What Does an IT Audit Cover? A Guide for SMBs
2026-06-16 · IPCONNEX
Most small businesses come to us after something goes wrong — a ransomware incident, a departing employee who took data, a compliance letter, a server failure that revealed there was no working backup. An IT audit before any of those events would have identified the gap. More often than not, fixing a flagged issue costs a fraction of recovering from it.
But the audit itself isn't just a checklist of problems. The deliverable that matters is a documented baseline: a clear picture of what your infrastructure actually looks like, what's at risk, and a prioritized plan for addressing it.
What an IT Audit Covers
Network topology and segmentation. What's on your network? Are guest devices on the same segment as your servers? Is your firewall configured or still running factory defaults? We map the network, identify devices, and check for segmentation gaps that let a compromised workstation reach your file server directly.
Endpoint inventory. A surprising number of organizations don't have an accurate count of their own devices. Workstations, laptops, printers, IP cameras, network switches — anything that touches your network is a potential entry point. We catalog everything, check OS versions and patch status, and flag anything that's past end-of-life (Windows 10 support ended on October 14, 2025; devices still running it no longer receive security updates and count as an unpatched vulnerability).
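As an added example (this is not IPCONNEX's tooling), here is the domain-joined half of that inventory in PowerShell: it pulls every enabled computer object from Active Directory, flags machines that have not authenticated in 90 days, and matches the OS string against a small end-of-life table. The table, the 90-day threshold and the LTSC exclusion are assumptions for the example; confirm the dates against Microsoft's lifecycle pages before relying on them.

```powershell
# Added example, not IPCONNEX's own script. Assumes the RSAT ActiveDirectory module
# and a domain account with read access to computer objects.
Import-Module ActiveDirectory

# End-of-support dates for mainstream editions (assumed table for this example).
# Windows 10 LTSC editions are supported longer, so they are excluded below.
$EndOfLife = @(
    @{ Pattern = 'Windows 7';    Ended = '2020-01-14' },
    @{ Pattern = 'Windows 8\.1'; Ended = '2023-01-10' },
    @{ Pattern = 'Windows 10';   Ended = '2025-10-14' },
    @{ Pattern = 'Server 2008';  Ended = '2020-01-14' },
    @{ Pattern = 'Server 2012';  Ended = '2023-10-10' }
)
$Cutoff = (Get-Date).AddDays(-90)

$Computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, IPv4Address

$Report = foreach ($c in $Computers) {
    $os  = [string]$c.OperatingSystem
    $eol = $EndOfLife |
        Where-Object { $os -match $_.Pattern -and $os -notmatch 'LTSC' } |
        Select-Object -First 1
    [pscustomobject]@{
        Name         = $c.Name
        IPv4         = $c.IPv4Address
        OS           = $os
        Build        = $c.OperatingSystemVersion
        LastLogon    = $c.LastLogonDate
        # LastLogonDate comes from lastLogonTimestamp, accurate to about 14 days,
        # which is fine for a 90-day staleness test.
        Stale        = (-not $c.LastLogonDate) -or ($c.LastLogonDate -lt $Cutoff)
        EndOfLife    = [bool]$eol
        SupportEnded = if ($eol) { $eol.Ended } else { $null }
    }
}

# Objects AD knows about that have not checked in: retired hardware that was never
# cleaned up, or machines that left the domain and are now unmanaged.
$Report | Where-Object Stale |
    Export-Csv -Path stale-computers.csv -NoTypeInformation

# Unsupported OS versions that are still actively authenticating: high-severity finding.
$Report | Where-Object { $_.EndOfLife -and -not $_.Stale } |
    Export-Csv -Path eol-computers.csv -NoTypeInformation

# Quick distribution for the executive summary.
$Report | Group-Object OS | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

This only sees what is joined to the domain. Printers, cameras, switches and personal laptops never appear in AD, so the network half of the inventory (DHCP leases, switch MAC tables, a discovery scan of each subnet) is what catches the devices nobody remembered owning.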
Software licenses and shadow IT. What software is actually installed on your endpoints? This covers both compliance risk (unlicensed software can create liability) and security risk (outdated or unsupported applications are common attack vectors). We also look for shadow IT — tools people are using that IT doesn't know about, often because the official process was too slow.
Access controls and user account hygiene. Who has admin rights? How many people have them? Are there accounts for former employees still active in Active Directory or Microsoft 365? Are passwords shared? Is there a stale service account with domain admin privileges that nobody has touched in three years? Access control issues are among the most common and most easily exploited gaps we find.
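As an added example (not IPCONNEX's own script), this is the Active Directory side of that review in PowerShell: stale enabled accounts, everyone who lands in a privileged group through nested membership, service accounts that are both privileged and untouched, and accounts whose password never expires. The 90-day and one-year thresholds and the group list are assumptions for the example; Microsoft 365 accounts need a separate pass through the Microsoft Graph cmdlets.

```powershell
# Added example, not IPCONNEX's own script. Assumes the RSAT ActiveDirectory module
# and a domain account that can read users and group membership.
Import-Module ActiveDirectory

$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# 1. Enabled accounts with no logon in $StaleDays days. Accounts that never logged on
#    are judged by creation date so a user created yesterday is not flagged.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object {
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $last -lt $Cutoff
    } | Select-Object SamAccountName, LastLogonDate, whenCreated

# 2. Effective membership of privileged groups, nested groups resolved.
#    The answer to "how many people have admin rights?" is usually larger than expected.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators'
$Privileged = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
}
$PrivSam = @($Privileged.SamAccountName | Sort-Object -Unique)

# 3. Service accounts (anything with an SPN) that are privileged and either stale or
#    running on a password older than a year: the "domain admin service account
#    nobody has touched in three years" case. Kerberoastable and highly privileged.
$RiskySvc = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties PasswordLastSet, LastLogonDate |
    Where-Object {
        $PrivSam -contains $_.SamAccountName -and (
            (-not $_.PasswordLastSet) -or
            $_.PasswordLastSet -lt (Get-Date).AddYears(-1) -or
            (-not $_.LastLogonDate) -or
            $_.LastLogonDate -lt $Cutoff
        )
    } | Select-Object SamAccountName, PasswordLastSet, LastLogonDate

# 4. Enabled accounts whose password never expires: often shared logins or
#    forgotten service identities.
$NeverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
    Select-Object SamAccountName

# Export as evidence for the findings section.
$Stale        | Export-Csv -Path stale-users.csv              -NoTypeInformation
$Privileged   | Export-Csv -Path privileged-members.csv       -NoTypeInformation
$RiskySvc     | Export-Csv -Path risky-service-accounts.csv   -NoTypeInformation
$NeverExpires | Export-Csv -Path password-never-expires.csv   -NoTypeInformation

'{0} stale users, {1} privileged memberships ({2} distinct accounts), {3} risky service accounts, {4} never-expire passwords' -f `
    @($Stale).Count, @($Privileged).Count, $PrivSam.Count, @($RiskySvc).Count, @($NeverExpires).Count
```

Each CSV becomes an exhibit in the report: the stale list is cross-checked against HR's leaver list, and every name in the privileged list gets a one-line justification or a ticket to remove it.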
Backup verification. Not just "do you have backups" — but when was the last restore test? Where are the backups stored, and are they accessible from the same network segment that would be compromised in a ransomware attack? Are backups immutable? This section of an audit frequently surfaces the gap between "we have backups" (true) and "we can recover from a disaster" (not always true).
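Both the segmentation question above (can a compromised workstation reach the file server directly?) and the backup question (are backups reachable and writable from that same segment?) come down to one test run from the wrong place on purpose. As an added example, not IPCONNEX's own tooling, this PowerShell script is meant to run from an ordinary workstation on the user VLAN as a non-admin domain user, which is exactly where a phished employee's malware would be. The hostnames, ports and share path are assumed values for the example.

```powershell
# Added example, not IPCONNEX's own script. Run as a regular domain user on a
# workstation VLAN. Hostnames and the share are placeholders for this example.
$Targets = @(
    @{ Host = 'fs01.corp.example';     Port = 445;  Why = 'file server SMB' },
    @{ Host = 'fs01.corp.example';     Port = 3389; Why = 'file server RDP' },
    @{ Host = 'backup01.corp.example'; Port = 445;  Why = 'backup repository SMB' },
    @{ Host = 'backup01.corp.example'; Port = 22;   Why = 'backup appliance SSH' }
)
$BackupShare = '\\backup01.corp.example\Backups'

# 1. Which server ports answer from this segment? Every "Open = True" row is a path
#    that ransomware on this workstation could use without crossing a firewall.
$Reach = foreach ($t in $Targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $t.Host; Port = $t.Port; Purpose = $t.Why; Open = $r.TcpTestSucceeded }
}
$Reach | Format-Table -AutoSize

# 2. Can this ordinary user list, write to, and delete from the backup repository?
#    If all three succeed, the backups live inside the blast radius of a single
#    compromised user session and are not isolated, let alone immutable.
$Result = [ordered]@{ List = $false; Write = $false; Delete = $false; NewestBackup = $null }
if (Test-Path -Path $BackupShare) {
    $Result.List = $true
    $probe = Join-Path -Path $BackupShare -ChildPath ('audit-probe-{0}.txt' -f [guid]::NewGuid())
    try {
        Set-Content -Path $probe -Value 'audit probe' -ErrorAction Stop
        $Result.Write = $true
        Remove-Item -Path $probe -ErrorAction Stop
        $Result.Delete = $true
    } catch {
        # A failure here is the good outcome; leave $Result fields at $false.
    }

    # 3. Recency: a repository whose newest file is weeks old is not a working backup,
    #    whatever the backup job's status page says.
    $newest = Get-ChildItem -Path $BackupShare -Recurse -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $Result.NewestBackup = $newest.LastWriteTime
}
[pscustomobject]$Result
```

If Write succeeds but Delete fails, the probe file stays behind and should be removed by the backup administrator; note it in the findings rather than escalating privileges to clean it up. None of this replaces an actual restore test: reachability and recency tell you the backup exists and who can damage it, only restoring a sample set and comparing file hashes tells you it works.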
Security vulnerabilities. A vulnerability scan against your internal network and your public-facing services identifies known CVEs present in your environment. This isn't a penetration test: the scan is credentialed where we have host access and unauthenticated against internet-facing services, and it reports what is exposed and at what severity, not whether an attacker could actually chain those findings into access. Critical and high-severity findings get flagged for immediate attention.
Compliance gaps. For Quebec businesses, this increasingly means Law 25 (Bill 64): do you have a documented inventory of the personal information you hold, a privacy officer designated, a privacy impact assessment process for new projects, and a breach response procedure? Many SMBs haven't done the groundwork, and the Commission d'accès à l'information has started levying fines.
Internal Audit vs External Audit
An internal audit is conducted by your own IT staff or IT department. It's useful for routine reviews and has the advantage that the person doing it understands your environment. The limitation: it can't objectively assess what it was involved in building, and it often lacks the breadth of exposure to see how your setup compares to industry practice.
An external audit brings outside perspective. It's not a personal criticism of your IT team — it's a structured evaluation by someone who has seen hundreds of environments and can say with confidence "this is unusual" or "this is a configuration we see exploited regularly." For SMBs without dedicated IT staff, it's also the only realistic option for a serious assessment.
What the Deliverable Looks Like
A good audit report has two parts.
The first is the findings: a documented inventory of your infrastructure, identified vulnerabilities and gaps, severity ratings for each finding, and evidence (screenshots, scan outputs, configuration excerpts) to support each finding. This becomes your baseline. Future audits compare against it.
The second is the remediation plan: findings organized by priority (critical, high, medium, low), with recommended actions, estimated effort, and rough cost. Not every finding needs to be fixed immediately. The plan helps you allocate budget and effort where the risk reduction is greatest.
A good audit doesn't just hand you a list of problems — it tells you which ones to fix first.
What It Costs
For a small to medium business with 10-50 employees, a thorough external IT security assessment typically runs $1,500 to $5,000 depending on scope, environment complexity, and whether it includes a vulnerability scan component.
That range can feel significant for a small business. The comparison that matters: the average cost of a ransomware recovery for a small business in North America exceeded $200,000 USD in 2024, according to Coveware's quarterly reports — and that's for businesses that paid the ransom. The ones that didn't paid more in downtime.
An IT audit is not a guarantee against incidents. But it closes the known gaps systematically, which is a much better position than hoping nothing breaks.
How IPCONNEX Conducts Security Assessments
Our assessment process starts with a kickoff call to scope the engagement — which systems matter most, what your compliance obligations are, what incidents or near-misses you've had in the past year. We then run a combination of automated scanning and manual review across the areas above.
The output is a written report with an executive summary (two pages, readable without a technical background) and a detailed technical section with full findings and remediation steps. We walk through the report with you and your team, prioritize the remediation plan together, and can implement the fixes or work alongside your existing IT team.
If you don't know what's in your environment, you can't protect it. That's the actual reason to start with an audit.