IT Budget Template for a 50-Person Melbourne SME (FY27 Edition)

A FY27 IT budget template for a specific persona: a 50-person Melbourne professional services firm, $12 million revenue. Numbered line items, real dollar ranges, IT-spend-as-percentage-of-revenue benchmarks, and the four lines most SMEs forget. Built for CFOs who want defensible numbers, not vendor guesswork.

The persona this budget is built for

Specifics matter; a generic IT budget is useless. The numbers below are sized for:

  • 50 staff total (45 desk-based knowledge workers, 5 partners or executives)
  • Melbourne-based, single office plus remote work, typical CBD or inner-suburb location
  • Professional services (consulting, legal, accounting, architecture, engineering consultancy) – knowledge-worker firm with no manufacturing, no point-of-sale, no production line
  • Approximately $12 million annual revenue
  • Microsoft 365 stack, hybrid cloud (light on-prem footprint, most workloads in Azure or SaaS)
  • Standard cyber insurance requirements; aligned to Essential Eight Maturity Level 1 minimum
  • No internal IT staff; engagement with an MSP on per-user fixed monthly pricing

If your business is materially different – 50 staff with a manufacturing plant in Dandenong, or a 50-staff healthcare practice with clinical software, or a 50-staff retailer with 12 store locations – the totals will move significantly. Use this as a baseline to adjust from. Our sector-specific guidance for Melbourne manufacturers, healthcare, and law firms covers the variations.

The benchmark: IT spend as a percentage of revenue

Industry benchmarks vary by sector, but for Australian professional services firms in the 30 to 100 staff band, IT spend as a percentage of revenue typically lands between 1.5% and 3.5%. The drivers of where you sit in that range:

Position in range | Profile
1.5% – 2.0% | Mature firm, stable headcount, established systems, no major projects, light security stack
2.0% – 2.5% | Typical steady-state for a well-run firm with appropriate security and a rolling hardware refresh
2.5% – 3.0% | Growth phase, projects in flight, security uplift, M&A or office relocation
3.0% – 3.5% | Major transformation – platform migration, post-incident rebuild, compliance project, AI rollout
3.5%+ | Either a temporary spike or something is wrong; investigate

For our persona ($12 million revenue), the FY27 budget should land between $240,000 and $360,000 in steady state, or up to $420,000 in a project-heavy year. The template below sits in the upper part of that range: at the midpoints it produces a $356,000 total, and trimming the projects line in a quiet year pulls it back toward $300,000. If your number is above this, look first at the projects line; if it is well below, look first at security and backup.

The line-itemed FY27 template

All numbers are in AUD, annual, for the persona above. Ranges reflect actual variance across our managed book in Melbourne; the midpoint is what we would budget for a typical firm in this segment.

1. Microsoft 365 licensing

The single largest recurring line for most professional services firms.

Item | Per user / month | Annual (50 users)
Microsoft 365 Business Premium (recommended baseline) | $32.10 | $19,260
OR Microsoft 365 E3 + Entra ID P2 + Defender for Office 365 Plan 2 | $54 – $62 | $32,400 – $37,200
Copilot for Microsoft 365 (selected users, typically 30-50%) | $45 | $8,100 – $13,500 (15-25 users)
Power BI Pro (analyst users) | $15 | $1,800 (10 users)

Subtotal for M365: $29,000 – $52,000. For our persona, $35,000 is realistic – Business Premium across the firm ($19,260), Copilot for 20 selected users ($10,800), Power BI for the analyst pool ($1,800), which sums to just under $32,000 and leaves a small margin for mid-year licence adds. The Business Premium vs E3 conversation hinges on whether you need the deeper compliance and identity protection of E3 plus Entra ID P2; for most 50-staff professional services firms, Business Premium is sufficient.

2. Security stack (beyond what is included in M365)

Microsoft 365 Business Premium includes Defender for Business, Intune, and Entra ID P1. That is a strong baseline. Additional security tooling for a 50-staff firm typically covers:

Item | Annual
SIEM / managed detection and response (MDR) service | $18,000 – $36,000
Email security additional layer (Mimecast, Proofpoint, Avanan) | $6,000 – $10,000
DNS filtering (Cisco Umbrella, DNSFilter) | $1,800 – $3,000
Password manager (1Password Business, Bitwarden Enterprise) | $3,000 – $4,500
Vulnerability scanning / external attack surface monitoring | $3,000 – $7,000

Subtotal for additional security: $32,000 – $60,000. For our persona, $42,000 is realistic – MDR through the MSP, additional email security, DNS filtering, password manager, light external attack surface monitoring. This line item is where SMEs traditionally underspent and where the post-2023 cyber insurance market has forced the conversation. Our Melbourne cyber security services wrap most of these into a managed stack.

3. Managed IT services retainer (MSP)

For a 50-staff firm engaging an MSP on per-user fixed monthly pricing, the typical Melbourne market rate in 2026 is $110 to $170 per user per month for a comprehensive engagement that covers unlimited support, security operations, vendor management, and proactive maintenance.

Item | Per user / month | Annual (50 users)
Comprehensive managed IT (low end) | $110 | $66,000
Comprehensive managed IT (typical) | $140 | $84,000
Comprehensive managed IT (high end / specialist) | $170 | $102,000

Subtotal: $66,000 – $102,000. For our persona, $80,000 to $90,000 is realistic. Co-managed models (where you have some internal capability and the MSP fills gaps) typically land 30 to 40% lower; pure break-fix models are cheaper still but rarely advisable at this scale. For the context on what to expect from a Melbourne MSP at this price band, see our guide to choosing an MSP in Melbourne.

4. Hardware refresh sinking fund

The mistake most SMEs make is treating hardware as a lumpy capex purchase every three years. Better: a smooth annual sinking fund that covers the rolling refresh.

Item | Annual
Laptops (50 units on a 4-year cycle, $2,200 each) | $27,500
Docking stations and monitors (5-year refresh cycle) | $3,500
Network equipment refresh (5-year cycle on switches, APs, firewall) | $5,000
Server hardware refresh (if any on-prem footprint) | $2,000 – $4,000

Subtotal: $38,000 – $40,000. Hold this as a separate fund; do not blend it into operational expense. When the refresh cycle hits, the fund pays for it without a quarterly cost spike. The 4-year laptop cycle assumes mid-range business laptops (Dell Latitude, HP ProBook, Lenovo ThinkPad mid-tier); premium devices (MacBook Pro, ThinkPad X1) push the per-unit number to $3,500 and the line to $44,000.

5. Projects budget

The line item that gets cut first when revenue softens and then has to be reinstated when something breaks. Better to budget it explicitly:

Item | Annual
Planned projects (system upgrade, office move, integration) | $25,000 – $50,000
Unplanned or reactive projects | $15,000 – $25,000

Subtotal: $40,000 – $75,000. For our persona, $50,000 is realistic. A typical FY27 project list might include a SharePoint information architecture rebuild, an Entra ID conditional access refresh, a CRM integration, and the office Wi-Fi upgrade. Whatever the list is, it should be in the budget at the start of the year, not added quarter by quarter.

6. Cyber insurance

Cyber insurance premiums for Australian professional services SMEs in 2026, for $5 million to $10 million of cover with reasonable retentions, land in the range below; for our $12 million persona that works out to roughly 0.25% to 0.45% of revenue. The range assumes the security posture meets the underwriter’s requirements (MFA, EDR, backups, training, vendor risk management); fall short and the premium moves up or cover is declined.

Item | Annual
Cyber insurance premium for $5M cover | $28,000 – $52,000
Broker fee (if applicable) | $1,500 – $3,000

Subtotal: $30,000 – $55,000. For our persona, $42,000 is realistic. The premium has stabilised after the sharp increases of 2022-2024 but remains sensitive to your control posture; gaps in your security stack will push the premium up materially or trigger a coverage decline. The conversation with the broker is now half technical (controls), half financial (limits and retentions).

7. Training

Easily skipped, easily justified to skip, and the highest-ROI security spend in the budget.

Item | Annual
Security awareness training platform (KnowBe4, Phriendly Phishing, MetaCompliance) | $3,500 – $6,000
Microsoft 365 / Copilot productivity training | $3,000 – $8,000
Role-specific training (project management, technical skills) | $3,000 – $6,000

Subtotal: $9,500 – $20,000. For our persona, $12,000 is realistic. Phriendly Phishing has strong Australian content and is our default recommendation for clients who want locally relevant training.

8. Contingency

10% of the total budget as a contingency reserve, held against unexpected events that the projects line cannot absorb (an early hardware failure outside the refresh cycle, a regulatory change forcing a tooling addition, a vendor that hikes prices unexpectedly).

Subtotal: $25,000 – $35,000.

The four line items most SMEs forget

Across hundreds of budget reviews with Melbourne SMEs, four line items show up in good budgets and are missing from average ones.

1. Vendor risk tooling and process

Either a dedicated platform (rarely justified at SME scale) or the time cost of running the lite vendor risk programme. We typically include this within the MSP retainer for our managed clients, but if you are running it internally, budget for 8 to 16 hours per month of someone’s time. For a 50-staff firm, this is $8,000 to $15,000 a year that often shows up nowhere.

2. AI licences you already pay for

Most firms now have Copilot for M365, ChatGPT Team or Enterprise, Claude.ai for Work or Teams, a specialised AI tool for their sector, and one or two pilots that grew into production. The cumulative AI line is rarely consolidated; it lives in expense claims, in a marketing budget, in a partner’s personal spend. Sum it up. For our persona, total AI tooling is typically $15,000 to $35,000 a year by FY27.

3. M365 backup

As discussed at length in our buyer’s guide on the topic, the retention policies and recycle bins included with Microsoft 365 are not a backup: they will not get you back from a ransomware event, a malicious insider or a botched migration, and the shared responsibility model leaves data protection with you. Third-party M365 backup for 50 users is $1,800 to $3,600 a year (Microsoft now also sells its own paid Microsoft 365 Backup add-on, priced per gigabyte stored rather than per user). Cheap, essential, and missing from most budgets.

4. Exit and transition reserve

The unpleasant truth: at some point in the next 5 to 10 years, you will change MSPs, change your primary cloud platform, or be acquired. The cost of a clean exit is real – typically 4 to 12 weeks of overlap, documentation work, data extraction fees, and project management. Budget 5% of annual IT spend in a reserve, held separately, that exists for this purpose. For our persona, that is about $15,000 to $18,000 a year (5% of a $300,000 to $356,000 budget) sitting in a reserve account. You may not need it in any given year, but when the day comes, you will be glad it is there.

The CapEx vs OpEx question for FY27

The classic SME CFO question – ‘should we buy the laptops outright or lease them, should we buy the server or rent the cloud workload’ – has shifted meaningfully in the SaaS era. For most line items in this budget, the choice has been made for you: there is no CapEx option. Microsoft 365 is OpEx. The MSP retainer is OpEx. Cyber insurance is OpEx. The MDR service is OpEx.

The remaining CapEx choices are:

  • Laptops: Buy outright is usually cheaper over a 4-year cycle than Device-as-a-Service, but DaaS smooths cash flow and includes refresh management. For a 50-staff firm, the financial difference is around $4 to $6 per device per month either way; the operational difference is more meaningful.
  • Network equipment: Almost always CapEx. The lifespan is 5 to 7 years, and the rental models for switches and APs don’t make financial sense at this scale.
  • Server hardware (if any): If you still run on-prem servers, CapEx remains the norm. The question to ask annually is whether the workload should be in Azure rather than on the server at all.

Our default recommendation for FY27 is to keep laptops and network equipment as CapEx with a sinking fund, and treat everything else as OpEx. Don’t over-engineer this.

The FY27 total

Adding the midpoints together for our persona:

Line item | FY27 budget
1. Microsoft 365 licensing | $35,000
2. Security stack (beyond M365) | $42,000
3. MSP retainer | $85,000
4. Hardware refresh sinking fund | $38,000
5. Projects | $50,000
6. Cyber insurance | $42,000
7. Training | $12,000
8. Contingency | $30,000
Forgotten items (vendor risk, AI, M365 backup, exit reserve) | $22,000
Total | $356,000

$356,000 against $12 million revenue is 2.97% – at the top of the steady-state range, and inside the 2.5% to 3.0% band that the benchmark table associates with projects in flight. If FY27 is genuinely a steady-state year with no major projects, you could pull this back toward $300,000 by trimming the projects line. If FY27 has a major piece of work (M&A integration, platform migration, office relocation), the projects line should grow and the total can reasonably push past $400,000.

A real-world worked example

A 48-staff consulting firm in Collingwood approached us in 2025 with an FY26 IT budget of $185,000 that they suspected was too low. The reality check confirmed it: their security stack was a few years out of date, their MSP retainer was a break-fix arrangement that produced a constant stream of unbudgeted incidents, and there was no projects line.

The rebuild brought them to $310,000 for FY26, then approximately $330,000 for FY27 (this template). The increase landed in three categories: an additional $35,000 in security tooling and MDR, a $40,000 increase in the MSP retainer for a comprehensive managed model, and the previously-invisible projects budget at $50,000. Their cyber insurance premium dropped $9,000 the following year because the upgraded posture qualified them for a better rate. Net true cost increase: about $116,000, or just under 1% of revenue.

The conversation with the partners took two meetings. The first meeting was about why the number was going up; the second was about what they got for it (a defensible security posture, predictable monthly costs, no more invoice surprises, a real DR position, alignment with Essential Eight Maturity Level 1). The decision was unanimous after the second meeting. The lesson: SMEs underspend on IT because the value of the spend is invisible. Make it visible and the budget conversation gets easier.

How TechAssist works with the FY27 budget

For managed clients on our per-user fixed monthly pricing, the MSP retainer line on this template covers our entire engagement: the sub-15-minute P1 response from our 24/7 NOC at Tecoma, the same-business-day on-site response across Melbourne metro from either our Tecoma office or our 575 Bourke Street CBD office, and the work of our 13 Australian engineers across helpdesk, projects, security operations and vendor management. Founded in 2014, we have built the engagement model specifically for SMEs like the persona in this template: 30 to 150 staff, professional services or similar, Microsoft-aligned, Essential Eight focused.

The security tooling line, the M365 licensing, the cyber insurance premium and the hardware are direct vendor relationships that we manage on behalf of the client but bill at vendor cost. The projects line is scoped separately at the start of the financial year. The result is a budget that is predictable to within 5% across the year, which is what makes the CFO conversation work. For the broader picture of how the engagement is structured, see our MSP Melbourne page or reach the team through contact.

Frequently Asked Questions

We are smaller than 50 staff – how do we scale this down?

The fixed costs (cyber insurance, baseline security stack) don’t scale linearly with headcount. A 25-staff firm typically spends 3.0% to 4.0% of revenue on IT – higher than the 50-staff number – because the fixed costs are spread across fewer users. The per-user costs (M365 licensing, MSP retainer per user, hardware sinking fund) scale linearly. Apply the same template, adjust for size, and expect the percentage of revenue to be higher.

What about firms larger than 100 staff?

Past 100 staff, the conversation usually splits: an internal IT manager or director appears in the org chart, the security stack moves toward enterprise tooling, and the MSP relationship becomes co-managed rather than fully outsourced. Total IT spend as a percentage of revenue typically drops to 1.5% to 2.5% as scale efficiencies kick in.

How much of this should be CapEx versus OpEx for tax purposes?

This template lands roughly 90% OpEx and 10% CapEx (the hardware sinking fund). The OpEx-heavy mix is structurally favourable for cash flow but means the depreciation argument for tax is smaller than it was a decade ago. Talk to your accountant; the tax treatment of cloud and SaaS spend changes most years.

Should we budget for AI separately?

Yes. The AI line will grow meaningfully through FY27 and into FY28 as Copilot, agent-based tools, and sector-specific AI products scale up. Separating the AI line makes the growth visible and lets the leadership team make explicit decisions about it rather than discovering it on the credit card statement.

What is the most common budget mistake for a firm this size?

Underspending on security and overspending on premium hardware. We see firms with $3,500 MacBooks for every user but no MDR service and a self-managed Microsoft tenant. Inverting that ratio – mid-tier hardware, comprehensive security – produces a more defensible posture for the same total spend.

How do we benchmark our actual spend against this template?

Pull together your actual line items, map them to the eight categories above, calculate the percentage of revenue, and compare. If you would like an external review, we run IT budget assessments as a discrete piece of work for non-clients, with a one-page summary and a remediation list. Reach the team through the contact page.

Enterprise vendor risk management assumes you have a four-person governance, risk and compliance team. Most Melbourne SMEs have zero. This is a deliberately stripped ‘lite’ framework for businesses with 20 to 200 staff: three vendor tiers, a one-page questionnaire, the only evidence that matters, and the playbook for when a critical vendor fails the assessment.

Why the enterprise playbook fails for SMEs

Open any vendor risk management framework written for a bank or a listed company and you will find a 130-question security questionnaire, a quarterly review cadence, on-site audits, and a control library mapped to NIST CSF, ISO 27001, SOC 2, PCI DSS and the APRA standards. It works because there is a team paid full-time to run it.

An accounting firm in Hawthorn with 45 staff cannot run that programme. The office manager who ‘owns IT’ has neither the hours nor the technical background to read a SOC 2 Type II report properly, let alone challenge the boundaries it covers. And yet that same firm now uses 60 to 90 SaaS products that touch client data: Xero, a practice management system, an e-signature tool, four AI products, a payroll bureau, a document portal, a cloud archive, a CRM, and so on. The risk surface is the same as a mid-market enterprise. The team to manage it is not.

The lite framework below is what we run with our co-managed clients. It is opinionated, it ignores parts of the textbook on purpose, and it produces a defensible position that holds up in a cyber insurance application or a Privacy Act incident review. We have refined it across 12 years of running managed IT services in Melbourne since founding TechAssist in 2014, and it has now been deployed across professional services, healthcare admin, light manufacturing and not-for-profit clients.

The three-tier vendor categorisation

The single most useful move you can make is to stop treating all vendors the same. About 80% of the SaaS in a typical SME is low-risk; about 5% will hurt badly if it is breached or goes down. Sort the list once, properly, and you can focus your effort on the 5%.

Tier 1: Critical

A vendor is Tier 1 if any one of these is true:

  • They process or store regulated personal data at scale (health records, financial accounts, legal matters, identity documents)
  • Their outage stops the business from operating within 24 hours (your finance system, your line-of-business platform, your phone system, Microsoft 365)
  • They have privileged access into your network, your identity provider, or your endpoints (your MSP, your security tooling, your remote support tools)
  • They handle payments or move money

Expect 5 to 12 Tier 1 vendors in a typical SME. These get the full questionnaire, evidence requirements, and an annual review.

Tier 2: Important

A vendor is Tier 2 if they hold business data that you would care about leaking, but their outage is tolerable for a few days, or the data set is limited. Examples: your CRM, your marketing automation tool, your e-signature service, an HR information system that holds employee records, project management tools.

Expect 15 to 30 Tier 2 vendors. They get the short questionnaire and a light evidence check (the security page on their website is acceptable if it lists the right certifications).

Tier 3: Everyone else

Free productivity tools, internal-only utilities, vendors that hold nothing more sensitive than a contact list. The control is the procurement gate (someone signs off before the credit card goes in) and an annual list review. No questionnaire, no evidence, no annual reassessment.

Expect 30 to 60 Tier 3 vendors. The point is to have them on the list, not to spend any meaningful time on them.

The 12-question questionnaire that fits on one page

Long questionnaires (the SIG, the CAIQ, an internal 140-item monster) do not produce better risk decisions for SMEs. The vendor copies their answers from the last questionnaire, you have no way to verify most of it, and you sign anyway because you need the product. Strip it down to 12 questions that you will actually read.

# | Question | What you are checking
1 | Where is our data physically stored? List countries and providers (AWS, Azure, GCP, on-prem). | Australian Privacy Principle 8 obligations on cross-border disclosure
2 | Do you hold a current SOC 2 Type II, ISO 27001, or IRAP assessment? Please attach. | Independent third-party assurance of controls
3 | What is your data breach notification timeline to customers, in hours? | Whether they leave you time to meet your own Notifiable Data Breaches scheme obligations (assess within 30 days, notify the OAIC and affected individuals as soon as practicable)
4 | Do you support single sign-on through Entra ID or Okta on our plan? | Identity hygiene; ability to off-board staff cleanly
5 | Do you support multi-factor authentication for all users, including admins, on our plan? | The number-one preventable control
6 | Is customer data encrypted at rest and in transit? Which algorithms? | Baseline cryptography
7 | What is your data return and deletion process at contract end? Confirm timeline in days. | Off-boarding readiness
8 | Do you subcontract any processing? List sub-processors and their function. | Fourth-party risk; same Privacy Act exposure
9 | What is your published uptime target and the contractual remedy for missing it? | Service level reality vs marketing
10 | How frequently do you back up customer data and what is the recovery point objective? | What you actually lose in a vendor incident
11 | Have you had a security incident affecting customer data in the last 24 months? | History; willingness to disclose
12 | Who is the named contact for security issues and what is their response time SLA? | Whether anyone will pick up the phone at 2 a.m.

Twelve questions. One page. Most credible vendors can answer it in 30 minutes; if a Tier 1 vendor takes three weeks to respond or sends boilerplate that does not address the question, that is your answer. We have seen serious Australian SaaS vendors fill this out in a working day. We have also seen offshore platforms ignore it entirely. Both outcomes are useful information.

What ‘evidence’ you actually need

The textbook says: review their SOC 2 report, walk through their controls, validate their penetration testing, examine their incident response runbooks. In practice, for an SME, the evidence stack is much simpler. Either the vendor has an independent third-party attestation that you can rely on, or they do not.

Accept (Tier 1 and Tier 2)

  • SOC 2 Type II with an observation period of at least the last six months, ideally twelve, covering the product you are using. Type I is a snapshot and is worth far less. The scope matters – if the SOC 2 covers their corporate environment but not the production service you are buying, it is window dressing.
  • ISO 27001 certification with a recent certificate (within the three-year cycle) and a scope statement that includes the relevant systems. Insist on the scope statement, not just the certificate number.
  • IRAP assessment at PROTECTED or higher, for any vendor handling government-adjacent or sensitive data.

Acceptable with caveats (Tier 2 only)

  • A current public security page that lists controls in detail and names specific frameworks they align with.
  • A signed letter from their CISO or equivalent stating the controls in place, where no certification exists.

Not acceptable for Tier 1

  • ‘We follow industry best practice.’
  • ‘We are SOC 2 compliant’ with no report attached.
  • ‘Our hosting provider (AWS) is certified.’ AWS being certified does not certify the customer running on AWS.
  • A self-assessment questionnaire as the only evidence.

This is where most SME vendor programmes drift. The temptation is to accept a marketing page and move on because the alternative is to delay a project. Hold the line on Tier 1. Be pragmatic on Tier 2.

The playbook for when a key vendor fails

Here is what the textbook gets wrong: it implies that a failed vendor risk assessment means you switch vendors. In SME reality, you almost never do. You have a contract, you have integrations, you have user training, and switching costs are punishing. The realistic outcome of a failed assessment is risk acceptance with compensating mitigations.

The playbook we run with clients has five steps.

Step 1: Identify the specific gap

Not ‘they failed the questionnaire.’ Specifically: they have no SOC 2, their breach notification is 30 days, they do not support SSO on our tier, they will not name their sub-processors. Write down the actual gap.

Step 2: Quantify the exposure

What is the worst credible outcome if this gap is exploited? Loss of which data set, of what volume, with what regulatory and reputational consequences? Document the number of records and the personally identifiable information categories.

Step 3: Design compensating controls

Most gaps can be mitigated on your side. If they do not support SSO on your tier, enforce a strong password manager policy, rotate the shared credentials quarterly, and put an alert on the account. If their breach notification is 30 days, monitor publicly available breach feeds yourself. If they will not name sub-processors, restrict the data set you send them. If they do not have MFA on admin accounts, do not send them your most sensitive data.

Step 4: Document the acceptance

A risk acceptance document that names the gap, the mitigations, the residual risk, the business benefit of continuing, and the executive who signed off. This is what makes the position defensible later. Insurance underwriters and OAIC investigators do not expect perfection; they expect documented, considered decisions.

Step 5: Set a review date

Twelve months from now, are the mitigations still in place? Has the vendor improved their controls? Should the risk acceptance be renewed, withdrawn, or escalated?

A 70-staff law firm in Camberwell we work with ran this playbook recently on a US-based legal AI vendor. The vendor had no SOC 2, no SSO on the relevant tier, and stored data in US-East. The partners wanted the product. The compensating controls: a dedicated tenant configuration that limited what content could be sent to the tool, an enforced data classification policy on the matter management side, quarterly review of the vendor’s audit log exports, and a contractual addendum on breach notification. Risk accepted, documented, signed by the managing partner, reviewed annually. That is a defensible position.

The Australian Privacy Act 1988 angle

The Privacy Act amendments since late 2022 changed the conversation for SMEs. The 2022 enforcement amendments lifted the maximum penalty for serious or repeated interferences with privacy to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period; the 2024 reform tranche added lower penalty tiers and a statutory tort for serious invasions of privacy, with the small business exemption flagged for narrowing in the next tranche. Vendor risk management is now a Privacy Act obligation in practice if not in name. The OAIC has been clear: if your vendor has a breach involving your customers’ data, you carry assessment and notification obligations of your own, and you cannot assume the vendor will discharge them for you.

Australian Privacy Principle 8 (cross-border disclosure) is the clause that catches most SMEs. Sending personal information overseas – which you do every time you sign up for a US SaaS – generally requires that you take reasonable steps to ensure the overseas recipient does not breach the APPs. Your vendor risk assessment is the ‘reasonable steps’ evidence. Without it, you are exposed.

For the detail on what this means in practice, see our companion piece on the Australian Privacy Act for SMBs and what your IT team must do. The vendor risk programme described here is one of the four foundational pieces of that broader compliance posture, alongside data minimisation, identity hygiene, and breach response readiness.

The cyber insurance vendor list creep problem

Cyber insurance applications now routinely ask for a vendor list. Some carriers want the top 10 by data sensitivity; some want every vendor with access to your systems; the more thorough underwriters want the questionnaire results for your Tier 1 vendors. Three observations from running these applications for clients over the past two years.

First, the list grows every year and the questions get sharper. A 2023 application that asked ‘do you use any third-party SaaS providers’ became a 2025 application that asks ‘list all third-party providers with access to personal information, the data categories involved, and your last review date for each.’ Expect this trajectory to continue. Your vendor list and tiering work is also insurance application work.

Second, an inaccurate disclosure on the insurance application can void the policy. We have seen clients tick ‘all critical vendors reviewed in the last 12 months’ when the answer was closer to ‘three of them.’ If a breach involves an unreviewed vendor, the carrier may decline. Be honest on the form, even if the answer is uncomfortable.

Third, insurers increasingly want evidence that you have an MSP or internal team running this programme. A client of ours in Box Hill had a cyber renewal in late 2025 where the carrier asked for proof of an MSP relationship covering vendor risk before they would renew on the existing premium. The co-managed IT support arrangement we had in place satisfied the underwriter; without it, the renewal would have been 40% more expensive.

What to run yourself versus what to delegate

The split we recommend for a 30 to 150 staff SME is:

Activity | Cadence | Owner
Maintain the vendor list (additions, terminations) | Continuous | Internal (finance or operations)
Procurement gate for new vendors | Per request | Internal sign-off, MSP triage
Tier assignment for new vendors | Per request | MSP
Questionnaire issuance and review | Annually for Tier 1, on signup for Tier 2 | MSP
Evidence collection and storage | Annually | MSP
Risk acceptance documentation | Per finding | Internal (executive) with MSP support
Breach intelligence monitoring | Continuous | MSP NOC
Annual programme review | Yearly | Joint

The work the MSP does is the technical assessment and the document handling. The work the business owns is the procurement decision and the risk acceptance. That separation matters. Risk acceptance is a business decision, not an IT decision; the MSP should not be signing it off, but should provide the analysis that informs it.

Our own approach at TechAssist is to maintain a vendor register for each managed client, run the questionnaire cycle from our 24/7 NOC at Tecoma, and bring findings to the client quarterly. When a P1 event involves a vendor (a Microsoft 365 outage, a confirmed third-party breach, a vendor that fails an audit), our sub-15-minute P1 response runs from the same NOC, and our 13 Australian engineers are the team that does the assessment work. No offshore questionnaire mills, no automated tooling that emails the vendor and walks away from the answer.

A realistic first 90 days

If you have nothing in place today and you want to start, here is the shape of the first quarter.

Weeks 1 to 2: List every SaaS, every vendor with a login, every contractor with system access. Pull it from your accounting system (every recurring expense), your password manager, and your single sign-on tenant. Expect to find 30 to 50 more than anyone thought existed.

Weeks 3 to 4: Tier the list. Most vendors will be Tier 3 in five minutes. The Tier 1 conversation is the one that takes time and judgement.

Weeks 5 to 8: Issue the 12-question questionnaire to Tier 1. Chase, read, file. Note the gaps.

Weeks 9 to 12: Risk acceptances or remediations for each Tier 1 gap. Document the position. Schedule the 12-month review. Brief the executive on residual risk.

At the end of 90 days you have a defensible vendor risk position, a paper trail for insurance and Privacy Act purposes, and a list that you can maintain in two to four hours a month rather than rebuilding from scratch every year. That is the goal of the lite programme: defensible, sustainable, and proportionate.

Frequently Asked Questions

Do we need a vendor risk programme if we are under the small business turnover threshold for the Privacy Act?

The small business exemption (under $3 million turnover) is being narrowed by the Privacy Act reforms, and even today the exemption does not apply to health service providers, businesses that buy or sell personal information, contractors to the Commonwealth, and a few other categories. More practically, your customers, your insurers, and your enterprise prospects increasingly require vendor risk evidence regardless of whether the Act technically applies to you. We recommend a lite programme for every SME with more than 20 staff.

Is a SOC 2 Type I report sufficient for Tier 1 vendors?

No. SOC 2 Type I is a point-in-time review and tells you very little about how the vendor actually operates the controls over time. For Tier 1, insist on a SOC 2 Type II covering at least six months and ideally twelve. Type I is acceptable for Tier 2 alongside other evidence.

What do we do about vendors that refuse to respond to the questionnaire?

For Tier 1, non-response is the answer. Either escalate to their account team (often the account manager can move the request through their internal security team) or accept that you cannot use them for Tier 1 workloads. For Tier 2, document the non-response, look at their public security page, and consider whether the gap is acceptable. Some smaller vendors genuinely do not have the team to respond, and that is itself a risk signal.

Should we use an automated vendor risk platform?

Probably not for an SME under 100 staff. The platforms (UpGuard, SecurityScorecard, BitSight, OneTrust) are excellent but priced for an enterprise budget and produce more data than a small team can act on. A spreadsheet, a shared mailbox for evidence collection, and a calendar reminder for annual review will do the job for most SMEs. Revisit the tooling question if you grow past 200 staff or if your customers start asking for vendor risk evidence in a specific format.

Who in the business should own vendor risk?

The accountability should sit with a named executive (CFO, COO or general manager in a typical SME). The day-to-day work can be delegated to an office manager, an internal IT lead, or your MSP. The risk acceptance decisions cannot be delegated below executive level.

How does this fit with our existing cyber security work?

Vendor risk is one pillar of a broader programme that also includes endpoint and identity controls, backup and recovery, and incident response. Our Melbourne cyber security services wrap these pillars together for managed clients, and the vendor risk lite framework is part of the standard offering. If you want to talk through how the pieces fit for your business, our team is reachable through the contact page.

The ‘just one more year’ laptop is the most expensive computer in your business. Once you account for warranty cost, ticket volume, productivity drag, and the security exposure of out-of-support hardware, the five-year-old machine in accounts is costing more than a new one would. Real numbers and a clean decision tree follow.

The honest TCO of a business laptop

Most SMEs assess endpoint refresh by looking at the purchase price. That is the wrong number. The right number is total cost of ownership across the working life of the device, which for a business laptop includes hardware acquisition, extended warranty, helpdesk tickets attributable to the device, productivity loss from slowness or failure, and the security risk premium of running unsupported software.

We have been tracking this data across our managed endpoint base since founding TechAssist in 2014, and the pattern is consistent. A Dell Latitude 5450 or Lenovo ThinkPad T14 purchased today at around $2,200 with a 3-year ProSupport or Premier warranty will deliver, on average:

  • Year 1: 0.8 tickets per device, mostly setup and configuration issues
  • Year 2: 1.4 tickets per device, mostly software and minor performance issues
  • Year 3: 2.1 tickets per device, with the first hardware failures appearing
  • Year 4: 3.6 tickets per device, often a battery or SSD swap, plus rising ‘this thing is slow’ complaints
  • Year 5: 5.8 tickets per device, mostly performance complaints and software compatibility issues

At an average internal cost of $85 per ticket (including the user’s time, not just the helpdesk’s), a year-5 device is costing about $493 in support, plus the productivity hit from a user who is fighting their machine instead of doing their job. That productivity hit is the largest hidden cost, and it is what most SMEs miss when they decide to extend an endpoint refresh cycle.

Windows 11 changes the calculation

Until 2024, the SME endpoint refresh debate was mostly a productivity and support cost conversation. From October 2025, when Windows 10 reached end of support, the conversation became a hard security question. Microsoft will not issue free security patches for Windows 10 after that date. Extended Security Updates (ESU) for SMEs are available but priced to discourage them: USD $61 per device for year one, doubling each year for up to three years, on top of your existing licence costs.

The Windows 11 hardware requirement is the bigger issue. TPM 2.0, Secure Boot, and a compatible CPU are required. Most laptops sold before mid-2018 cannot run Windows 11 at all. Many laptops sold between 2018 and 2020 can technically run it but lag on performance. If you have devices in your fleet older than five years, the choice is no longer ‘replace or repair’, it is ‘replace, pay ESU, or accept the risk of unpatched endpoints’.

For Essential Eight alignment, running out-of-support operating systems fails the Patch Operating Systems control immediately. If you have any aspiration toward cybersecurity maturity or working with clients who require it, this is non-negotiable.

The replace-vs-repair decision tree

For every device in your fleet, the decision tree is:

  1. Is the device Windows 11 compatible? If no, replace. The exceptions are devices that will be repurposed for a non-Windows use case (signage, kiosks, dedicated Linux workstations).
  2. Is the device under warranty? If yes, repair through warranty for hardware failures. If no, move to step 3.
  3. Is the device older than 4 years? If yes, replace rather than repair almost any hardware failure.
  4. What is the failure? Battery and SSD swaps are usually repair-economic up to year 4. Motherboard, screen, or keyboard failures past warranty are almost always replace-economic.
  5. Is the user a heavy use case? Developers, designers, video editors, and finance staff running large models tend to outgrow consumer-grade machines faster. For these users, lean toward earlier replacement.
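The five steps above applied to a fleet inventory, as an added example (this is not TechAssist's tooling). The sample devices are constructed, and the windows11_compatible flag is assumed to come from your MDM hardware inventory or the PC Health Check results rather than being computed here:

```python
# Added example: the five-step replace-vs-repair tree applied to a fleet
# inventory. Sample devices are constructed; the windows11_compatible flag
# is assumed to come from your MDM hardware inventory or PC Health Check.
from dataclasses import dataclass
from datetime import date
from typing import Optional

HEAVY_ROLES = {"developer", "designer", "video editor", "finance"}
REPAIR_ECONOMIC_FAILURES = {"battery", "ssd"}      # step 4: cheap swaps up to year 4
NON_WINDOWS_USES = {"signage", "kiosk", "linux"}    # step 1 exception


@dataclass
class Device:
    asset_tag: str
    purchased: date
    windows11_compatible: bool
    warranty_expires: Optional[date]      # None when no warranty was bought
    role: str
    failure: Optional[str] = None         # "battery", "screen", ... or None if healthy
    repurpose_for: Optional[str] = None   # planned non-Windows use, if any


def age_years(device: Device, today: date) -> float:
    return (today - device.purchased).days / 365.25


def decide(device: Device, today: date) -> tuple[str, str]:
    """Walk the decision tree; return (decision, reason)."""
    # Step 1: Windows 11 compatibility is binary. An incompatible device
    # stops receiving OS security patches and fails Essential Eight patching.
    if not device.windows11_compatible:
        if device.repurpose_for in NON_WINDOWS_USES:
            return "repurpose", "not Windows 11 compatible; planned non-Windows use"
        return "replace", "not Windows 11 compatible; no supported OS path"
    # Step 2: under warranty, hardware failures go back to the manufacturer.
    if device.warranty_expires and device.warranty_expires >= today:
        if device.failure:
            return "repair", f"{device.failure} failure covered by warranty"
        return "keep", "healthy and under warranty"
    # Step 3: past four years, replace rather than repair anything.
    age = age_years(device, today)
    if age > 4:
        return "replace", f"{age:.1f} years old and out of warranty"
    # Step 4: out of warranty but under four years, the failure type decides.
    if device.failure:
        if device.failure in REPAIR_ECONOMIC_FAILURES:
            return "repair", f"{device.failure} swap is repair-economic up to year 4"
        return "replace", f"{device.failure} failure past warranty is replace-economic"
    # Step 5: heavy users follow the 3-year cycle, light users the 4-year cycle.
    if device.role in HEAVY_ROLES and age >= 3:
        return "replace", "heavy user past the 3-year cycle"
    return "keep", "healthy, within its refresh cycle"


# Constructed sample fleet (not real client data).
SAMPLE_FLEET = [
    Device("LT-001", date(2017, 3, 1), False, None, "front-of-house"),
    Device("LT-002", date(2017, 3, 1), False, None, "reception", repurpose_for="signage"),
    Device("LT-003", date(2024, 1, 15), True, date(2027, 1, 15), "finance", failure="screen"),
    Device("LT-004", date(2022, 11, 1), True, date(2025, 11, 1), "developer"),
    Device("LT-005", date(2022, 6, 1), True, date(2025, 6, 1), "admin", failure="battery"),
    Device("LT-006", date(2022, 6, 1), True, date(2025, 6, 1), "admin", failure="motherboard"),
    Device("LT-007", date(2020, 2, 1), True, date(2023, 2, 1), "admin"),
    Device("LT-008", date(2023, 8, 1), True, date(2026, 8, 1), "admin"),
    Device("LT-009", date(2023, 1, 10), True, date(2026, 1, 10), "admin"),
]


def triage(fleet: list[Device], today: date = date(2026, 3, 1)) -> dict[str, tuple[str, str]]:
    """Map each asset tag to its (decision, reason)."""
    return {d.asset_tag: decide(d, today) for d in fleet}


def summary(fleet: list[Device], today: date = date(2026, 3, 1)) -> dict[str, int]:
    """Count devices per decision so the refresh batch can be sized."""
    counts: dict[str, int] = {}
    for decision, _ in triage(fleet, today).values():
        counts[decision] = counts.get(decision, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, (decision, reason) in triage(SAMPLE_FLEET).items():
        print(f"{tag}: {decision:<9} {reason}")
    print(summary(SAMPLE_FLEET))
```

The order of the checks is the point: compatibility is tested before warranty or age, so a device that still has warranty left but cannot run Windows 11 still lands in the replace bucket, which is the security-driven outcome the text describes.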

The single most important question is the first one. Windows 11 compatibility is binary. There is no halfway. A device that cannot run Windows 11 is on borrowed time and every month of extension increases your security exposure.

The 3-year vs 4-year cycle debate

For years, the standard SME refresh cycle was 4 years, often stretched to 5. The recent move by most progressive MSPs has been toward 3 years, and the reasoning is worth understanding.

The case for a 3-year cycle

  • Manufacturer warranties typically cover 3 years out of the box (extending to 4 or 5 adds noticeable cost)
  • Tickets rise sharply from year 2 through year 4 (1.4 to 3.6 in our data), with the steepest step between year 3 and year 4
  • Resale value at 3 years is meaningfully higher than at 4, especially for ThinkPad and Latitude business lines
  • Battery degradation past 36 months affects user productivity even when the device is technically working
  • Operating system and software requirements creep upward; a 3-year-old device is current, a 5-year-old device is fighting Teams

The case for a 4-year cycle

  • The purchase cost is averaged over an extra year, so total spend is lower if devices genuinely are still healthy at year 4
  • Light-use users (front-of-house, occasional office users) often genuinely do not need a refresh at year 3
  • Lease structures often align to 36 or 48 month terms; 48 spreads the cost more

Our recommendation

Run a 3-year cycle for heavy users and a 4-year cycle for light users, with the cohort defined explicitly during procurement, not retrospectively. Mixed cycles within a fleet are fine as long as the policy is documented and the lifecycle dates are tracked.

Lease vs buy in a high-AUD or volatile-AUD environment

The AUD has been volatile against the USD through 2025 and into 2026, and hardware pricing reflects it. Dell, Lenovo, and HP price in USD and adjust Australian list prices on a delayed basis. For an SME refreshing 30+ endpoints, the lease vs buy decision needs revisiting.

Factor | Buy outright | Lease (DOA, equipment finance) | Hardware-as-a-Service (HaaS)
Year-1 cash impact | Full capital outlay | Monthly payment | Monthly payment, often bundled with support
Tax treatment | Depreciation over effective life | Operating lease often fully deductible | Operating expense, fully deductible
Refresh discipline | Often deferred past optimal cycle | Enforced at lease end | Enforced at refresh date
Asset disposal | Business problem | Returned to financier | Managed by provider
Best fit | Cash-rich, low staff growth | Predictable growth, capex-averse | Fast growth, low IT bandwidth

The instant asset write-off has changed several times over the last few years and remains a moving target through the 2026 federal budget cycle. As at writing, the current rules support certain small business write-offs, but the thresholds and the eligible business turnover bands change frequently. Talk to your accountant before committing to an EOFY hardware purchase based on a write-off assumption.

For a Box Hill accounting firm we work with, 28 staff, the move from a buy-and-stretch model (5-year average device age) to a leased 3-year cycle through a major financier reduced their year-on-year IT support cost by 22% and removed the year-4 productivity drag entirely. The lease cost was higher in nominal monthly terms than the depreciation on the previous model, but the total cost was lower once support and productivity were included.

The ‘one device class, one image’ policy

One of the highest-leverage decisions an SME can make about endpoints has nothing to do with the refresh cycle. It is the decision to standardise on one device class with one operating system image.

What standardisation actually means

One business laptop SKU for everybody who needs a laptop (with a workstation-class SKU for the heavy users who genuinely need it). One desktop SKU for fixed-desk roles. One Windows 11 image, one set of pre-installed applications, one configuration baseline managed through Intune or your MDM of choice.

Why it matters

  • Bulk pricing improves significantly when you buy 10 of one SKU instead of 2 each of five SKUs
  • Spares and loaners are interchangeable, so a broken device can be swapped in 15 minutes
  • Driver and firmware management becomes a single workflow instead of five
  • Support tickets resolve faster because the helpdesk has seen this exact configuration a hundred times
  • Security baselines are testable across the entire fleet

For a Port Melbourne logistics company we manage, the move from a mixed fleet (Dell, Lenovo, HP, a few MacBooks) to a single Lenovo ThinkPad SKU with one image reduced their endpoint ticket volume by 31% in the first year of the new policy. Not because the hardware was better, but because the standardisation killed an entire class of compatibility and driver problems.

Standardisation is also what enables sub-15-minute P1 response. When a director’s laptop dies on the way to a board meeting, our team can dispatch an identically configured loaner from our Tecoma or 575 Bourke Street CBD office, and a same-business-day on-site swap is achievable across Melbourne metro. None of that works if the fleet is heterogeneous.

The EOFY tax timing question

The Australian financial year boundary at 30 June makes endpoint refresh a tax-timing question every year. Should you bring forward purchases to claim depreciation or instant asset write-offs in the current FY? Should you defer to spread cost?

The current state of instant asset write-off

The instant asset write-off has been a moving target since the original $20,000 limit was raised, extended, contracted, and reset multiple times through COVID-era stimulus and subsequent budgets. As at the 2025-26 financial year, the threshold and eligibility rules sit at a different level than they did during the peak stimulus period. Do not rely on this post for current numbers; check with your accountant in the month you are planning to purchase.

The strategic question

Tax timing should be a tiebreaker, not a driver. If you genuinely need to refresh devices, the right time is when the devices need refreshing. Bringing forward a purchase by two months to capture a write-off can be smart. Deferring a needed refresh by six months to align with FY26 is almost never smart, because the support cost and productivity drag of the extra six months exceeds the tax benefit.

Bulk timing

For businesses on a 3-year cycle, batching refreshes once a year (typically May or June, into the new FY) is administratively cleaner than rolling refreshes throughout the year. Procurement is a single negotiation, deployment is a single project, and the depreciation schedule is clean. The downside is that a year-1 cohort all ages out together, but in practice the cohort approach also makes succession planning easier.

What to do with the old devices

Endpoint refresh is not finished until the old devices are properly disposed. Three options, with very different risk profiles.

Resale

Resale through a refurbisher or a platform like Grays. Requires certified data destruction before transfer. Acceptable for devices in good condition with no sensitive role history. Capture the resale value against the new device cost.

Donation

To schools, charities, or community programs. Still requires certified data destruction. Generates goodwill and sometimes a tax deduction. The administrative overhead is non-trivial.

Certified destruction

For devices that held sensitive data, devices that failed, or devices with no resale value. Use a certified e-waste processor with a documented chain of custody. For businesses pursuing ISO 27001 capability or aligned to the Essential Eight, this is the only defensible disposal path for devices that handled regulated data.

For healthcare and legal practices in particular, the data on a returned laptop is the same data that triggered the Privacy Act compliance work. Treat disposal as a data security event, not an asset disposal event. Our healthcare IT practice and legal IT practice both build certified destruction into the refresh workflow as standard.

Putting it all together

A working endpoint refresh policy for a typical Melbourne SME looks like this:

  • 3-year cycle for knowledge workers, 4-year cycle for light users, documented at procurement
  • One device class (e.g. Lenovo ThinkPad T-series or Dell Latitude 5000-series) for all standard knowledge workers
  • One workstation-class SKU (e.g. ThinkPad P-series or Latitude 7000-series) for heavy users
  • Windows 11 Pro, one image, managed through Intune
  • 3-year manufacturer warranty (ProSupport or Premier) bundled at purchase
  • Annual batch refresh, typically May or June
  • Lease structure for businesses with predictable growth or capex sensitivity
  • Certified destruction or platform resale at end of life, with documented chain of custody

This is the kind of policy that lives inside a managed IT services arrangement with per-user fixed monthly pricing, because the MSP carries the refresh planning, the procurement leverage, and the deployment execution. For businesses that prefer to keep procurement in-house, the policy still works; you just need to run it yourselves.

Frequently Asked Questions

How do we handle devices for staff who travel constantly?

Heavy travellers are heavy users by definition; their devices take more wear, drop damage, and battery cycles. Move travellers to the 3-year cohort regardless of seniority, and consider upgrading to a workstation-class device with a longer battery and a heavier-duty chassis. The TCO maths almost always favours the more expensive device for users who live out of a bag.

What about Macs?

Macs have a different lifecycle pattern. Hardware tends to last longer (battery and SSD are the main issues), but macOS support tails off after about 7 years and Apple does not offer extended security updates the way Microsoft does. For Mac-using teams, a 4-year refresh cycle is realistic, and the resale value at 4 years is typically strong enough to materially offset the next purchase.

Are refurbished devices a viable option?

For light-use roles, yes. Certified refurbished business-class devices from a reputable refurbisher with warranty can be a sensible choice for 5% to 15% of a typical fleet, particularly for casual users or temporary staff. We do not recommend refurbs for knowledge workers, finance, or any role that lives on the device 8 hours a day.

What is the policy on bring-your-own-device?

BYOD has security and support cost implications that almost always exceed the savings. For staff who genuinely need it (contractors, casual freelancers, board members), use a managed app model on personal devices with Intune App Protection or similar. For employees, issue a managed device. The exception is mobile phones, where BYOD with corporate app containerisation is the more common pattern.

How does this fit with the rest of our IT strategy?

Endpoint refresh policy is one of the foundational decisions that sits underneath cybersecurity, productivity, and IT support cost. A coherent policy makes everything else easier. An incoherent policy or no policy makes everything else harder. If you are evaluating an MSP, ask them what their default endpoint policy looks like and how they enforce it. The answer tells you a lot about how they run their other operations.

Can we just keep extending the warranty?

Most major manufacturers will extend warranty by 1 or 2 years past the original 3-year term, but the cost ramps quickly and the warranty does not cover battery, productivity, or the security exposure of older hardware. For most SMEs, extending warranty past year 4 is more expensive than refreshing the device. If you want a deeper conversation about the right policy for your business, get in touch; this is the kind of question we work through with clients in onboarding.

If you cannot tell us in 30 seconds how many SaaS subscriptions your business pays for, you have SaaS sprawl. For a typical sub-$10M Australian SME, 5% to 12% of recurring SaaS spend is duplicated, unused, or forgotten. This post walks through a four-step audit you can finish before EOFY.

Why SaaS sprawl is a financial problem, not just an IT one

This is a deliberately financial post. We have a separate piece coming on Shadow IT, which covers the security angle. The audit process below is the one we run when a CFO calls us in May or June and says some version of: “I think we are paying for too much software and I do not really know what we have.” That conversation has happened more times this year than in the previous three combined, and EOFY is the moment to fix it because every subscription you cancel before 30 June reduces your run-rate cost for FY27.

SaaS sprawl is not a security incident, it is a slow leak. It happens because individual product subscriptions are small enough to fall under the discretionary spend threshold of most managers ($50 to $200 a month on a credit card), and big enough collectively to fund another two staff members. For a Hawthorn-based professional services firm we audited recently with 48 staff and around $7.5M revenue, the SaaS bill came to $186,000 a year. After audit, we cut it to $142,000 without removing any meaningful capability. That is one and a half graduate salaries, sitting in software nobody used.

Since founding TechAssist in 2014, we have run this exercise inside our managed IT engagements and as standalone projects. The methodology has stabilised into a four-step process that works for any SME with bookkeeping in Xero or MYOB and an executive willing to make some decisions.

Step 1: Extract the spend data

The first step sounds easy and is usually the hardest. You need a clean, single-source list of every recurring software charge the business has paid for in the last 12 months. Not what the IT register says you have. What the bank account and the credit card statements prove you have.

Pulling data from Xero

For Xero-based businesses, the export workflow is:

  1. Go to Accounting, Reports, Account Transactions
  2. Set the date range to the last 13 months (you want one full year plus the current month for renewal visibility)
  3. Filter by the expense accounts you typically book software to: usually ‘Software Subscriptions’, ‘IT Expenses’, ‘Computer Software’, ‘Cloud Services’, and sometimes ‘Marketing’ for tools that snuck in via that team
  4. Export as CSV

You also need the credit card transaction export, separately, because half the rogue subscriptions are on staff cards and never get coded to a software account. Pull the last 13 months of card statements and grep for any merchant name that looks like a SaaS vendor.

Pulling data from MYOB

For MYOB Business or AccountRight users, the workflow is similar: Reports, Accounts, Find Transactions, filter by account, export to Excel. The chart of accounts in MYOB tends to be messier than Xero in our experience, so you will want to also pull the All Journals report for the period and search the description column for known SaaS vendor names.

The Microsoft 365 admin centre and Google Workspace

Do not forget the platform you are already on. Microsoft 365 and Google Workspace both have a billing section showing all subscriptions, seat counts, and the per-seat price. Pull that as a separate dataset. You will use it later when you check seat utilisation against headcount.

At the end of step 1, you should have a single spreadsheet with columns for: vendor name, total annual spend, monthly spend (if recurring), billing frequency, payment method, charge account, and a blank column for ‘function’ which we fill in next.

Step 2: Deduplicate by function

This is where the audit gets interesting. Most SMEs do not think they have duplicate tools. Almost all of them do. The trick is to categorise every tool by the job it does, and then look for jobs being done twice.

Use a six-category matrix:

Category | Typical tools | Common duplication pattern
Collaboration and project management | Asana, Trello, ClickUp, Monday, Notion, Jira | Two or three of these running in parallel across teams
Communications | Slack, Teams, Discord, Zoom, Webex, Google Meet | Teams paid for as part of M365 plus Slack paid for separately
Development and engineering | GitHub, GitLab, Bitbucket, Jira, Linear, Sentry | Multiple issue trackers; multiple monitoring tools
Finance and back-office | Xero, MYOB, Hubdoc, Dext, DocuSign, Adobe Sign | Two e-sign tools; receipt capture tool nobody uses
Marketing and sales | HubSpot, Mailchimp, ActiveCampaign, Salesforce, Pipedrive | Multiple CRMs from different sales eras; multiple email platforms
Niche and line-of-business | Industry-specific tools (practice management, CAD, EHR) | Less duplication, more ‘paid but unused’

For each line in your spreadsheet from step 1, assign a category. Then sort by category and look for duplicates within each category. The patterns we find most often:

  • Three project management tools, because each department picked their own and never standardised
  • Two e-signature platforms (DocuSign for legal, Adobe Sign because it came in Acrobat Pro)
  • Paid Zoom Pro alongside Teams Phone, when nobody actually needs Zoom anymore
  • An old CRM still being paid for after the team migrated to a new one 18 months ago
  • Multiple file-sharing tools (Dropbox, OneDrive, Google Drive, Box) because different teams brought in different ones
  • Two password managers, one of which has six active users out of 40 seats paid

The team in our audit example that kept paying for Trello two years after moving to ClickUp is not an exaggeration. The Trello bill was $18 a user per month for 12 seats, $2,592 a year, billed to the credit card of a manager who left in 2024. Nobody had thought to cancel it because nobody had thought about it at all.
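Steps 1 and 2 run over two small exports, as an added example (not TechAssist's template and not Xero's or MYOB's actual export format). The Xero-style and card-statement CSVs are constructed, the vendor-name normalisation and the monthly-versus-annual guess are heuristics of this example, and the check for tools already covered by a Microsoft 365 tier uses the overlap the post describes under common mistakes:

```python
# Added example: steps 1 and 2 of the audit over constructed Xero and card
# exports. Vendor normalisation and the billing-frequency guess are
# heuristics of this example, not TechAssist's template or Xero's format.
import csv
import io
import re
from collections import defaultdict
from datetime import date

# Constructed sample exports (not real client data).
XERO_CSV = """Date,Account,Description,Debit
2025-03-03,Software Subscriptions,ASANA.COM MONTHLY,540.00
2025-04-03,Software Subscriptions,ASANA.COM MONTHLY,540.00
2025-03-10,IT Expenses,Microsoft 365 Business Premium,1650.00
2025-04-10,IT Expenses,Microsoft 365 Business Premium,1650.00
2025-03-15,Marketing,Mailchimp Standard,120.00
2025-04-15,Marketing,Mailchimp Standard,120.00
2025-02-01,Software Subscriptions,DocuSign Business Pro Annual,3120.00
"""
CARD_CSV = """Date,Merchant,Amount
2025-03-05,TRELLO.COM* ATLASSIAN,216.00
2025-04-05,TRELLO.COM* ATLASSIAN,216.00
2025-03-20,SLACK TECHNOLOGIES,380.00
2025-04-20,SLACK TECHNOLOGIES,380.00
2025-03-22,ADOBE *SIGN,95.00
2025-04-22,ADOBE *SIGN,95.00
"""
# Function categories from the six-category matrix (abridged).
CATEGORY_KEYWORDS = {
    "collaboration": ["asana", "trello", "clickup", "monday", "notion"],
    "communications": ["slack", "zoom", "webex"],
    "finance": ["xero", "myob", "hubdoc", "dext", "docusign", "adobe sign"],
    "marketing": ["hubspot", "mailchimp", "activecampaign", "salesforce", "pipedrive"],
    "platform": ["microsoft 365", "google workspace"],
}
# Standalone tools that duplicate an entitlement already inside M365 Business Premium.
INCLUDED_IN_M365 = {"slack": "Teams", "dropbox": "OneDrive and SharePoint"}


def normalise_vendor(raw: str) -> str:
    """Collapse card-processor descriptors and plan names to a bare vendor key."""
    name = raw.lower().replace("*", " ").replace("#", " ")
    name = re.sub(r"\.(com|io|net)\b", "", name)
    name = re.sub(r"\b(monthly|annual|standard|business pro|business premium)\b", " ", name)
    return " ".join(name.split())


def parse_rows(csv_text: str, desc_col: str, amount_col: str, source: str) -> list[dict]:
    return [{"date": date.fromisoformat(r["Date"]), "vendor": normalise_vendor(r[desc_col]),
             "amount": float(r[amount_col]), "source": source}
            for r in csv.DictReader(io.StringIO(csv_text))]


def categorise(vendor: str) -> str:
    for category, words in CATEGORY_KEYWORDS.items():
        if any(w in vendor for w in words):
            return category
    return "uncategorised"


def build_register(rows: list[dict]) -> dict[str, dict]:
    """One line per vendor: category, guessed billing frequency, annualised spend."""
    by_vendor: dict[str, list[dict]] = defaultdict(list)
    for r in rows:
        by_vendor[r["vendor"]].append(r)
    register = {}
    for vendor, charges in by_vendor.items():
        charges.sort(key=lambda c: c["date"])
        gaps = [(b["date"] - a["date"]).days for a, b in zip(charges, charges[1:])]
        same_amount = len({c["amount"] for c in charges}) == 1
        if len(charges) >= 2 and same_amount and all(25 <= g <= 35 for g in gaps):
            frequency, annual = "monthly", charges[0]["amount"] * 12   # recurring card/direct debit
        elif len(charges) == 1:
            frequency, annual = "single charge (annual assumed)", charges[0]["amount"]
        else:
            frequency, annual = "irregular", sum(c["amount"] for c in charges)
        register[vendor] = {"category": categorise(vendor), "frequency": frequency,
                            "annual_spend": round(annual, 2),
                            "sources": sorted({c["source"] for c in charges})}
    return register


def find_duplicates(register: dict[str, dict]) -> dict[str, list[str]]:
    """Categories where more than one vendor is doing the same job."""
    by_category: dict[str, list[str]] = defaultdict(list)
    for vendor, info in register.items():
        by_category[info["category"]].append(vendor)
    return {c: sorted(v) for c, v in by_category.items() if len(v) > 1}


def find_platform_overlap(register: dict[str, dict]) -> dict[str, str]:
    """Standalone tools paid for alongside an M365 tier that already includes the function."""
    if not any("microsoft 365" in v for v in register):
        return {}
    return {v: ent for v in register for k, ent in INCLUDED_IN_M365.items() if k in v}


def run_audit():
    rows = (parse_rows(XERO_CSV, "Description", "Debit", "xero")
            + parse_rows(CARD_CSV, "Merchant", "Amount", "card"))
    register = build_register(rows)
    return register, find_duplicates(register), find_platform_overlap(register)
```

On the constructed data the register shows Trello at $2,592 a year coming only from the card export, flags Asana plus Trello and DocuSign plus Adobe Sign as duplicate functions, and flags Slack as overlapping with Teams inside Microsoft 365. The frequency guess is deliberately conservative: a single charge is assumed annual, and anything irregular is summed rather than extrapolated, so the register understates rather than overstates the saving.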

Step 3: Map each tool to a business owner

For every line in your now-deduplicated list, you need a named human who owns the decision to keep, kill, or consolidate. This is the step that breaks the audit at most SMEs, because nobody wants to own a tool nobody uses, and nobody wants to admit they signed up for the thing in the first place.

The ownership conversation

Run this as a structured exercise, not an email thread. Get the leadership team in a room with the spreadsheet on a screen. For each line, the question is: “Who is the business owner of this tool?” If nobody puts their hand up, that is the strongest possible signal that the tool should be killed.

Owners need two responsibilities clearly stated:

  • They authorise the spend
  • They are accountable for whether the business gets value from the tool

For tools that survive ownership assignment, you also want a documented use case (“we use Asana for client project tracking across the consulting team, 18 users”) and a renewal date.

Seat utilisation check

For every tool the business is keeping, pull the actual seat utilisation in the last 30 days. Most SaaS vendors have a ‘last active’ or ‘last login’ field in the admin console. Compare paid seats to actively used seats.

A South Melbourne creative agency we audited had 38 Adobe Creative Cloud licences for 24 people. The previous office manager had set up seats for every staff member because Adobe ran a promotion in 2022. Of the 38 seats, 19 had been used in the prior 90 days. Cutting back to 25 seats (24 plus one buffer) saved $11,800 a year. They had been paying $880 a month for unused creative software for 18 months.
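The seat utilisation check as an added example, not the agency's data or any vendor's real admin-console export. The user,last_active CSV shape, the 20 paid seats, the 12-person headcount and the $60 per-seat monthly price are constructed assumptions; the target follows the post's pattern of headcount plus one buffer seat, and a blank last_active (seat provisioned, never used) is treated as its own bucket:

```python
# Added example: seat utilisation check from a constructed admin-console
# export. The CSV shape (user,last_active), seat counts and the per-seat
# price are assumptions of this example, not any vendor's real export.
import csv
import io
from datetime import date, timedelta

# Constructed export: 12 named users on a tool with 20 paid seats.
SEAT_EXPORT = """user,last_active
u01,2026-02-27
u02,2026-02-20
u03,2026-02-15
u04,2026-02-10
u05,2026-02-02
u06,2026-01-31
u07,2026-01-20
u08,2026-01-05
u09,2025-12-15
u10,2025-11-01
u11,2025-06-30
u12,
"""


def utilisation(csv_text: str, today: date, window_days: int) -> dict[str, list[str]]:
    """Split users into active within the window, dormant, and never logged in."""
    cutoff = today - timedelta(days=window_days)
    buckets: dict[str, list[str]] = {"active": [], "dormant": [], "never_used": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = row["last_active"].strip()
        if not last:                                   # seat provisioned, never used
            buckets["never_used"].append(row["user"])
        elif date.fromisoformat(last) >= cutoff:
            buckets["active"].append(row["user"])
        else:
            buckets["dormant"].append(row["user"])
    return buckets


def rightsize(paid_seats: int, headcount: int, active_count: int,
              per_seat_month: float, buffer: int = 1) -> dict:
    """Target = people who need the tool plus a buffer; flag low activity for the owner."""
    target = headcount + buffer
    excess = max(paid_seats - target, 0)
    return {"paid": paid_seats, "target": target, "excess_seats": excess,
            "annual_saving": round(excess * per_seat_month * 12, 2),
            "review_use_case": active_count < headcount}


def audit_tool(csv_text: str = SEAT_EXPORT, paid_seats: int = 20, headcount: int = 12,
               per_seat_month: float = 60.0, today: date = date(2026, 3, 1)) -> dict:
    """Compare the 30-day and 90-day views, then size the seat count to headcount."""
    usage_30 = utilisation(csv_text, today, 30)
    usage_90 = utilisation(csv_text, today, 90)
    return {"active_30d": len(usage_30["active"]), "active_90d": len(usage_90["active"]),
            "never_used": usage_90["never_used"],
            "rightsize": rightsize(paid_seats, headcount, len(usage_90["active"]), per_seat_month)}


if __name__ == "__main__":
    print(audit_tool())
```

Running both windows matters: 6 users are active in the last 30 days but 9 in the last 90, so a 30-day view alone would overstate how many seats can go. The rightsizing still targets headcount plus one (13 seats, 7 excess, $5,040 a year on the constructed price), and the review_use_case flag tells the tool owner that fewer people use it than are on the books, which is a conversation for the ownership workshop rather than an automatic cut.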

Step 4: Kill, consolidate, keep

The final step is the decision. Every tool in your spreadsheet ends up in one of three buckets.

Kill

Tools with no owner, no use case, or zero seat utilisation. Cancel them before the next renewal. For tools billed monthly, the cancellation is easy. For tools on annual contracts, mark the renewal date in the calendar and set a reminder for 60 days prior.

Watch for cancellation friction. Some SaaS vendors require you to call a sales rep to cancel, especially on enterprise tiers. Budget time for this. Some require 30 or 60 days notice. Read the terms before you assume you can cancel today.

Consolidate

Two tools doing the same job, both with active users. The owner of each tool needs to pick one and migrate. Set a realistic migration timeline (usually 60 to 90 days for a project management tool migration; longer for a CRM) and a hard cancellation date for the loser.

Migration is the step where consolidation projects die. Account for the cost: someone needs to actually do the work, and the loser tool needs to stay paid until the migration completes. Build that into the savings calculation.

Keep

Tools with a clear owner, an active use case, and reasonable seat utilisation. For these, the audit work is rightsizing the seat count and aligning the billing frequency. Annual billing is usually 10% to 20% cheaper than monthly. If you are confident in the keep decision, switch to annual at renewal.

Typical wins for a sub-$10M SME

For Australian SMEs in the $2M to $10M revenue band, we consistently see SaaS audit savings of 5% to 12% of total SaaS spend. The mix typically breaks down like this:

Saving source | Typical share of total saving | Example annual saving (mid-sized SME)
Fully unused tools (kill) | 35-45% | $8,000-$15,000
Duplicate tools (consolidate) | 25-35% | $6,000-$12,000
Over-provisioned seats (rightsizing) | 20-30% | $5,000-$10,000
Monthly to annual billing switch | 5-10% | $1,500-$4,000

For a Cremorne software business we worked with (32 staff, $4.8M revenue, $94,000 annual SaaS spend pre-audit), the savings broke down as $11,200 from killing unused tools, $9,800 from consolidating overlapping tools, $6,400 from rightsizing seats, and $2,100 from billing switches. Total $29,500 a year, 31% reduction. The audit itself took about 14 hours of staff time across three weeks.

The Excel template

The template we use internally has six tabs. You can build your own in an afternoon:

  1. Raw data: CSV exports from Xero or MYOB, pasted as-is, one tab per source
  2. Consolidated list: deduplicated by vendor, with annual spend, monthly spend, billing frequency, category, owner, use case, and decision (kill/consolidate/keep) columns
  3. Seat utilisation: for each kept tool, the paid seats vs active seats vs target seats
  4. Renewal calendar: all renewal dates in date order, colour-coded by criticality
  5. Savings tracker: per-decision annualised saving, with a running total
  6. Action log: what we cancelled, when, what we consolidated, and the realisation date for each saving

The most important tab is the action log. Audits are easy. Execution is hard. Without a tracked action log, half the decisions never get implemented and the savings never land.

Common mistakes during SaaS audits

Not including microservices and add-ons

Many tools are sold as the base product plus per-feature add-ons. HubSpot, Salesforce, Microsoft 365, Adobe Creative Cloud, all have premium add-ons that are often turned on by accident or for a one-off campaign and never turned off. Audit add-ons separately, not just the base product.

Ignoring the implicit licence inside another product

This is the biggest miss. If you are paying for Microsoft 365 Business Premium at $33 per user per month, you already have Teams (voice optional), SharePoint, OneDrive, Exchange, Intune, Defender for Office 365, Azure AD Premium P1, and Power Automate Free. If you are also paying for Slack, Dropbox, a separate identity provider, or a third-party MDM, you are paying twice. Map the included entitlements of your platform tier before assessing the standalone tools.

Forgetting personal credit card subscriptions

If staff expense SaaS through reimbursement, those subscriptions never hit the company card. They live in the expense system. Pull a year of expense claims and search for any vendor name that smells like software.

Treating it as a one-off

SaaS sprawl is a continuous problem. Without a recurring process, you will be back where you started in 18 months. Build a quarterly mini-audit into the finance calendar: every quarter, pull new SaaS charges, check ownership and use case, and add to the central register. This is the kind of governance that comes naturally inside a managed IT services arrangement with per-user fixed monthly pricing, because the MSP has a vested interest in keeping the SaaS register clean.

How this connects to your broader IT environment

A clean SaaS register is a precondition for several other things you probably need to do this year. It feeds directly into your cybersecurity posture, because every SaaS tool is an authentication surface and a data exfiltration risk. It feeds into your Privacy Act compliance, because the 2024 reforms require you to know where personal information lives, and ‘in some SaaS tool nobody can remember the name of’ is no longer acceptable. It also feeds your cloud services strategy, because a deduplicated tool stack is much easier to integrate and govern.

For Essential Eight alignment specifically, the audit produces the application inventory that the Application Control and User Application Hardening controls assume you already have. You cannot allowlist or harden applications you do not know exist.

When to bring in external help

You can run the audit yourself if you have a financially literate operations manager with a few spare hours each week and an executive willing to make decisions. If you do not, or if you suspect the audit will surface uncomfortable conversations about who signed up for what, an external party makes the process faster and less politically charged.

TechAssist runs SaaS audits as a standalone engagement or as part of broader managed IT onboarding. Our team of 13 Australian engineers includes the people who actually know which Microsoft 365 entitlements overlap with which standalone tools, which matters because most of the consolidation savings hide in that overlap. We run audits out of both our Tecoma office and our 575 Bourke Street CBD office, so we can do the workshop in person wherever your team is. If you want to start a conversation, the EOFY window is the right time.

Frequently Asked Questions

How long does a typical SaaS audit take?

For a 30 to 80-staff SME, plan on 12 to 20 hours of work spread over three weeks. The data extraction is the longest single task. The decisions can be made in two or three workshops if leadership is willing to commit time.

Can we just use a SaaS management platform like Vendr or Zylo?

Those tools are excellent for businesses with 200+ staff and SaaS bills over $500,000. For sub-$10M SMEs, the licence cost of the management tool is often higher than the savings it surfaces. Excel and a focused three-week project produce 90% of the result at 10% of the cost.

Should we cancel everything that has zero use, or migrate users first?

Confirm zero use across at least 90 days before cancelling, and notify the listed billing contact (not just the technical contact) before pulling the plug. Some tools are ‘used’ only at month-end or quarter-end and look dormant at other times. A 90-day window catches most of these.

What about free SaaS tools, do they matter for the audit?

From a cost perspective, no. From a security and governance perspective, very much yes. Free tools are where the data leaks happen. That conversation belongs in the Shadow IT review, not the financial audit.

Do we need to involve our MSP in the audit?

If you have one, yes. Your MSP often holds the admin credentials to half the tools you are auditing, knows the seat utilisation in real time, and can execute the cancellations on your behalf. If you run a co-managed IT arrangement, this is the kind of work that should already be part of your quarterly review with the MSP.

When is the right time of year to run the audit?

April or May, to bank the FY27 savings before 30 June. Cancellations made in May reduce your run-rate for FY27 and improve your EBITDA position before EOFY. Audits run in September or October are still valuable, but you have given up a year of savings.

Your sole internal IT person hands in their notice on a Tuesday afternoon. The next 90 days will quietly expose every undocumented decision, shared login, and unwritten vendor relationship they were holding together. Most Melbourne SMEs discover within a fortnight that they have no idea what their IT person actually did, and the cost of that ignorance compounds fast.

The shape of the problem

If you are running a 30 to 150-staff business in Melbourne with a single internal IT person, your operational risk is almost certainly higher than your insurer thinks it is. That person is the firewall, the documentation, the vendor relationship manager, the backup verifier, and the person who knows that the printer on level 2 has its own static IP because someone in 2019 wired it badly and nobody has fixed it since. When they resign, none of that lives anywhere else.

We have walked into this scenario more times than we can count since founding TechAssist in 2014. The pattern is consistent enough that we now treat it as a defined transition project rather than a panic. The 90-day window splits cleanly into three phases, and how you handle each one determines whether the next IT model you adopt is built on knowledge or built on guesswork.

This post walks through that window honestly. We will not pretend the handover is clean, because it almost never is. We will name the mistakes that bite later, lay out a realistic cost comparison for the three paths forward, and tell you what to do in the first 48 hours that will save you the most pain.

Week 1-2: Knowledge dump and credential capture

The clock starts the moment notice is given. Your departing IT person is, depending on the relationship, either genuinely trying to leave things tidy or already mentally checked out. Either way, the goal of the first fortnight is to extract every piece of operational knowledge from their head and every credential from their personal devices before they walk out the door.

The credential audit comes first

Before anything else, you need a complete list of every system the business uses, who owns the admin account, and where that credential is stored. In practice, most SMEs discover their IT person has been the sole holder of admin credentials to:

  • The Microsoft 365 global admin account, often tied to their personal mobile for MFA
  • The domain registrar (frequently a personal GoDaddy or Crazy Domains account from years ago)
  • The DNS provider, which may or may not be the same as the registrar
  • The firewall management console, with the vendor portal login on a Post-it note
  • The NBN or fibre service account, registered to their personal email
  • Backup software portals, antivirus consoles, RMM tools if they ran one
  • Line-of-business application admin accounts

The MFA problem is the one that catches people. Personal phone-based MFA is the single most common landmine we find. If your departing IT person’s mobile is the second factor for your Microsoft 365 global admin, and you do not transfer that before they leave, you are one factory reset away from being locked out of your own tenant. Microsoft’s account recovery process for global admin lockouts is slow, painful, and requires documentation most SMEs cannot produce on demand.

Document the undocumented

The other priority for week 1-2 is sitting down with the departing engineer and walking through the actual environment. Not what is in the wiki, what they actually do day-to-day. The questions that produce the most value:

  • What automations or scripts run on a schedule? Where do they live?
  • Which vendor support contracts exist, when do they renew, and who is the named contact?
  • What is the backup routine, where are backups stored, and when was the last successful restore test?
  • Which servers or services are running on hardware that should have been replaced years ago?
  • What workarounds exist that nobody else knows about?
  • Which staff have local admin rights they should not have, and why?

A Caulfield-based legal practice we onboarded last year had their sole IT manager resign after 11 years. During the knowledge dump, he casually mentioned that the practice management database was being backed up by a PowerShell script he wrote in 2016 that ran on his personal laptop because the server scheduled task had stopped working in 2019 and he had not got around to fixing it. The firm had been one stolen laptop away from losing seven years of matter records without realising it.

Week 3-6: Vendor relationships and the ‘who pays for what’ audit

Once you have credentials and a working operational picture, the second phase is harder and less satisfying. You need to map every vendor relationship, every recurring charge, every Master Services Agreement, and every handshake deal your IT person ever made. This is the phase that tends to drag, because the information is fragmented across accounts payable, the IT person’s email folders, and the memories of long-tenured staff.

The vendor map

Start with the bank statements and the accounting system. Pull 12 months of card transactions and supplier invoices. Categorise every IT-related charge. You will find:

  • SaaS subscriptions nobody uses anymore
  • Hardware leases that auto-renew next quarter
  • Support contracts on equipment that was decommissioned
  • Domain renewals you did not know existed
  • Monthly retainers to small contractors for specific systems
  • Cloud bills (AWS, Azure) that have been growing 8% per quarter without anyone noticing

For each vendor, you want the named contract, the renewal date, the named contact, and the escalation path. Most SMEs find at least 5% of IT spend is going to things that no longer deliver value. For a business with $80,000 annual IT spend, that is $4,000 a year sitting in dead subscriptions.

The MSA discovery

Master Services Agreements with key vendors are often signed once, filed badly, and forgotten. When your IT person leaves, you need to know:

  • What service levels are you actually entitled to?
  • What are the notice periods if you want to terminate?
  • Are there minimum spend commitments?
  • Who has authority to raise priority support tickets?

For businesses considering a move to a managed IT services arrangement, this audit is non-negotiable. You cannot transition into a managed model cleanly without a complete picture of existing commitments. We have seen incoming MSPs surprised by 18-month telco contracts that the previous IT person signed without anyone realising.

Week 7-12: Decide the path forward

By week 7, you have credentials, documentation, and a vendor map. Now the actual strategic decision: replace, co-manage, or fully outsource. This is where most SMEs default to ‘replace like-for-like’ because it feels safest, but it is rarely the cheapest or the most resilient option.

Option 1: Replace internally

Hire another internal IT person. This is the path of least change but the highest single-point-of-failure risk. You are rebuilding the same fragile structure you just discovered the cost of. If you go this route, your new hire should inherit not only the credentials but also a contract clause requiring all admin access to use organisational MFA, all credentials to be stored in a business password vault, and all documentation to live in a business-controlled system. That is the bare minimum to avoid repeating this exercise in three years.

Realistic Melbourne salary for a competent internal IT generalist who can cover infrastructure, end-user support, and basic security is $90,000 to $115,000 including super, plus tools, training, and the productivity gap during recruitment (typically 3-4 months).

Option 2: Co-managed IT

Keep an internal person, but layer an MSP underneath them for the heavy lifting: 24/7 monitoring, after-hours coverage, escalation for complex problems, vendor management, and the security stack. The internal person focuses on what they are best at, which is usually being close to the staff and the business. This model works well for businesses with 50 to 250 staff who have a meaningful in-house IT need but not enough work to justify a team of three.

Our co-managed IT support model is designed for exactly this scenario, and it is often where businesses land when they have just lost a sole IT person and want resilience without complete outsourcing. The internal hire is junior to mid-level (so cheaper), the MSP carries the senior expertise and after-hours risk, and the business gets two layers of redundancy.

Option 3: Fully outsource to an MSP

No internal IT person. All support, infrastructure, security, and strategy moves to an MSP under a per-user fixed monthly contract. This is the right answer for most businesses under about 80 staff, and increasingly for businesses up to 150 staff who do not have specialist needs.

The economics are straightforward once you do the maths. A 60-staff Melbourne business paying $105,000 fully-loaded for an internal IT person, plus $25,000 in tools and licences they manage, is spending $130,000 a year for one person who takes leave, gets sick, and cannot cover after-hours. A per-user fixed monthly MSP arrangement for the same business typically lands between $110 and $160 per user per month depending on inclusions, which puts the spend in the $80,000 to $115,000 range with a contracted service level behind it. You also get the security stack, 24/7 monitoring, and a team rather than a person.

TechAssist runs a 24/7 NOC at our Tecoma office, which means when something breaks at 2am, somebody Australian is already looking at it. We also operate a CBD office at 575 Bourke Street, which matters if your staff are in the city and you want same-business-day on-site response across Melbourne metro. Our 13 Australian engineers cover the work that one internal person cannot, and our sub-15-minute P1 response target is contractual, not aspirational. If you want to choose an MSP in Melbourne properly, this is the question to ask: what is the contractual response time, and what happens if it is missed?

Realistic cost comparison: three paths

The numbers below assume a 60-staff Melbourne business with a typical mix of office and field workers, Microsoft 365 Business Premium, a small server footprint, and standard security needs. Adjust for your context, but the relative shape holds.

Cost category                   | Replace internal | Co-managed           | Fully outsourced MSP
Salary (including super)        | $105,000         | $75,000 (junior/mid) | $0
MSP retainer (60 users)         | $0               | $48,000              | $95,000
Tools and licences              | $25,000          | Included in MSP      | Included in MSP
Recruitment and onboarding (Y1) | $18,000          | $8,000               | $3,000
After-hours coverage            | Not covered      | Covered by MSP       | Covered by MSP
Single-point-of-failure risk    | High             | Low                  | Very low
Year 1 total cost               | $148,000         | $131,000             | $98,000
Year 2 ongoing                  | $130,000         | $123,000             | $95,000

The outsourced option is cheapest on paper, but the right answer depends on the business. A manufacturer in Dandenong South with heavy line-of-business software and a real shop-floor IT footprint might genuinely need an on-site person. A professional services firm in Hawthorn with 40 staff almost certainly does not.

Offboarding mistakes that bite later

These are the recurring patterns we see in the second year after a sole IT person leaves. None of them are dramatic. All of them are expensive.

Shared admin accounts

The departing IT person had one admin account they used for everything, and in practice shared it with whoever else occasionally needed to get something done. When they left, somebody changed the password but left the account enabled, and the new password went into the same circulation as the old one. Six months later the audit log shows that account doing something nobody authorised, and nobody can say which human pressed which key. Rotating the password also does nothing about the MFA methods and devices the departing person registered against it. Disable departing admin accounts rather than just rotating the password, and give every remaining administrator a named account of their own, so the log always points at a person.

Personal phone-based MFA

Already covered above, but it bears repeating because it is the single most common failure mode. Every MFA factor needs to be on a business-controlled device or a business-controlled mechanism (such as a security key held by the business, or a service account authenticator app on a business device).

Undocumented automations

Scripts, scheduled tasks, Power Automate flows, Zapier workflows, all running quietly in the background, all created by the departing person, none of them documented. The first failure happens nine months later when something breaks and nobody can find the source. Audit every scheduled task on every server, every Power Automate flow in the tenant, and every connector in any iPaaS tool. Document what each does, who owns the business outcome, and what happens if it stops.

Vendor portals registered to personal emails

The Telstra account, the Microsoft partner relationship, the AWS root account, the domain registrar, all created in 2017 using a personal Gmail address because it was faster than waiting for IT to set up a shared mailbox. Hunt every one of these down before the departing person walks out. Once they are gone and the vendor only accepts identity verification via that personal email, you have a multi-month problem.

Local admin rights on workstations

Many sole-IT-person businesses run with local admin rights distributed liberally. The IT person gave it out as a workaround for software installs and never took it back. This is a security problem that needs fixing during the transition, not after, because incoming MSPs will see it as a red flag and either price it in heavily or refuse the engagement. Removing standing local admin rights sits under the Essential Eight's Restrict Administrative Privileges control, which the ACSC has been pushing for years, and every workstation where the departing person's own account is a local administrator is one more place that account has to be found and removed.
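The two sweeps below, one for scheduled tasks that run under a named account or out of a user profile (the undocumented-automations problem above) and one for local Administrators membership on workstations, are an added example and not TechAssist's tooling or anything the post itself provides. They assume PowerShell remoting (WinRM) is enabled on the targets and that you run them from an admin workstation with rights on those machines; the server and workstation names are placeholders.

```powershell
# Added example (not TechAssist's tooling). Assumes WinRM/PowerShell remoting is enabled on the targets
# and you run this from an admin workstation with rights on them. Computer names are placeholders.
$servers      = 'SRV-FILE01', 'SRV-APP01'
$workstations = 'WS-001', 'WS-002', 'WS-003'     # or: (Get-ADComputer -Filter 'OperatingSystem -like "*Windows 1*"').Name

# 1. Scheduled tasks outside Microsoft's own tree, with the account they run as and what they execute.
$tasks = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task       = $task.TaskName
                Author     = $task.Author
                RunsAs     = $task.Principal.UserId
                Execute    = $action.Execute
                Arguments  = $action.Arguments
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult          # 0 = succeeded; anything else has been silently failing
                # Runs under a named account (dies the day you disable it) or out of someone's profile (vanishes with it).
                AtRisk     = ($task.Principal.UserId -and
                              $task.Principal.UserId -notmatch '^(NT AUTHORITY\\)?(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$') -or
                             ("$($action.Execute) $($action.Arguments)" -match '\\Users\\')
            }
        }
    }
}
$tasks | Sort-Object AtRisk -Descending | Format-Table PSComputerName, Task, RunsAs, Execute, LastRun, LastResult, AtRisk -AutoSize

# 2. Local Administrators on workstations. Groups (Domain Admins, an MSP's management group) are expected;
#    individual user accounts are the findings, and the departing person's own account is the first one to remove.
$admins = Invoke-Command -ComputerName $workstations -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{ Member = $_.Name; Class = $_.ObjectClass; Source = $_.PrincipalSource }
    }
}
$admins | Where-Object { $_.Class -eq 'User' -and $_.Member -notmatch '\\Administrator$' } |
    Group-Object Member | Sort-Object Count -Descending |
    Format-Table @{ n = 'Account'; e = 'Name' }, @{ n = 'Workstations'; e = 'Count' } -AutoSize
```

Tasks flagged AtRisk are the ones to re-point at a service account or gMSA before the departing person's account is disabled; a non-zero LastResult on a backup task is the Caulfield story above waiting to happen. Power Automate flows and Zapier connectors do not live on a server, so they need their own export from the Power Platform admin centre and the iPaaS vendor's console. Get-LocalGroupMember is known to error on orphaned SIDs left by deleted accounts; a machine that returns nothing should be checked by hand rather than assumed clean.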

What to do in the first 48 hours

If you are reading this because your IT person just resigned, here is the order of operations for the first two days. Everything else can wait.

  1. Change the Microsoft 365 global admin password and MFA factor. Today. Use a business-owned phone or hardware token, and revoke the account's existing sign-in sessions, because a password change alone leaves already-issued tokens alive until they expire.
  2. Create a dedicated emergency access (break-glass) account holding Global Administrator: cloud-only, not tied to any individual's mailbox or phone, excluded from Conditional Access, with a long generated password and a hardware security key held by a director and stored offline. Alert on every sign-in to it; it is never used day to day.
  3. Pull a list of all admin role assignments in Microsoft 365 and document which humans (and which groups and service principals) hold which roles, and what MFA method each of them is registered with.
  4. Identify the domain registrar and DNS provider and confirm the business has account control. If not, start the recovery process immediately.
  5. Engage a transition partner if you do not have internal capacity for the next 11 weeks of work. This is not a normal-business-week task.
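Step 3 above, and the shared-admin and personal-phone-MFA failure modes described earlier, come down to one report: who holds which role, and what second factor they registered. The script below is an added example, not TechAssist's tooling, written against the Microsoft Graph PowerShell SDK with read-only scopes. The rating thresholds (security key or Windows Hello as phishing-resistant, authenticator app as acceptable, SMS or e-mail as the thing to fix) are this example's own choice, not something the post prescribes.

```powershell
# Added example (not TechAssist's tooling). Needs the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Read-only scopes only; this reports, it changes nothing.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# Entra's registered-method types, grouped by how well they survive a departing person's phone.
$phishingResistant = @('#microsoft.graph.fido2AuthenticationMethod',
                       '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
$authenticatorApp  = @('#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
                       '#microsoft.graph.softwareOathAuthenticationMethod')
$phoneOrEmail      = @('#microsoft.graph.phoneAuthenticationMethod',    # SMS / voice to a mobile
                       '#microsoft.graph.emailAuthenticationMethod')    # SSPR only, but still a recovery path

$report = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $odataType = $member.AdditionalProperties['@odata.type']
        if ($odataType -ne '#microsoft.graph.user') {
            # Groups and service principals hold roles too; list them so nobody forgets they exist.
            [pscustomobject]@{ Role = $role.DisplayName; Principal = $member.AdditionalProperties['displayName']
                               Type = $odataType.Split('.')[-1]; MfaRating = 'n/a'; Methods = ''; Phones = '' }
            continue
        }
        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
        $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
        $rating  = if ($types | Where-Object { $_ -in $phishingResistant }) { 'phishing-resistant' }
                   elseif ($types | Where-Object { $_ -in $authenticatorApp }) { 'authenticator app' }
                   elseif ($types | Where-Object { $_ -in $phoneOrEmail })     { 'PHONE/EMAIL ONLY: move to a business device' }
                   else                                                        { 'NO MFA METHOD: password only' }
        # The number itself is how you spot a personal mobile registered as the second factor.
        $phones = $methods | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.phoneAuthenticationMethod' } |
                  ForEach-Object { $_.AdditionalProperties['phoneNumber'] }
        [pscustomobject]@{
            Role      = $role.DisplayName
            Principal = $member.AdditionalProperties['userPrincipalName']
            Type      = 'user'
            MfaRating = $rating
            Methods   = ($types | ForEach-Object { ($_.Split('.')[-1]) -replace 'AuthenticationMethod$', '' }) -join ','
            Phones    = $phones -join ','
        }
    }
}

$report | Sort-Object Role, Principal | Format-Table Role, Principal, Type, MfaRating, Methods, Phones -AutoSize
# The rows the first-48-hours list is about: anyone holding Global Administrator without a business-controlled strong factor.
$report | Where-Object { $_.Role -eq 'Global Administrator' -and $_.MfaRating -notmatch '^(phishing|authenticator)' } |
    Format-Table Principal, MfaRating, Phones -AutoSize
```

Get-MgDirectoryRole shows active assignments only; if the tenant uses PIM, eligible assignments come from Get-MgRoleManagementDirectoryRoleEligibilitySchedule and belong on the same list. Once the departing person's account has been rotated, Revoke-MgUserSignInSession against it is the "revoke sessions" step from item 1.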

If you want help running this transition cleanly, that is the bread and butter of our Melbourne MSP practice. We have done it dozens of times. The pattern is repeatable. The mistakes are predictable. The 90 days will pass either way.

Frequently Asked Questions

How long should the notice period be for a sole IT person?

Contractually, whatever your employment agreement says, usually four weeks. Practically, you want to be in a position where you could survive a one-day departure if the relationship turned sour. That means documentation, credential capture, and a transition plan ready to execute. If you only have the standard notice period and no plan, four weeks will not be enough.

Should we let the departing IT person help us choose the replacement?

Generally, no. Their incentives and the business’s incentives are not aligned. They may favour a friend, or push toward a model that protects their professional reputation rather than what fits the business. Use the departing engineer for knowledge transfer, not for vendor selection.

What if the departing person was a contractor, not an employee?

The risk profile is similar but the legal lever is different. Contractors usually have weaker IP and confidentiality protections by default unless the contract was written carefully. Check the contract for credential ownership, work product ownership, and data handling clauses. If the contractor was using their own tooling (their RMM, their backup software, their monitoring), you need to migrate off that tooling before they leave, not after.

Is co-managed IT just outsourcing with extra steps?

No, and this is a common misconception. Co-managed works because the internal person handles the relationships, the business knowledge, and the ground-level support, while the MSP handles the depth, the after-hours, the security stack, and the senior expertise. The internal person is the face. The MSP is the backbone. It works for businesses that have enough IT work to keep one person busy but not enough to justify a team.

How does the Essential Eight fit into all of this?

The Essential Eight is the ACSC’s baseline cybersecurity framework, and it is becoming a de facto expectation for Australian SMEs working with government, financial services, or healthcare clients. A sole IT person rarely has the bandwidth to implement and maintain all eight controls properly. The transition out of a sole-IT model is a natural moment to assess your cybersecurity posture against the Essential Eight and pick a path forward that closes the gaps.

How quickly can an MSP take over from a departing internal IT person?

For a clean transition, six to eight weeks from contract signature to full handover is realistic. We have done faster in emergency scenarios, but the work suffers. The first two weeks are discovery and credential transfer, the next two weeks are tooling deployment and policy alignment, and the final two to four weeks are co-running while the departing person is still available for questions. If you are starting that conversation, do it the week the resignation lands, not the week before the person leaves.

Shadow IT Discovery: Finding the SaaS Tools Your Staff Bought on a Credit Card

The average 50-person Melbourne SME has 60 to 80 SaaS apps in use. Finance can see maybe 15 of them. The rest were signed up to by individual staff on free trials or personal credit cards. The fix is discovery, triage and a clear sanctioning path, not a memo telling people to stop.

Why shadow IT happens (and why blaming users is the wrong move)

Before we talk discovery, it is worth being honest about why shadow IT exists. Three reasons account for almost all of it.

The first is speed. The official process for getting a new SaaS tool approved at most Melbourne SMEs is “raise a request, wait two weeks, get told no”. Trello is free. Notion is free. Calendly is free. ChatGPT is free. A salesperson who needs to send a polished proposal to a prospect by Friday will not wait two weeks. They will sign up for the free tier on Wednesday and put the paid upgrade through their personal card if the trial expires before they have proven the case for an official tool.

The second is feature gaps. Microsoft 365 is excellent at a lot of things and mediocre at a few. Planner is not Trello. Forms is not Typeform. SharePoint document collaboration is not Notion. When the official toolset has a feature shaped hole, staff fill it from outside. The accounting firm we audited last quarter had three separate Notion workspaces precisely because nobody could agree whether SharePoint or Teams was the right place to do running notes.

The third is autonomy. Department heads — particularly in sales and marketing — often have their own budget and the authority to spend it. They are not breaking any rules when they sign up to HubSpot, Mailchimp, Canva Pro or Loom. They are exercising the budget authority they were given. IT only finds out when something integrates badly with the core stack, or when the credit card runs through to finance.

The right framing is: shadow IT is a signal that your official tooling is missing something. Treat it as feedback, not as misbehaviour.

The actual cost of unsanctioned SaaS

Shadow IT is not free for the business. It costs in five distinct ways.

Direct duplication. Three different teams each paying $50 a month for the same tool because none of them knows the others have it. We have audited Melbourne SMEs that were paying for Slack, Microsoft Teams, Google Chat and Discord simultaneously. None of the leaders knew about all four.

Data exposure. Client data in unmanaged tools the business has no idea exists, with no DLP, no retention policy, and no offboarding when the staff member leaves. The Notion workspace tied to someone’s personal email survives their departure indefinitely unless someone goes looking.

Compliance failure. The Australian Privacy Act obligations apply to personal information regardless of which SaaS tool the staff member chose to store it in. The fact that the tool was not sanctioned by IT is not a defence. The 2024-25 amendments tightened the breach notification and accountability requirements specifically here.

Integration risk. Every shadow tool that connects to Microsoft 365 via OAuth gets a slice of access to your tenant. Most of them are fine. Some of them are not. There is a non-trivial number of “free productivity apps” with read access to mailbox content.

Exit friction. When a senior staff member leaves and they have been the de facto owner of three shadow SaaS tools the rest of the team relies on, you are now in the position of either paying ransom to get the data out, or rebuilding the institutional knowledge from scratch.

Four discovery methods that actually work for SMEs

You do not need to buy a Cloud Access Security Broker for $40,000 a year to find your shadow IT. There are four cheap and effective methods, and the right answer for most Melbourne SMEs is to run all four sequentially.

Method 1: Microsoft Defender for Cloud Apps (if you have it)

If you are on Microsoft 365 E5, Defender for Cloud Apps is built in. If you are on Business Premium, it is not, but the related “Cloud Discovery” features in Microsoft Defender for Endpoint give you a surprisingly useful subset. Both work by analysing endpoint and firewall logs for outbound connections to known SaaS providers, then producing a discovery report that maps which staff are using what.

The first run of this against a tenant is always sobering. We ran it for a 70-person legal firm in Richmond and the discovery report identified 137 distinct cloud services in use, of which the firm had formally sanctioned 12. The rest broke down into “harmless free tools nobody minds” (about 80), “duplicates of things we already pay for” (about 20), “things that should probably be replaced” (about 15), and “wait what is this” (about 10).

Defender for Cloud Apps gives you a risk score per service based on a published catalogue of about 30,000 cloud apps with their compliance and security attributes. That risk score is a useful starting point for triage but should not be treated as the final word.

Method 2: Expense report keyword scan

This costs nothing. Export the last twelve months of corporate card transactions and personal expense reimbursements. Scan for the obvious keywords: Notion, Trello, Asana, Monday, Loom, Calendly, Canva, HubSpot, Mailchimp, ChatGPT, Anthropic, OpenAI, Zapier, Make, Airtable, Slack, Zoom, Lucidchart, Miro, Figma, Dropbox, Google. Add any local Australian SaaS providers relevant to your industry.

This catches everything that has gone through finance — which is roughly two-thirds of all shadow IT, in our experience. The expense report scan is fast, cheap, and produces a list with names attached, which is the part that makes the conversation possible. A salesperson cannot deny they signed up to HubSpot when the $80 a month is on their May expense report.

We did this exercise for a Geelong construction firm and the keyword scan caught more shadow SaaS than the Defender for Cloud Apps discovery did, because so much of the spend was on personal cards being expensed back.
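The expense-claim search described in the SaaS audit section earlier and the keyword scan in this method are the same exercise, so one added example covers both. It is not TechAssist's tooling: the CSV is constructed to look like a card or reimbursement export (Date, Claimant, Merchant, Amount) and the vendor stems extend the list above with the names those vendors actually bill under; both need tuning to your own export before the output means anything.

```powershell
# Added example (not TechAssist's tooling). Everything below is constructed: the CSV mimics a
# corporate-card/reimbursement export with Date,Claimant,Merchant,Amount columns; adjust to your export.
$sampleExport = @'
Date,Claimant,Merchant,Amount
2025-07-03,a.nguyen,TRELLO.COM* ATLASSIAN,13.00
2025-07-03,j.smith,Trello Atlassian Sydney,26.00
2025-07-15,r.patel,NOTION LABS INC,16.00
2025-08-03,a.nguyen,TRELLO.COM* ATLASSIAN,13.00
2025-08-03,j.smith,Trello Atlassian Sydney,26.00
2025-08-15,r.patel,NOTION LABS INC,16.00
2025-08-20,m.lee,Officeworks Bourke St,84.50
2025-08-21,m.lee,HUBSPOT INC,80.00
2025-09-21,m.lee,HUBSPOT INC,80.00
2025-09-30,j.smith,CALENDLY LLC,12.00
2025-10-02,k.brown,Coles Express Richmond,45.20
'@

# Vendor stems from the article's list plus the card-descriptor names they actually bill under.
$vendorKeywords = 'Notion','Trello','Atlassian','Asana','Monday.com','Loom','Calendly','Canva','HubSpot',
                  'Mailchimp','ChatGPT','OpenAI','Anthropic','Zapier','Airtable','Slack','Zoom','Lucid',
                  'Miro','Figma','Dropbox','Grammarly','Adobe'

function Find-SaasSpend {
    param([string]$CsvText, [string[]]$Keywords)

    $hits = foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        # Descriptors are noisy ("TRELLO.COM* ATLASSIAN" vs "Trello Atlassian Sydney"), so match on a
        # case-insensitive word-start stem. First keyword in the list wins, so put products before parents.
        $vendor = $Keywords | Where-Object { $row.Merchant -match "\b$([regex]::Escape($_))" } | Select-Object -First 1
        if ($vendor) {
            [pscustomobject]@{ Vendor = $vendor; Claimant = $row.Claimant; Amount = [decimal]$row.Amount; Month = ([datetime]$row.Date).ToString('yyyy-MM') }
        }
    }

    $hits | Group-Object Vendor | ForEach-Object {
        $claimants = @($_.Group.Claimant | Sort-Object -Unique)
        $months    = @($_.Group.Month    | Sort-Object -Unique).Count
        $total     = ($_.Group.Amount | Measure-Object -Sum).Sum
        [pscustomobject]@{
            Vendor          = $_.Name
            Charges         = $_.Count
            Claimants       = $claimants -join ','
            Total           = $total
            # Average monthly spend across the months it appeared, times 12: the number for the savings tracker.
            AnnualisedRun   = [math]::Round($total / $months * 12, 2)
            # Two or more people expensing the same vendor is the "three Trellos" pattern.
            LikelyDuplicate = $claimants.Count -gt 1
        }
    } | Sort-Object AnnualisedRun -Descending
}

Find-SaasSpend -CsvText $sampleExport -Keywords $vendorKeywords | Format-Table -AutoSize
```

On the constructed data this surfaces Trello as the top duplicate (two claimants, $468 annualised) and HubSpot as the largest single spend; on real data, expect false positives from broad stems such as Zoom or Adobe and treat the output as a list to confirm with the claimants, not a cancellation list.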

Method 3: Browser extension audit

If your staff use Chrome or Edge on managed devices, the installed extensions list is a goldmine of shadow tooling. Grammarly, Loom, Asana, Notion Web Clipper, ChatGPT extensions, password manager extensions that are not the corporate one, screen recorders, AI writing assistants — they all show up.

This is also where you find the genuinely risky stuff. There is a long tail of malicious browser extensions that survive on the Chrome Web Store for weeks at a time before being pulled, often with names that look like productivity tools. An extension audit catches these and is also a chance to enforce an allowlist via Microsoft Edge for Business or Chrome Enterprise policies.

For Melbourne SMEs on Microsoft Intune, this is a one-page report. For unmanaged endpoints it requires a walk-the-floor approach, which is part of why endpoint management matters.

Method 4: Microsoft 365 OAuth consent report

This is the one most people miss. Every time a staff member clicks “Sign in with Microsoft” on a third-party SaaS app, that app gets an OAuth token to access some scope of their Microsoft 365 data. The list of apps with active OAuth consent against your tenant lives in the Entra admin centre under Enterprise Applications, and is usually astonishing the first time someone looks.

We did this for a Camberwell architecture firm and found 89 third-party applications with active OAuth consent against their tenant, including three that had been granted “read all mail” scope — one of which was a free email tracking tool an account manager had signed up to in 2022 and forgotten about. That OAuth grant survived their staff turnover and was still active two years later.

The OAuth consent report is also where you find the AI integrations. ChatGPT plugins, Anthropic Claude connections, Zapier OAuth grants, all the new wave of AI productivity tools that are wiring themselves into Microsoft 365. None of them are inherently malicious. All of them deserve to be looked at.
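Clicking through Enterprise Applications works for a dozen apps; at 89 grants you want the whole list in one table, with the scopes that matter, the publisher, and whether the person who consented still exists. The script below is an added example, not TechAssist's tooling, written against the Microsoft Graph PowerShell SDK with read-only scopes. The high-risk scope list is this example's starting point, not an authoritative one.

```powershell
# Added example (not TechAssist's tooling). Needs the Microsoft Graph PowerShell SDK and read-only scopes.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

# Delegated scopes that hand a third party mailbox, file or directory contents. Extend for your tenant.
$highRiskScopes = 'Mail.Read','Mail.ReadBasic','Mail.ReadWrite','Mail.Send','MailboxSettings.ReadWrite',
                  'Files.Read.All','Files.ReadWrite.All','Sites.Read.All','Sites.ReadWrite.All',
                  'Contacts.Read','Calendars.Read','Directory.Read.All','Directory.AccessAsUser.All',
                  'full_access_as_user','EWS.AccessAsUser.All','IMAP.AccessAsUser.All'

# Service principal lookups are cached: 89 grants usually map to far fewer distinct apps.
$spCache = @{}
function Get-CachedServicePrincipal([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id -Property DisplayName,AppId,VerifiedPublisher,AppOwnerOrganizationId
    }
    $spCache[$Id]
}

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $app      = Get-CachedServicePrincipal $grant.ClientId
    $resource = Get-CachedServicePrincipal $grant.ResourceId     # usually Microsoft Graph or Exchange Online
    $scopes   = @($grant.Scope -split '\s+' | Where-Object { $_ })

    # ConsentType 'Principal' means one user clicked Accept; 'AllPrincipals' means an admin consented for everyone.
    $grantedBy = if ($grant.ConsentType -eq 'AllPrincipals') { 'ADMIN (tenant-wide)' }
                 else {
                     try {
                         $u = Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName,AccountEnabled -ErrorAction Stop
                         if ($u.AccountEnabled) { $u.UserPrincipalName } else { "$($u.UserPrincipalName) (DISABLED)" }
                     }
                     catch { "DELETED USER $($grant.PrincipalId)" }   # the grant outlived the person who made it
                 }

    [pscustomobject]@{
        App         = $app.DisplayName
        Publisher   = if ($app.VerifiedPublisher.DisplayName) { $app.VerifiedPublisher.DisplayName } else { 'UNVERIFIED' }
        Resource    = $resource.DisplayName
        GrantedBy   = $grantedBy
        RiskyScopes = @($scopes | Where-Object { $_ -in $highRiskScopes }) -join ' '
        AllScopes   = $scopes -join ' '
        GrantId     = $grant.Id        # what Remove-MgOauth2PermissionGrant needs when you decide to retire it
    }
}

$report | Export-Csv -Path .\oauth-consent-report.csv -NoTypeInformation
# Triage view: mailbox/file access first, then anything from an unverified publisher or a departed user.
$report | Where-Object { $_.RiskyScopes -or $_.Publisher -eq 'UNVERIFIED' -or $_.GrantedBy -match 'DELETED|DISABLED' } |
    Sort-Object App | Format-Table App, Publisher, GrantedBy, RiskyScopes -AutoSize
```

A grant whose GrantedBy reads DELETED USER is exactly the Camberwell case: the consent survived the person. Retiring one is Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId on the GrantId, after the data-export conversation. This report covers delegated consent only; app-only (application) permissions are appRoleAssignments and come from Get-MgServicePrincipalAppRoleAssignment. To stop the list regrowing, tighten the tenant's user consent settings so that apps from unverified publishers, or requesting anything beyond basic profile, go through the admin consent workflow rather than a user's Accept button.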

The four-bucket triage: sanction, replace, retire, ignore

Once you have a discovery list, every item goes into one of four buckets. The bucket determines the action. This is the framework we use with every Melbourne SME shadow IT engagement.

Bucket   | What it means | Action | Typical examples
Sanction | Genuinely useful, no reasonable alternative in the existing stack, acceptable risk profile | Bring under IT management, move billing to the corporate card, document data classification, set up offboarding workflow | Specialist design tools, niche industry apps, accepted general productivity tools (Calendly, Loom)
Replace  | Duplicates a capability the business already pays for elsewhere | Migrate users to the official tool, cancel the shadow subscription, set a hard date | Trello when the org pays for Planner, Dropbox when the org pays for OneDrive, Slack when the org pays for Teams
Retire   | Genuinely risky, dormant, abandoned, or actively dangerous | Revoke OAuth grants, contact provider for data export, then delete | Forgotten OAuth grants from 2022, malicious browser extensions, abandoned personal accounts holding client data
Ignore   | Low risk, low cost, low value to act on | Note it, move on, do not waste cycles | Free productivity tools with no data sharing, personal-use tools, ad-hoc utilities

The ignore bucket is important. The temptation in shadow IT projects is to try to bring everything under formal control, which is both impossible and counterproductive. If a salesperson has Grammarly installed on their personal browser profile and uses it occasionally, that does not need to be on a vendor management register. Pick your battles.

Case study: a Melbourne accounting firm with three Trellos

A mid-sized accounting firm we work with — about 60 staff across two offices, including one in South Yarra — asked us to run a shadow IT discovery exercise in mid-2025 because their cyber insurer had started asking pointed questions about SaaS inventory at renewal. The findings were instructive.

The expense report scan turned up three separate Trello accounts run by three different teams. None of the teams knew the others had one. Each was paying $13 per user per month for the standard tier. The combined annual spend was $14,400, and the equivalent functionality was already available in Microsoft Planner and Loop, which were included in their existing M365 Business Premium subscription.

The OAuth consent report identified two Notion workspaces with active access to mailbox content. One was being actively used by the marketing team; the other belonged to a partner who had set it up in 2023 to draft a strategy document and then forgotten about it. The forgotten one still had read access to his mailbox via OAuth.

Most concerning, the browser extension audit identified a competitor’s project management tool — a SaaS aimed at accounting firms specifically — installed by a junior accountant on her work laptop. She had been adding live client data into it as a personal productivity tool because she found it easier than the firm’s official practice management software. The client data exposure was real, the staff member’s intent was harmless, and the underlying problem was that the official tool was genuinely worse than the alternative she found.

The triage outcome: Trellos consolidated and replaced with Planner over six weeks. The active Notion workspace was sanctioned and brought under IT management with proper offboarding workflow. The forgotten one was retired and OAuth revoked. The competitor tool was retired, the data was migrated out and into the firm’s official system, and the practice management software was put on the roadmap for replacement because the staff feedback was now formally on the table. None of this would have happened without the discovery exercise.

Building a sanctioning path so this does not happen again

Discovery is the first step. The longer-term fix is to build an internal path for staff to legitimately request new SaaS tools, with a turnaround time fast enough that they do not need to go around it. Three principles.

Time-box the approval. Five business days from request to yes/no. Longer than that and people will revert to shadow IT. The five-day commitment is enforceable if the assessment is structured: data classification, vendor security posture, integration impact, cost. A senior engineer can usually run this in two hours.

Pre-approve common categories. Maintain a list of SaaS categories where any tool from a pre-approved shortlist can be self-served by staff. Design tools, video conferencing, scheduling tools — none of these need a full assessment every time someone wants to use one. The shortlist gets reviewed quarterly.

Make rejection mean something. If you say no to a tool, you owe the requester either an alternative that meets their need or a clear explanation of why the problem cannot be solved that way. “No” without context is what drives staff into the shadow IT cycle. Co-managed IT models often work well here because they give internal IT the capacity to run this assessment without becoming the bottleneck.

The role of identity and conditional access

Shadow IT discovery is closely related to the broader identity story. The more you centralise authentication through Microsoft Entra ID, the more visibility you get over what is connected to your tenant. Tools that require staff to create separate accounts with personal email addresses are inherently invisible; tools that integrate via “Sign in with Microsoft” show up in the OAuth consent report.

Conditional Access policies can be configured to require admin consent for any new third-party application requesting Microsoft 365 data access, which closes the OAuth-grant-from-2022 problem at the source. This is one configuration change, takes about thirty minutes, and stops new shadow IT from accumulating in that specific way. We make it a standard part of the cybersecurity baseline for every new client tenant we onboard.

The trade-off is that admin consent becomes a queue you have to service. If the queue is slow, staff will route around it. Five business days, again.
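The OAuth consent report mentioned above is a list of delegated grants, and the useful work is sorting that list by what each grant can actually reach. The Python below is an added example, not TechAssist's tooling and not a Microsoft report. It assumes the grants have been exported from Microsoft Graph (the oauth2PermissionGrants resource, whose clientId, consentType, principalId and scope fields are used here) and joined with each app's display name and a consent date pulled from the tenant audit log, since the grant object itself has no timestamp. The grant rows, app names, user ids and the 365-day staleness cut-off are all constructed; the scope names are real Graph delegated permissions.

```python
"""Triage an exported OAuth consent report from Microsoft Entra ID.

Added example, not TechAssist's tooling. Assumes delegated grants exported
from Microsoft Graph (oauth2PermissionGrants), joined with the app display
name and a consent date from the audit log. Sample rows are constructed.
"""
from datetime import date

# Delegated scopes that hand an app mailbox, file or directory content.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "User.Read.All",
}
# Scopes every "Sign in with Microsoft" app receives; on their own they are low value to act on.
SIGN_IN_ONLY = {"openid", "profile", "email", "offline_access", "User.Read"}

REPORT_DATE = date(2026, 1, 15)  # constructed audit date

# Constructed sample using Graph field names with made-up values. principalId is
# None for tenant-wide (admin) consent and a user object id for per-user consent.
SAMPLE_GRANTS = [
    {"clientId": "sp-notion", "displayName": "Notion", "consentType": "Principal",
     "principalId": "user-marketing", "consentDate": "2025-03-10",
     "scope": "openid profile offline_access User.Read Mail.Read Files.Read.All"},
    {"clientId": "sp-notion", "displayName": "Notion", "consentType": "Principal",
     "principalId": "user-partner", "consentDate": "2023-05-02",
     "scope": "openid profile offline_access User.Read Mail.Read"},
    {"clientId": "sp-calendly", "displayName": "Calendly", "consentType": "Principal",
     "principalId": "user-sales", "consentDate": "2025-01-20",
     "scope": "openid profile email Calendars.ReadWrite"},
    {"clientId": "sp-hrsync", "displayName": "HR Sync Connector", "consentType": "AllPrincipals",
     "principalId": None, "consentDate": "2024-11-05",
     "scope": "User.Read.All Directory.Read.All"},
    {"clientId": "sp-grammarly", "displayName": "Grammarly", "consentType": "Principal",
     "principalId": "user-sales", "consentDate": "2025-06-01",
     "scope": "openid profile User.Read"},
]


def parse_scopes(scope_field: str) -> set[str]:
    """Graph returns the granted delegated scopes as one space-separated string."""
    return set(scope_field.split())


def triage_grant(grant: dict, today: date = REPORT_DATE, stale_after_days: int = 365) -> dict:
    """Classify one grant: risk from the scopes it holds, plus tenant-wide and stale flags."""
    scopes = parse_scopes(grant["scope"])
    sensitive = sorted(scopes & HIGH_RISK_SCOPES)
    beyond_sign_in = scopes - SIGN_IN_ONLY
    risk = "high" if sensitive else ("medium" if beyond_sign_in else "low")
    flags = []
    if grant["consentType"] == "AllPrincipals":
        flags.append("tenant-wide")  # reaches every user's data, not only the consenting user's
    consented = date.fromisoformat(grant["consentDate"])
    if (today - consented).days > stale_after_days:
        flags.append("stale")        # old consent never reviewed: the forgotten-workspace pattern
    return {"app": grant["displayName"], "principal": grant["principalId"] or "ALL",
            "risk": risk, "sensitive_scopes": sensitive, "flags": flags}


def triage_report(grants: list[dict], today: date = REPORT_DATE) -> list[dict]:
    """Whole report, highest risk first, so the review queue starts where it matters."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [triage_grant(g, today) for g in grants]
    return sorted(rows, key=lambda r: (order[r["risk"]], r["app"]))


def apps_with_mailbox_access(grants: list[dict]) -> list[str]:
    """Distinct apps holding any Mail.* scope: the list a SaaS inventory question needs."""
    return sorted({g["displayName"] for g in grants
                   if any(s.startswith("Mail.") for s in parse_scopes(g["scope"]))})


if __name__ == "__main__":
    for row in triage_report(SAMPLE_GRANTS):
        print(f'{row["risk"]:6} {row["app"]:18} {row["principal"]:15} '
              f'{",".join(row["sensitive_scopes"]) or "-":30} {" ".join(row["flags"])}')
```

Run against the sample, the two Notion grants both land in the high bucket because of Mail.Read, and the partner's one also carries the stale flag, which is exactly the pair from the accounting-firm case: one to sanction, one to revoke. The tenant-wide HR connector sorts to the top regardless of age because admin consent reaches every mailbox and user object, not just the person who clicked accept.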

What this costs to fix

For a typical 50-person Melbourne SME, a complete shadow IT discovery and triage engagement runs four to six weeks of elapsed time and one to two days of senior engineer effort. The deliverables are: an inventory of cloud services in use, a triage report with recommended actions per service, a remediation plan for the high-risk items, and a sanctioning workflow design for ongoing requests.

The hard-dollar return varies but is almost always positive. The Geelong construction firm saved $9,400 a year in duplicate SaaS subscriptions identified during discovery. The Richmond legal firm saved closer to $22,000 because they had been paying for three project management tools and four file-sharing tools simultaneously. The South Yarra accounting firm broke even on direct cost but eliminated a real data exposure that would have been a notifiable breach if it had been discovered later.

The softer return — the reduction in compliance risk, the cleaner OAuth surface, the ability to answer “what SaaS tools do you use” honestly on an insurance renewal — is harder to put a number on but matters more.

How TechAssist runs shadow IT discovery

We treat shadow IT discovery as a structured engagement, not an ongoing service. The work is intensive for four to six weeks and then transitions into a steady-state sanctioning process that internal stakeholders can run themselves with our support.

Founded in 2014, we have 13 Australian-employed engineers and a 24/7 NOC in Tecoma. Our two offices — Tecoma and 575 Bourke Street CBD — let us run on-site sessions for Melbourne metro clients on the same business day where the discovery work needs human follow-up. We are Essential Eight aligned and ISO 27001 capable, which matters when the deliverable from the engagement needs to land in front of an auditor or cyber insurer.

We have run shadow IT engagements for clients in construction, manufacturing, logistics, law firms, accounting firms and healthcare. The methodology is broadly similar; the specific tools that show up vary wildly by industry. A construction firm’s shadow IT is almost entirely site-management apps and free file-sharing tools. A law firm’s is document collaboration and AI drafting tools. A healthcare provider’s is patient communication platforms — which is where the regulatory stakes get serious.

Frequently Asked Questions

Is shadow IT really a security problem or just an IT housekeeping issue?

Both, depending on which tool. A free Calendly account with no client data in it is housekeeping. A Notion workspace holding client matter notes with OAuth access to a partner’s mailbox is a security problem. The point of discovery and triage is to tell the difference and act accordingly.

Can we just ban shadow IT outright?

You can write a policy that says so, but you cannot enforce it without either heavy egress controls (which most SMEs find impractical) or a fast sanctioning process (which most do not have). The realistic answer is “discover, triage, sanction the useful, retire the risky, build a fast path for new requests so people use it”.

How often should we run a discovery exercise?

The first run is the big one. After that, an annual refresh combined with a quarterly OAuth consent review is enough for most Melbourne SMEs. If your business is going through rapid headcount growth or a significant tooling change, run discovery more often.

Do free SaaS tools count as shadow IT?

Yes. The pricing is irrelevant to the risk assessment. A free Trello account with client tasks in it is the same data exposure problem as a paid one. The triage matters more than the cost.

What about staff using their personal ChatGPT account for work?

This is the 2026 version of the shadow IT problem and it deserves its own conversation. Personal AI accounts in use for work tasks need to be either replaced with sanctioned enterprise alternatives (Microsoft 365 Copilot Chat, ChatGPT Team, Anthropic Claude Team) or actively prohibited. The middle ground — “just be careful” — does not work because there is no audit trail.

Should we tell staff we are running discovery?

Yes. Transparency makes the exercise work better. Staff who know discovery is happening volunteer information that the technical methods would not have caught. Frame it as “we want to make sure the tools you need are properly supported”, not as “we are looking for who broke the rules”.

What to do this week

Pick one of the four discovery methods and run it. The expense report scan is the easiest starting point and requires nothing more than a spreadsheet and an hour. The OAuth consent review is the second easiest if you have Microsoft 365 admin access. Both will turn up enough to justify a broader conversation.

Whatever you find, do not lead with blame. Lead with curiosity. The staff who signed up for these tools were trying to do their jobs. The fix is to build a system where doing their jobs and following the rules are the same thing.

If you want a hand running a structured shadow IT discovery and triage across your Melbourne business, get in touch. We will tell you what is worth fixing and what is not.

To audit your MSP before renewal, pull twelve months of ticket data, your asset register, every invoice, and your security baseline. Then test the provider against ten measurable points: SLA compliance, resolution times, security posture, licence usage, documentation, after-hours performance, strategic input, escalation, project scope, and communication quality. The gaps tell you whether to re-sign.

Most Melbourne SMEs renew their managed IT contract on autopilot. The invoice arrives, someone signs it, and another three years tick over. That’s how businesses end up paying for fifty Microsoft 365 licences when they have thirty-eight staff, or discover their “24/7 support” means a voicemail box until 8am.

This is a checklist you can run yourself before you put pen to paper on a renewal — or before you go to market. It applies to any provider, including us. If your current MSP can’t survive this audit, the renewal conversation should be a difficult one.

Why a pre-renewal audit matters

MSP contracts in Australia typically run two to three years. Over that time, staff numbers shift, software stacks change, security expectations rise, and the original scope drifts. The provider you signed with in 2023 isn’t necessarily the same operation in 2026 — engineers leave, tooling changes, and the founder who sold you the contract may not even be answering tickets anymore.

An audit gives you leverage. If you walk into renewal negotiations with twelve months of ticket data, a count of unused licences, and a list of unmet SLAs, you’re not arguing on vibes. You’re arguing on numbers. That changes the price, the scope, and often the provider.

We’ve done second-opinion audits for businesses in Hawthorn, Box Hill, and Dandenong South where the existing MSP had been billing for services they weren’t delivering for years. Nobody was being malicious — it’s just that nobody had checked.

Before you start: what to gather

You’ll need:

  • The last 12 months of ticket exports (CSV from the MSP’s PSA — ConnectWise, Autotask, HaloPSA, Halo, whatever they run)
  • Every invoice for the past 12 months, including any project or out-of-scope work
  • The current Master Services Agreement and any Statements of Work
  • The agreed SLA document
  • Your current asset register (from the MSP)
  • Your Microsoft 365 / Google Workspace admin centre access
  • Any documentation the MSP has provided (network diagrams, runbooks, password vault structure)

If your MSP refuses to hand over ticket data or the asset register, that’s the first red flag — and probably the only audit point you need. The data is yours. They’re contracted to maintain it on your behalf.

The 10-point audit checklist

1. Pull real ticket data and check the numbers

What to pull: A CSV export of every ticket logged in the last 12 months, with fields for date opened, date closed, priority, category, time-to-first-response, time-to-resolution, and engineer assigned.

What to look for: Total ticket volume per user per month (a healthy environment runs 0.5 to 1.5 tickets per user per month — anything higher suggests unresolved root causes), category distribution (if 40% of tickets are password resets, you’ve got a self-service problem), and engineer concentration (are 80% of your tickets handled by one person who could leave tomorrow?).

Red flags: Ticket volume trending up over the year, repeat tickets on the same machine or user, tickets closed without resolution notes, or a single engineer carrying the entire account. Also watch for tickets being closed and immediately reopened — that’s a metrics game, not a fix.

2. Test SLA compliance against the contract

What to pull: Your signed SLA and the same 12 months of ticket data, filtered by priority.

What to look for: Calculate the percentage of P1, P2, P3 and P4 tickets that met the contracted response and resolution targets. If your contract says “P1 response within 15 minutes” and 30% of P1s took an hour, you have a breach pattern, not an exception.

Red flags: SLA compliance below 95% on any tier. Vague SLA definitions like “best efforts” or “as soon as practical” — those aren’t SLAs, they’re hedges. For reference, our standard P1 response sits under 15 minutes from our 24/7 NOC in Tecoma, with the SLA structure and credit terms documented on our pricing page. If your provider can’t show you a written SLA with credits attached, that’s a deeper problem.

3. Audit the asset register against your invoices

What to pull: The MSP’s asset register (every endpoint, server, switch, firewall, and licensed user) and your monthly invoices.

What to look for: Reconcile the number of billed devices and users against what’s actually deployed. If you’re paying per-device or per-user, you should be able to name every line item. We’ve seen Melbourne businesses paying for laptops that left with employees in 2022.

Red flags: Billed count exceeds physical count. Devices on the register that haven’t reported in for 90+ days (either decommissioned or unmanaged — both are problems). No documented onboarding/offboarding process for assets. Read our breakdown of how Australian MSPs structure billing for the trade-offs between per-user and per-device models.

4. Check security posture against current standards

What to pull: The Essential Eight maturity assessment (if your MSP has done one), your last vulnerability scan, MFA coverage report from Microsoft 365 or Google Workspace, endpoint detection coverage report, and patching compliance numbers.

What to look for: MFA on 100% of accounts (not 95% — the unprotected accounts are where attackers go). Endpoint protection deployed on every device including BYOD where applicable. Patching cycles documented with compliance rates above 95% for critical patches within 14 days. Privileged access reviewed quarterly.

Red flags: No documented Essential Eight position. No regular vulnerability scanning. Legacy protocols still enabled (SMBv1, basic auth on Exchange Online, NTLMv1). Local admin rights handed out to end users. An MSP that can’t tell you the security posture of your environment in concrete terms isn’t doing the work.

5. Audit licence usage versus licence cost

What to pull: Microsoft 365 admin centre user list (or Google Workspace equivalent), every other software subscription on the invoice (security tooling, backup, RMM), and a current staff list from HR.

What to look for: Unassigned licences, licences assigned to former staff, users on Business Premium who only need Business Standard, users on E3 who’d be fine on Business Premium. Backup licences for machines that no longer exist. We routinely find 10–20% of licence spend is dead weight.

Red flags: The MSP can’t produce a clean licence-to-user map. They’re billing you for licences they’re buying through their own CSP at a markup you can’t see. They’ve never proactively suggested a downgrade — only upgrades. This is one of the areas covered in detail in our piece on hidden costs Melbourne MSPs don’t disclose.
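Points 3 and 5 are both reconciliation exercises: a join between what is billed and what exists. The Python below is an added example, not TechAssist's tooling and not an admin centre report. It assumes four inputs you have exported by hand: the MSP's asset register with a last check-in date per device, the device lines from the invoice, the Microsoft 365 user list with the SKU assigned to each user, and the HR staff list keyed by the local part of the UPN. Every device name, user, seat count and per-seat price in it is constructed; the 90-day silent-device threshold is the one the checklist above uses.

```python
"""Asset-register and licence reconciliation for audit points 3 and 5.

Added example, not TechAssist's tooling. All four inputs are constructed:
asset register with last check-in, billed device list, Microsoft 365 user
list with assigned SKUs, and the HR staff list.
"""
from collections import Counter
from datetime import date

AUDIT_DATE = date(2026, 1, 15)  # constructed

ASSET_REGISTER = [
    {"device": "LT-001", "user": "a.ng",   "last_checkin": "2026-01-14"},
    {"device": "LT-002", "user": "b.ryan", "last_checkin": "2025-09-02"},  # silent for months
    {"device": "LT-003", "user": "c.ho",   "last_checkin": "2026-01-13"},
    {"device": "SRV-01", "user": "",       "last_checkin": "2026-01-15"},
]
BILLED_DEVICES = ["LT-001", "LT-002", "LT-003", "LT-004", "SRV-01"]  # LT-004 billed, never registered

M365_USERS = [
    {"upn": "a.ng@example.com.au",   "sku": "Business Premium"},
    {"upn": "b.ryan@example.com.au", "sku": "Business Premium"},   # left in 2025
    {"upn": "c.ho@example.com.au",   "sku": "Business Standard"},
    {"upn": "e.old@example.com.au",  "sku": "Business Premium"},   # never offboarded
]
HR_STAFF = {"a.ng", "c.ho", "d.lee"}                                # current staff, UPN local part
PURCHASED = {"Business Premium": 5, "Business Standard": 2}         # seats on the invoice
UNIT_PRICES = {"Business Premium": 24.0, "Business Standard": 17.0}  # AUD per seat per month, constructed


def stale_devices(register, audit_date: date, max_silent_days: int = 90) -> list[dict]:
    """Devices silent for 90+ days: decommissioned or unmanaged, and either is a finding."""
    return [d for d in register
            if (audit_date - date.fromisoformat(d["last_checkin"])).days >= max_silent_days]


def billing_variance(register, billed: list[str]) -> dict:
    """Billed lines versus register: the 'name every line item' test from point 3."""
    registered = {d["device"] for d in register}
    return {"billed_not_registered": sorted(set(billed) - registered),
            "registered_not_billed": sorted(registered - set(billed))}


def orphaned_licences(users, hr_staff: set) -> list[dict]:
    """Licences still assigned to people HR no longer lists."""
    return [u for u in users if u["upn"].split("@")[0] not in hr_staff]


def licence_summary(users, purchased: dict) -> dict:
    """Purchased versus assigned per SKU; unassigned seats are paid for and unused."""
    assigned = Counter(u["sku"] for u in users)
    return {sku: {"purchased": n, "assigned": assigned[sku], "unassigned": n - assigned[sku]}
            for sku, n in purchased.items()}


def annual_orphan_cost(orphans, unit_prices: dict) -> float:
    """Annualised spend on orphaned seats: the figure to take into the renewal meeting."""
    return sum(unit_prices[u["sku"]] for u in orphans) * 12


if __name__ == "__main__":
    print("stale devices:", [d["device"] for d in stale_devices(ASSET_REGISTER, AUDIT_DATE)])
    print("billing variance:", billing_variance(ASSET_REGISTER, BILLED_DEVICES))
    orphans = orphaned_licences(M365_USERS, HR_STAFF)
    print("orphaned seats:", [u["upn"] for u in orphans],
          "costing", annual_orphan_cost(orphans, UNIT_PRICES), "a year")
    print("seat summary:", licence_summary(M365_USERS, PURCHASED))
```

The two lists this produces, silent devices still being billed and seats still assigned to departed staff, are the same two line items the Camberwell table below reports as overspend. A device in the register that is not on the invoice is worth chasing too; it usually means something is being managed for free by accident or not managed at all.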

6. Review documentation completeness

What to pull: Every document the MSP holds about your environment — network diagrams, server inventory, application list, vendor contacts, line-of-business app runbooks, disaster recovery plan, password vault structure, and the offboarding playbook.

What to look for: A non-engineer should be able to follow the network diagram. The DR plan should specify RPO, RTO, and the exact steps to recover. Application runbooks should cover the quirks — the printer driver that needs a specific install order, the legacy app that breaks on Windows 11 24H2.

Red flags: Documentation last updated more than six months ago. Critical knowledge held in one engineer’s head. No documented DR plan or a plan that’s never been tested. If your MSP can’t hand you a portable, useful documentation pack, you don’t own your environment — they do. That’s a problem when you switch.

7. Check after-hours response performance

What to pull: Ticket data filtered for tickets logged outside 8am–6pm Monday to Friday, plus any after-hours phone records.

What to look for: Average response time for P1s logged at 2am. Whether a real engineer picked up or whether tickets sat until the next business day. Whether your contract specifies 24/7 coverage or only business hours.

Red flags: “24/7 support” that’s actually a triage line forwarded to an offshore call centre with no escalation authority. Long after-hours response times for outages that hit your operations. Our NOC runs 24/7 from Tecoma with the same 13 Australian engineers who handle daytime work — the model isn’t universal, so check what you’re actually getting.
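Points 1, 2 and 7 all run off the same 12-month ticket export, so one script can answer all three. The Python below is an added example, not TechAssist's tooling and not a report any PSA produces natively. It assumes the export has been mapped to the columns in the constructed sample (real ConnectWise, Autotask or HaloPSA exports name these fields differently, so rename them first) and that first response is recorded in minutes. The ten ticket rows, the headcount and the SLA targets are constructed; the 0.5 to 1.5 tickets-per-user band, the 95% compliance line and the 8am to 6pm business-hours window are the ones the checklist uses.

```python
"""Ticket-export analysis for audit points 1, 2 and 7.

Added example, not TechAssist's tooling. Assumes a PSA export mapped to the
columns below; all rows and SLA targets are constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime

SAMPLE_EXPORT = """\
id,opened,closed,priority,category,engineer,user,first_response_min,reopened
1001,2025-07-01 09:10,2025-07-01 10:05,P1,Outage,alice,u01,10,no
1002,2025-07-01 22:40,2025-07-02 09:30,P1,Outage,bob,u02,650,no
1003,2025-07-02 11:00,2025-07-02 11:40,P2,Password reset,alice,u03,20,no
1004,2025-07-03 14:15,2025-07-04 16:00,P2,Software,alice,u04,45,yes
1005,2025-07-07 08:30,2025-07-07 09:00,P3,Password reset,alice,u05,30,no
1006,2025-07-08 10:00,2025-07-09 10:00,P3,Hardware,carol,u01,120,no
1007,2025-07-10 13:00,2025-07-10 13:30,P2,Password reset,alice,u06,90,no
1008,2025-07-12 02:05,2025-07-14 09:00,P1,Outage,bob,u07,300,no
1009,2025-07-15 09:00,2025-07-15 09:20,P4,Request,alice,u08,15,no
1010,2025-07-16 16:00,2025-07-16 17:00,P3,Password reset,alice,u02,25,no
"""

# Contracted (response, resolution) targets in minutes per priority. Constructed;
# take the real figures from the signed SLA document.
SLA_TARGETS = {"P1": (15, 240), "P2": (60, 480), "P3": (240, 2880), "P4": (480, 7200)}
FMT = "%Y-%m-%d %H:%M"


def load_tickets(export_text: str) -> list[dict]:
    """Parse the CSV export and derive each ticket's resolution time in minutes."""
    tickets = []
    for row in csv.DictReader(io.StringIO(export_text)):
        opened = datetime.strptime(row["opened"], FMT)
        closed = datetime.strptime(row["closed"], FMT)
        tickets.append({**row,
                        "opened": opened,
                        "first_response_min": int(row["first_response_min"]),
                        "resolution_min": (closed - opened).total_seconds() / 60,
                        "reopened": row["reopened"] == "yes"})
    return tickets


SAMPLE_TICKETS = load_tickets(SAMPLE_EXPORT)


def tickets_per_user_per_month(tickets, headcount: int, months: int) -> float:
    """Healthy band per the checklist is 0.5 to 1.5; above that suggests unresolved root causes."""
    return len(tickets) / (headcount * months)


def category_share(tickets) -> dict:
    counts = Counter(t["category"] for t in tickets)
    return {cat: n / len(tickets) for cat, n in counts.items()}


def engineer_concentration(tickets) -> tuple:
    """Engineer carrying the largest share of the account, and that share."""
    name, n = Counter(t["engineer"] for t in tickets).most_common(1)[0]
    return name, n / len(tickets)


def reopen_rate(tickets) -> float:
    """Closed-then-reopened share: the metrics game the checklist warns about."""
    return sum(t["reopened"] for t in tickets) / len(tickets)


def sla_compliance(tickets, targets: dict) -> dict:
    """Percentage of tickets per priority that met the response and resolution targets."""
    out = {}
    for prio, (resp_target, res_target) in targets.items():
        group = [t for t in tickets if t["priority"] == prio]
        if not group:
            continue
        resp_ok = sum(t["first_response_min"] <= resp_target for t in group)
        res_ok = sum(t["resolution_min"] <= res_target for t in group)
        out[prio] = {"n": len(group),
                     "response_pct": round(100 * resp_ok / len(group), 1),
                     "resolution_pct": round(100 * res_ok / len(group), 1)}
    return out


def sla_breaches(compliance: dict, threshold: float = 95.0) -> list[str]:
    """Priorities under the 95% line: a breach pattern rather than an exception."""
    return [p for p, c in compliance.items()
            if c["response_pct"] < threshold or c["resolution_pct"] < threshold]


def is_after_hours(opened: datetime) -> bool:
    """Outside 8am to 6pm Monday to Friday, the window audit point 7 uses."""
    return opened.weekday() >= 5 or opened.hour < 8 or opened.hour >= 18


def after_hours_p1_response(tickets) -> float:
    """Mean first-response minutes for P1s logged after hours (the 2am outage question)."""
    group = [t["first_response_min"] for t in tickets
             if t["priority"] == "P1" and is_after_hours(t["opened"])]
    return sum(group) / len(group) if group else 0.0


if __name__ == "__main__":
    T = SAMPLE_TICKETS
    print("tickets/user/month:", tickets_per_user_per_month(T, headcount=10, months=1))
    print("category share:", category_share(T))
    print("top engineer:", engineer_concentration(T), "reopen rate:", reopen_rate(T))
    comp = sla_compliance(T, SLA_TARGETS)
    print("SLA:", comp, "breaching tiers:", sla_breaches(comp))
    print("after-hours P1 first response (min):", after_hours_p1_response(T))
```

On the constructed rows the script surfaces every red flag the checklist names: 40% of tickets are password resets, one engineer handles 70% of the account, and P1 and P2 compliance sit far below 95% on both response and resolution. The after-hours cut is the one that usually surprises people, because the two P1s logged at 22:40 and 02:05 are what drive the P1 average; daytime P1 handling looked fine.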

8. Evaluate strategic input (the vCIO function)

What to pull: Meeting minutes or technical business reviews (TBRs) from the past 12 months, the current 3-year IT roadmap, and the budget forecast document.

What to look for: Quarterly business reviews with documented outcomes. A roadmap that ties IT to business goals (expansion, new sites, compliance requirements). Budget forecasts with capex and opex split out. Evidence the MSP is thinking about your business, not just closing tickets.

Red flags: No TBRs in the past year. No roadmap. The only strategic input is “you should buy more of what we sell.” If you’re paying a managed services fee and you’ve never had a strategy conversation, you’re paying for a help desk dressed up as a partnership.

9. Review project work scope creep

What to pull: Every Statement of Work or project quote from the past 24 months alongside the original signed scope.

What to look for: Projects that ballooned past the original quote. Recurring “small projects” that should have been included in the managed service fee (firewall firmware updates, mailbox migrations within the existing tenant, basic group policy changes). Whether the MSP is upselling projects to compensate for thin managed services margins.

Red flags: The total cost of “projects” exceeds 30% of the annual managed services spend. The same project type recurs (Microsoft 365 “optimisation” every six months — that should be ongoing, not a project). Hourly rates on projects that weren’t disclosed at contract signing. Compare your structure against the co-managed, fully managed, and internal IT models to see whether you’re paying twice for the same coverage.

10. Evaluate cultural fit and communication quality

What to pull: Sit down with three people in your business — someone in finance, someone in operations, and your most-frustrated end user.

What to look for: Do they know who to call? Do they get a human, or a ticket form? Do engineers turn up on site when needed, or is everything remote? Do you trust the team? Have engineers stayed across multiple years, or is there churn?

Red flags: Different engineer every ticket, no continuity. Account manager you’ve never met. Communication that comes across as scripted or defensive when issues are raised. An MSP that won’t show you their engineer retention numbers.

A concrete example: how this plays out

A 42-staff professional services firm in Camberwell ran this audit before their renewal last year. Their MSP had been quoting a 6% price increase. Here’s what the audit found:

Audit point | Finding | Annual impact
Licence usage | 7 Microsoft 365 Business Premium licences assigned to former staff | $2,016 overspend
Asset register | 11 devices billed that hadn’t checked in for 6+ months | $3,300 overspend
SLA compliance | P2 resolution SLA met 71% of the time (contract said 95%) | SLA credits owed under contract
Project scope creep | $28,000 in projects that contract scope said were included | $28,000 overspend
Strategic input | Zero TBRs in 18 months despite the contract specifying quarterly | Breach of contract

They didn’t switch immediately — they put the findings to their MSP and renegotiated. Final outcome: 18% reduction in monthly fee, project work re-scoped into the managed contract, and quarterly TBRs reinstated. The audit took about two days of internal effort. The savings were $40K+ in year one.

Not every audit ends with a renegotiation. Sometimes the data is clean and the provider’s doing a good job. That’s a useful result too — you re-sign with confidence rather than out of inertia.

What to do with the findings

If the audit is clean: re-sign, but lock in the SLA credits and TBR cadence in writing. Don’t accept verbal promises.

If the audit shows fixable issues: book a meeting with the MSP, walk through the findings, and ask for a remediation plan with deadlines. Good providers will own the gaps and propose fixes. The reaction tells you whether the relationship is worth continuing.

If the audit shows systemic issues — missing documentation, security gaps, SLA breaches across the board — go to market. Issue an RFP to two or three providers and let the incumbent compete. Our team handles transitions like this regularly; the process is laid out in our managed IT services overview.

How TechAssist would look under this audit

We wrote this checklist knowing it’d be applied to us as well. For the record: we operate from Tecoma with a 24/7 NOC, 13 Australian engineers on staff, sub-15-minute P1 response as standard, per-user fixed monthly fee with no surprise project margins on in-scope work, quarterly TBRs built into every managed contract, and full documentation handover at any point on request. We’ve been doing this since 2014.

None of that means we’re the right fit for every Melbourne SME — we’re not. But the audit is the right way to figure out whether any MSP, us included, is doing what you’re paying them for.

If you want a second-opinion audit run by an MSP that isn’t your current one, give us a call on 1300 028 324 or drop us a line through the contact page. We’ll walk through the ten points with you, no charge for the initial conversation. If the result is that your current provider passes — great, re-sign and get on with running your business.

Frequently asked questions

How long does an MSP audit take?

Two to five working days of internal effort depending on the size of the environment. The data-gathering phase is the slow part — once you have the ticket exports, licence reports, and asset register, the analysis is a day or two for a 30–80 staff business.

Should I tell my current MSP I’m auditing them?

Yes. Frame it as renewal due diligence — most providers do this as standard for their own clients and will cooperate. If they push back on handing over ticket data, asset registers, or documentation, that itself is a finding. The data belongs to you under any reasonable contract.

What if I don’t have the technical skills to interpret the data?

Bring in a third party — either a tech-literate board member, an internal IT lead at another business you trust, or a competing MSP offering a second-opinion audit. Most reputable Melbourne MSPs will do an initial review at no charge as part of a sales conversation. Just be aware they have a commercial interest in the result.

How often should I audit my MSP?

A full audit at every renewal (every two to three years). A lightweight check — licence reconciliation, SLA compliance, ticket volume trends — every six months. If your business goes through significant change (acquisition, new site, headcount jump), audit at that point too.

What’s the difference between an audit and a vCIO review?

A vCIO review is forward-looking — it’s about strategy, roadmap, and budget. An audit is backward-looking — it’s about whether the past 12 months of service matched the contract. You need both, and they shouldn’t be done by the same provider if you want them to be honest.

Ready to Make IT Your Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.