IT Strategy for Melbourne Not-for-Profits: Doing More With ACNC-Grade Constraints

Melbourne not-for-profits run on volunteer-grade IT until something breaks. This is a practical strategy guide for NFPs with 25 to 150 staff: maximising the Microsoft non-profit licensing offers, the volunteer-vs-staff identity model, ACNC governance basics for donor data, and a realistic three-year roadmap on an NFP budget.

Why NFP IT looks the way it does

The pattern is consistent across the Melbourne NFP sector. A founder built the IT environment 8 to 15 years ago, probably with the help of a tech-savvy volunteer, and it grew organically as the organisation grew. Permissions accumulated, mailboxes were shared, board members got admin access, a couple of well-meaning contractors built things that nobody now understands. The IT spend looks lean on paper because most of it was donated, volunteered, or quietly absorbed into operational lines. The risk position looks fine until you actually audit it.

The Australian Charities and Not-for-profits Commission (ACNC) governance standards do not prescribe specific IT controls, but they do require that responsible persons act with reasonable care and diligence, that the organisation’s assets (including data) are managed properly, and that conflicts of interest are managed. For an NFP holding donor financial data, beneficiary case files, or vulnerable-person information, IT is in scope for that diligence obligation whether or not the board has framed it that way.

And then there is the funding reality. NFPs are running with thin margins, restricted grants, and a board that wants every dollar to go to the mission. Spending $80,000 a year on IT looks indefensible until you compare it to the cost of an incident that takes the organisation offline for a week. The strategy below is built to maximise the impact per dollar in an NFP context, drawing on a decade of work with Melbourne charities, social enterprises, and community organisations since founding TechAssist in 2014.

Maximising Microsoft non-profit licensing

The single largest cost lever for an Australian NFP is the Microsoft non-profit offer, and it is the one most under-claimed. Eligible organisations (registered charities with ACNC, plus some NDIS providers and educational organisations) can access:

Offer | What you get | Annual saving vs commercial
Microsoft 365 Business Basic (donated, free) | Web and mobile Office, Exchange, Teams, OneDrive, SharePoint | $110 per user / year
Microsoft 365 Business Premium (heavily discounted, ~$8 per user / month) | Full Business Premium including Defender, Intune, Entra ID P1 | $290 per user / year
Microsoft 365 E3 (donated up to 10 seats, then discounted) | Enterprise-tier productivity and security | $480 per user / year
Microsoft 365 E5 (heavily discounted) | Full enterprise stack including E5 security | $700+ per user / year
Power Platform (discounted) | Power Apps, Power Automate, Power BI | Variable
Azure credit grant (annual) | $3,500 USD per year in Azure consumption credit | ~$5,500 AUD

The offers most NFPs underclaim are the Business Premium discount and the Azure credit. We routinely see NFPs running on Business Basic (free) when Business Premium at $8 per user per month would give them dramatically better security at trivial extra cost. We also see NFPs paying for Azure consumption that the annual credit grant would have covered.

A community services NFP in Footscray that we work with had 95 paid staff on Business Basic plus a handful of E3 licences for the leadership team. Migrating the whole organisation to Business Premium (at NFP discounted pricing) cost them an extra $9,500 a year and gave them Defender for Business, Intune device management, conditional access through Entra ID P1, and the foundation for an Essential Eight Maturity Level 1 posture. The same upgrade at commercial pricing would have cost $34,000 a year. The NFP discount made the security upgrade affordable.

The catch with the Microsoft non-profit offers is that they have changed several times over the past three years. The free E1 grant disappeared in 2024; the free Business Basic grant remains but with seat limits; pricing has shifted. The current state at the time of writing is in the Microsoft Tech for Social Impact portal, and we recommend reviewing your entitlements annually. The work to revalidate is small; the saving is large.

Donor data and ACNC governance basics

The IT-relevant parts of ACNC governance for an NFP holding donor or beneficiary data:

Responsible persons and diligence

Governance Standard 5 requires responsible persons (board members, trustees) to act with reasonable care and diligence in the role. In practice, that means the board needs to be able to demonstrate that data assets are being managed properly. The audit trail that satisfies this is documented controls (a basic security policy, evidence of MFA enforcement, a register of vendors processing personal data, an incident response plan). Not enterprise-grade artefacts, but defensible documents that would survive scrutiny.

The Privacy Act position

The Privacy Act small business exemption (under $3 million annual turnover) used to cover many NFPs. Three important caveats: NFPs providing health services (which is many of them) do not get the exemption; NFPs funded by government contracts may have contractual obligations equivalent to the Australian Privacy Principles (APPs); and the Privacy Act reforms are narrowing the exemption for everyone. The pragmatic position for an NFP of any size is to operate as if the APPs apply, because the donor base, the grant funders, and the boards increasingly expect that posture. Our piece on the Privacy Act for SMBs and what your IT team must do covers the detail.

Beneficiary case data

For NFPs holding case data on beneficiaries – homelessness services, family violence support, mental health services, refugee support – the data sensitivity is at the highest tier. The controls need to match: encrypted storage, strict access controls, audit logs, MFA enforced for every user, careful management of contractors. Funders for these services often impose explicit data security clauses; the IT posture is contractual as well as ethical.

The volunteer-vs-staff identity model

The identity question is where most NFP IT environments fall apart. A typical mid-sized NFP has paid staff, volunteers, board members, contractors, partner organisations, and donors all interacting with various systems. The traditional approach – everyone gets a full Microsoft 365 licence with full mailbox and tenant access – is expensive, dangerous, and unnecessary.

The model we recommend for Melbourne NFPs:

User type | Identity model | What they get
Paid staff | Member user with M365 licence | Full M365, Teams, SharePoint, Outlook, Intune-managed device
Regular volunteers (weekly+) | Member user with Business Basic (donated) | Free Business Basic, Teams, OneDrive, scoped SharePoint access
Occasional volunteers | Entra ID guest (B2B) | SharePoint and Teams access only, no mailbox, MFA enforced
Board members | Member user with Business Basic or Business Premium | Full Teams, scoped board SharePoint site, NO admin role
Contractors | Entra ID guest (B2B), time-limited | Scoped access, MFA, automatic expiry on contract end date
Partner organisations | Entra ID B2B with conditional access | Shared SharePoint workspace, no email, controlled by access policies

The Entra ID guest (B2B) model is the unlock. A guest does not consume a Microsoft 365 licence in your tenant: they sign in with an identity their own organisation (or, for an occasional volunteer, a personal email provider) already manages, and your tenant only grants scoped access. Entra bills B2B collaboration by monthly active guest users, and the first 50,000 per month are free, so at NFP scale the guest tier costs nothing. For an NFP with 60 paid staff, 20 regular volunteers, 8 board members, 12 contractors, and 4 partner organisations, the licensing footprint under the model above is 60 paid licences plus 28 donated Business Basic seats (the volunteers and the board). The other 16 people, the contractors and the partner-organisation contacts, are B2B guests at zero licence cost.

The discipline that makes this work is the lifecycle. Guest accounts need to expire when the contract ends; volunteer accounts need to deactivate when the volunteer stops volunteering; board members need their access removed when they leave the board. Without lifecycle hygiene, the tenant fills up with orphaned accounts and the security posture rots. Conditional access policies and access reviews in Entra ID can automate most of this, but somebody needs to set it up and watch it. One licensing caveat: access reviews are an Entra ID P2 (or Entra ID Governance) feature, so a tenant that stopped at the P1 included in Business Premium does the review the manual way, with a periodic export of accounts and last-sign-in dates reconciled against the HR, volunteer, and board records.

Grant-funded vs operational IT spend

One of the structural challenges for Melbourne NFPs: most funders restrict grants to direct program costs, and IT is treated as overhead. The result is a chronic shortfall in IT investment because operational funding does not stretch and grant funding will not cover it.

Three practical strategies:

Bundle IT into program costs where it genuinely is

If a program needs a case management system, the licensing, training, and support for that system is a program cost, not overhead. The same logic applies to the laptops the program staff use, the security tooling that protects the beneficiary data, the M365 licences that enable the case workers to collaborate. Many funders accept this when it is explained. The key is to budget the IT for the program at the proposal stage, with the line items broken out.

Apply for dedicated IT capacity grants

Several Australian foundations and government programs fund organisational IT capacity specifically: cyber security uplift grants, digital transformation grants, infrastructure modernisation grants. They are competitive but real money is available. A heritage and arts NFP we work with in Brunswick received a $45,000 cyber security uplift grant in 2025 that funded the full Essential Eight Maturity Level 1 implementation we had been recommending for two years.

Treat the IT investment as risk mitigation in the board narrative

Boards approve risk mitigation spend when they understand the risk. The ‘this is the security stack’ conversation rarely lands; the ‘a successful cyber attack on this organisation would cost X dollars, take Y weeks to recover from, and trigger Z mandatory disclosures’ conversation usually does. The IT spend becomes risk insurance, which boards understand better than infrastructure.

The realistic 3-year roadmap (25 to 150 staff NFP)

What does a sensible IT modernisation roadmap look like for a mid-sized Melbourne NFP that is starting from a typical legacy posture?

Year 1: Foundation and triage

Quarter | Priorities
Q1 | Validate Microsoft NFP eligibility and entitlements; tenant security audit; document current state
Q2 | Migrate paid staff to Business Premium; enforce MFA on every account; remove orphaned admin roles
Q3 | Implement Intune device management for staff laptops; baseline security policies; M365 backup deployed
Q4 | Volunteer and contractor identity rework using Entra ID B2B; board SharePoint site rebuild; first DR test

Year 1 focus: the controls that most reduce risk for the least money. By the end of Year 1 the NFP should have a defensible Essential Eight Maturity Level 1 posture, a documented identity model, and a working DR position. Approximate cost for a 60-staff NFP: $40,000 to $60,000 above the existing baseline, a good part of which can be grant-funded.

Year 2: Optimisation and capability

Quarter | Priorities
Q1 | SharePoint information architecture rebuild; retire founder-era shared mailboxes
Q2 | Power Platform pilots for case management or donor management workflows
Q3 | Vendor risk register and lite review programme; Privacy Act position documented
Q4 | Annual security audit; cyber insurance renewal at improved posture; team training

Year 2 focus: making the staff genuinely productive and reducing the operational tax of accumulated technical debt. The SharePoint rebuild alone often returns 2 to 4 hours per staff member per week in time saved looking for documents.

Year 3: Strategic and scale

Quarter | Priorities
Q1 | Copilot for M365 pilot with selected leadership and program staff
Q2 | Workflow automation for high-volume manual processes (intake forms, reporting)
Q3 | Mature DR posture with quarterly tests; Essential Eight Maturity Level 2 stretch goal where applicable
Q4 | Annual strategic review; multi-year planning for the next cycle

Year 3 focus: capability that lifts the mission, not just the operational base. By the end of Year 3 the NFP should be at a mature state where the IT investment is producing visible program impact – more case workers serving more beneficiaries, more donor reach per fundraising dollar, better impact measurement for funders.

The two NFP-specific traps

Two patterns we see repeatedly in Melbourne NFPs that deserve specific attention.

Trap 1: Founder-era shared mailboxes

Almost every long-running NFP has a set of shared mailboxes that date to the founder era: info@, admin@, donations@, volunteers@, plus a clutch of program-specific ones. They were set up with shared passwords, often without MFA, often with everyone who has ever worked there still having access. The risk is enormous and the cleanup is awkward because important communications are routed through them.

The fix is a structured project: identify every shared mailbox, identify the legitimate access list, convert each one to a proper Microsoft 365 shared mailbox with delegated access (access tied to individual identities, MFA-protected, and auditable), block direct sign-in on the underlying mailbox account so the old shared password stops working, and migrate the workflows that depended on that password (a donation platform sending through the mailbox, for example) to proper licensed accounts. Not glamorous, but it removes a real attack surface. Expect 60 to 100 hours of work for a typical mid-sized NFP.
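What that conversion looks like for one mailbox, as an added example that is not TechAssist's own script: it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, an operator holding the Exchange Administrator and User Administrator roles, and that the workflows using the shared password have already been moved. The mailbox address and the delegate lists are constructed placeholders. The order of operations is the point: convert, block sign-in, reset the delegation list, and only then remove the licence.

```powershell
# Added example, not TechAssist's own script: convert one founder-era role mailbox
# from a shared-password user mailbox into a delegated-access shared mailbox.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and
# the operator holds Exchange Administrator and User Administrator roles.
# The address and the delegate lists at the bottom are constructed placeholders.

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'

function Show-MailboxAccess {
    # Step 1 of the project: who can open this mailbox today? Explicit, non-inherited
    # grants only; 'NT AUTHORITY\SELF' is the owner entry, not a delegate.
    param([Parameter(Mandatory)][string]$Address)
    Get-MailboxPermission -Identity $Address |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object User, AccessRights
}

function Convert-ToDelegatedSharedMailbox {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string[]]$FullAccessUsers,
        [string[]]$SendAsUsers = @()
    )
    # Convert in place: the address and the mail history are kept.
    Set-Mailbox -Identity $Address -Type Shared

    # The conversion alone does not retire the shared password. Block direct sign-in
    # on the underlying account and kill live sessions; from here on the mailbox is
    # only reachable through each delegate's own MFA-protected identity.
    $acct = Get-MgUser -Filter "userPrincipalName eq '$Address'" -Property Id
    Update-MgUser -UserId $acct.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $acct.Id | Out-Null

    # Drop every historical grant, then add back only the legitimate list.
    Get-MailboxPermission -Identity $Address |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object {
            Remove-MailboxPermission -Identity $Address -User $_.User -AccessRights $_.AccessRights -Confirm:$false
        }
    foreach ($u in $FullAccessUsers) {
        Add-MailboxPermission -Identity $Address -User $u -AccessRights FullAccess -AutoMapping $true | Out-Null
    }
    foreach ($u in $SendAsUsers) {
        Add-RecipientPermission -Identity $Address -Trustee $u -AccessRights SendAs -Confirm:$false | Out-Null
    }

    # Mailbox auditing is on by default in Exchange Online; make sure nobody turned it
    # off, because the audit log is what ties each access back to a named identity.
    Set-Mailbox -Identity $Address -AuditEnabled $true

    # Only now remove the licence. A shared mailbox under 50 GB needs none; removing
    # it *before* the conversion would instead schedule the user mailbox for deletion.
    $skus = (Get-MgUserLicenseDetail -UserId $acct.Id).SkuId
    if ($skus) { Set-MgUserLicense -UserId $acct.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null }
}

# Constructed usage: review the current access list first, then convert.
Show-MailboxAccess -Address 'donations@example.org.au'
Convert-ToDelegatedSharedMailbox -Address 'donations@example.org.au' `
    -FullAccessUsers 'fundraising.lead@example.org.au', 'finance@example.org.au' `
    -SendAsUsers 'fundraising.lead@example.org.au'
```

Run Show-MailboxAccess across the whole inventory before converting anything; the access list it prints is usually the first time anyone has seen who can actually read donations@.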

Trap 2: Board members with full SharePoint access from 2018

Board membership turns over, but historical access often does not. A typical mid-sized NFP has 4 to 8 former board members whose accounts are still active in the tenant with the access they had when they left. Some of them may now be working at competing or partner organisations. The access they were granted in 2018 was scoped to the policies of the day, and nobody has re-evaluated it since.

The fix is an access review, run annually, against the board membership records held by the company secretary (Entra ID access reviews automate the workflow if the tenant holds Entra ID P2; on Business Premium it is an exported user list reconciled by hand). Every former member’s access is removed cleanly. Future board members are onboarded with a clear lifecycle (account provisioned at appointment, access removed within 7 days of departure, conditional access policy enforced).

This sounds like basic hygiene because it is. The fact that it is missing in 80% of the NFPs we have audited is the point.

Security posture: aligning to Essential Eight on an NFP budget

The Australian Signals Directorate’s Essential Eight is the de facto baseline for organisational cyber security in Australia. Maturity Level 1 is achievable for a mid-sized NFP at modest cost when the Microsoft non-profit licensing covers the underlying infrastructure. The strategies that map to NFP-relevant controls:

Essential Eight strategy | NFP-friendly implementation
Application control | Intune App Control for Business (WDAC) policies on Intune-managed devices. See our guide to application control for the detail.
Patch applications | Intune update rings; Defender Vulnerability Management
Configure Microsoft Office macro settings | Intune policy; macros from the internet blocked
User application hardening | Intune policy on browser security, attack surface reduction rules
Restrict administrative privileges | Named admin accounts only, separate from the daily-use identity; remove standing admin from regular users; Entra ID PIM for just-in-time admin roles where the tenant holds Entra ID P2 (Business Premium’s P1 does not include it)
Patch operating systems | Intune update rings
Multi-factor authentication | Entra ID conditional access; phishing-resistant MFA for admins
Regular backups | M365 backup (third party) + on-prem if applicable; tested quarterly

Maturity Level 1 across all eight strategies, for a 60-staff NFP, is achievable at around $25,000 to $40,000 in tooling and project costs above the existing licensing. Maturity Level 2 adds another $30,000 to $50,000 and is appropriate for NFPs with sensitive beneficiary data or government contracts that require it. For the broader context on aligning to the Essential Eight, our zero trust security model piece covers the complementary thinking.

The MSP question for NFPs

Most Melbourne NFPs that engage an MSP fall into one of three models:

  1. Pro-bono or heavily discounted MSP – the MSP donates time, often through their own community engagement program. Variable quality; the MSP’s paying clients always come first.
  2. Volunteer-led with MSP escalation – a tech-skilled volunteer manages day-to-day and engages an MSP for specific projects. Works well if the volunteer is genuinely skilled and committed; falls apart when they move on.
  3. Standard per-user managed services engagement – the NFP pays standard rates for the engagement, sometimes with a sector discount.

The honest assessment after a decade of NFP work: the third model produces the best long-term outcome. Pro-bono engagements are inconsistent and don’t survive the MSP changing strategy; volunteer-led models work until they don’t, and the transition cost is high. A standard managed engagement at a sector-appropriate rate gives the NFP the same response model as a paying commercial client, which matters when something is on fire at 3 a.m.

For TechAssist, our NFP engagements run on the same model as our commercial managed clients: per-user fixed monthly pricing, sub-15-minute P1 response from our 24/7 NOC at Tecoma, same-business-day on-site response across Melbourne metro from our two offices (Tecoma and 575 Bourke Street CBD), and the same 13 Australian engineers across helpdesk, projects and security. We typically offer a sector-appropriate rate that reflects the NFP budget reality, but the service is the same. The discipline of running it as a real engagement is what makes it work for both parties. To talk through an NFP engagement, our team is reachable through the contact page, or our Melbourne managed IT services page covers the broader engagement model.

Frequently Asked Questions

We are a very small NFP (under 25 staff). Does this strategy still apply?

Most of it does, scaled down. The Microsoft non-profit licensing maximisation is still the biggest lever. The identity model still matters even at smaller scale. The Essential Eight Maturity Level 1 alignment is still achievable. The MSP engagement is the piece that scales differently; for very small NFPs, a co-managed model or a sector-shared service can be more affordable than a per-user managed engagement. Our co-managed IT support page covers that model.

How do we get board buy-in for an IT investment that competes with program funding?

Frame it as risk mitigation and capacity-building, not infrastructure. The board cares about the mission and about not having a catastrophic incident; they typically do not care about Entra ID conditional access policies. Show the worst-case scenarios with realistic numbers, show what an Essential Eight Maturity Level 1 posture costs to put in place, and frame the spend as protecting program continuity. Most boards approve when the trade-off is framed honestly.

What is the single most impactful change for an NFP starting from a typical legacy posture?

Enforcing multi-factor authentication on every account, with no exceptions for the founder, the board, or ‘the person who has been here forever.’ It costs nothing beyond the Microsoft licensing you already have. It prevents the most common attack pattern. It is the change most NFPs delay because it is annoying for users in the first week, and the change that most NFPs regret delaying after the first incident.
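How that policy is created, as an added example that is not TechAssist's configuration: it assumes the Microsoft.Graph PowerShell SDK and Entra ID P1 (included in Business Premium), and the two object IDs in $breakGlass are placeholders for cloud-only emergency-access accounts you have already created. Those two are the one standard exclusion; the founder and the board sit inside the policy. Both policies start in report-only mode, which is the check a practitioner wants before enforcement: a week of sign-in logs shows which service accounts and legacy clients would have been blocked, and nobody is locked out while you find out.

```powershell
# Added example, not TechAssist's configuration: "MFA for every account" as two
# conditional access policies, created in report-only mode and enforced later.
# Assumes the Microsoft.Graph PowerShell SDK and Entra ID P1. The break-glass IDs are
# constructed placeholders for emergency accounts that already exist.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$breakGlass = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: breakglass1 object ID
    '00000000-0000-0000-0000-000000000002'    # placeholder: breakglass2 object ID
)

# Policy 1: require MFA for all users on all cloud apps. Report-only first: every
# sign-in is evaluated and written to the sign-in log's "Report-only" tab, nothing
# is blocked yet.
$mfaForAll = @{
    DisplayName = 'CA001 - Require MFA for all users'
    State       = 'enabledForReportingButNotEnforced'
    Conditions  = @{
        Users          = @{ IncludeUsers = @('All'); ExcludeUsers = $breakGlass }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('all')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForAll

# Policy 2: block legacy authentication. IMAP, POP and SMTP AUTH clients cannot
# complete an MFA challenge, so without this policy a password alone still works
# through them; this is what makes policy 1 meaningful.
$blockLegacy = @{
    DisplayName = 'CA002 - Block legacy authentication'
    State       = 'enabledForReportingButNotEnforced'
    Conditions  = @{
        Users          = @{ IncludeUsers = @('All'); ExcludeUsers = $breakGlass }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('exchangeActiveSync', 'other')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') }
}
$legacyPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

function Enable-CaPolicy {
    # After the report-only review: flip a policy to enforced. The user scope is
    # unchanged, so the break-glass accounts stay excluded.
    param([Parameter(Mandatory)][string]$PolicyId)
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{ State = 'enabled' }
}

# Stage 2, run only after the report-only results have been reviewed:
# Enable-CaPolicy -PolicyId $legacyPolicy.Id
# Enable-CaPolicy -PolicyId $mfaPolicy.Id
```

Enforce the legacy-authentication block first and the MFA policy second; a mailbox still being polled over IMAP by the donations platform will show up in the report-only log of CA002 before it can break anything.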

Can we just rely on the donated free Microsoft 365 Business Basic?

For very small NFPs with low risk profiles, possibly. For most mid-sized Melbourne NFPs holding donor or beneficiary data, no. Business Basic does not include Defender for Business, does not include Intune device management, and does not include the conditional access capabilities that an Essential Eight posture requires. The Business Premium upgrade at NFP-discounted pricing is one of the highest-ROI spending decisions an NFP can make.

How do we handle the long tail of historical accounts in our tenant?

Start from the accounts that have not signed in for 90 days (the Entra ID sign-in activity data this relies on needs Entra ID P1, which Business Premium includes). Most are former staff, former volunteers, former board members, or test accounts that were never cleaned up. Disable them and reclaim the licence rather than deleting straight away: a disabled, unlicensed account costs nothing, and its audit trail is valuable. Entra ID does not record when an account was disabled, so keep a dated register. After 90 days disabled without complaint, delete. The cleanup typically removes 20 to 40% of the tenant accounts in a long-running NFP.
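The sweep as a script, as an added example that is not TechAssist's own tooling. It serves the three places above that need it: the guest and volunteer lifecycle, the former-board-member cleanup, and this FAQ. It assumes the Microsoft.Graph PowerShell SDK and an Entra ID P1 tenant (the signInActivity property is not returned without P1); the register path and the break-glass exclusion list are constructed placeholders. It is a two-stage disable-then-delete, and the CSV register is both the audit trail and the only record of the disable date.

```powershell
# Added example, not TechAssist's own script: the 90-day stale-account sweep as a
# two-stage disable-then-delete with a local CSV register as the audit trail.
# Assumes the Microsoft.Graph PowerShell SDK and Entra ID P1. The register path and the
# break-glass list are constructed placeholders. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,
    [string]$Register   = '.\disabled-accounts-register.csv',
    [string[]]$NeverTouch = @('breakglass1@example.org.au', 'breakglass2@example.org.au')
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)
$users  = Get-MgUser -All -Property Id, UserPrincipalName, UserType, AccountEnabled, CreatedDateTime, SignInActivity

# Stage 1: every enabled account, member or guest, with no sign-in of either kind
# inside the window. An account that has never signed in is judged on its creation
# date, so a freshly provisioned starter is not swept up as "stale".
$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled -or $NeverTouch -contains $u.UserPrincipalName) { continue }
    $seen = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $seen) { $seen = $u.CreatedDateTime }
    if ($seen -lt $cutoff) {
        [pscustomobject]@{ Id = $u.Id; Upn = $u.UserPrincipalName; Type = $u.UserType; LastSeen = $seen }
    }
}

foreach ($s in $stale) {
    if ($PSCmdlet.ShouldProcess("$($s.Upn) ($($s.Type), last seen $($s.LastSeen))", 'Disable')) {
        Update-MgUser -UserId $s.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $s.Id | Out-Null   # a cached token must not outlive the disable
        [pscustomobject]@{
            Id = $s.Id; Upn = $s.Upn; Type = $s.Type; LastSeen = $s.LastSeen; DisabledOn = $now.ToString('o')
        } | Export-Csv -Path $Register -Append -NoTypeInformation
    }
}

# Stage 2: Graph does not record *when* an account was disabled, which is why the
# register exists. Delete only what the register shows disabled for a further
# $InactiveDays, and only if it is still disabled (someone re-enabling it is the
# "complaint" that stops the clock).
if (Test-Path $Register) {
    $due = Import-Csv $Register | Where-Object { ([datetime]$_.DisabledOn).ToUniversalTime() -lt $cutoff }
    foreach ($row in $due) {
        $u = Get-MgUser -UserId $row.Id -Property Id, AccountEnabled -ErrorAction SilentlyContinue
        if ($u -and -not $u.AccountEnabled -and $PSCmdlet.ShouldProcess($row.Upn, 'Delete')) {
            Remove-MgUser -UserId $u.Id   # soft delete; recoverable from deleted users for 30 days
        }
    }
}
```

For the annual board review, filter the register and the stage 1 output on Type and reconcile the member rows against the company secretary's list before letting stage 2 run; the script finds stale access, the membership record says whether it should have been stale.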

Where do we start if we have no IT documentation at all?

Start with three documents: a tenant configuration baseline (what is currently configured, by whom, for what reason), an asset list (devices, accounts, key vendors), and a basic incident response plan (who calls whom when something happens). These three documents are 80% of the audit-readiness conversation and form the foundation that everything else builds on. The work is typically 20 to 30 hours of MSP time and is some of the highest-value spending in the first year of a managed engagement.

A FY27 IT budget template for a specific persona: a 50-person Melbourne professional services firm, $12 million revenue. Numbered line items, real dollar ranges, IT-spend-as-percentage-of-revenue benchmarks, and the four lines most SMEs forget. Built for CFOs who want defensible numbers, not vendor guesswork.

The persona this budget is built for

Specifics matter; a generic IT budget is useless. The numbers below are sized for:

  • 50 staff total (45 desk-based knowledge workers, 5 partners or executives)
  • Melbourne-based, single office plus remote work, typical CBD or inner-suburb location
  • Professional services (consulting, legal, accounting, architecture, engineering consultancy) – knowledge-worker firm with no manufacturing, no point-of-sale, no production line
  • Approximately $12 million annual revenue
  • Microsoft 365 stack, hybrid cloud (light on-prem footprint, most workloads in Azure or SaaS)
  • Standard cyber insurance requirements; aligned to Essential Eight Maturity Level 1 minimum
  • No internal IT staff; engagement with an MSP on per-user fixed monthly pricing

If your business is materially different – 50 staff with a manufacturing plant in Dandenong, or a 50-staff healthcare practice with clinical software, or a 50-staff retailer with 12 store locations – the totals will move significantly. Use this as a baseline to adjust from. Our sector-specific guidance for Melbourne manufacturers, healthcare, and law firms covers the variations.

The benchmark: IT spend as a percentage of revenue

Industry benchmarks vary by sector, but for Australian professional services firms in the 30 to 100 staff band, IT spend as a percentage of revenue typically lands between 1.5% and 3.5%. The drivers of where you sit in that range:

Position in range | Profile
1.5% – 2.0% | Mature firm, stable headcount, established systems, no major projects, light security stack
2.0% – 2.5% | Typical steady-state for a well-run firm with appropriate security and a 3-year hardware refresh
2.5% – 3.0% | Growth phase, projects in flight, security uplift, M&A or office relocation
3.0% – 3.5% | Major transformation – platform migration, post-incident rebuild, compliance project, AI rollout
3.5%+ | Either temporary spike or something is wrong; investigate

For our persona ($12 million revenue), the FY27 budget should land between $240,000 and $360,000 in steady state, or up to $420,000 in a project-heavy year. The template below targets the middle of that range and produces a defensible total of roughly $300,000 to $360,000. If your number is above this, look first at the projects line; if it is well below, look first at security and backup.

The line-itemed FY27 template

All numbers are in AUD, annual, for the persona above. Ranges reflect actual variance across our managed book in Melbourne; the midpoint is what we would budget for a typical firm in this segment.

1. Microsoft 365 licensing

The single largest recurring line for most professional services firms.

Item | Per user / month | Annual (50 users)
Microsoft 365 Business Premium (recommended baseline) | $32.10 | $19,260
OR Microsoft 365 E3 + Entra ID P2 + Defender for Office P2 | $54 – $62 | $32,400 – $37,200
Copilot for M365 (selected users, typically 30-50%) | $45 | $8,100 – $13,500 (for 15-25 users)
Power BI Pro (for analyst users) | $15 | $1,800 (for 10 users)

Subtotal for M365: $29,000 – $52,000. For our persona, $35,000 is realistic – Business Premium across the firm, Copilot for 20 selected users, Power BI for the analyst pool. The Business Premium vs E3 conversation hinges on whether you need the deeper compliance and identity protection of E3+P2; for most 50-staff professional services firms, Business Premium is sufficient.

2. Security stack (beyond what is included in M365)

Microsoft 365 Business Premium includes Defender for Business, Intune, and Entra ID P1. That is a strong baseline. Additional security tooling for a 50-staff firm typically covers:

Item | Annual
SIEM / managed detection and response (MDR) service | $18,000 – $36,000
Email security additional layer (Mimecast, Proofpoint, Avanan) | $6,000 – $10,000
DNS filtering (Cisco Umbrella, DNSFilter) | $1,800 – $3,000
Password manager (1Password Business, Bitwarden Enterprise) | $3,000 – $4,500
Vulnerability scanning / external attack surface monitoring | $3,000 – $7,000

Subtotal for additional security: $32,000 – $60,000. For our persona, $42,000 is realistic – MDR through the MSP, additional email security, DNS filtering, password manager, light external attack surface monitoring. This line item is where SMEs traditionally underspent and where the post-2023 cyber insurance market has forced the conversation. Our Melbourne cyber security services wrap most of these into a managed stack.

3. Managed IT services retainer (MSP)

For a 50-staff firm engaging an MSP on per-user fixed monthly pricing, the typical Melbourne market rate in 2026 is $110 to $170 per user per month for a comprehensive engagement that covers unlimited support, security operations, vendor management, and proactive maintenance.

Item | Per user / month | Annual (50 users)
Comprehensive managed IT (low end) | $110 | $66,000
Comprehensive managed IT (typical) | $140 | $84,000
Comprehensive managed IT (high end / specialist) | $170 | $102,000

Subtotal: $66,000 – $102,000. For our persona, $80,000 to $90,000 is realistic. Co-managed models (where you have some internal capability and the MSP fills gaps) typically land 30 to 40% lower; pure break-fix models are cheaper still but rarely advisable at this scale. For the context on what to expect from a Melbourne MSP at this price band, see our guide to choosing an MSP in Melbourne.

4. Hardware refresh sinking fund

The mistake most SMEs make is treating hardware as a lumpy capex purchase every three years. Better: a smooth annual sinking fund that covers the rolling refresh.

Item | Annual
Laptops (50 units on a 4-year cycle, $2,200 each) | $27,500
Docking stations and monitors (refresh on 5-year cycle) | $3,500
Network equipment refresh (5-year cycle on switches, APs, firewall) | $5,000
Server hardware refresh (if any on-prem footprint) | $2,000 – $4,000

Subtotal: $38,000 – $40,000. Hold this as a separate fund; do not blend it into operational expense. When the refresh cycle hits, the fund pays for it without a quarterly cost spike. The 4-year laptop cycle assumes mid-range business laptops (Dell Latitude, HP ProBook, Lenovo ThinkPad mid-tier); premium devices (MacBook Pro, ThinkPad X1) push the per-unit number to $3,500 and the line to $44,000.

5. Projects budget

The line item that gets cut first when revenue softens and then has to be reinstated when something breaks. Better to budget it explicitly:

Item | Annual
Planned projects (system upgrade, office move, integration) | $25,000 – $50,000
Unplanned or reactive projects | $15,000 – $25,000

Subtotal: $40,000 – $75,000. For our persona, $50,000 is realistic. A typical FY27 project list might include a SharePoint information architecture rebuild, an Entra ID conditional access refresh, a CRM integration, and the office Wi-Fi upgrade. Whatever the list is, it should be in the budget at the start of the year, not added quarter by quarter.

6. Cyber insurance

Cyber insurance premiums for Australian professional services SMEs in 2026, for $5 million to $10 million of cover with reasonable retentions, land in the range shown below (for our persona, roughly 0.25% to 0.45% of revenue), assuming the security posture meets the underwriter’s requirements (MFA, EDR, backups, training, vendor risk management).

Item | Annual
Cyber insurance premium for $5M cover | $28,000 – $52,000
Broker fee (if applicable) | $1,500 – $3,000

Subtotal: $30,000 – $55,000. For our persona, $42,000 is realistic. The premium has stabilised after the sharp increases of 2022-2024 but remains sensitive to your control posture; gaps in your security stack will push the premium up materially or trigger a coverage decline. The conversation with the broker is now half technical (controls), half financial (limits and retentions).

7. Training

Easily skipped, easily justified to skip, and the highest-ROI security spend in the budget.

Item | Annual
Security awareness training platform (KnowBe4, Phriendly Phishing, MetaCompliance) | $3,500 – $6,000
Microsoft 365 / Copilot productivity training | $3,000 – $8,000
Role-specific training (project management, technical skills) | $3,000 – $6,000

Subtotal: $9,500 – $20,000. For our persona, $12,000 is realistic. Phriendly Phishing has strong Australian content and is our default recommendation for clients who want locally relevant training.

8. Contingency

10% of the total budget as a contingency reserve, held against unexpected events that the projects line cannot absorb (an early hardware failure outside the refresh cycle, a regulatory change forcing a tooling addition, a vendor that hikes prices unexpectedly).

Subtotal: $25,000 – $35,000.

The four line items most SMEs forget

Across hundreds of budget reviews with Melbourne SMEs, four line items show up in good budgets and are missing from average ones.

1. Vendor risk tooling and process

Either a dedicated platform (rarely justified at SME scale) or the time cost of running the lite vendor risk programme. We typically include this within the MSP retainer for our managed clients, but if you are running it internally, budget for 8 to 16 hours per month of someone’s time. For a 50-staff firm, this is $8,000 to $15,000 a year that often shows up nowhere.

2. AI licences you already pay for

Most firms now have Copilot for M365, ChatGPT Team or Enterprise, Claude.ai for Work or Teams, a specialised AI tool for their sector, and one or two pilots that grew into production. The cumulative AI line is rarely consolidated; it lives in expense claims, in a marketing budget, in a partner’s personal spend. Sum it up. For our persona, total AI tooling is typically $15,000 to $35,000 a year by FY27.

3. M365 backup

As discussed at length in our buyer’s guide on the topic, Microsoft does not back up your M365 data in a way that helps you recover from real incidents. Third-party M365 backup for 50 users is $1,800 to $3,600 a year. Cheap, essential, and missing from most budgets.

4. Exit and transition reserve

The unpleasant truth: at some point in the next 5 to 10 years, you will change MSPs, change your primary cloud platform, or be acquired. The cost of a clean exit is real – typically 4 to 12 weeks of overlap, documentation work, data extraction fees, and project management. Budget 5% of annual IT spend in a reserve, held separately, that exists for this purpose. For our persona, that is $15,000 a year sitting in a reserve account. You may not need it in any given year, but when the day comes, you will be glad it is there.

The CapEx vs OpEx question for FY27

The classic SME CFO question – ‘should we buy the laptops outright or lease them, should we buy the server or rent the cloud workload’ – has shifted meaningfully in the SaaS era. For most line items in this budget, the choice has been made for you: there is no CapEx option. Microsoft 365 is OpEx. The MSP retainer is OpEx. Cyber insurance is OpEx. The MDR service is OpEx.

The remaining CapEx choices are:

  • Laptops: Buy outright is usually cheaper over a 4-year cycle than Device-as-a-Service, but DaaS smooths cash flow and includes refresh management. For a 50-staff firm, the financial difference is around $4 to $6 per device per month either way; the operational difference is more meaningful.
  • Network equipment: Almost always CapEx. The lifespan is 5 to 7 years, and the rental models for switches and APs don’t make financial sense at this scale.
  • Server hardware (if any): If you still run on-prem servers, CapEx remains the norm. The question to ask annually is whether the workload should be in Azure rather than on the server at all.

Our default recommendation for FY27 is to keep laptops and network equipment as CapEx with a sinking fund, and treat everything else as OpEx. Don’t over-engineer this.

The FY27 total

Adding the midpoints together for our persona:

| Line item | FY27 budget |
| --- | --- |
| 1. Microsoft 365 licensing | $35,000 |
| 2. Security stack (beyond M365) | $42,000 |
| 3. MSP retainer | $85,000 |
| 4. Hardware refresh sinking fund | $38,000 |
| 5. Projects | $50,000 |
| 6. Cyber insurance | $42,000 |
| 7. Training | $12,000 |
| 8. Contingency | $30,000 |
| Forgotten items (vendor risk, AI, M365 backup, exit reserve) | $22,000 |
| Total | $356,000 |

$356,000 against $12 million revenue is 2.97% – in the upper half of the steady-state range. If FY27 is genuinely a steady-state year with no major projects, you could pull this back toward $300,000 by trimming the projects line. If FY27 has a major piece of work (M&A integration, platform migration, office relocation), the projects line should grow and the total can reasonably push past $400,000.

A real-world worked example

A 48-staff consulting firm in Collingwood approached us in 2025 with an FY26 IT budget of $185,000 that they suspected was too low. The reality check confirmed it: their security stack was a few years out of date, their MSP retainer was a break-fix arrangement that produced a constant stream of unbudgeted incidents, and there was no projects line.

The rebuild brought them to $310,000 for FY26, then approximately $330,000 for FY27 (this template). The increase landed in three categories: an additional $35,000 in security tooling and MDR, a $40,000 increase in the MSP retainer for a comprehensive managed model, and the previously-invisible projects budget at $50,000. Their cyber insurance premium dropped $9,000 the following year because the upgraded posture qualified them for a better rate. Net true cost increase: about $116,000, or just under 1% of revenue.

The conversation with the partners took two meetings. The first meeting was about why the number was going up; the second was about what they got for it (a defensible security posture, predictable monthly costs, no more invoice surprises, a real DR position, alignment with Essential Eight Maturity Level 1). The decision was unanimous after the second meeting. The lesson: SMEs underspend on IT because the value of the spend is invisible. Make it visible and the budget conversation gets easier.

How TechAssist works with the FY27 budget

For managed clients on our per-user fixed monthly pricing, the MSP retainer line on this template covers our entire engagement: the sub-15-minute P1 response from our 24/7 NOC at Tecoma, the same-business-day on-site response across Melbourne metro from either our Tecoma office or our 575 Bourke Street CBD office, and the work of our 13 Australian engineers across helpdesk, projects, security operations and vendor management. Founded in 2014, we have built the engagement model specifically for SMEs like the persona in this template: 30 to 150 staff, professional services or similar, Microsoft-aligned, Essential Eight focused.

The security tooling line, the M365 licensing, the cyber insurance premium and the hardware are direct vendor relationships that we manage on behalf of the client but bill at vendor cost. The projects line is scoped separately at the start of the financial year. The result is a budget that is predictable to within 5% across the year, which is what makes the CFO conversation work. For the broader picture of how the engagement is structured, see our MSP Melbourne page or reach the team through contact.

Frequently Asked Questions

We are smaller than 50 staff – how do we scale this down?

The fixed costs (cyber insurance, baseline security stack) don’t scale linearly with headcount. A 25-staff firm typically spends 3.0% to 4.0% of revenue on IT – higher than the 50-staff number – because the fixed costs are spread across fewer users. The per-user costs (M365 licensing, MSP retainer per user, hardware sinking fund) scale linearly. Apply the same template, adjust for size, and expect the percentage of revenue to be higher.

What about firms larger than 100 staff?

Past 100 staff, the conversation usually splits: an internal IT manager or director appears in the org chart, the security stack moves toward enterprise tooling, and the MSP relationship becomes co-managed rather than fully outsourced. Total IT spend as a percentage of revenue typically drops to 1.5% to 2.5% as scale efficiencies kick in.

How much of this should be CapEx versus OpEx for tax purposes?

This template lands roughly 90% OpEx and 10% CapEx (the hardware sinking fund). The OpEx-heavy mix is structurally favourable for cash flow but means the depreciation argument for tax is smaller than it was a decade ago. Talk to your accountant; the tax treatment of cloud and SaaS spend changes most years.

Should we budget for AI separately?

Yes. The AI line will grow meaningfully through FY27 and into FY28 as Copilot, agent-based tools, and sector-specific AI products scale up. Separating the AI line makes the growth visible and lets the leadership team make explicit decisions about it rather than discovering it on the credit card statement.

What is the most common budget mistake for a firm this size?

Underspending on security and overspending on premium hardware. We see firms with $3,500 MacBooks for every user but no MDR service and a self-managed Microsoft tenant. Inverting that ratio – mid-tier hardware, comprehensive security – produces a more defensible posture for the same total spend.

How do we benchmark our actual spend against this template?

Pull together your actual line items, map them to the eight categories above, calculate the percentage of revenue, and compare. If you would like an external review, we run IT budget assessments as a discrete piece of work for non-clients, with a one-page summary and a remediation list. Reach the team through the contact page.

Strategic problem (cloud migration, M&A, compliance) and an internal team to execute? Hire an IT consultant. Day-to-day breaking and nobody monitoring? You need an MSP. If both are true, as they are for most growing Melbourne SMEs, you need both, without paying two firms for the overlap.

This is the question I get asked most often by owners and GMs of 20-200 person Melbourne businesses, and the answer is genuinely “it depends”. So let’s pull the two roles apart properly, because the marketing copy on both sides of the fence has muddied the water.

The honest definition: consultant vs MSP

IT consultancy in Melbourne — at least the version worth paying for — is strategic advisory work. A consultant comes in with a defined scope, a defined deliverable, and a defined exit. They don’t answer your password reset tickets. They don’t patch your servers at 2am. They tell you what to do, why, in what order, and roughly what it should cost. Then they hand over to someone (your internal team or an MSP) to actually build it.

A managed service provider, by contrast, runs the lights. Monitoring, patching, helpdesk, backups, identity, endpoint security, server and network operations. An MSP is measured on uptime, response time, ticket resolution, and whether your staff can actually get their work done. The relationship is ongoing — usually a monthly fee per user or per device.

The confusion comes from the fact that a competent MSP will do some consulting (you can’t run someone’s IT well without thinking strategically about it), and a competent consultant will sometimes get hands-on (especially on smaller engagements). The overlap exists. But the centre of gravity for each role is clearly different.

What an IT consultant actually does

The clearest way to think about consultancy work is by deliverable. A consultant is usually engaged to produce one of these:

  • An IT strategy or roadmap. A 12-36 month plan covering infrastructure, applications, security posture, and budget. This is the closest to “permanent” consulting work, often delivered as part of a strategic planning engagement.
  • A specific transformation business case. Should we move from on-prem to Azure? Replace Citrix with AVD? Migrate from on-prem Exchange to Microsoft 365? The consultant writes the business case, costs the options, and recommends a path.
  • Vendor selection. Independent assessment of which line-of-business platform, MSP, or telco to pick. Genuine independence here is rare and worth paying for — most “consultants” who do vendor selection are receiving a kickback from the chosen vendor. Always ask.
  • M&A IT due diligence. You’re buying or selling a business. What’s the state of the target’s IT estate? What are the integration risks? What’s the cost to get it to your standard? This is a defined-scope engagement that wraps up when the deal does.
  • Regulatory and compliance projects. Essential Eight uplift, ISO 27001 readiness, IRAP, APRA CPS 234, ASD-aligned controls for a government tender. The consultant maps where you are, where you need to be, and what the gap costs to close.
  • Architecture review. A second opinion on a design your internal team or current vendor has produced.

Notice what’s not on that list: running your helpdesk, fixing the printer in the Hawthorn office, doing the Windows updates, monitoring whether your firewall is alive at 3am. A pure consultant won’t touch any of that, and arguably shouldn’t, because the day rates don’t make sense for operational work.

What an MSP actually does

The MSP world has its own jargon, but the core functions of a Melbourne managed services engagement are reasonably consistent:

  • Service desk. Your staff have a number to call or an email to send when something breaks. Tickets get triaged, prioritised and resolved against an SLA.
  • Monitoring and remediation. Servers, network, endpoints and cloud services are watched 24/7 by a NOC. Alerts are triaged and either auto-remediated or sent to an engineer. TechAssist runs a 24/7 NOC out of our Tecoma operations centre for exactly this reason — alerts at 3am still get acted on.
  • Patch management. OS updates, third-party app updates, firmware, browser updates, deployed and validated on a schedule.
  • Backup and recovery. Configured, tested, monitored, restored when needed.
  • Identity and access. Microsoft Entra, conditional access, MFA, joiner/mover/leaver workflows.
  • Endpoint security and SOC. EDR/XDR rollout, alerts triaged, incidents responded to. The good MSPs run this as a proper security operation, not just “we installed Defender”.
  • Procurement and lifecycle. Buying the laptops, the licenses, the firewalls. Replacing them on a sensible cycle.
  • Documentation. If your MSP can’t show you the current network diagram and your asset register on demand, fire them.

The MSP relationship is ongoing because IT operations are ongoing. You can’t outsource Tuesday’s printer problem to a consultant and Wednesday’s password reset to a different one — the economics fall apart, and nobody owns the overall environment.

The overlap zone: vCIO services

Between pure strategy and pure operations sits the role most likely to confuse buyers: the virtual CIO. A vCIO is a part-time, fractional strategic advisor — usually delivered by an MSP, either as an included service or as a paid extra on top of operational services.

If you want the full breakdown, we wrote a plain-English guide to virtual CIO services separately. But for this article the short version is: vCIO is the consultancy work an MSP does for its own clients as part of the ongoing relationship. Quarterly business reviews, roadmap planning, budget input, risk register, technology refresh planning. It’s lighter-touch than a standalone consultancy engagement, and it’s biased toward the MSP’s own service catalogue.

That bias isn’t necessarily bad — your MSP knows your environment better than anyone — but it’s worth being clear-eyed about. If you need a genuinely independent view on a major decision (especially “should we replace our MSP?”), you want an outside consultant, not your incumbent MSP’s vCIO.

A real Melbourne example

A 55-person professional services firm in Hawthorn came to us last year. They had an existing MSP doing reasonable operational work — service desk, patching, backups, the usual. The owner had been told by his accountant to “talk to a consultant” because they were planning to acquire a smaller firm in Geelong and the IT side felt risky.

What they actually needed was three distinct things:

  1. Pre-deal IT due diligence on the Geelong target — a defined consultancy piece, two weeks, fixed fee.
  2. A post-acquisition integration plan — another consultancy deliverable, with a clear handoff to the operations team that would execute it.
  3. Ongoing operational support for the combined entity once the deal closed — pure MSP work.

They could have hired three different firms. They could have stretched their existing MSP into consultancy work they weren’t really set up for. Or they could have brought in a Big Four consultant who would have charged them roughly four times the going rate and then handed an unimplementable PowerPoint to the same internal team that was already overloaded.

What we did: ran the due diligence as a fixed-scope consulting engagement, produced the integration plan, then transitioned them onto our managed IT services with a vCIO included. Same firm, two separate deliverables, no double-charging because the operational team already had the context from the consulting work.

That’s the case for “both” — but it’s also the case where it makes sense to have both functions sit under one roof. It doesn’t always.

Decision matrix: which do you actually need?

Here’s the cheat sheet I’d give an owner trying to sort this out internally. The scenarios are real ones I see across our Melbourne client base.

| Scenario | Consultant only | MSP only | Both |
| --- | --- | --- | --- |
| Strong internal IT team, one-off strategic decision (cloud migration, ERP selection) | Yes | No | No |
| No internal IT, day-to-day support is broken, no big strategic project on the horizon | No | Yes | No |
| M&A or divestment with IT integration risk | Yes (for the deal) | Likely separately | Often |
| Compliance program (Essential Eight, ISO 27001, IRAP) | For the gap analysis | For the implementation and ongoing controls | Yes |
| Growing 20-200 person Melbourne SME, no internal IT lead, mix of project and BAU needs | No | Not enough on its own | Yes — MSP with vCIO |
| You suspect your current MSP is underdelivering and want an independent review | Yes — get an outside consultant | No | No (don’t ask the incumbent) |
| Internal IT team of 2-4 stretched on BAU, struggling with after-hours and security ops | No | Yes — co-managed model | Depends on whether strategy is also a gap |
| Board has asked for an IT strategy presented at the next quarterly meeting | Yes (or vCIO if you already have one) | No | Often, via vCIO |

How to avoid paying twice for the same thing

This is the practical problem most buyers don’t see coming. You hire an MSP. The MSP includes “strategic reviews” or vCIO time in the contract. Six months later you also hire a consultant for a specific project, and the consultant’s first three weeks are spent doing exactly the discovery work the MSP already documented. You’re paying for both.

A few rules to keep this honest:

  • Make your MSP’s documentation a contract deliverable. Network diagrams, asset register, application list, identity model, security posture document, backup runbook. If a consultant comes in later, this is their starting point.
  • Scope consulting engagements tightly. Defined deliverable, defined timeline, defined exit. “Help us with IT strategy” is not a scope. “Produce a three-year infrastructure roadmap with costed options, presented to the board by 30 September” is a scope.
  • Be clear who owns implementation. A consultant who produces recommendations they can’t or won’t help implement is half a service. Either they hand off cleanly to your MSP, or they’re set up to execute themselves.
  • Don’t let the MSP grade their own homework. If you need an independent view on whether your MSP is performing — particularly during a contract renewal — get an outside consultant. The conflict of interest in asking the incumbent is obvious.
  • Push back on day rates that don’t match the work. Consultant day rates are appropriate for strategy and design. They are not appropriate for ticket work. If you’re being charged consultant rates for operational tasks, you’ve got the wrong engagement model.

Where TechAssist sits

Honest disclosure: we do both. We’ve been a Melbourne MSP since 2014, and we run the operational side — 13 Australian-based engineers, sub-15-minute response on P1 incidents, 24/7 NOC at our Tecoma operations centre — as our core service. The consultancy work sits alongside it: vCIO for clients on our managed services, defined-scope consulting engagements for organisations that just want the strategic deliverable, and IT due diligence work for businesses going through M&A.

What we don’t do is pretend the two functions are the same thing. If you come to us for a fixed-scope consulting piece and you don’t want to be on managed services, that’s a perfectly reasonable engagement and we’ll quote it that way. If you’ve got a good incumbent MSP and you just want an independent architecture review, we’ll do that too. The aim is to size the engagement to the actual problem.

Frequently asked questions

Is an MSP cheaper than hiring an IT consultant?

For ongoing work, almost always yes. MSP pricing is per-user or per-device per month, and the operational economics work because the MSP spreads cost across many clients. Consultant day rates make sense for defined deliverables that need senior thinking. Trying to use a consultant for operational work, or an MSP for genuinely strategic independent advice, is where the cost-benefit breaks down.

Can I just use my MSP for everything strategic too?

For most things, yes — a good MSP’s vCIO function will cover roadmap, budget, refresh planning and quarterly reviews competently. Where you genuinely need an outside consultant: independent vendor selection, M&A due diligence, a review of the MSP itself, or compliance work where an independent attestation is required.

What’s the difference between a vCIO and a CIO?

A full-time CIO is on your payroll, in your meetings, accountable for IT outcomes across the business. A vCIO is fractional — usually one to four days a month — delivered by an MSP or consultancy. For SMEs under about 250 people, a vCIO is usually the right answer. Above that, you start needing the full-time role. We covered this in detail in our virtual CIO guide.

How do I know if my current MSP is strong enough on the consulting side?

Ask for the last twelve months of quarterly business reviews. If they exist, are written down, and contain actual recommendations with timelines and costs — you’ve got a strong vCIO function. If your MSP can’t produce them, or they’re a template with your logo on it, the strategic side is weak and you’ll need to supplement.

Should I hire a consultant before I hire an MSP?

If you’re starting from scratch — new business, no incumbent — usually no. Pick a competent MSP, get the operational basics running, and let the vCIO function handle initial strategy. Bring in a consultant if and when a specific large decision sits outside the MSP’s competence or independence. If you’re replacing an existing MSP, a short consulting engagement to define what you actually need before going to market is often worth the money.

A sensible next step

If you’re not sure whether you need a consultant, an MSP, or both, the cheapest first move is a conversation. We do these for free — half an hour, no obligation, honest read on whether the problem you’ve described is operational, strategic, or both. If we’re the right fit, we’ll tell you. If you’d be better off with a different model, or a different firm, we’ll say that too.

Reach the team on 1300 028 324 or via the contact page and we’ll get back to you the same business day.

Before 30 June 2026, Melbourne SMEs should verify backups, reconcile the IT asset register with finance, audit software licences, decide on any pre-EOFY hardware purchases with your accountant, and decommission anything you’re paying for but not using. The rest is detail.

EOFY isn’t just a tax event. For most Melbourne businesses we look after, it’s the one time of year when finance and IT actually sit down together and tally up what’s been bought, what’s been retired, what’s still being paid for, and what needs replacing. If you skip that conversation, you end up paying for ghost subscriptions in July, missing depreciation entries in August, and scrambling to buy laptops in September when supply tightens.

This EOFY IT checklist is the same one our engineers run with clients across Hawthorn, Box Hill, Dandenong and the CBD every June. It mixes operational housekeeping with the finance-side items your bookkeeper or CFO will thank you for. Nothing fancy. Just the stuff that actually moves the needle before the books close.

Why EOFY matters for IT, not just finance

Two reasons. First, your tech estate drifts over a year. People leave, projects start and stall, trials become forgotten subscriptions, and hardware quietly ages past its useful life. EOFY is a natural forcing function to clean that up. Second, if you’re planning capital spend on technology, the timing of the purchase, the install, and the in-service date can matter for how your accountant treats it. We don’t give tax advice, but we do give you a clean asset list and accurate purchase dates so your accountant can do their job properly.

A Hawthorn accounting firm we work with had 47 active Microsoft 365 licences on the books in May last year. After we ran their EOFY audit, the real headcount needing licences was 38. Nine licences at $30+/month each had been quietly billing since two staff turnovers and a contractor project that wrapped in October. That’s around $3,200 a year in pure waste, caught in a 90-minute review.

The EOFY IT checklist: 10 items to work through before 30 June 2026

Work through these in order. Most can be done in a single afternoon with your IT provider; a few need finance involvement. If you’re a TechAssist managed client, your account engineer will already have most of this scheduled into your June service calendar.

1. Verify your backups actually restore

Having backups isn’t the same as having recoverable data. Before 30 June, pick at least one critical system (your file server, your accounting database, your shared mailbox) and do a test restore to an isolated location. Time how long it takes. Compare that to your recovery time objective. If you don’t have an RTO documented, this is the moment to write one down.

We see at least two or three clients a year discover their “working” backups had been silently failing for weeks because nobody read the alert emails. A test restore is the only proof that matters. More on our approach at data backup and recovery.

2. Reconcile the IT asset register with finance

Your finance team has a fixed asset register. Your IT provider has an inventory list. These almost never match. EOFY is when you sit them next to each other and resolve every discrepancy: laptop serial numbers, monitor counts, server hardware, network gear, even the licences attached to specific people.

The output is a single reconciled asset list with purchase dates, supplier invoices, current location, and assigned user. Your accountant uses this for depreciation. Your IT provider uses it for warranty and refresh planning. Both of you stop chasing ghosts.

3. Audit every software subscription and licence

Pull a report of every SaaS subscription you pay for. Microsoft 365, Adobe, Xero, Dropbox, ChatGPT Team, Canva, Zoom, the random Trello upgrade somebody bought in 2023. For each one, answer three questions: who uses it, do they still need it, and is the licence tier right?

Common findings: Microsoft 365 E3 seats assigned to people who only need Business Premium; per-user tools paid for ex-staff; duplicate tools (two project management apps, two e-signature platforms). Cancelling or right-sizing before 30 June means the saving starts in FY27 rather than mid-year.

4. Decommission unused services and shadow IT

This is the cousin of item 3. Subscription audits catch the things on your credit card. Decommissioning catches the things that aren’t, like that VPS somebody spun up four years ago, the test SharePoint site nobody touches, the legacy line-of-business app running on a Windows Server 2012 box in the corner. Each one is an attack surface, a compliance headache, and in some cases a recurring cost.

Make a list. Tag each item: keep, migrate, decommission. Set a date for each decommission. Get sign-off from a business owner so nothing critical disappears by surprise.

5. Plan your hardware refresh cycle

Walk your asset list and identify everything that’s three or more years old. Laptops on their fourth Windows feature update, servers past warranty, switches that haven’t had a firmware update since the Coalition was in power. These don’t all need replacing in June, but you need a plan with dates and budgets.

If you do intend to purchase hardware before 30 June 2026 for tax-timing reasons, talk to your accountant about the current instant asset write-off threshold and whether the asset must be installed and ready for use by 30 June to qualify. The rules change year to year and we won’t pretend to know yours. See the ATO website for current figures.

6. Review your IT spend: capex vs opex

Sit with finance and categorise your IT spend from the past 12 months. How much was capital (hardware purchases, major project work, software licences treated as assets)? How much was operating expense (managed services, subscriptions, cloud)? Most Melbourne SMEs we work with are gradually shifting from capex-heavy to opex-heavy as cloud and managed services replace owned infrastructure.

Whether that shift is right for your business is a tax and cashflow conversation with your accountant. Our job is to give them clean numbers. A per-user fixed monthly model like ours makes the opex side predictable, which is what finance teams want when they’re forecasting FY27.

7. Confirm depreciation schedule with your accountant

Your IT assets depreciate. Laptops, servers, network equipment, sometimes software. The schedule depends on the asset class, the effective life the ATO publishes, and any small business concessions your accountant elects to use. You don’t need to understand the maths. You do need to give your accountant the reconciled asset list from item 2 with accurate purchase dates and disposal dates.

If you disposed of equipment during the year (e-waste, sold a server, scrapped old phones), document it. Disposals affect the depreciation schedule and the asset register both. Photos of the e-waste pickup or the disposal certificate are good evidence to keep.

8. Check renewal dates for the next 12 months

Pull every renewal date that hits between July 2026 and June 2027. Microsoft 365 anniversaries, antivirus, firewall licences, domain renewals, SSL certificates, broadband contracts, your MSP agreement. Put them in a single spreadsheet sorted by month.

This gives finance a cashflow forecast and gives IT a heads-up for negotiation windows. Multi-year deals often have better pricing if you can commit, but only commit on tools you’ve confirmed you still need (item 3).

9. Review cyber security posture and insurance

Cyber insurance renewals usually ask the same questions: MFA on everything, EDR on every endpoint, backup tested in the last 90 days, patching cadence, admin account separation. If you haven’t been measuring yourself against a framework, EOFY is a sensible time to start. The Essential Eight from the ACSC is the practical baseline for Australian SMEs.

Even if you’re not pursuing formal compliance, the Essential Eight maturity levels give you and your insurer a common language. Most cyber policies now ask explicitly about MFA coverage and backup testing. Having documented answers makes renewal cheaper and faster.

10. Set the FY27 IT budget and roadmap

You can’t do this properly without items 1-9. Once you have the asset list, the subscription audit, the renewal calendar, and the refresh plan, the budget almost writes itself. Three buckets: recurring (subscriptions, managed services), planned capex (hardware refreshes, projects), and contingency (10-15 percent for the things you can’t predict).

For most SMEs we work with, IT spend lands between 3 and 6 percent of revenue depending on industry. Professional services and finance firms run higher because of compliance and software costs. Trades and retail tend to run lower. There’s no universal right answer, only what’s right for your business and what needs to be enabled in the year ahead. We help clients build this through IT strategic planning sessions, usually run in late June or early July.

A quick reference table

| Item | Owner | Deadline | Effort |
| --- | --- | --- | --- |
| Backup restore test | IT / MSP | Mid-June 2026 | 2-3 hours |
| Asset register reconciliation | IT + Finance | 20 June 2026 | Half day |
| Subscription and licence audit | IT / MSP | 15 June 2026 | 1-2 hours |
| Decommission unused services | IT / MSP | 25 June 2026 | Variable |
| Hardware refresh planning | IT + Business owner | End May 2026 | Half day |
| Capex vs opex review | Finance + IT | 20 June 2026 | 1-2 hours |
| Depreciation schedule handover | Finance + Accountant | 30 June 2026 | Brief |
| Renewal calendar build | IT / MSP | 15 June 2026 | 1 hour |
| Cyber posture review | IT / MSP | End June 2026 | Half day |
| FY27 budget and roadmap | Business owner + IT | 15 July 2026 | Half day |

How TechAssist runs EOFY for our managed clients

We’ve been doing this since 2014. The standard EOFY cycle for our managed IT services clients in Melbourne runs across May and June. Your account engineer schedules the backup test, pulls the licence and subscription report from our PSA, generates the reconciled asset list, and books a 60-minute review with you and your finance lead. We hand the asset register and the FY26 IT spend summary directly to your accountant if you want us to.

For context: TechAssist has 13 engineers, all employed in Australia (no offshoring), and our 24/7 Network Operations Centre runs from Tecoma in the Dandenong Ranges. Our P1 response target is under 15 minutes and we publish it openly in our pricing and SLA. The model is per-user, fixed monthly — which makes the EOFY conversation about value delivered, not surprise invoices.

If you’re not on a managed agreement and you’d like to run a one-off EOFY IT review before 30 June 2026, we offer that too. It’s a fixed-scope engagement that gives you the reconciled asset list, the subscription audit, the backup verification, and a written summary your accountant can use. Call 1300 028 324 or use the form at contact.

Common mistakes we see at EOFY

A few patterns repeat every year. Worth flagging so you can avoid them.

  • Buying hardware on 28 June without checking install-by dates. If the asset has to be installed and ready for use by 30 June for a particular tax treatment, a laptop sitting in a delivery van doesn’t qualify. Order earlier.
  • Cancelling subscriptions on the last day of the month. Most SaaS billing runs monthly anniversaries, not calendar months. You’ll often still be billed for July. Cancel mid-month with explicit confirmation of when access ends.
  • Treating the asset register as IT’s problem. If finance doesn’t have an accurate fixed asset register, your accountant is guessing. This is a joint exercise, not a handoff.
  • Skipping the backup test because backups “looked green”. A green dashboard proves the job ran, not that the data comes back. Test the restore: pick a real set of files, restore them somewhere harmless, and confirm they open and match what was backed up.
  • Promising a major rollout starts 1 July. Nothing major should start on day one of the financial year. Your team is exhausted, suppliers are slow, and finance is busy. Start mid-July at the earliest.
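
A restore test as a script, added here as an example and not TechAssist’s own tooling. It packs a constructed sample file set into a tar archive with a SHA-256 manifest (standing in for the backup job), restores the archive into a scratch directory, and checks every file against the manifest, which is the evidence a green dashboard never gives you. A second archive with one file silently truncated shows what a failing test reports. The file names and contents are made up for the example.

```python
"""Restore-test a backup archive against its hash manifest.

Added example (not TechAssist's own tooling). A green backup job proves the job
ran; only a restore proves the data comes back. This restores an archive into a
scratch directory and verifies every file against the SHA-256 manifest captured
at backup time, returning a result that can be filed as evidence of the test.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(files):
    """Stand-in for the backup job: returns (tar.gz bytes, {path: sha256}).

    A real job should write the manifest at backup time and keep it somewhere
    the backup itself cannot overwrite."""
    manifest = {}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[rel] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def restore_and_verify(archive_bytes, manifest):
    """Restore into a fresh temp dir and compare every manifest entry.

    Returns {'ok', 'missing', 'corrupted', 'unexpected'}; 'ok' is True only when
    nothing is missing or corrupted. Extra files are reported but do not fail."""
    result = {"ok": False, "missing": [], "corrupted": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.realpath(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            # A restore test must never write outside the scratch directory,
            # so reject '../' and absolute member names before extracting.
            for member in tar.getmembers():
                target = os.path.realpath(os.path.join(root, member.name))
                if os.path.commonpath([root, target]) != root:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            # Use the safer 'data' extraction filter where this Python has it.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(root, **extra)
        restored = set()
        for dirpath, _, names in os.walk(root):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                restored.add(rel.replace(os.sep, "/"))
        for rel, expected in manifest.items():
            if rel not in restored:
                result["missing"].append(rel)
            elif sha256_of(os.path.join(root, rel)) != expected:
                result["corrupted"].append(rel)
        result["unexpected"] = sorted(restored - set(manifest))
    result["ok"] = not (result["missing"] or result["corrupted"])
    return result


# Constructed sample data: a tiny file share, plus a 'backup' where one file was
# truncated after the manifest was taken (what a bad disk or a partial write does).
SAMPLE_FILES = {
    "finance/fy26-asset-register.csv": b"asset,purchased,cost\nLaptop-07,2025-09-01,2199\n",
    "hr/policies/acceptable-use.txt": b"Acceptable use policy v3\n",
}
GOOD_ARCHIVE, MANIFEST = build_backup(SAMPLE_FILES)
BAD_ARCHIVE, _ = build_backup(
    dict(SAMPLE_FILES, **{"finance/fy26-asset-register.csv": b"asset,purchased,cost\n"})
)

if __name__ == "__main__":
    for label, archive in (("good", GOOD_ARCHIVE), ("bad", BAD_ARCHIVE)):
        print(label, restore_and_verify(archive, MANIFEST))
```

The result dictionary is the artefact to keep: a dated copy of it alongside the manifest is the written evidence that the restore was tested, which is what an auditor or insurer will ask for after an incident. The path check before extraction matters because a restore test that can be tricked into writing outside its scratch directory is itself an attack surface.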

What good looks like on 1 July

If you’ve done the work, here’s what your first week of July 2026 looks like. Backups tested and documented. Asset register matches finance’s books. Every active subscription is justified and right-sized. Decommissioned services no longer billing. Renewal calendar visible 12 months out. Cyber posture documented against the Essential Eight. FY27 budget signed off with three buckets and a contingency. Your accountant has clean numbers. Your team isn’t scrambling.

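The anniversary-billing trap from the list above and the 12-month renewal calendar, as an added example rather than TechAssist’s PSA report. Each subscription is modelled with its start date (which fixes the billing anniversary), cadence in months and a notice period; the three subscriptions and the dates are constructed sample data. renewal_calendar lists every charge in the next 12 months with the last day a cancellation can be lodged to avoid it, and charged_if_cancelled answers the 30 June question for one subscription. The notice rule (a charge is avoided only if the cancellation is lodged at least notice_days before it) is an assumption for the example; the real rule is in each vendor’s terms.

```python
"""Renewal calendar and 'will I still be charged?' check for SaaS subscriptions.

Added example, not TechAssist's PSA report. Each subscription bills on its own
anniversary day, so the EOFY question is 'when is the next charge after my
cancel date, and did I give enough notice', not 'what month is it'.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Subscription:
    name: str
    started: date      # first charge; its day-of-month is the billing anniversary
    months: int        # cadence in months: 1 = monthly, 12 = annual
    notice_days: int   # assumed rule: cancel at least this many days before a charge


def _clamp(year, month, day):
    """An anniversary on the 29th-31st lands on the last day of shorter months."""
    return date(year, month, min(day, calendar.monthrange(year, month)[1]))


def charge_dates(sub, after, until):
    """Charge dates d with after < d <= until.

    Each date is computed from the original start date, not from the previous
    charge, so a 31st anniversary returns to the 31st after February."""
    out, n = [], 0
    while True:
        total = sub.started.year * 12 + (sub.started.month - 1) + n
        d = _clamp(total // 12, total % 12 + 1, sub.started.day)
        if d > until:
            return out
        if d > after:
            out.append(d)
        n += sub.months


def cancel_by(sub, charge):
    """Last day a cancellation can be lodged and still avoid that charge."""
    return charge - timedelta(days=sub.notice_days)


def renewal_calendar(subs, today, months=12):
    """Every charge in the next `months`, soonest first: (charge, name, cancel-by)."""
    total = today.year * 12 + (today.month - 1) + months
    horizon = _clamp(total // 12, total % 12 + 1, today.day)
    rows = [(d, s.name, cancel_by(s, d))
            for s in subs for d in charge_dates(s, today, horizon)]
    return sorted(rows)


def charged_if_cancelled(sub, cancel_on, until):
    """Charges up to `until` that still land if cancellation is lodged on cancel_on."""
    return [d for d in charge_dates(sub, cancel_on, until)
            if cancel_on > cancel_by(sub, d)]


# Constructed sample: three subscriptions as they might appear in a PSA export.
SUBS = [
    Subscription("Design suite (3 seats)", date(2024, 7, 10), 1, 14),
    Subscription("Backup SaaS", date(2023, 8, 31), 1, 0),
    Subscription("Accounting platform", date(2025, 9, 1), 12, 30),
]
EOFY = date(2026, 6, 30)
MID_JUNE = date(2026, 6, 15)
JULY_END = date(2026, 7, 31)

if __name__ == "__main__":
    for charge, name, by in renewal_calendar(SUBS, EOFY):
        print(f"{charge}  {name:<24} cancel by {by}")
    for when in (EOFY, MID_JUNE):
        hit = charged_if_cancelled(SUBS[0], when, JULY_END)
        print(f"cancel {SUBS[0].name} on {when}: July charges {[str(d) for d in hit]}")
```

The cancel-by column is the useful output: the cut-off runs on the vendor’s notice clock, not the calendar month. In the sample, a 10 July anniversary with 14 days’ notice makes 26 June the last safe day, so a cancellation lodged on 30 June still pays for July, while the zero-notice subscription billed on the 31st is safely cancelled any time before 31 July.
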
That’s the standard. It’s not glamorous and it doesn’t make headlines. It does mean July starts calm instead of chaotic, and that’s worth a fortnight of June effort.

Frequently asked questions

What’s the instant asset write-off threshold for FY26?

The instant asset write-off rules change regularly. The threshold has been changed by federal budget announcements several times in recent years and may change again. Rather than quote a figure that may be out of date by the time you read this, check the current threshold on the ATO website or ask your accountant. The principle stays the same: assets under a certain dollar value, installed and ready for use by 30 June, may be eligible for immediate deduction rather than depreciation over multiple years. Your accountant will tell you whether it applies to your situation.

How does depreciation work for IT assets like laptops and servers?

The ATO publishes effective life determinations for each asset class; laptops are on a shorter life than desktops, and servers and network equipment have their own entries, so take the figures from the current determination rather than a rule of thumb. Your accountant chooses between prime cost (straight-line) and diminishing value methods, and may apply small business depreciation concessions if you qualify. Your job is to give them an accurate asset list with purchase dates, prices, and disposal dates. The maths is their job.

When’s the best time to budget IT spend for the new financial year?

May and June, before 30 June. You want the FY27 budget signed off before the new financial year starts so July doesn’t begin with uncertainty. The inputs are the items in this checklist: reconciled asset list, subscription audit, renewal calendar, refresh plan, cyber posture review. With those in hand, a half-day workshop with your business owner and IT lead is usually enough to land a defensible FY27 number.

Should I buy laptops before 30 June 2026 for tax reasons?

Talk to your accountant. If the asset is genuinely needed and you’re going to buy it anyway, timing the purchase before 30 June may have tax benefits depending on the current rules and your business structure. If you’re buying purely to chase a deduction, that’s a worse decision than it sounds, because you’ve spent real cash to save a fraction of it in tax. We can help you decide whether the hardware is genuinely needed; your accountant decides whether the timing helps your tax position.

How long does an EOFY IT review take?

For a typical 20-50 user Melbourne SME, the review itself is half a day of work from your IT provider plus a 60-90 minute joint session with finance. Remediation (cancelling subscriptions, scheduling decommissions, organising hardware orders) is usually another half day across the month. Start in mid-May and you’ve got comfortable runway. Start on 25 June and you’ll be cutting corners.

Closing thought

EOFY IT prep is one of those tasks where the value isn’t in any single item, it’s in doing all of them properly. A clean asset register makes depreciation accurate. An honest subscription audit makes the FY27 budget defensible. A tested backup, with at least one copy offline or immutable so an intruder who reaches your network can’t delete it first, means the next ransomware incident is a Tuesday inconvenience instead of a business-ending event. None of it is exciting. All of it compounds.

If you’d like a hand running through this before 30 June 2026, get in touch via our contact page or call 1300 028 324. We’ll tell you straight whether you need our help or whether you’ve already got it sorted.
