — that they have been tested with an actual restore.
Questions to answer: How often are backups taken? Where are backups stored (on-site, off-site, cloud)? How long would a full restore take? When was the last test restore performed? Is there a documented disaster recovery plan, and has it been tested in the last 12 months?
A backup that has never been tested is not a backup. It is a hope. And hope is not a strategy when ransomware hits at 2am on a Friday.
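The test restore the checklist asks for can be made routine with a small script. The example below is added here and is not TechAssist's tooling; it builds a constructed backup set and manifest in memory, restores the set into a temporary directory, and compares every restored file's SHA-256 against the manifest, so a missing or silently corrupted file shows up as a finding rather than as a surprise on recovery day. The file names, contents and dates are constructed, and in a real environment the restore step would call your backup product's restore job.

```python
"""Audit helper: run a test restore and verify it against a hash manifest.

Added example with constructed data; it is not part of any backup product.
"""
import hashlib
import tempfile
from datetime import date
from pathlib import Path

# Constructed: what was on disk when the backup ran.
SOURCE_FILES = {
    "finance/ledger.csv": b"date,amount\n2024-05-01,100\n",
    "hr/staff.csv": b"name,role\nAlice,Engineer\n",
    "finance/payroll.csv": b"name,net\nAlice,5000\n",
}

# Manifest written at backup time: expected SHA-256 of every file.
MANIFEST = {rel: hashlib.sha256(data).hexdigest() for rel, data in SOURCE_FILES.items()}

# Constructed: what the backup actually hands back on restore. One file is
# truncated (silent corruption) and one was never captured at all.
BACKUP_SET = {
    "finance/ledger.csv": SOURCE_FILES["finance/ledger.csv"],
    "hr/staff.csv": b"name,role\n",
}


def sha256_file(path):
    """SHA-256 hex digest of a file on disk."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def restore_to(backup_set, target_dir):
    """Write each backed-up file under target_dir (stands in for the real restore job)."""
    for rel, data in backup_set.items():
        out = Path(target_dir) / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(data)


def verify_restore(manifest, restore_dir):
    """Compare restored files with the manifest; return {path: problem} for failures."""
    problems = {}
    for rel, expected in manifest.items():
        restored = Path(restore_dir) / rel
        if not restored.exists():
            problems[rel] = "missing from restore"
        elif sha256_file(restored) != expected:
            problems[rel] = "hash mismatch (corrupt or altered)"
    return problems


def run_test_restore(backup_set=BACKUP_SET, manifest=MANIFEST):
    """Restore into a scratch directory and verify; an empty dict means the test passed."""
    with tempfile.TemporaryDirectory() as tmp:
        restore_to(backup_set, tmp)
        return verify_restore(manifest, tmp)


def restore_test_overdue(last_test, as_of, max_days=365):
    """True when no test restore has been done, or the last one is older than max_days."""
    return last_test is None or (as_of - last_test).days > max_days


if __name__ == "__main__":
    for rel, problem in run_test_restore().items():
        print(f"FAIL {rel}: {problem}")
    # Constructed review date and last-test date for the staleness check.
    print("test restore overdue:", restore_test_overdue(date(2023, 1, 1), date(2024, 5, 10)))
```

The two findings the sample produces (a corrupted file and a file that was never backed up) are exactly the failures a "backup completed successfully" status line will not tell you about; only restoring and hashing exposes them.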
4. Cybersecurity Controls
Your audit should assess the current state of your cybersecurity controls against a recognised framework — ideally the Essential Eight. At a minimum, review:
Endpoint protection: Is antivirus/anti-malware installed on all devices? Is it up to date? Is it centrally managed?
Email security: Are you filtering for spam, phishing, and malicious attachments? Do you have DMARC, DKIM, and SPF configured for your domain?
Firewall: Is your perimeter firewall properly configured and regularly updated? Are there rules that no one remembers creating?
Multi-factor authentication: Is MFA enabled on all internet-facing services — email, VPN, cloud applications, remote desktop?
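"Do you have DMARC and SPF configured" is a yes/no question, but the audit finding usually lies in how they are configured. The example below is added here (not TechAssist's code) and parses SPF and DMARC TXT records for the weaknesses an auditor looks for: an SPF record ending in +all or ?all, more than the ten DNS-lookup mechanisms RFC 7208 allows, a DMARC policy of p=none, a pct below 100, or no rua reporting address. The domain names and records are constructed; a live check would fetch the TXT record for the domain and for _dmarc.<domain> (for example with dnspython's dns.resolver.resolve(name, "TXT")) and pass the strings in.

```python
"""Audit helper: assess SPF and DMARC TXT records for common weaknesses.

Added example; the records below are constructed, not real domains.
"""

# SPF mechanisms/modifiers that each cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record):
    """Return a list of findings for an SPF TXT record (empty list = no issues found)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not a valid SPF record (missing 'v=spf1' prefix)"]
    # The 'all' mechanism decides what happens to senders not listed elsewhere.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of fail")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"'{last}' allows any host to send mail as the domain")
    # Count lookup-causing terms against the RFC limit.
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10 (record will permerror)")
    return findings


def assess_dmarc(record):
    """Return a list of findings for a DMARC TXT record (empty list = no issues found)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a valid DMARC record (missing 'v=DMARC1')"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p=' policy tag")
    elif policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy only applied to {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: aggregate reports are not collected, so failures go unseen")
    return findings


# Constructed sample records keyed by (invented) domain: SPF text, DMARC text.
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.example.net +all",
                     "v=DMARC1; p=none"),
    "strong.example": ("v=spf1 include:_spf.example.net ip4:203.0.113.10 -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"),
}


def audit_domain(spf_record, dmarc_record):
    """Bundle both assessments for one domain."""
    return {"spf": assess_spf(spf_record), "dmarc": assess_dmarc(dmarc_record)}


if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(domain, audit_domain(spf, dmarc))
```

A ~all (softfail) ending is deliberately not flagged: with a DMARC policy of quarantine or reject in place it is a common and acceptable configuration, which is why the two records are best read together.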
5. Patch Management
How quickly are security patches being applied to your operating systems and applications? The Essential Eight requires critical patches within 48 hours. Your audit should check: the current patch status of a sample of devices, the average time between patch release and deployment, whether any devices are running unsupported software (like Windows 10 past its end-of-support date), and whether there is an automated patch management process in place.
Manual patching is unreliable. If patching depends on staff who can click “update later,” patches are not being applied in a timely manner.
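The metric the audit asks for, the time between a patch's release and its deployment, is easy to compute once you have a sample of devices. The example below is added here (not TechAssist's code) and works over a constructed sample: for each device it measures hours from vendor release to installation, treats a patch that is still not installed as exposure that keeps growing until the review date, reports every device outside the 48-hour window, and lists devices whose operating system the inventory marks as out of vendor support. Device names, patch identifier, dates and the support flags are all constructed; in practice they would come from your patch management or RMM tool's export.

```python
"""Audit helper: measure patch latency against a 48-hour SLA and list unsupported OS.

Added example with constructed data; it does not query any real patch system.
"""
from datetime import datetime

SLA_HOURS = 48                          # window the checklist cites for critical patches
AS_OF = datetime(2024, 6, 3, 9, 0)      # fixed review time so the result is reproducible

# Constructed sample: vendor release time vs when each device installed the patch
# (installed=None means the patch has not been applied yet).
PATCH_RECORDS = [
    {"device": "PC-001", "patch": "KB-SAMPLE-1",
     "released": datetime(2024, 5, 28, 10, 0), "installed": datetime(2024, 5, 29, 8, 0)},
    {"device": "PC-002", "patch": "KB-SAMPLE-1",
     "released": datetime(2024, 5, 28, 10, 0), "installed": datetime(2024, 6, 1, 9, 0)},
    {"device": "SRV-01", "patch": "KB-SAMPLE-1",
     "released": datetime(2024, 5, 28, 10, 0), "installed": None},
]

# Constructed inventory: whether the installed OS version is still supported by its vendor.
DEVICES = {
    "PC-001": {"os": "Windows 11", "vendor_supported": True},
    "PC-002": {"os": "Windows 10", "vendor_supported": False},
    "SRV-01": {"os": "Windows Server 2022", "vendor_supported": True},
}


def patch_latency_hours(record, as_of=AS_OF):
    """Hours from release to install; an uninstalled patch is measured up to the review time."""
    end = record["installed"] or as_of
    return (end - record["released"]).total_seconds() / 3600


def summarise_patching(records, devices, sla_hours=SLA_HOURS, as_of=AS_OF):
    """Produce the numbers an auditor reports for the patch-management item."""
    latencies = [patch_latency_hours(r, as_of) for r in records]
    return {
        "devices_sampled": len({r["device"] for r in records}),
        "mean_latency_hours": round(sum(latencies) / len(latencies), 1) if latencies else 0.0,
        "sla_breaches": [r["device"] for r in records if patch_latency_hours(r, as_of) > sla_hours],
        "not_installed": [r["device"] for r in records if r["installed"] is None],
        "unsupported_os": [name for name, info in devices.items() if not info["vendor_supported"]],
    }


if __name__ == "__main__":
    for key, value in summarise_patching(PATCH_RECORDS, DEVICES).items():
        print(f"{key}: {value}")
```

Counting an uninstalled patch as still-open exposure matters: averaging only over completed installs makes the numbers look better than the risk actually is, because the worst devices are the ones that never finish.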
6. User Access and Permissions
Who has access to what? This is a fundamental security and compliance question. Your audit should review: the list of all user accounts (are there accounts for people who left the company months ago?), administrative access (who has admin rights, and do they genuinely need them?), shared accounts (are multiple people sharing login credentials?), and access to sensitive data (who can access financial records, customer data, HR files?).
Orphaned accounts — accounts belonging to former employees that were never disabled — are a common finding in IT audits and a significant security risk. Every former employee account that still has access is a potential breach vector.
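The access review in this section comes down to joining two lists: the accounts your directory knows about and the people HR says still work for you, plus each account's last sign-in and whether it holds admin rights. The example below is added here (not TechAssist's code) and runs that join over a constructed export, flagging enabled accounts that belong to leavers, accounts with no sign-in for more than 90 days or none at all, and every account with admin rights so their need can be confirmed; disabled accounts are skipped. Usernames, dates and the leaver list are constructed; in practice the account export would come from your directory (Active Directory or Entra ID, for instance) and the leaver list from HR.

```python
"""Audit helper: flag orphaned, stale and privileged accounts from a directory export.

Added example with constructed data; it does not connect to any directory.
"""
from datetime import date

# Constructed sample export: one dict per account.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2024, 5, 2), "admin": True},
    {"user": "bob", "enabled": True, "last_login": date(2024, 1, 15), "admin": False},
    {"user": "carol", "enabled": True, "last_login": date(2023, 11, 3), "admin": True},
    {"user": "svc-backup", "enabled": True, "last_login": None, "admin": True},
    {"user": "dave", "enabled": False, "last_login": date(2023, 9, 1), "admin": False},
]

# Constructed HR leaver list: people who no longer work here.
LEAVERS = {"carol", "dave"}

AS_OF = date(2024, 5, 10)   # fixed review date so the output is reproducible
STALE_DAYS = 90             # threshold for "nobody has used this account"


def review_accounts(accounts, leavers, as_of=AS_OF, stale_days=STALE_DAYS):
    """Return {user: [findings]} for every enabled account that needs attention."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: out of scope for this check
        issues = []
        if acct["user"] in leavers:
            issues.append("orphaned: user has left but the account is still enabled")
        last = acct["last_login"]
        if last is None:
            issues.append("never logged in: confirm the account is still needed")
        elif (as_of - last).days > stale_days:
            issues.append(f"stale: no login for {(as_of - last).days} days")
        if acct["admin"]:
            issues.append("holds admin rights: confirm they are still required")
        if issues:
            findings[acct["user"]] = issues
    return findings


def prioritise(findings):
    """Orphaned accounts first, then admin accounts, then the rest (for the report)."""
    def rank(item):
        issues = item[1]
        orphaned = any(i.startswith("orphaned") for i in issues)
        admin = any(i.startswith("holds admin") for i in issues)
        return (not orphaned, not admin, item[0])
    return sorted(findings.items(), key=rank)


if __name__ == "__main__":
    for user, issues in prioritise(review_accounts(ACCOUNTS, LEAVERS)):
        print(user)
        for issue in issues:
            print("  -", issue)
```

The sample deliberately includes an orphaned account that still has admin rights and a service account that has never signed in; both are typical findings, and the ordering puts the leaver's account at the top of the report where it belongs.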
7. Network Infrastructure
Your network is the backbone of everything. The audit should review: network topology (do you have a current, accurate diagram of your network?), Wi-Fi coverage and security (are you using WPA3? Are there dead spots? Is the guest network properly isolated?), switch and router configuration (are default passwords still in use?), and network segmentation (is your network segmented to limit the blast radius of a breach?).
For businesses with multiple sites or remote workers, also review your VPN configuration and inter-site connectivity.
8. Email Configuration and Security
Email is both your primary communication tool and your primary attack surface. Beyond the basic security controls mentioned above, your audit should check: whether email archiving and retention policies are configured correctly (this matters for compliance), whether data loss prevention rules are in place to prevent sensitive information from being emailed externally, whether staff are trained to recognise phishing attempts, and whether there is a process for reporting suspicious emails.
9. Cloud Services and SaaS Applications
Most businesses now use a range of cloud services — Microsoft 365, Google Workspace, accounting software, CRM, project management tools, and more. Your audit should inventory all cloud services in use (including ones IT did not officially approve), review the security configuration of each (especially admin accounts and sharing settings), verify that data in cloud services is being backed up (Microsoft 365 does not comprehensively back up your data by default), and check whether single sign-on (SSO) is configured where possible.
10. Physical Security
IT security is not just digital. Your audit should review: who has physical access to server rooms or network closets (is it locked? Who has keys?), whether visitor access is controlled in areas with IT infrastructure, whether security cameras cover critical infrastructure areas, and whether laptops and mobile devices have physical security measures (cable locks, encrypted drives, remote wipe capability).
11. Business Continuity Planning
Beyond disaster recovery for IT systems specifically, does your business have a broader continuity plan that addresses: how operations continue if your primary office is unavailable, who is responsible for what in an emergency, communication plans for staff, customers, and suppliers during an incident, and insurance coverage (including cyber insurance) — is it current, adequate, and do you meet the conditions?
12. Compliance Requirements
Depending on your industry, you may have specific compliance obligations that your IT environment needs to support. Common ones for Australian businesses include: Privacy Act and Australian Privacy Principles (APP), industry-specific regulations (APRA for financial services, AHPRA for healthcare), PCI DSS if you handle credit card data, and contractual obligations from clients or partners who require specific security standards.
Your audit should map your compliance obligations against your current controls and identify any gaps.
13. IT Documentation
Good IT documentation is the difference between a smooth recovery and a chaotic scramble. Your audit should check whether you have: an up-to-date network diagram, documented procedures for common tasks (user onboarding, offboarding, password resets), a register of all vendor contacts and support agreements, documented configurations for critical systems, and a password management system (not a spreadsheet).
If your current IT provider left tomorrow, could someone else step in and understand your environment? If the answer is no, your documentation needs work.
14. IT Spending and ROI
An IT audit is not just about security and risk — it is also about value. Review: your total IT spend (hardware, software, services, licensing, telecommunications), whether you are paying for services or licenses you are not using, whether your current IT investments are aligned with business priorities, and whether there are opportunities to consolidate, renegotiate, or optimise costs.
Many businesses are surprised to find they are paying for duplicate services, unused licenses, or legacy systems that could be replaced with cheaper and better alternatives.
15. Staff IT Literacy and Training
Your people are both your greatest asset and your greatest vulnerability. The audit should assess: when staff last received cybersecurity awareness training, whether there is a clear acceptable use policy for IT resources, whether staff know how to report security incidents, and whether there are recurring issues that suggest a training gap (for example, repeated phishing clicks or frequent calls to the helpdesk for the same issue).
Technical controls can only do so much. If your staff do not know how to spot a phishing email, all the firewalls in the world will not save you.
How to Use This Checklist
You can approach this in a few ways:
Self-assessment. Walk through the checklist with your internal IT team or person. Document what you find, prioritise the gaps, and create a plan to address them. This is better than nothing, but be aware of blind spots — it is hard to audit yourself objectively.
MSP-led review. If you have a managed service provider, ask them to conduct an annual audit against this checklist (or their own equivalent). A good MSP should be doing this proactively as part of their service.
Independent audit. For the most thorough and objective assessment, engage an independent IT audit provider. They will bring fresh eyes, no conflicts of interest, and often catch things that internal teams and incumbent providers miss.
How TechAssist Can Help
At TechAssist, we provide comprehensive IT audits for mid-size businesses across Australia. Our audit covers every item on this checklist and more, resulting in a detailed report with prioritised recommendations that you can action immediately or incorporate into your IT roadmap.
We also offer ongoing managed IT services where regular auditing and review is built into the service — not an afterthought or an annual event, but a continuous process of monitoring, assessing, and improving.
Ready to get a clear picture of your IT environment? Get in touch and we will scope an audit that fits your business and your budget.