What Is an IT Audit?
An IT audit is a thorough check of an organisation's IT systems, infrastructure, policies, and operations. It assesses whether systems are secure, reliable, and fit for purpose. Then, it identifies risks, gaps, and areas where you need to dedicate investment or attention.
This article explains what an information technology audit involves for a small or medium-sized business and when you should run one. It also includes a practical IT audit checklist for small businesses, which covers 8 areas to address. If you already know what an IT audit is and have come here for the checklist, skip ahead to the relevant section.
What Is an IT Audit (and Why Do SMBs Need One)?
IT audits are not exclusively compliance-oriented. For larger organisations, technology auditing frequently falls under a broader regulatory framework. For SMBs, the more immediate value is operational: knowing what your business truly depends on, where it is exposed, and whether your systems can support what you need them to do next.
The business case is straightforward. A Gartner Peer Community survey found that 93% of teams with experience of technical debt are still carrying it. McKinsey & Company research found that tech debt can account for up to 40% of the total value of an organisation's technology estate. Neither of these is an enterprise problem, as both show up in businesses of every size, and it's much easier to address them if you identify them early on.
A tech audit also gives leadership a shared picture of the IT estate, which matters more than it sounds. In most SMBs, IT knowledge is distributed unevenly across a small number of people, and the gap between what management thinks the systems do and what they actually do tends to widen over time.
For more on how systems get into this position in the first place, see our guide to what a legacy system is. An audit also pairs naturally with a structured IT risk assessment for SMBs, which scores the likelihood and impact of the issues an audit surfaces.
When Should You Run an IT Audit?
For most small and medium-sized businesses, an annual IT audit is a good starting point. Apart from that, there are several situations when it's worth it to run one regardless of when you did it previously.
- Before scaling or adding headcount. Systems that work for 20 people may not work for 50, so a technology audit before a growth phase will surface bottlenecks and risks before they become urgent.
- After a security incident. If there was a phishing attack, a data breach, or a near-miss, it's time to review what was in place, what failed, and what else might be exposed.
- Before changing a key supplier or platform. If you are replacing your ERP, moving to a new cloud provider, or switching IT support, an audit gives you an accurate picture of your starting point.
- Before a merger, acquisition, or investment round. IT due diligence is standard in M&A. Running your own audit beforehand means that you're not going to discover problems at the worst possible moment.
- When the IT environment has not been formally reviewed in over two years. For most SMBs, two years without a structured review is enough time for meaningful risk to accumulate quietly.
The IT Audit Checklist: 8 Areas to Review
The checklist below covers the areas that matter most when you audit IT systems in a small or medium-sized business. The questions are designed to be answered without specialist knowledge, though some will require input from whoever manages your IT.
Work through each section and note: what you have confirmed, what you cannot answer, and what needs attention.
1. Hardware and Infrastructure
This section of the IT infrastructure audit checklist addresses the physical and hosted foundation your business runs on.
- What is the age of your servers, network equipment, and core hardware? Anything older than five years deserves attention.
- Is any hardware end-of-life or approaching it, with no replacement plan in place?
- Do you know when the capacity you currently have will become a limitation? Do you have documented capacity for storage, processing, and bandwidth?
- Is there a tested disaster recovery plan that includes hardware failure scenarios?
- If you use on-premise infrastructure, is it physically secure, temperature-controlled, and protected against power failure?
2. Software and Licensing
- Is all software in active use still supported by the vendor? The NCSC identifies end-of-life and unsupported software as one of the most common exploitable entry points in UK cyber incidents — and the scale of the problem is growing: the NCSC's Annual Review 2025 reported 204 nationally significant attacks in the year to August 2025, up from 89 the year before.
- Do you have an accurate, up-to-date inventory of all software in use across the business?
- Are the licenses up-to-date and appropriately sized for their intended purpose?
- Are any business-related applications installed or utilised by staff members without formal IT awareness or approval?
- Are any business-critical processes running on software that has not been updated in over 12 months?
A common example: an accounting firm is still running a version of Sage two major releases behind, with no upgrade planned because the migration seems disruptive. The licensing cost is minor compared to the security and operational risk.
3. Security and Access Controls
This is the IT security audit checklist section, which is the area that tends to carry the most immediate risk.
- Is multi-factor authentication (MFA) enforced for all remote access, email, and business-critical systems?
- Are password policies documented and enforced with minimum length, complexity, and rotation?
- Are user access rights reviewed regularly? Are accounts that were previously held by former employees, contractors, or suppliers still active?
- Is data encrypted in transit and at rest, particularly for sensitive customer or financial data?
- Are you working towards or certified under Cyber Essentials, the UK Government-backed scheme? Designed to defend against the most prevalent internet-based threats, it is based on five technical controls: patch management, malware protection, user access control, firewalls, and secure configuration.
- Is there a documented process for revoking access when someone leaves?
4. Data Management and Backup
- Do you back up all of your business-critical data automatically?
