An IT audit is one of the cheapest forms of insurance a Kenyan business can buy, and one of the most avoided. Owners put it off because they expect bad news, or because they assume their current provider would have told them if something were wrong. Both assumptions are how small problems become expensive ones. This guide explains how to prepare for an IT audit so you get maximum value from it, whether it is a security review, a compliance check, or a due-diligence exercise before you change providers.
What an IT audit actually examines
A proper audit is not a sales pitch with a clipboard. It is a structured review of four things: your network and infrastructure, your security posture, your backup and recovery readiness, and your support arrangements. A good auditor leaves you with a written report and a clear, prioritised action plan, not a vague verbal “you should really upgrade some things”.
The five things every audit tends to uncover
Across the environments we review, the same issues surface again and again:
- Backups that report “success” every night but have never once been test-restored
- Former employees whose accounts can still log in months after they left
- Firewalls running on default or years-old configurations
- “Unlimited support” contracts whose fine print is anything but
- Software licences being paid for twice, or paid for and never used
None of these are exotic. They are the quiet, accumulated cost of IT that nobody has independently checked.
How to prepare: a practical checklist
You will get far more from an audit if you assemble a few things in advance. None of this requires technical skill.
- An asset list, even a rough one. How many computers, servers, network devices and phones? Where are they?
- Your current IT contracts and recent invoices. These reveal what you are paying for and what is excluded.
- A list of your critical systems. Which applications would stop your business if they went down for a day? Core banking, accounting, HMIS, ERP, email.
- Your backup details, if you have them. What is backed up, where, and when was it last tested?
- A note of recent problems. The outages, the recurring complaints, the “it does this every Monday” issues. Patterns matter.
- The names of who holds the keys. Who has admin passwords and access to your systems today? This is often the most revealing question of all.
The one test you can run yourself today
Before any auditor arrives, you can check the single most important thing yourself. Copy three unimportant files onto a flash disk so you do not lose them, then delete them from your server: one created today, one a week old, one a month old. Call your current IT provider and ask them to restore the three files from backup. A capable provider does this quickly and without drama. If they cannot, or it takes days, you have found a serious problem that no amount of marketing was going to tell you about.
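To judge the result of that test on evidence rather than on the provider's word, the sketch below fingerprints the three files before you delete them and checks them after the restore. It is an added example, not part of the original guide; the script name, manifest file and status labels are assumptions, and it goes one step beyond the text by confirming that the restored content is identical, not merely present.

```python
import hashlib, json, sys, time
from pathlib import Path

def sha256_of(path):
    """Hash in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_manifest(paths, manifest_path):
    """Run BEFORE deleting: note each test file's hash, size and age."""
    now = time.time()
    entries = []
    for p in map(Path, paths):
        st = p.stat()
        entries.append({"path": str(p), "sha256": sha256_of(p), "size": st.st_size,
                        "age_days": round((now - st.st_mtime) / 86400, 1)})
    Path(manifest_path).write_text(json.dumps(entries, indent=2))
    return entries

def verify_restore(manifest_path):
    """Run AFTER the provider reports the restore is complete."""
    results = {}
    for e in json.loads(Path(manifest_path).read_text()):
        p = Path(e["path"])
        if not p.is_file():
            status = "MISSING"   # never backed up, or retention is too short
        elif sha256_of(p) != e["sha256"]:
            status = "ALTERED"   # something came back, but not the same content
        else:
            status = "OK"
        results[e["path"]] = (status, e["age_days"])
    return results

if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   restore_check.py record manifest.json FILE FILE FILE
    #   restore_check.py verify manifest.json
    if len(sys.argv) < 3 or sys.argv[1] not in ("record", "verify"):
        sys.exit("usage: record MANIFEST FILE... | verify MANIFEST")
    if sys.argv[1] == "record":
        record_manifest(sys.argv[3:], sys.argv[2])
    else:
        for path, (status, age) in verify_restore(sys.argv[2]).items():
            print(f"{status:8} {age:>6} days old  {path}")
```

Save the manifest on the flash disk next to the copies, not on the server being tested. A MISSING result on the month-old file alone points at retention depth rather than at the backup job itself.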
What to do with the findings
An audit report is only useful if it drives action. Insist that yours ranks issues by risk and cost, separates “fix this week” from “budget for next year”, and gives you estimates you can take to your board. The goal is not a perfect environment overnight; it is a clear-eyed plan and the end of nasty surprises.
The worst time to discover your backups do not work is the morning you need them.
If you would like an independent, confidential review of where you actually stand, our free IT audit does exactly this: a senior engineer reviews your environment on site and gives you a written report and action plan you keep, with no obligation. Your current provider does not even need to know it is happening. For a fuller list of the questions worth asking any IT company, our free guide, 18 Questions to Ask Before Hiring an IT Company in Kenya, is a useful companion.