What is an IT audit and when do you actually need one
The word “audit” has an uncomfortable sound to it. It conjures images of a tax authority inspection or a tedious documentation exercise. An IT audit is usually something quite different — and if you do it at the right moment, it pays back in the form of a clearer head and money saved.
What an IT audit actually is
An IT audit is a structured mapping of what IT you have, how it works, and what risks or opportunities come with it. The output should not be (and should not try to be) a hundred-page document full of technical jargon. It should be an overview that lets management know:
- What everything costs and what does not justify the cost
- Where the security risks are
- What is slowing down the business
- What could be cancelled or made cheaper
- What needs to be added or modernised
An audit can be narrow — for example, focused only on access security or software licensing — or broad, for a company that has lost track of its entire IT portfolio.
When an IT audit makes sense
From practice, I see several triggering moments.
You are taking on a new role or a new company. New IT manager, new director, an investment into a company — anyone taking on IT responsibility who needs to quickly understand what they are inheriting.
You are growing rapidly or preparing for an acquisition. During due diligence or before bringing in a new investor, an IT audit becomes essential. It shows what is in order and what the hidden liabilities are.
You have the feeling that IT costs a lot but you do not know why. Licences, contracts, unused systems — this is a classic area where an audit finds savings within a month.
You are preparing a larger IT project. Before investing in a new ERP, cloud migration or digitisation initiative, it is sensible to know what you have today. Otherwise you are building on an uncertain foundation.
A security incident occurred or a customer is auditing you. Enterprise customers increasingly require proof of their suppliers’ security posture. An audit gives you the materials for such a customer audit or certification.
Qualifying questions: do you recognise the moment?
The triggers above are usually visible from the outside. There is also a second category of signals that come from inside the company and are often overlooked. If you answer yes to any of the following questions, it is time to consider an audit:
- Are you unable to clearly say what each part of your IT actually costs? How much goes to infrastructure, how much to core information systems, how much to supporting applications?
- Is your IT spend growing without an obvious reason and you cannot pin down why?
- Is your IT consistently failing to meet business demands? Is delivery slow, sometimes wasted — features arriving after the moment they were relevant?
- Is slow IT preventing you from reacting to the market with the agility you need? Is launching a quick marketing campaign an unsolvable problem for you?
- Do you feel that if a competitor “ramped up” a product faster, you would have nothing to respond with?
- Are you facing a major investment (a new core information system, infrastructure, cloud) and you are not sure whether the existing architecture can support it?
If you answer yes to more than one, an audit will probably bring you more certainty than it costs. This often relates to companies that have long stopped seeing themselves as organisations where IT plays a strategic role — even when in practice it does. I have written about that separately — why IT is now a matter for every company.
What an audit does not capture
An IT audit maps the current state, not the future. It will not recommend a specific product (and if it does, ask the auditor about their relationship with that vendor). It does not address process changes or people organisation. And it does not replace a penetration test if you need a deep security assessment.
How long does it take
It depends on the scope and the size of the company. An audit focused on a specific area (licensing, access management, infrastructure) for a company with up to 200 people typically takes 2–4 weeks from kick-off to final report. A broader audit of the entire IT portfolio takes 4–8 weeks.
What a useful output looks like
A good audit output is readable by a manager without a technical background. It contains:
- Executive summary — what matters most, without technical jargon
- Findings overview with prioritisation (what is urgent, what is recommended, what is informational)
- Specific recommendations — not “consider improving security” but “implement MFA on all accounts with access to system X within 30 days”
- Indicative costs and benefits where they can be estimated
An audit is the first step, not the last
Because an audit maps the current state, not the future, it should be followed by IT advisory and consulting that helps design the strategic changes. Without that follow-up, the audit remains an inventory — descriptive, not directive.
An audit on its own is a stocktake. It only gains value through what the company does with it next. That means deciding what from the recommendations actually gets done, by whom, by when, and at what cost. And then doing the work.
And here a frank warning is in order: the company has to be ready to do that work itself. An external advisor can advise, point the way, support the change — but the actual transformation is carried out by the company with its own people. Without internal commitment, the audit’s output is an expensive document in a drawer.
A practical note
The most common mistake I see is an IT audit done as a formality — for an investor or customer, not for yourself. That kind of audit ends up in a drawer. An audit that actually helps is one where the client reads the output and works through the recommendation list over the following year.
If you are not sure where to start, or want an independent view of your IT situation — I am happy to talk.