- When were backups last tested by restoring from them? An untested backup isn't trustworthy.
- Do you have defined recovery point objectives (how much data you can afford to lose) and recovery time objectives (how long you can afford to be down)?
- Where are backups stored? If they are on the same physical site as the primary data, a fire or flood will affect both.
- Do your data retention practices comply with the ICO's guidance on storage limitation under UK GDPR? The ICO does not set fixed retention periods, but requires organisations to document how long they keep each category of personal data and why. It also prompts to delete or anonymise it when that period ends.
5. Network and Connectivity
- Is your firewall configuration current and documented? Has it been reviewed in the past 12 months?
- Is remote access controlled through a VPN or equivalent, with MFA enforced?
- Does the network have a segmentation mechanism that prevents a breach in one area from granting access to all other areas?
- Is there monitoring in place to alert on unusual activity, such as failed login attempts, large data transfers, and access outside normal hours?
- Is bandwidth adequate for current usage patterns, including remote working?
A logistics business that expanded remote access quickly without reviewing its VPN configuration is a recurring pattern in SMB security incidents. Access has been established, it functions properly, and there is no assessment of its security.
6. Compliance and Regulatory
- Are you meeting your obligations under UK GDPR, including data subject rights, breach notification timelines, and lawful basis for processing?
- Do you have a current record of processing activities (ROPA)?
- Are there industry-specific regulatory requirements that apply to your business (financial services, healthcare, legal) that you are confident you are meeting?
- Are contracts with suppliers and data processors up to date?
- Have staff received data protection and security awareness training in the past 12 months?
7. IT Policies and Documentation
This IT department audit checklist part is where most SMBs have the most gaps. The absence of documentation is a risk in itself, and it compounds when staff leave or systems need to be recovered.
- Is there a documented acceptable use policy that staff have acknowledged?
- Do you have an incident response plan, i.e., a written process for what to do when something goes wrong?
- Is there a disaster recovery plan that has been both written and tested?
- Are vendor contracts, SLAs, and renewal dates tracked in one place?
- Is there documentation for how critical systems are configured, so that if the person who set them up leaves, someone else can maintain them?
8. Team and Skills
- Is there a single person whose departure would leave the business unable to maintain or recover a critical system?
- Do you have a clear picture of which IT functions are covered internally, which are handled by external suppliers, and where the gaps are?
- When did staff last receive training relevant to the systems and tools they use daily?
- Do you have active support contracts in place with your key IT suppliers, and have those contracts been reviewed in the past 12 months?
- Is there a contingency plan for key IT roles, whether internal or external?
This connects directly to the technical debt that accumulates when systems are maintained by individuals rather than documented processes.
How to Use Your Audit Results
An audit produces a list of findings, and what matters is how you act on them. A useful framework consists of three categories.
- Fix now. Issues that carry immediate security, legal, or operational risk, such as unsupported software, unpatched systems, MFA not enforced on remote access, and backups that have never been tested. These should not sit on a planning list.
- Plan for. Issues that are real but not immediately critical, like ageing hardware with remaining useful life, licensing gaps, and undocumented processes, need a timeline and an owner.
- Monitor. Areas that are currently acceptable but require periodic review, e.g., capacity planning, compliance, and vendor contracts coming up for renewal.
The first category's findings are frequently underestimated because the systems are still operational, yet a system that has never failed is not equivalent to a system that is low-risk. For a fuller picture of how inherited IT problems accumulate over time, see our guide to technical debt.
When to Bring in Outside Help
A checklist like this is useful as a starting point because it explains what to look at. However, it does not always tell you what you are looking at when you get there.
External help is worth considering when:
- your IT environment has grown faster than your internal capability to manage it;
- you rely entirely on a single managed service provider whose work has never been independently reviewed;
- you have had a security incident or near-miss;
- you are preparing for growth, M&A activity, or an investment round;
- your last formal review was more than two years ago.
Regarding cost and timelines, for an SMB, a structured IT audit typically takes between one and three weeks, depending on the scope and the complexity of the environment. It's best to focus an initial assessment on the highest-risk areas rather than start with a comprehensive review. In nearly all cases, the cost of that assessment is less than the cost of the initial incident that it helps you avoid.
Key Takeaways
- An IT audit is a structured review of your systems, security, policies, and operations, not just a compliance exercise.
- For UK SMBs, the main value is identifying risk before it becomes an incident, and understanding what your business actually depends on.
- The eight areas that matter most: hardware and infrastructure, software and licensing, security and access controls, data and backup, network and connectivity, compliance, IT policies and documentation, and team and skills.
- Audit findings should be prioritised by risk and business impact: fix now, plan for, or monitor.
- If several areas produce findings you cannot confidently assess internally, an external review is worth the investment.
When you go through this list, it's normal to find more questions than answers. The purpose of an IT audit is not to confirm that everything is fine. Rather, it aims to give you an accurate picture of where your business stands.
