An MSP audit isn’t an interrogation—it’s a structured evaluation of whether your IT support delivers what you’re paying for. But like any evaluation, the quality of answers depends on asking the right questions.
Many businesses approach audits passively, accepting whatever information their MSP volunteers. That’s a mistake. The questions you ask—and how you follow up on answers—determine whether your audit produces actionable insights or comfortable reassurances.
These seven questions form the foundation of an effective MSP audit. Each one probes a different aspect of your IT support relationship, and each one separates providers who are genuinely serving you from those who are merely collecting payments.
1. “Can You Show Me Exactly What Services We’re Receiving?”
This seems obvious, yet many businesses can’t answer it themselves. Your MSP should be able to produce a clear, current list of every service they’re providing—not what’s in the contract, but what’s actually happening.
What You’re Looking For
A comprehensive inventory should include:
- All devices under active monitoring and management
- Security tools deployed and their current status
- Backup systems, schedules, and verification results
- Software licenses managed through the MSP
- Ongoing maintenance tasks and their frequency
- Strategic services (virtual CIO, technology planning, compliance support)
Red Flags
- Vague answers that reference the contract rather than current reality
- Inability to produce an inventory without significant preparation time
- Services listed on invoices that don’t appear in the operational inventory
- Gaps between what you thought you were getting and what’s documented
Follow-Up Questions
“For each service, can you show me evidence it’s actively occurring?” Monitoring should have dashboards. Backups should have logs. Security scans should have reports. Claims without evidence are just claims.
2. “What Were Our Response and Resolution Times Last Quarter?”
SLA compliance isn’t something to take on faith. Your MSP tracks this data—whether they share it proactively is another matter. Request specific metrics, not summaries.
What You’re Looking For
Ask for a breakdown showing:
- Number of tickets by priority level
- Average and worst-case response times for each priority
- Average and worst-case resolution times for each priority
- SLA compliance percentage by category
- Trend comparison against previous quarters
Red Flags
- Aggregated numbers only, without priority-level detail
- Response times reported without resolution times
- Inability to provide historical comparisons
- Numbers that don’t match your own experience
Follow-Up Questions
“For tickets that missed SLA targets, what were the causes?” This reveals whether misses were anomalies or patterns, and whether the MSP is learning from failures.
3. “What Security Incidents Have We Experienced, and How Were They Handled?”
Security incidents happen to every organization. What matters is detection, response, and improvement. Your MSP should maintain a security incident log and be prepared to discuss it.
What You’re Looking For
A transparent review should cover:
- Detected threats (malware, phishing attempts, unauthorized access attempts)
- How each threat was identified (automated detection, user report, audit)
- Response actions taken and timelines
- Root cause analysis and preventive measures implemented
- Any incidents that resulted in actual breach or data exposure
Red Flags
- “We haven’t had any incidents” (this is almost never true and suggests poor detection)
- Incidents discovered by you or your staff rather than by the MSP
- Lack of documentation or inability to discuss specifics
- No evidence of post-incident improvements
Follow-Up Questions
“What proactive security measures have you implemented in the past year?” Security isn’t just incident response—it’s continuous improvement. Ask about new tools deployed, configuration hardening, user training, and policy updates.
4. “Are Our Backups Actually Working?”
Backup systems that haven’t been tested don’t actually work—they just create the illusion of protection. Verification requires more than green status lights on a dashboard.
What You’re Looking For
Comprehensive backup verification includes:
- Backup job completion records (not just “running” but “verified successful”)
- Test restoration results—actual files recovered to confirm backup integrity
- Recovery time demonstrations—how long does it actually take to restore?
- Offsite backup verification for disaster recovery scenarios
- Coverage confirmation—are all critical systems included?
Red Flags
- Backup “success” based only on job completion without restoration testing
- No documented test restorations in the past quarter
- Gaps in backup coverage that weren’t disclosed
- Backup failures that occurred without notification to you
Follow-Up Questions
“If we had a complete system failure today, how long until we’re operational?” This recovery time objective (RTO) question reveals whether your backup strategy matches your business needs.
