"I should probably review my IT setup."

You know it's important. You know you're responsible for it. But when you look at your business's IT infrastructure, you're not entirely sure what you're looking at, what's normal, or what should concern you.

How do you audit something when you don't know what good looks like?

Here's your practical guide to auditing your business's IT when you're not technical.

Start With What You Can See

You don't need to understand server configurations or network architecture. Start with the obvious things you can verify yourself.

Your Website

Visit your website right now:

Does it load?
Does it load quickly?
Is there a padlock in the address bar?
Are there any error messages or warnings?
Does it look correct?
Does it work on your phone?

Click around:

Do all pages load?
Do forms work?
Do buttons do what they should?
Are there broken links or images?

Try key actions:

Can customers contact you?
Can they complete the actions your site is designed for?
Do confirmation emails arrive?

If anything doesn't work the way it should, that's your first audit finding.

Your Email

Send test emails:

Send yourself an email from your business account
Send to your personal Gmail/Outlook
Does it arrive promptly?
Does it go to spam?
Does it show your company name correctly?

Check email security:

Send from your business email to Gmail
View the email source ("Show original" in Gmail)
Look for SPF: PASS, DKIM: PASS, DMARC: PASS

If any of these fail, your email security has gaps.

Your Domain

Look up your domain:

Go to a WHOIS lookup site (like who.is)
Search for your domain
Check the expiration date
Identify where it's registered

Try to log in:

Go to your domain registrar's website
Can you log in?
Do you have the credentials?
Is the account under your business's control?

If you can't access your domain account, that's a critical finding.

The Inventory: What Do You Actually Have?

You can't audit what you don't know about. Create an inventory of your IT assets.

Digital Assets

Domain name(s)
Website(s)
Email accounts
Cloud storage
Business applications
Social media accounts (that link to your domain)

Service Providers

Domain registrar
Website hosting
Email provider
IT support
Any other IT-related services

Access Points

Who has admin access to your website?
Who can manage your domain?
Who can access your hosting?
Who controls your email system?

Write this down. If you can't list it, you don't have a clear picture of your IT setup.

The Questions That Reveal Problems

You don't need technical knowledge to ask revealing questions. Here are questions that, if you can't answer them, indicate gaps:

About Control

Who actually owns/controls each asset?
Can I access the accounts if I need to?
What happens if the person who manages this leaves?

About Security

How do we know our setup is secure?
When was security last reviewed?
Who gets notified if there's a security issue?

About Backups

Do we have backups?
Where are they stored?
When was the last backup?
Have we ever tested restoring from backup?

About Renewals

When do things expire (domains, hosting, SSL, subscriptions)?
Is renewal automatic?
How do we know if auto-renewal fails?
What payment method is on file?

About Documentation

Do we have documentation of our IT setup?
Is it current?
Would someone new be able to understand our infrastructure from it?

About Changes

What has changed in the past year?
Who approved those changes?
Were changes documented?

If you're struggling to answer these, you've found audit findings.

The Comparison: Before and After

Audit isn't just about the current state - it's about change over time.

If you have previous documentation:

What changed since the last documentation?
Who authorized those changes?
Do you understand why changes were made?

If you don't have previous documentation:

Create baseline documentation now
In 3-6 months, create updated documentation
Compare what changed

Changes aren't necessarily bad. Undocumented or unexplained changes are concerning.

Red Flags to Look For

Even without technical expertise, these are signs of problems:

Access Red Flags

You can't log in to critical accounts
Domains registered under someone else's personal account
Only one person knows how to access things
Former employees might still have access
No one knows all the passwords

These issues often surface during business acquisitions when buyers do their IT due diligence, or during insurance renewals when you can't provide documentation.

