Every December I run the same conversation with a client who has not looked closely at their technology stack all year. A year end technology audit is not glamorous work, and that is exactly why it gets skipped until something breaks. The businesses that run this check once a year, deliberately, catch the ex-employee who still has admin access, the backup that has silently failed for six months, and the subscription nobody remembers approving. None of it takes more than an afternoon.

I treat this the way I treat a car service. Nothing on the checklist is exciting. All of it is the difference between a small, boring fix now and an expensive, public failure later. The businesses I have watched skip this longest are the ones that eventually get hit by exactly the risk the audit would have caught.

Here is the checklist I actually use, in the order I run it.

1. Subscriptions and Licenses

Pull every recurring charge on the company card and match it to a person who can explain why it exists.

  • Cancel anything nobody can explain within thirty seconds.
  • Check seat counts against actual headcount; software rarely shrinks its seat allocation on its own when people leave.
  • Confirm renewal dates for anything annual, and calendar them now, not when the invoice arrives.

This is the same discipline behind subscription creep in your software budget, and December is the natural checkpoint to run it, since most annual renewals cluster around calendar year end.

2. User Access for Departed Staff

This is the single highest-risk item on the list and the one owners most consistently underestimate.

  • Pull a list of everyone who left the company this year, across every system: email, cloud storage, code repositories, financial software, physical building access, WhatsApp Business if it is shared.
  • Confirm access was actually revoked, not just that an offboarding checklist said it would be.
  • Pay particular attention to systems the departed person set up personally. A former employee's personal email as the recovery contact on a company domain is a real and common finding.

I have seen a departed employee retain access to a shared drive eight months after leaving, discovered only because a client asked why an old contract template was edited after the person's last day.

3. Backup Integrity

A backup that has never been restored is a backup you do not actually have.

  • Pick your most critical database or file store and attempt a real restore to a test environment.
  • Confirm the restore point is recent, not a snapshot from a year ago that nobody rotated.
  • Check that backup jobs are actually completing, not just scheduled. Scheduled and successful are different facts.

Do this test annually at minimum. It is the cheapest insurance against the worst kind of surprise, and it is the one item on this checklist that a spreadsheet cannot fake for you.

4. Domains and Certificates

  • List every domain the business owns and confirm renewal dates and the account they renew under; a domain expiring under a departed employee's personal account is a recurring cause of embarrassing outages.
  • Check SSL certificate expiry across all customer-facing sites and confirm auto-renewal is actually configured, not assumed.
  • Confirm who has admin access to the domain registrar account itself, since this is often forgotten in the access review above.

5. Vendor Contracts and Dates

Build one simple table for the year ahead:

Vendor Contract type Renewal or notice date Owner
Hosting provider Annual March IT lead
Payment gateway Rolling monthly N/A, review pricing tier Finance
Core software vendor Annual, auto-renew January, 60-day notice required Owner

The column that matters most is notice period. Many enterprise contracts auto-renew unless you cancel 60 or 90 days before the term ends, and missing that window locks you in for another year of a tool you may want to leave behind.

6. Security Basics

Not a full penetration test, just the basics that decay silently over a year:

  • Two-factor authentication enabled on every system that touches money or customer data.
  • Password reuse across critical systems, especially anything shared among multiple staff.
  • Any API keys or integrations that are no longer in use but still have live credentials.

Putting It on the Calendar

The point of a checklist is that it does not require memory. Put this exact list, or your version of it, on a recurring calendar entry for the first week of December every year, assigned to one named owner, not "the team." A checklist nobody owns does not get run. If this audit turns up bigger structural questions, like whether to rebuild or replace a core system, that is a good moment to loop in a partner rather than patch around it for another year.

Takeaway

A year end technology audit does not need a consultant or a weekend. It needs an afternoon, this exact list, and one person accountable for running it. Do the access review and the backup restore test first if you only have time for two items; those are the ones that turn into genuine incidents when skipped.