Everything you need to know about auditing your tech stack

IT audits are complicated and too often neglected or completed haphazardly. But a careful audit can help to reduce costs, improve cybersecurity and accelerate growth. To do this effectively, business leaders must understand why, when and how to audit their tech stack.

If your tech stack has served you well for some time, then you might be reluctant to change anything. After all, if it ain’t broke, don’t fix it. Plus, auditing and mending a tech stack is a complicated task. With so many apps and software tools on the market, it can be difficult to know which options are best for your company. Inaction is often the simplest action.

But neglecting IT maintenance can leave your firm vulnerable and inefficient. Data and technology are now central to most organisations, so allowing your tech tools to become obsolete will inevitably impact business performance. Outdated tech will not only impede growth but is likely to leave your organisation exposed to cyber attacks.

Patching cybersecurity vulnerabilities

Many IT professionals point to cybersecurity as the primary reason to conduct regular tech-stack audits, according to a survey by The Institute of Internal Auditors and consulting firm Protiviti.

A tech audit can serve as a diagnostic tool, flagging vulnerabilities within your company’s IT infrastructure before they impact the health of your business. It can also help you to minimise entry points for hackers by identifying and removing legacy apps and software that no longer receive security patches. 


Equifax, the consumer credit reporting agency, learned the hard way that outdated tech and insufficient auditing processes can lead to devastating consequences. In 2015, the firm conducted an IT and security audit and discovered a backlog of more than 8,500 vulnerabilities, which needed to be patched. However, the company failed to carry out follow-up audits and no fixes were deployed, which resulted in a data breach in 2017 impacting 147 million customers. 

Crucially, the US Senate Permanent Subcommittee on Investigations determined that Equifax’s failure to patch critical vulnerabilities was a direct result of subpar IT assessment and cybersecurity practices. As a result, in 2019, the company agreed to a $575m (£454m) settlement with the US Federal Trade Commission and Consumer Financial Protection Bureau.

Digital strategy, tech integration and data integrity

Petra Tesch, chief information officer at visual media company Vizrt, explains that her firm’s most recent audit was “triggered by a desire to evolve our business model. We want to move from perpetual sales to a subscription-based software-as-a-service offering.” 

She adds that Vizrt’s tech-stack audit is not only about updating the firm’s tech tools, but also uncovering challenges posed by legacy solutions.

This point is echoed by Nick Elsberry, leader of software technology consulting at Xebia. Each tool in your tech stack should serve a strategic purpose, he says, so eliminating the lower-value ones will create better integrations and deliver efficiencies. An audit will reveal which tools are underused and which need consolidating. 

A thorough IT audit will also help to ensure data integrity and tech integration, as inaccessible or low-quality data will inevitably hinder business operations.

It is essential that business leaders understand what data they have, where it resides and who is best placed to use it, according to Stephen Bowes, security technologies practice director at the British Standards Institution. He stresses: “Determining the ‘what’, ‘where’ and ‘who’ within your tech stack requires effectively auditing your data as well as your software, hardware and cloud estates.”

Finally, you should consider auditing your tech stack if a significant period of time has passed since you last conducted one. But this begs the question: when and how often should you be auditing?


Asking when or how often firms should audit their tech stack is a bit like asking what is the length of a piece of string. There are many variables at play.

If you have a complicated tech stack with many components, it can be difficult to ensure the usefulness of all the different applications and software. Frequent audits can help to keep a large tech stack optimised, providing insights on unnecessary and unused software and identifying opportunities for consolidation.

If your tech stack is already consolidated, however, composed of apps and software from a single vendor, for instance, there may be less pressure to conduct an audit. 

But software licences eventually expire and this can mark a convenient time for a thorough IT audit. The end of a subscription period is a good opportunity to consider which subscriptions should be renewed and which should be left to lapse. 

Don’t delay an audit

The key thing is to audit your tech stack on a regular basis. Oliver Kasicki, head of development at digital agency Bolser, suggests auditing once or twice a year to ensure that you’re not caught off guard by unforeseen issues.

“Identifying vulnerabilities and bottlenecks as early as possible will help to minimise any operational challenges and, at the same time, reassure your stakeholders and clients that you’re on top of everything,” says Kasicki. “The more frequently audits are conducted the easier the remediation process, as you can iteratively solve issues as they arise rather than in one unmanageable block.”

But, he warns, what you mustn’t do is procrastinate and act only once a problem has arisen.

If Equifax, for example, had carried out regular follow-up audits after discovering vulnerabilities in its systems in 2015, it may have avoided the massive data breach that occurred a couple of years later. IT audits, therefore, should be proactive, not reactive. 

Do you trust your data?

Vizrt’s Tesch points out that IT systems are only as good as the data they’re based on. Feeding your apps bad data will produce low-quality insights and making business decisions based on that data can be costly and lead to inefficiencies. An erosion of trust in the data that your apps and software are generating is a clear sign that it’s time to audit your tech stack.


Accessibility is equally important. Online marketplace Gumtree recognised the need for an audit following its carve-out from eBay in 2021. Early in the process the firm had difficulties migrating its data infrastructure away from eBay’s largely centralised stack.

“A lack of visibility meant actions that should have taken hours, took days. This wasted valuable engineering resources and created an unbalanced team of long-standing employees with historical knowledge and newer colleagues with few reference points,” says Andressa Dantas, head of engineering at Gumtree.

As a result of the firm’s audit, everything connected to Gumtree’s tech stack is now meticulously documented and processes for regular reviews have been put into place. 

“Anyone coming into our organisation can easily find all the information they need to carry out a successful audit and flag issues before they become a concern,” Dantas says.

So you know why you need to audit your tech stack and when and how often you should be doing it. But what are the steps to conducting a thorough IT audit?


First and foremost, says Elsberry, audit leaders should map actual workflows on to the existing tech stack. Only then can they “identify new workflows that could extract increased value from underutilised portions of the tech stack and eliminate tools that are no longer necessary after workflows are reconciled”.

Start by documenting every tool in the tech stack. Unless the purpose of the audit is simply to reduce your tech spending, you should make a record of all apps and software, even the free ones, no matter how insignificant you believe them to be. 

The use of ‘shadow IT’ – apps and/or software that are not authorised by the IT department – has made it harder to keep track of everything feeding into your tech stack. Communication is therefore essential, not just in documenting the apps in your stack, but throughout every stage of the process.

Create stakeholder buy-in 

Although a tech-stack audit is usually led by an IT manager or cybersecurity director, depending on the intended goal, a successful audit will require the buy-in and commitment of the whole tech team.

Buy-in hinges on knowledge and clear communication, however. When Gumtree encountered problems with data accessibility following its split from eBay, the firm onboarded a knowledge-sharing tool. It serves as a virtual question board for the tech team, where questions and answers can be posted, ensuring everyone has the information they need.


Dantas says that this tool has helped the team to bridge its initial information gap and now enables team members to proactively develop their own knowledge. It will also make future audits easier.

Each member of the tech team must also have a clearly defined role. Dantas says that Gumtree “carefully monitors which teams are accountable for each tech component to ensure responsibilities are split evenly. No single team is under intense pressure when incidents occur.”

And you shouldn’t assume that your teams have a shared understanding or way of working. Employees require different levels of support to perform to their best ability. For some, this could mean being paired with a more experienced team member, she explains, while for others a written guide may suffice.

Collate data and fit the pieces together

Once you have established processes and expectations in the team and compiled an exhaustive list of the apps and software being used across the business, the next step is to consider the value and utility of each tool. Teams will need to ask whether particular tools integrate well with the rest of the stack, whether each is achieving its intended goal and whether any are failing to justify their cost. 

Stakeholders in the process must balance factors including the frequency and extent of an app’s use, its impact on employee productivity and, of course, its price tag.

Equipped with insights from these considerations, decision-makers can determine which tools should be maintained and which should be left to expire. 
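The checks described in this article (legacy software that no longer receives security patches, shadow IT, underused tools and licences approaching renewal) can be run over a documented inventory, as in this added example, which is not part of the original article. The column names, thresholds and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; every name, date and figure is illustrative.
INVENTORY_CSV = """tool,approved_by_it,support_ends,seats,active_users,annual_cost,renewal
LegacyCRM,yes,2023-06-30,40,31,12000,2025-09-01
DesignSuite,yes,2027-01-31,50,6,30000,2025-03-15
FileShareX,no,2026-12-31,0,14,0,
Ticketing,yes,2028-05-31,25,22,9000,2025-11-30
"""

# Assumed thresholds, to be tuned to the organisation's own policy.
UNDERUSED_RATIO = 0.25
RENEWAL_WINDOW_DAYS = 60


def audit_inventory(csv_text, today):
    """Return {tool: [findings]} for every tool with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = []
        if row["approved_by_it"].strip().lower() != "yes":
            flags.append("shadow-it")  # in use but never authorised by IT
        if row["support_ends"] and date.fromisoformat(row["support_ends"]) < today:
            flags.append("unsupported")  # vendor no longer ships security patches
        seats = int(row["seats"] or 0)
        if seats and int(row["active_users"] or 0) / seats < UNDERUSED_RATIO:
            flags.append("underused")  # few of the paid seats are actually used
        if row["renewal"]:
            days_left = (date.fromisoformat(row["renewal"]) - today).days
            if 0 <= days_left <= RENEWAL_WINDOW_DAYS:
                flags.append("renewal-due")  # convenient point to renew or lapse
        if flags:
            findings[row["tool"]] = flags
    return findings


def prioritise(findings):
    """Order tools so security findings come before cost findings."""
    weight = {"unsupported": 0, "shadow-it": 1, "underused": 2, "renewal-due": 3}
    return sorted(findings, key=lambda t: (min(weight[f] for f in findings[t]), t))


if __name__ == "__main__":
    report = audit_inventory(INVENTORY_CSV, today=date(2025, 2, 1))
    for tool in prioritise(report):
        print(f"{tool}: {', '.join(report[tool])}")
```

Passing the audit date explicitly keeps repeated runs comparable, so the findings of one audit can be diffed against the next.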

With your apps and software consolidated, you might think that you’ve reached the end of the process. But there is one final step, which should not be neglected: a post-audit assessment. Examining, for instance, the veracity and accessibility of your system’s data, changes in workflows and productivity and any cost savings, can help you to understand whether you achieved your intended goal and what can be improved upon in your next audit. 
