
What an IT Infrastructure Audit Actually Reveals (And Why Most Businesses Are Surprised)

Inside a real IT audit: the common findings that shock business owners, from zombie subscriptions to shadow IT and compliance gaps — and what to do about them.


Every IT infrastructure audit I've run has uncovered something the business didn't know about. Often several things.

The findings vary — sometimes it's a security gap, sometimes it's a pile of forgotten subscriptions, sometimes it's a single person who is the only one who knows how a critical system works. But there's almost always a surprise.

Here's what comes up most often — and why businesses should care.

1. Zombie Subscriptions

The most common finding, and often the most immediately actionable.

A zombie subscription is software you're paying for that nobody is using. This happens constantly in growing businesses:

  • A free trial that converted to paid and nobody noticed
  • Software from a departed employee that was never cancelled
  • Duplicate tools where different departments bought the same capability separately
  • Legacy contracts that auto-renew annually while the software gathers dust

Typical finding: 15–30% of software spend is on unused or redundant tools.

What to do: An accurate software asset inventory is the foundation. Once you can see what you're paying for, cancelling what you don't need is straightforward.
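To show what the inventory step makes possible, here is an added example (not the article's own tooling) that reconciles a constructed subscription register with 90-day active-user counts and HR's departed-staff list, flagging the three zombie patterns the list above describes: unused tools, tools owned by departed staff, and duplicate capability. The data, field names and the 90-day window are assumptions.

```python
"""Flag zombie subscriptions in a software inventory (added example, not the
article's own tooling). Assumes the audit has already assembled a subscription
register, 90-day active-user counts per tool, and HR's list of departed staff."""
from dataclasses import dataclass

@dataclass
class Subscription:
    name: str
    category: str        # capability, e.g. "file sharing"
    annual_cost: float
    owner: str           # staff member who signed up for it
    active_users_90d: int

# Constructed sample data
DEPARTED = {"j.smith"}
INVENTORY = [
    Subscription("SharePoint", "file sharing", 3600.0, "it", 42),
    Subscription("Dropbox Business", "file sharing", 1800.0, "m.lee", 3),
    Subscription("Trello", "project management", 600.0, "j.smith", 0),
    Subscription("Asana", "project management", 900.0, "s.chen", 5),
    Subscription("Old CRM", "crm", 2400.0, "j.smith", 0),
]

def find_zombies(inventory, departed):
    """Return {subscription name: [reasons]} for every suspect subscription."""
    # The most-used tool in each category is treated as the primary; others duplicate it
    primary = {}
    for sub in inventory:
        if sub.category not in primary or sub.active_users_90d > primary[sub.category].active_users_90d:
            primary[sub.category] = sub
    findings = {}
    for sub in inventory:
        reasons = []
        if sub.active_users_90d == 0:
            reasons.append("no active users in 90 days")
        if sub.owner in departed:
            reasons.append(f"owner {sub.owner} has left the business")
        if primary[sub.category] is not sub:
            reasons.append(f"duplicates {primary[sub.category].name} ({sub.category})")
        if reasons:
            findings[sub.name] = reasons
    return findings

def wasted_spend(inventory):
    """Annual cost of subscriptions nobody has used in 90 days."""
    return sum(s.annual_cost for s in inventory if s.active_users_90d == 0)
```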

2. Shadow IT

Shadow IT is technology purchased or used by staff without IT oversight. It's not malicious — it's usually someone solving a real problem with the fastest tool available.

Common examples:

  • Dropbox or Google Drive used to share files when the company has SharePoint
  • WhatsApp for customer communication
  • Personal ChatGPT accounts used with company data
  • Free project management tools used by one team

Why it matters: Shadow IT isn't just a cost issue — it's a data governance and security risk. When data lives outside your approved systems, you lose visibility, control, and potentially compliance.

What to do: Shadow IT audits involve interviewing staff, reviewing network logs, and checking expense reports for SaaS purchases. The goal isn't punishment — it's understanding what problems staff are trying to solve and providing better-governed alternatives.
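The "reviewing network logs" step, as an added example rather than anything from the article: a small parser that runs over constructed web proxy log lines and aggregates traffic to the unsanctioned services named above (Dropbox, Google Drive, WhatsApp, ChatGPT) per user, so the auditor sees who uses what and how much data is going there. The log format, the sanctioned list and the watchlist are assumptions; real proxies log differently.

```python
"""Spot shadow IT in web proxy logs (added example, not from the article). Assumes
a hypothetical format: timestamp user destination-host bytes-sent; adapt LINE_RE."""
import re
# Constructed sample log lines
PROXY_LOG = """\
2024-05-01T09:01:12Z alice contoso.sharepoint.com 120394
2024-05-01T09:03:40Z bob www.dropbox.com 8810233
2024-05-01T09:05:02Z carol drive.google.com 4200019
2024-05-01T09:07:51Z bob web.whatsapp.com 20311
2024-05-01T09:10:05Z dave chat.openai.com 70211
2024-05-01T09:11:17Z alice chat.openai.com 9021
"""
# Approved services (hypothetical): traffic to these is never a finding
SANCTIONED = {"sharepoint.com", "microsoft.com"}
# Unsanctioned services the audit looks for, matching the article's examples
WATCHLIST = {
    "dropbox.com": "file sharing",
    "drive.google.com": "file sharing",
    "web.whatsapp.com": "messaging",
    "chat.openai.com": "AI assistant",
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def matches(host, domain):
    return host == domain or host.endswith("." + domain)  # domain or subdomain

def classify(host):
    """Watchlist category for a host; None if sanctioned or not of interest."""
    if any(matches(host, d) for d in SANCTIONED):
        return None
    for domain, category in WATCHLIST.items():
        if matches(host, domain):
            return category
    return None

def shadow_it_report(log_text):
    """Aggregate unsanctioned SaaS use: host -> category, users, bytes sent."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        _, user, host, sent = m.groups()
        category = classify(host)
        if category is None:
            continue
        entry = report.setdefault(host, {"category": category, "users": set(), "bytes_sent": 0})
        entry["users"].add(user)
        entry["bytes_sent"] += int(sent)
    return report
```

The bytes-sent column is the one to watch: large uploads to an unsanctioned file-sharing service are the data-governance finding, not the mere presence of the domain.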

3. Undocumented Systems

This one comes up in almost every audit: a critical system that nobody fully understands, or worse, that only one person understands.

Signs of undocumented systems:

  • "We'd have to ask Sarah — she set that up three years ago"
  • Servers or services that nobody can identify in the asset register
  • Processes that exist only in someone's head

Why it matters: Undocumented systems are a business continuity risk. When Sarah leaves, goes on extended leave, or is unavailable in an emergency, that knowledge walks out the door with her.

What to do: Documentation is unsexy but essential. Part of every audit includes capturing the knowledge that exists in people's heads and getting it into written form.

4. Compliance Gaps

Regulatory and compliance requirements vary by industry, but almost every business has some obligations — even if they're not fully aware of what they are.

Common compliance gaps found in audits:

  • Data retention policies that don't match legal obligations
  • No documented privacy policy covering staff data handling
  • MFA not enforced on business email accounts
  • No process for handling data breach notifications
  • Licence non-compliance (using software beyond what you've paid for)

Why it matters: The cost of non-compliance — fines, reputational damage, customer loss — far outweighs the cost of addressing the gaps.

What to do: Every audit includes a compliance gap analysis mapped to the relevant frameworks (Privacy Act, ISO 27001, industry-specific requirements). We prioritise by risk level and build a remediation plan.

5. Security Posture Issues

Security findings range from minor to critical. Common ones in SMB audits:

  • Shared credentials: Multiple staff sharing one admin account
  • Weak password policies: No MFA, no complexity requirements, passwords never expire
  • Unpatched systems: Servers or devices running outdated software with known vulnerabilities
  • No backups: Or worse, backups that have never been tested
  • Flat networks: No segmentation between systems — if one device is compromised, everything is exposed

The pattern: Most SMB security issues aren't the result of bad intentions — they're the result of growth outpacing IT maturity. The business grew, the IT setup didn't keep pace.


What Happens After an Audit

The audit itself isn't the outcome — it's the starting point. The value is in what you do with the findings.

A good audit delivers:

  1. A prioritised action list — ordered by risk and impact, not just effort
  2. Quick wins — things you can fix in a week that make a meaningful difference
  3. A roadmap — longer-term improvements tied to business goals and budget

Most businesses that go through an audit are surprised by two things: how much they didn't know, and how many of the issues are actually straightforward to address.

The hardest part is usually just starting.