Security Red Flags

No padlock on your website
Email security checks failing
No two-factor authentication on admin accounts
Passwords haven't been changed in years
No one monitoring for security issues

Documentation Red Flags

No documentation of your IT setup
Documentation is years out of date
Only one person knows how things work
No record of what's changed or when

Financial Red Flags

Don't know what IT services you're paying for
Subscriptions on someone's personal credit card
Paying for services you don't recognize
No one reviewing IT spending

Maintenance Red Flags

Things "just work" but no one knows why
No regular maintenance or updates
Issues get fixed reactively, never proactively
No one checking expiration dates
Backups exist but haven't been tested

The Verification Process

Don't just accept what you're told. Verify:

"Our SSL is set up properly"
→ Visit the website. Is there a padlock with no warnings?

"Email security is configured"
→ Send a test email. Does it pass SPF/DKIM/DMARC?

"We have backups"
→ When was the last backup? Where is it? Can we restore from it?

"Everything auto-renews"
→ What's the renewal date? What payment method is on file? What happens if it fails?

"It's all secure"
→ Is 2FA enabled? When was security last reviewed? What security measures are actually in place?

Trust but verify. The audit is the verification.

Creating Your Audit Report

You don't need a fancy document. A simple list works:

WHAT WE HAVE:

List of assets
List of service providers
List of who has access to what

WHAT'S WORKING:

Things that passed verification
Services that are properly configured
Security measures that are in place

WHAT'S CONCERNING:

Red flags discovered
Questions you couldn't answer
Things that failed verification
Missing documentation

WHAT NEEDS ACTION:

Critical issues (fix immediately)
Important gaps (address this quarter)
Nice-to-haves (address eventually)

This becomes your roadmap for improvement.

Prioritizing What You Found

Not everything needs immediate attention. Prioritize:

Critical (fix immediately):

Domain about to expire
Can't access critical accounts
Security warnings on website
Email security failing
Former employees still have admin access

Important (fix this quarter):

Missing documentation
No backups or untested backups
No 2FA on admin accounts
Unclear ownership of assets
Paying for services you don't use

Good to have (address eventually):

Optimization opportunities
Better documentation
Improved processes
Minor cleanup

Fix critical items now. Plan for important items. Address good-to-haves when convenient.

Getting Help With What You Found

You've completed your audit and found issues. Now what?

If you have an IT provider: Share your findings. Ask them to:

Explain each concerning item
Provide a plan to address issues
Give you timeline estimates
Help prioritize based on risk

If you don't have an IT provider: Your audit findings tell you what you need:

Someone to transfer domain control
Someone to configure email security
Someone to set up proper backups
Someone to document your setup

The audit reveals what needs attention. You don't have to fix everything yourself - but you need to know what needs fixing.

The Follow-Up Audit

An audit isn't one-time. It's a regular practice.

3 months after your first audit:

Run through the same process
What changed?
Were issues addressed?
Are there new concerns?

Ongoing:

Keep documentation current
Track changes as they happen
Review quarterly
Update audit as things change

The first audit is the hardest. Subsequent audits are updates: what changed since last time?

What Good Looks Like

After you've addressed audit findings, you should be able to say:

"I know what IT assets my business has. I know where they're hosted and who controls them. I can access the accounts I need to. I've verified basic security is in place. Things are documented. I know when things expire and how they're renewed. I know who to contact if something breaks."

That's not perfection. That's competence. And it's achievable without becoming a technical expert.

The Bottom Line

Auditing your IT when you're not technical means:

Verifying what you can see (website, email, domain)
Creating an inventory of what you have
Asking questions that reveal gaps
Looking for red flags
Testing claims rather than accepting them
Documenting findings
Prioritizing issues
Following up to ensure fixes happen

You don't need to understand how everything works. You need to verify that someone does, that it's properly configured, and that you have appropriate control and documentation.

Start with this audit. You'll be surprised what you find - both good and concerning. But you can't fix what you don't know about.

Many owners only realize these gaps after something changes — a vendor leaves, a certificate expires, or an insurance renewal asks unexpected questions.

Explain My IT exists to create a dated, owner-readable record of what's visible from the outside — so you don't have to reconstruct this later.

Ready to see your IT setup?

🎯 Run your free snapshot → — See your current configuration in 60 seconds

📅 Want this monthly with full history? See Basic subscription → ($15/month)

Related reading: