Why an Annual IT Review Matters
Businesses change over the course of a year: staff join and leave, the software stack evolves, new devices are added, business processes shift. IT that was appropriate twelve months ago may have gaps today. An annual review provides a structured opportunity to catch these gaps before they create problems.
For businesses with a managed IT provider, this review should be scheduled as a formal agenda item — not left as something that happens informally when problems arise.
Business and People Changes
- [ ] Review staff list against IT user accounts — any accounts for departed staff still active?
- [ ] Review access permissions — have any staff changed roles and retained permissions they no longer need?
- [ ] Review admin accounts — only current staff in IT admin roles should hold admin access
- [ ] New staff who joined this year — are their devices enrolled in MDM, accounts in Microsoft 365, MFA enabled?
- [ ] Any planned headcount changes in the next 12 months that require IT capacity planning?
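The account checks in this section can be run as a reconciliation between a staff list and an account export. The sketch below is an added example, not a Netluma IT tool; the CSV column names, the sample rows and the `admin_roles` default are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; column names are assumptions for this example.
STAFF_CSV = """email,status,role
alice@example.com,active,IT Admin
bob@example.com,active,Accounts
carol@example.com,departed,Sales
"""
ACCOUNTS_CSV = """upn,enabled,is_admin,mfa_enabled
alice@example.com,true,true,true
bob@example.com,true,true,false
carol@example.com,true,false,true
svc-scanner@example.com,true,false,false
Dave@example.com,false,false,false
"""

def load(text, key):
    """Index CSV rows by a lower-cased key column so casing differences still match."""
    return {r[key].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def is_true(value):
    return value.strip().lower() == "true"

def review_accounts(staff_csv, accounts_csv, admin_roles=("it admin",)):
    """Return (account, finding) pairs for enabled accounts that need follow-up."""
    staff = load(staff_csv, "email")
    findings = []
    for upn, acct in sorted(load(accounts_csv, "upn").items()):
        if not is_true(acct["enabled"]):
            continue  # disabled accounts cannot sign in; nothing to flag
        person = staff.get(upn)
        if person is None:
            # Covers service accounts and staff missing from the register.
            findings.append((upn, "enabled account with no matching staff record"))
            continue
        if person["status"].strip().lower() != "active":
            findings.append((upn, "enabled account for departed staff"))
            continue
        if is_true(acct["is_admin"]) and person["role"].strip().lower() not in admin_roles:
            findings.append((upn, "admin access held outside IT admin roles"))
        if not is_true(acct["mfa_enabled"]):
            findings.append((upn, "MFA not enabled"))
    return findings

if __name__ == "__main__":
    for upn, finding in review_accounts(STAFF_CSV, ACCOUNTS_CSV):
        print(f"{upn}: {finding}")
```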
Hardware Review
- [ ] Audit all devices (computers, laptops, tablets, servers) against a register
- [ ] Identify devices over 4 years old (workstations/laptops) or over 5 years (servers) — flag for replacement planning
- [ ] Confirm all devices are on a current, supported operating system
- [ ] Review UPS battery age — replace batteries if over 3 years old
- [ ] Network equipment firmware — is everything current?
- [ ] Any hardware running without warranty or manufacturer support?
Software and Licences
- [ ] Audit all active software subscriptions and annual costs
- [ ] Identify unused or underutilised subscriptions to cancel
- [ ] Confirm Microsoft 365 licence count matches current headcount
- [ ] Confirm no software running past end-of-support date
- [ ] Review whether current Microsoft 365 plan tier is appropriate
Security
- [ ] Run a DMARC check — is the domain policy at p=reject?
- [ ] Confirm MFA is active for all user accounts
- [ ] Confirm EDR is installed and active on all devices
- [ ] Confirm security patching has been applied consistently — review patch compliance report
- [ ] Review dark web monitoring findings from the year — any credentials found that were not rotated?
- [ ] Confirm backup has been tested quarterly
Budget Planning
- [ ] Hardware replacements planned for the next 12 months — get quotes and include in IT budget
- [ ] Licence cost increases to account for (Microsoft 365 pricing changes, security tools)
- [ ] Any planned projects (office move, major software migration, new site) to budget for
- [ ] Security awareness training — at least one session planned and budgeted
Managed IT Service Review
- [ ] Review SLA performance from the past 12 months — did the provider meet commitments?
- [ ] Are there unresolved recurring issues to address in the next contract period?
- [ ] Is the current per-user price still competitive?
- [ ] Has the scope of the agreement kept pace with changes in the business?
Why an Annual IT Review Is Different From Day-to-Day Support
Day-to-day managed IT support is reactive and operational: fix the printer, resolve the connectivity issue, unlock the account. It keeps the business running. But day-to-day support does not provide the strategic view of where IT needs to go over the next 12 months.
An annual IT review is the structured opportunity to step back and assess:
- Is the current IT setup still fit for purpose as the business has evolved?
- What IT investments are needed in the coming year?
- Are there emerging risks that need to be addressed?
- Are there efficiency gains available from IT that are currently untapped?
- What has changed about the threat environment since the last review?
The Business Context Assessment
Before getting into technical details, the annual review should start with business context:
How has the business changed? New staff, departed staff, new locations, new business lines, new major clients, upcoming acquisitions — any of these affect IT requirements.
What IT frustrations has the team experienced? Informal feedback from staff about what is slow, unreliable, or annoying provides more actionable signal than formal metrics for a small business.
What are the business goals for the next 12 months? Growth plans, system changes, new services — the IT roadmap should support the business roadmap, not be planned in isolation.
What has the cost of IT been? Review actual IT spend against budget for the past year. Identify any unplanned IT costs and whether they indicate underlying issues (recurring hardware failures suggesting an aging device fleet, frequent security incidents suggesting security gaps).
The Technical Review Components
Device fleet assessment. Review all devices: age, operating system, hardware specification, warranty status. Flag devices approaching end-of-life or running end-of-life operating systems. Produce a hardware refresh schedule for the next two years.
Software and licence audit. What software is deployed and is it all licensed correctly? Are there unused licences being paid for? Are there tools multiple teams are using that could be consolidated into a shared licence? What software subscriptions are auto-renewing and are they all still needed?
Security posture review. Review the current security controls:
- MFA: enabled for all users, all services?
- EDR: deployed and monitored on all devices?
- Backup: running, completed successfully, tested?
- Patching: all devices on current, supported software?
- DMARC: configured at p=quarantine or p=reject?
- Staff training: when was the last security awareness session and simulated phishing exercise?
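The DMARC item in the checklist (p=reject) and in the posture review above (p=quarantine or p=reject) can be checked against the domain's `_dmarc` TXT record. The following is an added example, not part of the original article: it evaluates record text that has already been retrieved, and the sample records and domain names are constructed. It also flags two things a bare `p=` check misses, a weaker `sp=` for subdomains and a `pct=` below 100.

```python
# Enforcement levels in increasing strictness.
ENFORCEMENT = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed TXT records for illustration; not real DNS data.
SAMPLES = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=25",
    "monitor.example": "v=DMARC1; p=none",
    "spf-only.example": "v=spf1 include:_spf.example.net -all",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must be the first tag in the record
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt, required="reject"):
    """Return (passes, findings) for one record against the required policy."""
    tags = parse_dmarc(txt)
    if tags is None:
        return False, ["no valid DMARC record (v=DMARC1 must come first)"]
    policy = tags.get("p", "").lower()
    if policy not in ENFORCEMENT:
        return False, [f"missing or unknown p= value: {policy!r}"]
    findings = []
    if ENFORCEMENT[policy] < ENFORCEMENT[required]:
        findings.append(f"p={policy} is weaker than required p={required}")
    sub = tags.get("sp", policy).lower()  # sp defaults to the value of p
    if ENFORCEMENT.get(sub, 0) < ENFORCEMENT[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than p={policy}")
    pct = tags.get("pct", "100")          # pct defaults to 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    return not findings, findings

def audit(records, required="reject"):
    """Return {domain: findings} for every domain that fails the check."""
    results = {d: assess(txt, required) for d, txt in records.items()}
    return {d: f for d, (ok, f) in results.items() if not ok}
```

Pass `required="quarantine"` to apply the looser threshold used in the posture review list.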
Internet and connectivity review. Is current internet bandwidth adequate? Has the team grown and the internet plan not been reviewed? Is failover in place? Is the phone system still fit for purpose?
Building the 12-Month IT Roadmap
The output of the annual review is a 12-month IT roadmap — a list of planned IT activities with timing and estimated cost:
| Priority | Activity | Timeline | Estimated Cost |
This roadmap gives the business owner visibility of upcoming IT investment, allows budgeting in advance, and prevents the reactive spend that comes from addressing problems at crisis point rather than planning for them.
Netluma IT conducts annual IT reviews for managed IT clients as part of the ongoing service. For businesses not on a managed IT plan, a standalone annual review is available. Call 1300 521 162 to book.