The Business Owner's Quarterly IT Review Checklist

12 min read

You don't need to manage your IT every day. But you do need to check in on it regularly to catch issues before they become crises.

Think of it like regular maintenance on a building. You don't inspect the roof daily, but you do check it periodically to ensure everything's still solid before leaks develop.

Here's your practical quarterly IT review - actionable checks you can do four times a year to stay confident about your business's IT.

Why Quarterly?

Too often: Monthly reviews become burdensome and don't catch enough change to be valuable.

Too rare: Annual reviews miss too much. Problems can compound over a year.

Just right: Quarterly reviews (every 3 months) catch issues while they're still manageable, without consuming excessive time.

Mark your calendar:

  • Q1: January
  • Q2: April
  • Q3: July
  • Q4: October

Block 1-2 hours for your quarterly IT review. That's 4-8 hours per year to stay on top of your business's IT infrastructure.

Domain & Registration

Check domain expiration dates

  • When does your main domain expire?
  • When do secondary domains expire?
  • Is auto-renewal enabled and working?
  • Is the payment method current?

Action: Log in to your domain registrar and verify renewal dates. If anything expires in the next 6 months, verify payment info is current.

Verify domain control

  • Can you log in to your registrar account?
  • Is the account under your business's control?
  • Is 2FA enabled?
  • Is registrar lock enabled?

Action: If you can't log in or don't have access, fix this immediately. Your domain is your business identity.

Review WHOIS information

  • Is contact information current?
  • Is domain privacy enabled (if desired)?
  • Is the listed email address monitored?

Action: Update any outdated contact information.

Website & SSL

Check SSL certificate status

  • Is the padlock showing on your website?
  • Are there any security warnings?
  • When does the SSL certificate expire?
  • Is auto-renewal working?

Action: Visit your website. If you see warnings or no padlock, investigate immediately.

Test website functionality

  • Does your website load properly?
  • Do forms work?
  • Do links work?
  • Does it look correct on mobile?

Action: Spend 5 minutes clicking through your site as if you were a customer. Note anything broken.

Review website performance

  • Is it loading slowly?
  • Are there errors in the browser console?
  • Have you received customer complaints about the site?

Action: If performance has degraded, investigate why.

Check backup status

  • When was the last website backup?
  • Can you restore from backup if needed?
  • Where are backups stored?

Action: Verify backups are actually running. Don't assume - check.

Email Configuration

Test email security

  • Send a test email to Gmail
  • Check if SPF, DKIM, and DMARC pass
  • Verify your emails aren't going to spam

Action: Send yourself a test email, view the source in Gmail, and look for "SPF: PASS, DKIM: PASS, DMARC: PASS."

Review email accounts

  • Do all current employees have necessary email addresses?
  • Are there email accounts for former employees that should be removed?
  • Are forwarding rules still appropriate?

Action: List who should have email access. Remove any accounts that are no longer needed.

Check email storage

  • Are any accounts approaching storage limits?
  • Is email archiving working?
  • Are old emails being handled appropriately?

Action: Verify no one's about to hit storage limits and lose email.

Verify email deliverability

  • Are customers receiving your emails?
  • Have you noticed any delivery issues?
  • Are automated emails (invoices, confirmations) working?

Action: Test sending email to multiple providers (Gmail, Outlook, etc.) and verify delivery.

Access Control

Review who has access

  • Who has admin access to your website?
  • Who can access your domain registrar?
  • Who has access to your hosting control panel?
  • Who can manage your email system?
  • Who has access to other business systems?

Action: Create or update a list of who has what access. Remove access for anyone who no longer needs it.

Former employee audit

  • Has anyone left the company since last quarter?
  • Was their access properly removed?
  • Do they still have login credentials?

Action: If anyone left in the past 3 months, verify their access was revoked everywhere.

Check for unused accounts

  • Are there old contractor accounts still active?
  • Are there test accounts that should be removed?
  • Are there service accounts that are no longer used?

Action: Remove any accounts that aren't actively used.

Verify 2FA status

  • Which accounts have two-factor authentication enabled?
  • Are admins using 2FA on critical systems?

Action: Enable 2FA on any admin accounts that don't have it.

Services & Subscriptions

Review active subscriptions

  • What services are you paying for?
  • Are they all still necessary?
  • Are there services you're paying for but not using?

Action: Review credit card statements for recurring IT charges. Cancel anything you're not actively using.

Check subscription renewal dates

  • When do hosting, domains, email, etc. renew?
  • Is payment information current?
  • Are there any services expiring soon?

Action: Mark renewal dates in your calendar. Verify payment methods are current. This is the kind of proactive tracking monthly IT reviews provide automatically.

Verify service health

  • Are all services you're paying for actually working?
  • Have you received service degradation notices?
  • Are there better alternatives now available?

Action: Test critical services to ensure they're functioning as expected.

DNS & Configuration

Review DNS records

  • Are all DNS records still necessary?
  • Are there old records for services you no longer use?
  • Have any services changed that need DNS updates?

