I do a version of this review with every new client, and it consistently turns up the same categories of surprises. Software nobody uses that the company is still paying for. Security controls that were set up once and never verified. Former employees with active accounts. Devices on the network that nobody has touched in a year. A backup that stopped working and sent alerts to an inbox nobody checks.
None of these is an exotic problem. They are the natural result of a business that has been adding tools, people, and complexity over time without a regular moment to step back and look at the whole picture.
The annual I.T. review is that moment. It is not an incident response. It is not a sales pitch for new tools. It is a structured conversation about the current state of your environment, what is working, what is not, and where the highest risks are.
Here is what a useful annual review actually covers.
Asset inventory. Start with a complete list of all devices: laptops, desktops, servers, phones, tablets, network hardware, and all software subscriptions. This list is the foundation of everything else. If you do not know what you have, you cannot protect it. The inventory should include who owns each device, what OS version it runs, when it was last updated, and whether it is enrolled in device management.
For software, the inventory should include what you pay for, what is actively used, and what was approved versus what employees adopted on their own. In most small businesses, this review alone saves money. There are almost always canceled trials that never stopped billing, duplicate tools solving the same problem, and legacy subscriptions from years ago that nobody relies on anymore.
Access and accounts. Pull a list of every active user account across your key systems: email, file storage, accounting software, CRM, and remote access tools. Cross-reference it against your current employee list. Every account that belongs to a former employee should be disabled or deleted. Every account with admin-level access should be reviewed: does that person still need admin access, or did they get it for a project two years ago and nobody ever removed it?
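The cross-reference described above is easy to do by hand for five people and easy to get wrong for fifty. The following script is an added example (not CIO Landing's code or tooling): it takes an export of active accounts from several systems, matches each one against the employee roster, and produces two lists, accounts with no current owner and admin accounts that need re-justification. All names, systems, and addresses are constructed sample data, and the field names are assumptions.

```python
"""Access review helper (added example, not CIO Landing's code).

Cross-references active accounts exported from several systems against the
current employee roster. Every identity below is a constructed sample.
"""
from collections import defaultdict

# Constructed roster of current employees, keyed by the address each system uses.
EMPLOYEES = {
    "ana@example.com": "Ana Ruiz",
    "ben@example.com": "Ben Okafor",
    "cho@example.com": "Cho Park",
}

# Constructed export of active accounts: one row per (system, user, role).
ACTIVE_ACCOUNTS = [
    {"system": "email",      "user": "ana@example.com",  "role": "admin"},
    {"system": "email",      "user": "ben@example.com",  "role": "admin"},
    {"system": "email",      "user": "dave@example.com", "role": "user"},   # left last year
    {"system": "file-store", "user": "ana@example.com",  "role": "user"},
    {"system": "file-store", "user": "dave@example.com", "role": "admin"},  # left, still admin
    {"system": "accounting", "user": "cho@example.com",  "role": "admin"},
    {"system": "crm",        "user": "ben@example.com",  "role": "admin"},
    {"system": "vpn",        "user": "svc-backup",       "role": "admin"},  # service account
]


def review_accounts(accounts, employees):
    """Return (to_disable, admins_to_review).

    to_disable: accounts with no matching current employee. Service or shared
    accounts (no '@' in the name, an assumed convention) are tagged rather than
    silently lumped in, so a person decides what to do with them.
    admins_to_review: every admin-level account, with its owner if known.
    """
    to_disable = []
    admins_to_review = []
    for row in accounts:
        owner = employees.get(row["user"])
        if owner is None:
            kind = "service-or-shared" if "@" not in row["user"] else "former-employee"
            to_disable.append({**row, "reason": kind})
        if row["role"] == "admin":
            admins_to_review.append({**row, "owner": owner})
    return to_disable, admins_to_review


def admin_counts(admins):
    """Number of admin roles each identity holds; admin sprawl across systems is a signal."""
    counts = defaultdict(int)
    for row in admins:
        counts[row["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    disable, admins = review_accounts(ACTIVE_ACCOUNTS, EMPLOYEES)
    print("Disable or confirm:")
    for row in disable:
        print(f"  {row['system']:<11} {row['user']:<18} {row['reason']}")
    print("Admin access to re-justify:")
    for row in admins:
        print(f"  {row['system']:<11} {row['user']:<18} owner={row['owner']}")
    print("Admin roles per identity:", admin_counts(admins))
```

In practice the two inputs come from wherever your systems export users (a CSV from the identity provider or each application's admin console) and the HR roster; the matching logic stays the same. The point of the service-account tag is that those accounts never appear on an employee list, so a naive "not an employee, disable it" rule would either break a backup job or train people to ignore the report.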
Security controls. Go through a short checklist of the controls that matter most for small businesses. MFA active on all critical systems? Encryption enabled on all laptops? Backup running and tested within the last 90 days? Antivirus or endpoint protection active and current? Firewall in place and properly configured? Patches current within 30 days? Each of these is a yes-or-no question. The nos are your action list.
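To show how the checklist above turns into an action list, here is an added example (not CIO Landing's code) that evaluates those yes-or-no questions against a constructed device inventory, a constructed list of critical systems, and a constructed backup record, then ranks every "no" by a simple severity order. The 30-day patch window and 90-day backup-test window are the figures from the text; the field names, severity weights, and sample values are assumptions.

```python
"""Control checklist evaluator (added example, not CIO Landing's code).

Turns the small-business control checklist into a ranked action list by
checking constructed inventory data against the thresholds in the text.
"""
from datetime import date

REVIEW_DATE = date(2024, 6, 1)      # constructed: the day the review is run
PATCH_WINDOW_DAYS = 30              # from the text: patches current within 30 days
BACKUP_TEST_WINDOW_DAYS = 90        # from the text: backup tested within 90 days

# Constructed device inventory; field names are assumptions.
DEVICES = [
    {"name": "LT-ANA",   "owner": "Ana Ruiz",   "last_patch": date(2024, 5, 20),
     "encrypted": True,  "managed": True,  "endpoint_protection": True},
    {"name": "LT-BEN",   "owner": "Ben Okafor", "last_patch": date(2024, 3, 2),
     "encrypted": False, "managed": True,  "endpoint_protection": True},
    {"name": "SRV-FILE", "owner": "IT",         "last_patch": date(2024, 5, 28),
     "encrypted": True,  "managed": False, "endpoint_protection": False},
]

# Constructed list of critical systems and whether MFA is enforced on each.
SYSTEMS = [
    {"name": "email",      "mfa": True},
    {"name": "accounting", "mfa": False},
    {"name": "vpn",        "mfa": True},
]

# Constructed backup record: when a restore was last tested successfully.
BACKUP = {"last_restore_test": date(2024, 1, 15)}

# Assumed severity order used only for ranking; 1 is most urgent.
SEVERITY = {
    "MFA not enforced": 1,
    "backup restore not tested": 1,
    "endpoint protection missing": 2,
    "disk encryption off": 2,
    "patches older than window": 3,
    "not enrolled in device management": 3,
}


def check_device(dev, today=REVIEW_DATE):
    """Return the list of failed controls for one device (empty list means all yes)."""
    failures = []
    if (today - dev["last_patch"]).days > PATCH_WINDOW_DAYS:
        failures.append("patches older than window")
    if not dev["encrypted"]:
        failures.append("disk encryption off")
    if not dev["managed"]:
        failures.append("not enrolled in device management")
    if not dev["endpoint_protection"]:
        failures.append("endpoint protection missing")
    return failures


def check_systems(systems):
    """Return (system name, finding) for every critical system without MFA."""
    return [(s["name"], "MFA not enforced") for s in systems if not s["mfa"]]


def check_backup(backup, today=REVIEW_DATE):
    """Return a finding if the last successful restore test is outside the window."""
    age = (today - backup["last_restore_test"]).days
    return [("backup", "backup restore not tested")] if age > BACKUP_TEST_WINDOW_DAYS else []


def action_list(devices, systems, backup, today=REVIEW_DATE):
    """Every 'no' as a (scope, finding) pair, most urgent first."""
    items = [(d["name"], f) for d in devices for f in check_device(d, today)]
    items += check_systems(systems)
    items += check_backup(backup, today)
    return sorted(items, key=lambda item: (SEVERITY[item[1]], item[0]))


if __name__ == "__main__":
    for scope, finding in action_list(DEVICES, SYSTEMS, BACKUP):
        print(f"[sev {SEVERITY[finding]}] {scope:<10} {finding}")
```

Feeding this real data means exporting the same fields from your device-management console and backup tool; the value is that the output is the action list the text describes, already sorted, rather than a spreadsheet someone has to interpret.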
Vendor review. List everyone you are paying for I.T.-related services: internet providers, cloud platforms, and software vendors.
The biggest-risk conversation. This is the question I recommend every business owner ask their I.T. provider directly: given everything you know about our environment, what is the thing that worries you most? What would you fix first if budget were not a constraint?
A good I.T. provider has an answer to that question. They see your environment every day. They have a view of what is fragile, what is outdated, and where the exposure is. The problem is that I.T. providers often do not share this unsolicited. They fix what breaks, respond to requests, and stay in their lane. The annual review is the right moment to ask them to step out of that lane and speak plainly.
If they say “everything looks fine” without walking through the details, that is not a satisfying answer. Push. What does fine mean? Are backups tested? When did we last review access controls? What would an attacker find easiest to exploit in our environment?
The output of the review should be a short list. The top three things to fix in the next 90 days, ranked by risk. Assign each one an owner and a deadline. Review it at the next quarterly check-in.
The businesses that handle I.T. incidents best are almost never the ones with the most sophisticated tools. They are the ones who have a clear picture of their environment and update that picture regularly. An annual review is the minimum. At CIO Landing, we prefer them quarterly, and in some cases monthly. But if you have never done one at all, start this year by asking your I.T. provider what they would fix first.