Quarterly IT Security Audit Checklist
Quarterly office-led IT security audit — passwords, access, MFA, devices, leavers, backups.
When to use this
Not the deep technical audit IT does annually. This is the office-facing review of access and devices — the things admin and HR own.
The template
# Quarterly IT Security Audit

## Identity & access
- [ ] Leaver list since last quarter reconciled with system access
- [ ] Joiner list since last quarter reconciled with access set up
- [ ] Privileged-access list reviewed (who has admin in what)
- [ ] Shared accounts identified and justified (or removed)
- [ ] MFA enabled on every staff account (no exceptions)

## Passwords & vaults
- [ ] Password manager adoption: % of staff onboarded
- [ ] Shared vault entries reviewed; stale ones removed
- [ ] Service-account passwords rotated per policy

## Devices
- [ ] Asset register reconciled with what we actually have
- [ ] Lost / stolen devices since last quarter — status of each
- [ ] BYOD devices enrolled in MDM
- [ ] Encrypted disk verified on every laptop

## Backups & restores
- [ ] Backup logs reviewed
- [ ] At least one restore drill completed this quarter
- [ ] Critical data identified and confirmed in scope

## Third parties
- [ ] Vendors with system access reviewed
- [ ] Vendor MFA confirmed where they integrate to our systems
- [ ] Vendor offboarding actioned where engagements ended

## Phishing & training
- [ ] Phishing simulation results since last quarter reviewed
- [ ] Repeated failures identified and supported with training
- [ ] Security training compliance: % of staff up to date

## Findings
| # | Finding | Severity | Owner | Due |
|---|---------|----------|-------|-----|
| | | | | |
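The Identity & access items (leaver and joiner reconciliation, privileged-access review, shared accounts, MFA on every account) are the ones most often done by eyeballing two spreadsheets. The script below is an added example, not part of the checklist and not tied to any particular HR or IT system: it assumes an HR export and a system-access export in the two constructed CSV layouts embedded in the code, reconciles them, and emits rows in the format of the template's Findings table. The column names, severity levels and sample accounts are all assumptions for illustration.

```python
"""Quarterly identity & access reconciliation (added example).

Assumes two CSV exports: an HR list (email, status, last_day) and a
system-access list (account, system, role, mfa_enabled, shared).
Both formats below are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample HR export: who is still employed and who has left.
HR_CSV = """email,status,last_day
alice@example.org,active,
bob@example.org,left,2024-02-15
carol@example.org,active,
dave@example.org,left,2024-03-01
frank@example.org,active,
"""

# Constructed sample access export from the systems being audited.
ACCESS_CSV = """account,system,role,mfa_enabled,shared
alice@example.org,crm,user,true,false
bob@example.org,crm,admin,true,false
carol@example.org,crm,user,false,false
dave@example.org,finance,user,false,false
eve@example.org,finance,admin,true,false
shared-reception@example.org,crm,user,false,true
"""


@dataclass
class Findings:
    orphaned: list = field(default_factory=list)      # (account, system, reason)
    missing_mfa: list = field(default_factory=list)   # (account, system)
    shared: list = field(default_factory=list)        # (account, system)
    privileged: list = field(default_factory=list)    # (account, system), for review
    joiners_without_access: list = field(default_factory=list)  # email


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def reconcile(hr_csv=HR_CSV, access_csv=ACCESS_CSV):
    """Cross-check every access record against the HR list and back again."""
    hr = {row["email"].strip().lower(): row for row in parse_csv(hr_csv)}
    findings = Findings()
    seen = set()
    for row in parse_csv(access_csv):
        acct = row["account"].strip().lower()
        system = row["system"]
        seen.add(acct)
        if is_true(row["shared"]):
            # Shared accounts are not people; they need a justification, not an HR match.
            findings.shared.append((acct, system))
        else:
            person = hr.get(acct)
            if person is None:
                findings.orphaned.append((acct, system, "no HR record"))
            elif person["status"] == "left":
                findings.orphaned.append((acct, system, f"left {person['last_day']}"))
        if not is_true(row["mfa_enabled"]):
            findings.missing_mfa.append((acct, system))
        if row["role"].strip().lower() == "admin":
            findings.privileged.append((acct, system))
    # Active staff with no access at all: joiners whose setup was missed.
    for email, person in hr.items():
        if person["status"] == "active" and email not in seen:
            findings.joiners_without_access.append(email)
    return findings


def findings_rows(findings):
    """Render findings as rows for the template's Findings table (Owner/Due left blank)."""
    rows = []
    privileged = set(findings.privileged)
    for acct, system, reason in findings.orphaned:
        sev = "High" if (acct, system) in privileged else "Medium"
        rows.append((f"Orphaned account {acct} on {system} ({reason})", sev))
    for acct, system in findings.missing_mfa:
        rows.append((f"MFA not enabled for {acct} on {system}", "High"))
    for acct, system in findings.shared:
        rows.append((f"Shared account {acct} on {system} needs justification or removal", "Medium"))
    for email in findings.joiners_without_access:
        rows.append((f"Active staff member {email} has no system access recorded", "Low"))
    return [f"| {i} | {text} | {sev} | | |" for i, (text, sev) in enumerate(rows, 1)]


if __name__ == "__main__":
    print("| # | Finding | Severity | Owner | Due |")
    print("|---|---------|----------|-------|-----|")
    for line in findings_rows(reconcile()):
        print(line)
```

Run it with the real exports swapped in for the two constants; the privileged list is returned separately so the "who has admin in what" review can be done as its own pass rather than being buried among findings. An orphaned account that also holds admin is rated High because it is exactly the leaver-with-privilege case the first two checklist items exist to catch.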