SMB IT audit: the 10 points we look at first
The IT audit grid Macinwork runs through during the 1-3 half-day initial assessment. Identity, endpoints, backup, security, governance.
When a leader or operations head calls us for the first time, the underlying question is almost never “is my IT working?” — it’s working, otherwise you’d have called sooner. The real question is: what is wrong that I don’t see. Here are the 10 points we look at first in our free initial IT audits.
1. Corporate identity
First reflex: who can sign in to what, and how. Is there a single identity provider (Entra ID, Okta, Google Workspace) or are accounts scattered across each tool? Is MFA mandatory for everyone, or only admins? Are there dormant accounts never disabled (former staff, departed contractors)?
On the SMBs we onboard, this is the point most often found degraded: around six in ten organizations that believe they are compliant discover that 10-25% of their accounts are dormant, still enabled, and without MFA.
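The dormant-account and MFA check described above, as an added example rather than code from the original post or from Macinwork. It runs over a constructed user export shaped like a flattened Entra ID or Okta user list with the MFA registration report joined in; the accounts, the 90-day dormancy threshold and the red/orange rating rule are assumptions, not values the post states. It flags enabled accounts that are dormant or have no MFA, rates privileged accounts red and the rest orange, and reports the "dormant, still active, no MFA" percentage the post quotes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumption: the post gives no dormancy threshold; 90 days without a sign-in is a common audit cut-off.
DORMANT_DAYS = 90


@dataclass
class Account:
    upn: str                          # user principal name / login
    enabled: bool                     # account still allowed to sign in
    last_sign_in: Optional[datetime]  # None = never signed in
    mfa_registered: bool              # at least one MFA method enrolled
    is_admin: bool                    # holds a privileged role


# Constructed sample export (not real data), shaped like a flattened
# Entra ID / Okta user list with the MFA registration report joined in.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("ceo@example.com",        True,  NOW - timedelta(days=1),   True,  False),
    Account("it-admin@example.com",   True,  NOW - timedelta(days=2),   True,  True),
    Account("old-admin@example.com",  True,  NOW - timedelta(days=200), False, True),
    Account("ex-intern@example.com",  True,  NOW - timedelta(days=140), False, False),
    Account("contractor@example.com", True,  None,                      False, False),
    Account("left-2023@example.com",  False, NOW - timedelta(days=400), False, False),
    Account("sales@example.com",      True,  NOW - timedelta(days=3),   False, False),
]

Finding = Tuple[str, str, str]  # (severity, account, description)


def is_dormant(acct: Account, now: datetime, dormant_days: int) -> bool:
    """An account that never signed in, or not within dormant_days, is dormant."""
    if acct.last_sign_in is None:
        return True
    return (now - acct.last_sign_in).days > dormant_days


def audit_accounts(accounts: List[Account], now: datetime = NOW,
                   dormant_days: int = DORMANT_DAYS):
    """Return (findings, summary). Disabled accounts are already offboarded and are
    skipped; findings on privileged accounts are rated red, everything else orange."""
    findings: List[Finding] = []
    enabled = [a for a in accounts if a.enabled]
    dormant = no_mfa = dormant_no_mfa = 0
    for a in enabled:
        sev = "red" if a.is_admin else "orange"
        d = is_dormant(a, now, dormant_days)
        if d:
            dormant += 1
            findings.append((sev, a.upn, f"dormant: no sign-in in {dormant_days} days, still enabled"))
        if not a.mfa_registered:
            no_mfa += 1
            findings.append((sev, a.upn, "no MFA method registered"))
        if d and not a.mfa_registered:
            dormant_no_mfa += 1
    summary = {
        "enabled": len(enabled),
        "dormant": dormant,
        "no_mfa": no_mfa,
        "dormant_no_mfa": dormant_no_mfa,
        # the figure the post quotes: dormant accounts, still active, without MFA
        "dormant_no_mfa_pct": round(100.0 * dormant_no_mfa / len(enabled), 1) if enabled else 0.0,
    }
    return findings, summary


if __name__ == "__main__":
    found, stats = audit_accounts(SAMPLE)
    for sev, upn, what in sorted(found):
        print(f"[{sev:6}] {upn}: {what}")
    print(stats)
```

In a real audit the list comes from the identity provider's user and MFA-registration exports; the same logic applies whatever the source, and the disabled account left out of the findings is the expected state of a correctly offboarded leaver.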
2. Endpoint management (MDM)
A modern IT estate runs on an MDM (Kandji, Jamf, Microsoft Intune). We check: how many endpoints are enrolled in the MDM, how many escape it (BYOD, contractor laptops, legacy machines), what the actual disk-encryption rate is (FileVault on Mac, BitLocker on PC), and how long critical OS updates take, on average, to be applied across the fleet.
A mature 50-staff SMB should have 95%+ endpoints under MDM, 100% encryption, and a critical-update window under 14 days.
3. Endpoint security (EDR)
Is an EDR (Microsoft Defender, CrowdStrike, SentinelOne) deployed on every endpoint? Are alerts supervised (by the org or an MDR) or piling up in a console no one reads? Does coverage include Macs (still too often forgotten on the assumption they don’t need it)?
4. Backup
The point most often found outright broken. Is the 3-2-1 rule respected (three copies, on two different media, one of them off-site)? Are restores actually tested, rather than backup jobs merely reported as successful? Is there ransomware protection: immutable or offline copies, and backup credentials kept separate from the identity provider and from domain admin accounts, so that an attacker who owns the directory cannot also delete the backups? How long would a full restoration of the IT estate take (recovery time objective), and how much data would be lost (recovery point objective)?
Many SMBs think they are backed up because they "have OneDrive". A OneDrive sync is not a backup: ransomware encrypts the local files and the sync client replicates the encrypted versions to OneDrive. Version history and the recycle bin may let you roll back after a single incident, but they have retention limits, are not under your control, and cannot be relied on against an attacker who holds the account itself.
5. Connectivity and network
Primary internet link: type, speed, provider, contract. Is there a backup link (4G/5G, second operator) with auto-failover? Is the firewall up to date, supervised, with documented rules? Is Wi-Fi segmented (staff, guests, IoT, payment)?
6. Email and collaboration
Workspace or Microsoft 365: are sender authentication records published and enforced (SPF, DKIM, and a DMARC policy that actually quarantines or rejects; a DMARC record at p=none only monitors and stops no spoofing)? Are the platform's anti-spam and anti-phishing protections configured (Defender for Office 365, the Workspace Security Center)? Is external file sharing controlled (link expiry, audit of links shared with "anyone")? Do Teams/Drive groups have governance (controlled creation, archival of inactive ones)?
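The SPF and DMARC part of that check, as an added example that is not code from the original post or from Macinwork. It grades two constructed pairs of DNS TXT records (a weak one and a corrected one; the domains and mailbox addresses are made up) on the post's red/orange/green scale: the SPF `all` qualifier and the 10-lookup limit, and the DMARC `p` policy, reporting address and `pct`. DKIM is left out on purpose, because checking it needs the selector name, which depends on the sending platform. In a real audit the records come from `dig TXT example.com` and `dig TXT _dmarc.example.com`.

```python
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, explanation) on the post's red / orange / green scale
SEVERITY = {"green": 0, "orange": 1, "red": 2}

# Constructed TXT records (made-up domains and addresses): a weak pair and a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net a mx ptr +all"
GOOD_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> List[Finding]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("red", "not an SPF record (must start with v=spf1)")]
    findings: List[Finding] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"  # the default qualifier is pass
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        # strip ":domain", "=value" and "/prefix" to get the bare mechanism name
        name = t.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(("orange", "ptr mechanism is deprecated, slow and unreliable"))
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(("red", f"{lookups} DNS-lookup terms, over the limit of 10: receivers return permerror"))
    if all_qualifier is None:
        findings.append(("orange", "no 'all' term: unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("red", "+all: any server on the internet passes SPF for this domain"))
    elif all_qualifier == "?":
        findings.append(("orange", "?all: neutral, unlisted senders are not failed"))
    elif all_qualifier == "~":
        findings.append(("green", "~all: softfail, unlisted senders are marked but not refused; -all is stricter"))
    else:
        findings.append(("green", "-all: unlisted senders fail"))
    return findings


def check_dmarc(record: str) -> List[Finding]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [("red", "not a DMARC record (must start with v=DMARC1)")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(("green", "p=reject: mail failing SPF/DKIM alignment is refused"))
    elif policy == "quarantine":
        findings.append(("green", "p=quarantine: failing mail goes to spam; reject is the end state"))
    elif policy == "none":
        findings.append(("orange", "p=none: monitoring only, spoofed mail is still delivered"))
    else:
        findings.append(("red", "missing or invalid p tag: receivers ignore the record"))
    if "rua" not in tags:
        findings.append(("orange", "no rua: no aggregate reports, so you cannot see who sends as you"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("orange", f"pct={pct}: policy applied to only a sample of messages"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Worst severity across the findings: the colour the audit grid shows for this point."""
    return max((sev for sev, _ in findings), key=SEVERITY.__getitem__, default="green")


if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, check_spf), ("good SPF", GOOD_SPF, check_spf),
                           ("weak DMARC", WEAK_DMARC, check_dmarc), ("good DMARC", GOOD_DMARC, check_dmarc)]:
        fs = fn(rec)
        print(f"{label}: {verdict(fs)}")
        for sev, why in fs:
            print(f"   [{sev}] {why}")
```

The weak pair is the state we most often find: SPF ending in +all (so SPF passes for everyone) next to a DMARC record that was published at p=none "to start with" and never moved to quarantine or reject.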
7. Business SaaS and subscriptions
The organization typically pays for 15-30 different SaaS: Notion, Slack, Linear, Figma, HubSpot, Pipedrive, Asana, etc. We map: who pays for what (often scattered between corporate and personal cards), who has admin access, how to offboard a leaver from all these tools, what redundancies exist (two tools doing the same job).
8. ERP and production tools
Highly business-specific: Business Central, Sage, Cegid, QuickBooks for finance; Shopify, Magento, WooCommerce for commerce; Salesforce, HubSpot, Pipedrive for sales. We check the version (often outdated, sometimes with known, unpatched security vulnerabilities), the EDI or API integrations and the credentials they run under, and the total cost of ownership.
9. Governance and documentation
Is there an up-to-date map of the IT estate? Are critical procedures (onboarding, offboarding, incident handling, restoration) documented and tested? Is GDPR handled (records of processing activities, a DPO where required, a public privacy policy that matches actual practice)? Is sectoral compliance covered (NIS2 for entities in scope, ISO 27001 where clients require it)?
10. The crisis cell
The final, most revealing test: if ransomware fires overnight, who do you call, at what hour, with which access (and which of that access still works if the directory itself is compromised), in what order? Almost no SMB has a clear answer to that question, and that is precisely the point of an IT audit: to make it clear.
What we deliver
The Macinwork initial IT audit takes 1-3 half-days on site and produces a structured deliverable: existing-IT map, risk identification by criticality (red / orange / green), 12-month costed action plan with prioritization, recommendation of engagement model (time-and-materials, package, managed subscription). It’s free. What happens next — you entrust us with one workstream, several, or none — is up to you.
The form at the bottom of the home page is there to start that conversation.
Read next
More on modern SMB IT management.
Modernizing a corporate Mac fleet with Kandji and Apple Business Manager
Field report: moving from manual Mac management to a fully MDM-driven fleet. Zero-touch onboarding, hardened security, measurable time savings.
Why replace your corporate VPN with Zero Trust Network Access (ZTNA)
The classic corporate VPN is a 25-year-old design that no longer fits. ZTNA (Cloudflare Access, Tailscale, Zscaler) offers a finer, safer, better-UX model.
Opening a retail store: the IT checklist in two weeks
Network, segmented Wi-Fi, Shopify POS, payment, video surveillance, backups: what to plan so a new store is operational on day one.