5. “What Does Our Environment Look Like Compared to Best Practices?”
Your MSP isn’t just supposed to keep things running—they’re supposed to keep things secure, efficient, and appropriately modern. Ask for an honest assessment of where you stand.
What You’re Looking For
A candid assessment should address:
- Hardware approaching end-of-life or end-of-support
- Software versions that need updating
- Security configurations that could be stronger
- Compliance gaps if you’re in a regulated industry
- Architecture issues that create risk or inefficiency
- Areas where technology could better support business goals
Red Flags
- “Everything looks great” with no qualifications (no environment is perfect)
- Recommendations that always involve buying more services from the MSP
- Lack of industry benchmark comparisons
- Defensiveness about questions regarding infrastructure quality
Follow-Up Questions
“If you were starting from scratch, what would you do differently?” This hypothetical reveals problems they’ve accepted rather than solved, and opportunities they haven’t prioritized.
6. “How Are You Helping Us Plan for the Future?”
Reactive support—fixing problems as they arise—is necessary but insufficient. A good MSP relationship includes proactive planning that anticipates needs before they become emergencies.
What You’re Looking For
Strategic engagement should include:
- Technology roadmap aligned with your business plans
- Budget forecasting for hardware refresh cycles
- Recommendations for efficiency improvements or cost savings
- Regular strategic reviews (quarterly or more frequently)
- Awareness of upcoming changes that affect your environment (vendor end-of-support, compliance requirement changes)
Red Flags
- No documented technology roadmap or strategic plan
- Surprise expenditures that could have been anticipated
- Reactive stance—always responding to problems rather than preventing them
- Lack of familiarity with your business goals and priorities
Follow-Up Questions
“What technology changes should we budget for over the next 18 months?” An MSP engaged in your success can answer this specifically. One just collecting fees will give vague responses.
7. “Where Are We Spending More Than Necessary?”
This question tests whether your MSP views themselves as your partner or just your vendor. A partner helps you optimize spending. A vendor maximizes billing.
What You’re Looking For
Honest cost optimization advice might include:
- Licenses you’re paying for but not using
- Services that overlap or duplicate each other
- Hardware that could be consolidated or virtualized
- Processes that could be automated to reduce support burden
- Contracts that could be renegotiated or replaced
Red Flags
- Defensiveness about current spending levels
- “You need everything you have” with no specifics
- Suggestions that all cost reductions would compromise service quality
- Inability to identify any optimization opportunities
Follow-Up Questions
“If we needed to reduce IT spending by 15%, where would you start?” The answer reveals their understanding of what’s essential versus what’s optional in your environment.
How to Use Audit Findings Effectively
Questions are the beginning, not the end. What you do with the answers matters more than the questions themselves.
Document Everything
Create a written record of questions asked, answers received, and evidence provided. This documentation serves multiple purposes: tracking commitments, identifying patterns over time, and providing evidence if disputes arise.
Verify Claims Independently
When your MSP claims 99.5% SLA compliance, cross-reference against your own records. When they report successful backups, request test restoration evidence. Trust but verify.
Establish Improvement Expectations
If the audit reveals problems, document specific improvements expected and timelines for achieving them. Follow up systematically to confirm that commitments become reality.
Use Findings in Contract Discussions
Audit results provide leverage during renewals. Strong performance justifies continued partnership. Documented problems justify demanding improvements, credits, or considering alternatives.
The Audit Mindset
Effective MSP audits require a mindset shift from passive customer to active evaluator. You’re not being difficult when you ask pointed questions—you’re being responsible.
Your MSP may initially react defensively to audit scrutiny. A good provider will recognize that your engagement reflects investment in the relationship. They’ll welcome the opportunity to demonstrate their value with evidence rather than assurances.
A provider who resists transparency, answers vaguely, or can’t produce basic performance data is telling you something important. That information is just as valuable as positive audit findings—it helps you understand whether this relationship deserves to continue.
Every business deserves an MSP that delivers what they promise, responds when needed, protects what matters, and helps plan for the future. These seven questions help you determine whether that’s what you have—or whether it’s time to find a partner who will.