Most businesses close their financial books in December but never close their technology books. A year-end technology audit does for your systems what the accountant does for your cash: it forces an honest look at what happened, what is still open, and what needs to be fixed before it becomes next year's fire. It takes one afternoon and it will save you more than one afternoon of pain in the first quarter.

I run this exercise with clients every December, and the pattern is consistent: nobody has revoked the access of the ex-employee who left in March, nobody remembers what half the recurring subscriptions actually do, and everybody has a quiet list of systems they complain about but never scheduled time to fix. A year-end technology audit surfaces all three, on paper, where they can actually be prioritized instead of just grumbled about.

Start with access, because that is the security risk hiding in plain sight

Access sprawl is the single most common finding in every audit I run. People leave, roles change, contractors finish projects, and almost nobody goes back to revoke what is no longer needed.

  • Pull the full list of active users across every system: email, cloud storage, admin panels, financial software, code repositories.
  • Cross-reference against current staff and active contractors.
  • Revoke anything tied to someone no longer with the business, no exceptions, no "we'll get to it."
  • Check for shared logins, the single account three people use because nobody set up individual accounts. These are an audit trail black hole and a liability the day something goes wrong.

This alone is worth doing even if you skip everything else on this list. An ex-employee with lingering access to financial systems or customer data is not a hypothetical risk, it is a live one sitting in your account list right now.

Cancel the subscriptions nobody can explain

Software subscription sprawl compounds quietly. A tool gets bought to solve a problem eighteen months ago, the problem gets solved differently, and the subscription just keeps renewing because cancelling requires someone to notice and act.

Pull your card and bank statements for recurring software charges and ask, for each one: who uses this, and what breaks if we cancel it? If nobody in the room has a confident answer, that is your answer. I have found businesses paying for three overlapping project management tools, two of which had a total of one active user between them.

This is not about penny-pinching, it is about knowing what you are actually running. A business that cannot list its own active software stack from memory has already lost the plot on its own technology footprint.

Verify backups actually restore, not just that they run

A scheduled backup job that completes without error tells you the job ran. It does not tell you the backup is usable. Year-end is the right moment to run an actual restore test, not just check the job logs.

Pick a backup from a few months back, restore it to an isolated environment, and confirm the data is complete and the application runs against it. I wrote a full walkthrough of this in Backups and Disaster Recovery: The Unsexy Lifesaver, and the short version is: a backup nobody has restored is a hope, not a backup. Do not let this be the thing that gets discovered broken during an actual incident.

List the systems everyone complains about

Every business has at least one system that staff quietly hate, the inventory tool that requires three extra clicks, the reporting spreadsheet that breaks every time someone adds a row, the customer database that three different departments maintain three different copies of. These complaints rarely reach the owner's desk as a formal request, they just get absorbed as "how things are."

Ask your team directly, in writing: what system wastes your time every week? Compile the answers without editing them. This list is usually more revealing than any formal systems review, because it comes from the people actually doing the clicking.

The year-end audit checklist

Area Action Owner
Access Revoke ex-employee and contractor access IT/admin lead
Access Eliminate shared logins IT/admin lead
Subscriptions Cancel unused or overlapping software Finance + ops
Backups Run a full restore test Technical lead
Pain points Collect staff complaints in writing Owner/manager
Priorities Pick the single biggest fix for Q1 Owner

Pick one fix for Q1, not five

The temptation after an audit like this is to try to fix everything at once. Resist it. Rank the findings by business impact and pick exactly one to solve in the first quarter, the same discipline I recommend in Set 3 Technology Goals for the New Year (Not 10). A single well-executed fix beats five half-finished initiatives every time, and it gives you a clean before-and-after story to show for the effort.

Practical takeaway

Closing the books on technology should be as routine as closing the books on finance. Revoke access you no longer need, cancel subscriptions nobody can justify, verify your backups actually restore, and write down the systems your own team is quietly frustrated with. Then choose one fix, the highest-impact one, and put it on the calendar for January before the audit itself becomes just another document nobody revisits.