June 18, 2026

IT Audit Checklist for Small Business: What to Review, Document, and Act On

An IT audit gives you a documented, accurate picture of where your technology stands, where it falls short, and what to address first. For small businesses preparing for HIPAA compliance, cyber insurance renewals, or CCPA documentation requirements, that picture is increasingly required rather than optional. This guide covers the full checklist of what gets reviewed, what to gather before the process begins, and what to do with the findings once they're in hand.

AllSafe IT has conducted IT audits and compliance reviews for businesses across Southern California for over 20 years, operating under the NIST Cybersecurity Framework with SOC 2 Type II compliance.

What an IT Audit Actually Covers

A security scan looks for technical vulnerabilities in real time. An IT audit covers something broader: a structured review of your technology infrastructure, access controls, policies, and compliance posture designed to document where you stand today and identify gaps that need to be addressed.

This is different from a penetration test, which actively tries to exploit vulnerabilities, and different from a financial audit, which focuses on revenue and reporting accuracy. An IT audit examines your full environment: hardware and software inventory, who has access to what, how data is protected, whether policies exist and are current, and whether your setup meets the compliance standards that apply to your industry.

The output of a well-run IT audit is three things: a documented state of your IT environment, a prioritized gap list, and a remediation plan. That documentation is what your insurance carrier asks for at renewal, what a regulator reviews during an inquiry, and what an incoming MSP uses to take ownership of a new client's environment.

Understanding scope is what makes preparation effective. The seven checklist areas below map directly to what auditors examine.

Before the Audit: What to Gather First

The most common reason small businesses struggle during IT audits is not a lack of security controls. It is a lack of documentation for the controls they already have. Getting organized before the audit begins cuts the process time in half.

Asset inventory: Start with a complete record of your technology environment. This covers hardware (servers, workstations, laptops, mobile devices, printers, and network equipment), software (licensed applications, SaaS subscriptions, and OS versions on each device), and cloud services (Microsoft 365, Google Workspace, and any third-party platform that stores or accesses business data). If a device or system isn't in the inventory, it won't be reviewed and gaps stay hidden.

Documentation baseline: Gather existing IT policies: acceptable use, password policy, incident response procedures, and vendor access guidelines. Pull current network diagrams and software license records. If these documents don't exist, their absence is a finding worth noting before the formal audit begins.

Access list: Pull a current export of all active user accounts across your main systems. Identify which accounts belong to current employees, which carry admin-level permissions, and which remain active for people who have left the organization. Most small businesses discover at least a few of the latter, and each one is an open door.


The IT Audit Checklist: Seven Core Review Areas

The areas below map to what IT auditors, compliance reviewers, and cyber insurance underwriters consistently examine. Work through each one, document the current state, and flag items that don't meet the standard described.

1. User Access Controls and Identity Management

Access permissions accumulate over time without anyone noticing. An employee changes roles and keeps their old access. A contractor finishes a project and their account stays active. Someone leaves the organization and IT isn't notified until weeks later. Findings in this category are nearly universal in small businesses that haven't reviewed access recently.

Check for:

  • Former employee accounts that are still active
  • Users with admin privileges who don't need them for their current role
  • Shared or generic login credentials used by multiple people
  • Systems where multi-factor authentication (MFA) is available but not enforced
  • Third-party vendor accounts with standing permissions and no defined expiration date
  • Password policy enforcement: minimum length, complexity, expiration, and reuse restrictions

MFA on email and admin accounts is the item that matters most in this section. Most cyber insurance carriers have made it a coverage condition, and the majority of documented credential-based attacks exploit accounts where MFA was available but never required.
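The access-list preparation step and the six checks above reduce to one reconciliation: compare the account export against the HR roster and flag what does not match the standard. The script below is an added example, not AllSafe IT's tooling; the CSV columns, account names and audit date are constructed, and the tiers follow the Immediate/High priority scheme used later in this guide.

```python
"""Access-review triage for the user access checklist (added example, not
AllSafe IT's tooling). It reconciles an exported account list against the
HR roster and flags former-employee accounts, admins without MFA, shared
logins, and vendor accounts with no expiration date."""
import csv
import io
from datetime import date

AUDIT_DATE = date(2026, 6, 18)  # constructed audit date

# Constructed account export. Column names are assumptions, not any
# product's schema; map your own export's columns onto them.
ACCOUNTS_CSV = """username,type,enabled,is_admin,mfa_enforced,expires
alice,employee,true,true,true,
bob,employee,true,false,true,
carol,employee,true,true,false,
erin,employee,true,false,true,
frontdesk,shared,true,false,false,
acme-support,vendor,true,true,false,
backupco,vendor,true,false,true,2026-12-31
dave,employee,false,false,true,
"""

# Constructed HR roster of current staff; erin and dave have left.
CURRENT_STAFF = {"alice", "bob", "carol"}


def parse_accounts(text: str) -> list[dict]:
    """Parse the export: true/false strings become bools, blank expiry None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("enabled", "is_admin", "mfa_enforced"):
            row[key] = row[key].strip().lower() == "true"
        row["expires"] = date.fromisoformat(row["expires"]) if row["expires"] else None
        rows.append(row)
    return rows


def review_access(accounts: list[dict], staff: set[str], today: date) -> list[dict]:
    """Return findings as {account, issue, tier}; disabled accounts are skipped."""
    findings = []

    def flag(acct: dict, issue: str, tier: str) -> None:
        findings.append({"account": acct["username"], "issue": issue, "tier": tier})

    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked, nothing to report
        if acct["type"] == "employee" and acct["username"] not in staff:
            flag(acct, "active account belongs to a former employee", "Immediate")
        if acct["is_admin"] and not acct["mfa_enforced"]:
            flag(acct, "admin account without MFA enforced", "Immediate")
        elif not acct["mfa_enforced"]:
            flag(acct, "MFA available but not enforced", "High")
        if acct["type"] == "shared":
            flag(acct, "shared credential used by multiple people", "High")
        if acct["type"] == "vendor" and acct["expires"] is None:
            flag(acct, "vendor access with no expiration date", "Immediate")
        elif acct["type"] == "vendor" and acct["expires"] < today:
            flag(acct, "vendor access past its expiration date", "Immediate")
    return findings


if __name__ == "__main__":
    for f in review_access(parse_accounts(ACCOUNTS_CSV), CURRENT_STAFF, AUDIT_DATE):
        print(f"[{f['tier']:9}] {f['account']}: {f['issue']}")
```

On the constructed data the run flags carol and acme-support (admins without MFA), erin (left the company, still enabled), acme-support again (no expiry) and frontdesk (shared login without MFA), while the disabled dave account and the time-limited backupco account pass.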

2. Endpoint Security and Patch Management

Every device that connects to your network is a potential entry point. The goal in this area is to confirm that every device is identified, protected, and receiving security updates.

Confirm EDR or antivirus is installed, active, and current on every device in the asset inventory. Identify any device running an unsupported operating system: Windows 10 reached end-of-life on October 14, 2025, which means it no longer receives security patches. Any Windows 10 device still in use is running an OS with known, publicly documented vulnerabilities and no vendor fix coming.

Third-party application patch status is a separate review item. Browsers, productivity suites, and plugins are commonly overlooked and frequently exploited. Confirm that mobile devices accessing company email or data are enrolled in a mobile device management (MDM) policy with remote wipe capability.
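The same triage applied to the asset inventory, as an added example that is not AllSafe IT's tooling: it flags devices on an operating system past vendor end-of-life, devices without active endpoint protection, devices with no recent security updates, and mobile devices that are not MDM-enrolled. The inventory fields, host names, audit date and 30-day patch window are constructed assumptions; the Windows 10 end-of-life date is the one cited above.

```python
"""Endpoint and patch-status triage for the endpoint checklist (added example,
not AllSafe IT's tooling). It walks a constructed asset inventory and flags
devices on an OS past vendor end-of-life, devices without active endpoint
protection, stale patching, and mobile devices not enrolled in MDM."""
from datetime import date, timedelta

AUDIT_DATE = date(2026, 6, 18)       # constructed audit date
PATCH_WINDOW = timedelta(days=30)    # assumed maximum patch age; set to your policy

# End-of-life table you maintain. Windows 10's date is the one the article
# cites; other entries would be assumptions, so none are added here.
OS_END_OF_LIFE = {"Windows 10": date(2025, 10, 14)}

# Constructed inventory; field names are assumptions, not a product schema.
# last_patch is the date of the last security update applied to the device.
INVENTORY = [
    {"host": "fs01", "kind": "server", "os": "Windows Server 2022",
     "edr": "active", "last_patch": "2026-06-05", "mdm": False},
    {"host": "ws-reception", "kind": "workstation", "os": "Windows 10",
     "edr": "active", "last_patch": "2025-10-01", "mdm": False},
    {"host": "lt-sales-03", "kind": "laptop", "os": "Windows 11",
     "edr": "missing", "last_patch": "2026-06-12", "mdm": False},
    {"host": "ph-owner", "kind": "mobile", "os": "iOS 18",
     "edr": "n/a", "last_patch": "2026-06-01", "mdm": False},
    {"host": "lt-fin-01", "kind": "laptop", "os": "Windows 11",
     "edr": "active", "last_patch": "2026-04-20", "mdm": False},
]


def review_endpoints(inventory: list[dict], today: date) -> list[dict]:
    """Return findings as {host, issue, tier} using the article's priority tiers."""
    findings = []
    for dev in inventory:
        issues = []
        eol = OS_END_OF_LIFE.get(dev["os"])
        if eol is not None and today >= eol:
            # Unsupported OS: the article puts this in the Immediate tier.
            issues.append((f"{dev['os']} unsupported since {eol.isoformat()}", "Immediate"))
        if dev["kind"] == "mobile":
            # Phones and tablets are judged on MDM enrollment (remote wipe), not EDR.
            if not dev["mdm"]:
                issues.append(("mobile device with company data not enrolled in MDM", "High"))
        elif dev["edr"] != "active":
            issues.append((f"endpoint protection is {dev['edr']}", "High"))
        if today - date.fromisoformat(dev["last_patch"]) > PATCH_WINDOW:
            issues.append((f"no security updates in the last {PATCH_WINDOW.days} days", "High"))
        findings.extend({"host": dev["host"], "issue": i, "tier": t} for i, t in issues)
    return findings


if __name__ == "__main__":
    for f in review_endpoints(INVENTORY, AUDIT_DATE):
        print(f"[{f['tier']:9}] {f['host']}: {f['issue']}")
```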

3. Network Security and Perimeter Defenses

The firewall is the most reviewed item in this category, but it is rarely the only gap. Confirm the firewall is in place, actively managed, and has had its ruleset reviewed within the past 12 months. Rules added for a temporary project years ago and never removed create unnecessary exposure that often goes unnoticed until an audit.

Check for:

  • Guest Wi-Fi separated from the business network on a distinct VLAN
  • Remote access requiring VPN or Zero Trust, with MFA enforced on all remote connections
  • DMARC, DKIM, and SPF email authentication configured to prevent domain spoofing
  • DNS filtering active to block connections to known malicious domains
  • Open network ports with a documented business justification for each one
  • Third-party and vendor remote access: how they connect, under what credentials, and whether that access is logged

4. Data Backup and Disaster Recovery

A backup only counts if it can actually be restored. Review how often backups run, what is covered, where copies are stored, and when the last successful restore test took place. The date of the last tested restoration is the most important number in this section.

Verify that at least one backup copy is stored outside the primary location. For Southern California businesses, geographic redundancy means storing copies outside the seismic and wildfire risk zone, not just in a separate folder on the same server or in the same cloud region used for primary storage.

Define your Recovery Time Objective (how long systems can be down before operations are materially affected) and Recovery Point Objective (how much data loss is acceptable between backups). Both should be documented, validated through an actual restore exercise, and owned by someone in writing. A backup plan that has never been tested is an assumption, not a recovery capability.
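The RPO and restore-test checks above can be evidenced from the backup job log rather than from the policy document. The script below is an added example, not AllSafe IT's tooling: it derives the RPO actually achieved (the longest gap between successful backups, including the gap up to the audit date), compares it with the documented RPO, confirms a successful copy exists outside the primary region, and ages the last tested restore. The log format, region labels, documented RPO, 90-day restore-test interval and dates are constructed assumptions.

```python
"""Backup evidence check for the backup and disaster-recovery checklist (added
example, not AllSafe IT's tooling). From a constructed backup job log it
derives the RPO actually achieved, compares it with the documented RPO, checks
for a successful copy outside the primary region, and ages the last restore test."""
from datetime import datetime, timedelta

AUDIT_DATE = datetime(2026, 6, 18)           # constructed audit date
DOCUMENTED_RPO = timedelta(hours=24)         # constructed value from the written DR plan
RESTORE_TEST_MAX_AGE = timedelta(days=90)    # assumption; the article sets no interval
PRIMARY_REGION = "us-west-socal"             # constructed region label
LAST_RESTORE_TEST = datetime(2026, 2, 1)     # constructed: date recorded for the last test

# Constructed job log, one job per line: time, kind, storage location, status.
BACKUP_LOG = """\
2026-06-10T02:00 full us-west-socal ok
2026-06-11T02:00 incr us-west-socal ok
2026-06-12T02:00 incr us-west-socal failed
2026-06-13T02:00 incr us-west-socal failed
2026-06-14T02:00 incr us-west-socal ok
2026-06-14T03:00 copy us-east-offsite ok
2026-06-15T02:00 incr us-west-socal ok
2026-06-16T02:00 incr us-west-socal ok
2026-06-17T02:00 incr us-west-socal ok
"""


def parse_log(text: str) -> list[dict]:
    """Parse the job log into dicts; 'copy' jobs replicate an existing backup offsite."""
    jobs = []
    for line in text.splitlines():
        when, kind, location, status = line.split()
        jobs.append({"when": datetime.fromisoformat(when), "kind": kind,
                     "location": location, "ok": status == "ok"})
    return jobs


def achieved_rpo(jobs: list[dict], as_of: datetime) -> "timedelta | None":
    """Largest gap between consecutive successful backups, including the gap
    from the most recent one to as_of, so a silently stalled job is caught."""
    times = sorted(j["when"] for j in jobs if j["ok"] and j["kind"] != "copy")
    if not times:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])] + [as_of - times[-1]]
    return max(gaps)


def review_backups(jobs: list[dict], last_restore_test, as_of: datetime) -> list[tuple]:
    """Return (issue, tier) findings using the article's priority tiers."""
    findings = []
    rpo = achieved_rpo(jobs, as_of)
    if rpo is None:
        findings.append(("no successful backup in the log", "Immediate"))
    elif rpo > DOCUMENTED_RPO:
        findings.append((f"achieved RPO {rpo} exceeds documented {DOCUMENTED_RPO}", "Immediate"))
    if not any(j["ok"] and j["location"] != PRIMARY_REGION for j in jobs):
        findings.append(("no successful backup copy outside the primary region", "Immediate"))
    if last_restore_test is None:
        findings.append(("backups have never been restore-tested", "Immediate"))
    elif as_of - last_restore_test > RESTORE_TEST_MAX_AGE:
        age = (as_of - last_restore_test).days
        findings.append((f"last tested restore is {age} days old", "High"))
    return findings
```

On the constructed log the two failed nights widen the achieved RPO to three days against a documented 24 hours, and the last restore test is 137 days old; the offsite copy satisfies the geographic-redundancy check.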

5. Compliance Documentation

The most common cause of compliance failures during a regulatory review is missing documentation, not missing technology. You can have every technical control in place and still fail an audit because the evidence is undocumented.

Identify which frameworks apply to your business:

  • HIPAA: any organization handling protected health information
  • CCPA/CPRA: California businesses meeting applicable revenue or data volume thresholds
  • GLBA: financial services firms
  • PCI DSS: any business processing card payments
  • SOC 2: service organizations and software companies handling client data

For each applicable framework, verify that written policies exist, technical controls are in place, compliance evidence has been captured, and the last review date is recorded. Confirm that Data Processing Agreements or Business Associate Agreements are signed with every cloud vendor handling regulated data. A vendor who won't sign one is not a compliant vendor for that data type.

6. IT Policies and Incident Response

Policies that haven't been updated since 2020 no longer match current regulatory requirements or the current threat environment. An incident response plan that doesn't account for AI-generated phishing, dual-extortion ransomware, or the California Privacy Protection Agency's 2025 cybersecurity audit requirements is not a current plan.

Review:

  • Incident response plan: exists, covers detection, containment, notification, and recovery, reviewed within the last 12 months
  • Acceptable use policy: covers personal device use, data handling expectations, and prohibited activities, signed by all current employees
  • Change management procedures: how changes to IT systems are proposed, approved, and documented before deployment
  • Employee offboarding checklist: IT access revocation happens on the employee's last day, not days or weeks after departure

The offboarding item consistently shows up as a gap. Credential revocation is typically listed in acceptable use policies but executed inconsistently when someone leaves unexpectedly or under difficult circumstances.

7. Physical Security and Environmental Controls

Cloud-first businesses have a shorter list here, but the section still applies. Physical access to any network equipment, server room, or wiring closet should be restricted and logged. An unlocked network switch in a hallway closet that anyone in the building can access creates the same security exposure as an unmanaged open port.

Check:

  • Server room or network closet: physical access restricted, documented, and logged
  • Environmental monitoring in any space housing servers: temperature and humidity tracking
  • Visitor access: no unsupervised access to spaces containing IT equipment
  • Device disposition: old hardware must be wiped before disposal or physically destroyed. Hard drives from decommissioned computers contain recoverable data unless explicitly wiped or shredded.

What to Do With Audit Findings

The audit report means nothing without a plan attached to it. Findings that aren't assigned to a named owner with a target date will still be present when the next audit runs.

Organize findings into three priority tiers:

Immediate (address within 30 days): Active accounts belonging to former employees. Any device running an unsupported OS. Missing MFA on email or admin accounts. Backup failures or backups that have never been tested. Undocumented vendor access with standing permissions. These represent the shortest path from your current environment to a breach or compliance failure.

High priority (address within 90 days): Outdated endpoint protection. Missing or untested incident response plan. Non-compliant vendor agreements for regulated data. Policies that are missing or haven't been reviewed by current staff.

Scheduled (next technology budget cycle): Hardware approaching end-of-life. Network segmentation improvements. Policy documentation updates. Alignment with additional compliance framework requirements.

According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million, a 10% increase from the prior year. Most cyber insurance carriers now require documented audit findings and remediation evidence as part of underwriting and renewal.

An IT audit report with a completed remediation plan is the document your broker submits on your behalf. Businesses that cannot produce one face higher premiums, reduced coverage, or denied claims after an incident.

Repeat cadence: Annual IT audits are the right standard for most small businesses. Healthcare practices, financial services firms, and legal offices should audit more frequently, at minimum quarterly or after any major infrastructure change or security incident.

IT Audit Requirements for California Businesses

California adds a compliance layer that most national IT audit guides skip. Businesses operating here face requirements that go beyond what a general checklist addresses.

CCPA and CPRA: The California Privacy Protection Agency's July 2025 regulatory updates require businesses subject to CPRA to conduct annual cybersecurity audits and submit written certifications to the CPPA. The audit must document security controls, identify gaps against a recognized framework, and include a remediation plan. Businesses handling California resident personal data that have not completed a documented audit are already behind the current regulatory standard.

HIPAA: Los Angeles County's healthcare sector is the region's largest private employer. Every organization handling protected health information carries HIPAA Security Rule obligations regardless of company size. HIPAA audits require documented technical safeguards: access controls, encryption, audit logging, automatic session timeouts, and breach notification procedures. Our HIPAA security services cover the documentation structure that HHS auditors and the CPPA review in separate enforcement proceedings.

GLBA Safeguards Rule (2023 update): Financial services firms in Newport Beach, Irvine, and across Orange County carry dual obligations. GLBA requires a formal written information security program, a designated qualified security officer, and a documented annual risk assessment. CCPA applies on top for any California consumer data those firms hold.

Cyber insurance in California: SoCal Edison's recurring power shutoff events, seismic exposure, and wildfire disruption lead insurers to apply additional scrutiny to business continuity documentation during underwriting. An IT audit that specifically addresses geographic redundancy in backup procedures, with tested restore results, directly answers the questions underwriters ask.

Our IT audit and compliance service covers all of these frameworks for businesses across the region.

Internal vs. External IT Audits: Which One Does Your Business Need

For most small businesses, an internal IT audit conducted by their MSP is the right annual standard. It produces actionable findings, generates the documentation insurance carriers and compliance reviewers expect, and keeps your security posture current without the cost of a formal external engagement.

External IT audits, conducted by an independent third-party auditor, are appropriate in specific situations: HIPAA compliance certification, SOC 2 readiness, regulatory enforcement proceedings, cyber insurance underwriting for high-value policies, or mergers and acquisitions due diligence. External auditors bring independence and objectivity. Their reports carry evidentiary weight with regulators and insurers that an internally produced document may not.

The practical guidance: if you need a document that will hold up to scrutiny from an outside party, a regulator, an underwriter, or a prospective buyer, use an external auditor. For everything else, an annual internal audit against a named framework is the appropriate standard.


Putting the Audit to Work

A completed checklist is the starting point. What makes an IT audit worth the time is acting on what it surfaces: closing the access gaps, testing the backups, updating the policies, and producing the documentation that a compliance reviewer or insurance carrier expects to see.

AllSafe IT provides IT consulting in Los Angeles and across Southern California, conducting IT audits against the NIST Cybersecurity Framework and producing compliance-ready documentation for HIPAA, CCPA, GLBA, and cyber insurance requirements. For businesses that need managed IT services in Los Angeles with ongoing security monitoring alongside the annual audit, both functions are available under one accountable engagement. If you want to understand where your current environment stands, contact our team to schedule an assessment.

Frequently Asked Questions

How often should a small business conduct an IT audit?

Most small businesses should run a full IT audit annually. Healthcare organizations, financial services firms, and legal practices should audit more frequently, at minimum quarterly, given the compliance frameworks they operate under. Any significant infrastructure change, such as adding a new cloud platform, opening a new office, or onboarding a vendor with system access, or any security incident should trigger a targeted audit of the affected systems regardless of when the last full audit occurred.

What is the difference between an IT audit and a cybersecurity assessment?

An IT audit is broader. It covers your full technology environment: access controls, hardware inventory, backup procedures, compliance documentation, and IT policies alongside security controls. A cybersecurity assessment focuses specifically on your security posture, examining vulnerabilities, threat detection capability, and defensive controls. A penetration test is a subset of a cybersecurity assessment that actively simulates an attack. Most businesses benefit from both, but the IT audit should come first because it establishes the documented baseline that a security assessment measures against.

Can I conduct an IT audit myself or do I need outside help?

A baseline IT audit can be conducted internally using a structured checklist, particularly for asset inventory, access review, backup verification, and policy documentation. For compliance-specific audits (HIPAA, CCPA, GLBA, or SOC 2), you need auditors who understand the specific technical controls each framework requires and can produce documentation that meets the evidentiary standard regulators and insurers look for. Most small businesses use their MSP for the internal annual audit and bring in an independent external auditor when a formal certification or regulatory submission is required.

What does California law require from businesses in terms of IT audits?

The California Privacy Protection Agency's July 2025 regulations require businesses subject to CPRA to conduct annual cybersecurity audits, document the findings, and submit written certifications of compliance to the CPPA. The audit must identify gaps against a recognized security framework and include a remediation plan. Healthcare businesses carry separate HIPAA Security Rule audit requirements. Financial services firms carry GLBA Safeguards Rule requirements for documented annual risk assessments. Most California businesses subject to CCPA are now operating under at least two overlapping compliance frameworks with audit documentation requirements.

How long does an IT audit take for a small business?

For a 10-to-50 person business running a cloud-first environment, a thorough IT audit typically takes one to two weeks of active work. This includes the initial asset inventory and access review, the checklist assessment across all seven areas, documentation review, and production of a findings report with prioritized remediation recommendations. Businesses with on-premises infrastructure, multiple locations, or complex compliance requirements take longer. The preparation phase (gathering existing documentation and access lists before the formal audit begins) is usually where the most time is spent during a first audit.

What should I do if my IT audit uncovers serious security gaps?

Address access-related findings first. Active accounts belonging to former employees, admin accounts without MFA, and undocumented vendor access with standing permissions should be closed within 24 to 48 hours of being identified, not queued behind other remediation work. For technical findings like unpatched operating systems or untested backup procedures, assign a named owner and a 30-day target date and treat them as immediate priority. Document every finding and its remediation status in writing. That documentation is what your insurance carrier and any future auditor will ask to see.