Action: Get a copy of your current DNS records. Ask your IT provider if any are outdated and should be removed.

Check DNS propagation

  • Are all DNS records pointing to the correct locations?
  • Are there any records pointing to old servers?

Action: Use a DNS lookup tool to verify your main records are correct.

Verify subdomains

  • What subdomains do you have configured?
  • Are they all still in use?
  • Do they all have proper SSL certificates?

Action: List your subdomains. Remove or fix any that are broken or unused.

Security Review

Check for security incidents

  • Have there been any security alerts?
  • Any unusual login attempts?
  • Any suspicious email or website activity?

Action: Review security logs if available, or ask your IT provider about any incidents.

Review recent changes

  • What IT changes were made in the past quarter?
  • Were they documented?
  • Did they introduce any issues?

Action: If you don't know what changed, that's a problem. Start tracking changes going forward.

Update passwords

  • Are you using the same passwords you used a year ago?
  • Are shared passwords secure?
  • Are admin passwords stored safely?

Action: Change any passwords that haven't been updated in a year, especially admin accounts.

Verify backup and recovery

  • Do you have current backups?
  • Have backups been tested recently?
  • Do you know how to restore from backup if needed?

Action: Don't assume backups work. Verify they exist and are restorable.

Documentation Review

Update IT documentation

  • Is your IT inventory current?
  • Are access lists up to date?
  • Is contact information for IT providers current?

Action: Update any documentation that's changed since last quarter.

Review dated records

  • Do you have a record of your current IT configuration?
  • Can you compare it to last quarter to see what changed?

Action: Create a dated snapshot of your IT setup this quarter. Compare to last quarter if available.

Document recent issues

  • What problems occurred this quarter?
  • How were they resolved?
  • What was learned?

Action: Keep a simple log of IT issues and resolutions. Patterns reveal bigger problems.

Performance & Monitoring

Review analytics

  • How is your website performing?
  • Are there error patterns?
  • Are visitors having issues?

Action: Check basic website analytics for anomalies.

Check uptime

  • Has your website or email had downtime?
  • Were you aware of it?
  • How long did it last?

Action: If you don't have uptime monitoring, consider setting it up. You should know when services go down.

Evaluate response times

  • How quickly are IT issues being addressed?
  • Are there recurring problems?
  • Is your IT support responsive?

Action: If issues consistently take too long to resolve, that's a conversation to have with your IT provider.

Business Continuity

Verify disaster recovery plan

  • What happens if your website goes down?
  • What happens if email stops working?
  • Who do you call? What's the process?

Action: Ensure you have contact information for IT support and know the escalation process.

Check dependencies

  • What IT services is your business dependent on?
  • What happens if each one fails?
  • Are there single points of failure?

Action: Identify critical services and ensure there are backup plans.

The Simple Quarterly Checklist

Print this and check it off every quarter:

  • ☐ Domain expiration dates verified, auto-renewal confirmed
  • ☐ Can log in to domain registrar, 2FA enabled
  • ☐ Website shows padlock, no security warnings
  • ☐ Website functional, forms working, mobile looks good
  • ☐ Email security (SPF/DKIM/DMARC) passing
  • ☐ Email accounts reviewed, former employees removed
  • ☐ Access control reviewed, unnecessary access revoked
  • ☐ Subscriptions reviewed, unused services canceled
  • ☐ DNS records checked, old records removed
  • ☐ No unresolved security incidents
  • ☐ Passwords updated for admin accounts
  • ☐ Backups verified as current and restorable
  • ☐ IT documentation updated
  • ☐ Dated IT snapshot created
  • ☐ No critical issues unaddressed

What to Do With Issues

When you find something concerning:

Critical (address immediately):

  • Domain about to expire
  • No padlock on website / security warnings
  • Can't access critical accounts
  • Email security failing
  • Former employee still has access

Important (address this quarter):

  • Old services still being paid for
  • Outdated DNS records
  • Documentation out of date
  • Backups not verified
  • No 2FA on admin accounts

Nice to have (address eventually):

  • Minor cleanup of old accounts
  • Performance optimizations
  • Improved documentation

Don't let perfect be the enemy of good. Fix critical items immediately, important items this quarter, and nice-to-haves when time permits.

The Bottom Line

A quarterly IT review takes 1-2 hours and catches problems before they become crises. You don't need to understand everything technically - you need to verify the basics are in place and working.

Mark your calendar for quarterly reviews. Use this checklist. Address issues as you find them. That's how you stay on top of your business's IT without it consuming your life.

Many owners only realize these gaps after something changes — a vendor leaves, a certificate expires, or an insurance renewal asks unexpected questions.

Explain My IT exists to create a dated, owner-readable record of what's visible from the outside — so you don't have to reconstruct this later.

Ready to see your IT setup?

🎯 Run your free snapshot → — See your current configuration in 60 seconds

📅 Want this monthly with full history? See Basic subscription → ($15/month)

Related reading:

Back to all articles