Technician inspects and repairs messy computer setup while system shows error and secure system check completes.

6 Questions Smart Companies Ask Their IT Provider Every Quarter

July 13, 2026

6 Questions Smart Companies Ask Their IT Provider Every Quarter

Most technology failures don't begin with an outage.

They begin with a leadership assumption.

If you're responsible for protecting client data, keeping employees productive, satisfying compliance requirements, and ensuring the business keeps running, one of the most dangerous assumptions you can make is this:

"Everything must be fine because nothing has broken."

In my experience, major disruptions rarely happen because a company ignored a flashing red warning light. They happen because small risks were allowed to sit unnoticed for months.

A quarterly IT review isn't about finding what's broken.

It's about finding what's about to break.

The organizations that avoid costly downtime, failed audits, security incidents, and productivity losses aren't necessarily spending more on technology.

They're asking better questions.

Question #1: What Security Risks Need Immediate Attention?

Every business has vulnerabilities.

The question is whether someone is actively looking for them.

Ask your IT provider:

  • What are our top three security risks today?
  • Which systems still need security updates?
  • Have there been suspicious login attempts?
  • Are any user accounts creating unnecessary risk?
  • What recommendations remain unresolved?

Red Flag vs. Green Flag

Question: What security risks do we need to address?

Strong Answer

"We identified four accounts without multi-factor authentication, two critical security updates that need installation, and several failed login attempts that require monitoring. Remediation is scheduled."

Weak Answer

"Everything looks secure."

Real security conversations involve evidence, priorities, and action plans.

Not reassurance.

Question #2: Have Our Backups Been Tested Recently?

Most companies believe they have a backup strategy.

What many actually have is backup software.

Those are not the same thing.

A backup only matters if it can restore operations when the business needs it.

Ask:

  • When was the last recovery test completed?
  • How long would it take to restore operations?
  • How much data could potentially be lost?
  • Are cloud applications included?
  • Are backups protected from ransomware?
  • Who has verified recovery procedures?

Know These Two Numbers

Recovery Time Objective (RTO)

How long your organization can operate without critical systems.

Recovery Point Objective (RPO)

How much data loss your business can tolerate.

If your IT provider cannot clearly explain both numbers, there is a good chance your recovery strategy has blind spots.

Red Flag vs. Green Flag

Strong Answer

"Recovery testing was completed this quarter. Systems were restored successfully. Microsoft 365 data is included and immutable backups are active."

Weak Answer

"Backups run every night."

One answer demonstrates preparedness.

The other demonstrates hope.

Question #3: Where Is Technology Slowing Down Our Team?

The most expensive technology problems often look harmless.

An application loads slowly.

A file takes too long to open.

A video meeting freezes.

Employees log in multiple times each day.

No individual issue feels significant.

But together they become incredibly expensive.

The Cost of Tiny Delays

Imagine a company with 25 employees.

If each employee loses just 20 minutes every day because of technology friction:

  • More than 8 hours are lost daily
  • More than 40 hours are lost weekly
  • More than 2,000 hours are lost annually

That's roughly the equivalent of a full-time employee's annual productivity disappearing into slow systems and inefficient processes.

Ask your provider:

  • What recurring complaints are we seeing?
  • Which systems create the most delays?
  • Are we outgrowing our infrastructure?
  • What should be optimized, replaced, or upgraded?

Technology should remove friction.

Not create it.

Question #4: Are We Still Compliant?

Many organizations treat compliance as an annual event.

The reality is that compliance is a continuous process.

Requirements evolve.

Security standards change.

Insurance carriers raise expectations.

Auditors ask new questions.

Ask your provider:

  • Have compliance requirements changed?
  • Are there documentation gaps?
  • Are employee training requirements current?
  • Are security controls still sufficient?
  • Has our cyber insurance posture changed?

Questions by Industry

Healthcare

  • Are access reviews being completed?
  • Can critical systems remain available during an incident?
  • Is sensitive information adequately protected?

Financial Services

  • Are regulatory controls documented?
  • Are retention requirements being met?
  • Are access permissions reviewed regularly?

Professional Services

  • Are client files properly protected?
  • Are collaboration tools secured?
  • Are confidentiality requirements being enforced?

Manufacturing

  • Are production systems protected?
  • Can operations recover from a technology disruption?
  • Are critical networks properly segmented?

The Boardroom Test

Imagine your executive team asks four simple questions tomorrow morning:

  1. How long would recovery take after a ransomware event?
  2. When was the last successful backup restoration test?
  3. Are we ready for our next audit?
  4. What is our biggest unresolved technology risk?

Could your organization answer all four immediately?

If not, the issue is no longer technical.

It's operational.

Question #5: What Should We Budget For Next Quarter?

Technology expenses should rarely surprise leadership.

Strong IT providers identify upcoming costs before they become emergencies.

A quarterly review should cover:

  • Aging hardware
  • Warranty expirations
  • Software renewals
  • Security improvements
  • Infrastructure upgrades
  • Capacity planning

Red Flag vs. Green Flag

Strong Answer

"Several systems are approaching replacement age. Warranty coverage expires next quarter, and budget planning should begin now."

Weak Answer

"We'll let you know if something comes up."

Good planning prevents emergencies.

Poor planning creates them.

Question #6: Where Are We Falling Behind?

This is where average providers separate themselves from strategic partners.

Most IT providers discuss today's problems.

Great providers discuss tomorrow's risks.

Ask:

  • What opportunities are we missing?
  • What should be automated?
  • Have security standards evolved?
  • What are similar organizations doing differently?
  • What emerging threats should we prepare for now?

The businesses that continuously improve rarely become tomorrow's cautionary tale.

How One Company Avoided a Major Outage

A professional services company with approximately 70 employees completed a routine quarterly technology review after noticing occasional performance issues.

Nothing appeared urgent.

Employees could still work.

The business was still operating.

During the review, infrastructure monitoring revealed increasing errors on a storage system supporting critical business data.

The hardware had not failed.

Yet.

Further testing showed the issue was progressively worsening.

The system was replaced during a planned maintenance window.

Several weeks later, follow-up diagnostics confirmed the component likely would have failed under normal production workloads.

Because the issue was discovered during a quarterly review:

  • Operations continued uninterrupted
  • Employees experienced no downtime
  • Data remained protected
  • Emergency replacement costs were avoided

The most valuable technology discoveries happen before they become incidents.

What Great Providers Report Every Quarter

A meaningful quarterly review should include four categories:

Security Findings

  • Vulnerabilities discovered
  • Security updates completed
  • Outstanding risks
  • Account protection status

Backup Validation

  • Last recovery test
  • Recovery success rate
  • Recovery time achieved
  • Coverage verification

Compliance Updates

  • New requirements
  • Policy changes
  • Documentation gaps
  • Employee training needs

Infrastructure Health

  • Aging systems
  • Warranty expirations
  • Capacity concerns
  • Recommended improvements

If leadership isn't receiving this type of information, visibility into technology risk is limited.

Leadership Dashboard: Metrics Every Executive Team Should Review

Metric

Minimum Standard

What Great Looks Like

MFA Adoption

95%+

100% with advanced access controls

Patch Compliance

Critical updates completed

Automated validation and reporting

Backup Success Rate

Restorable backups

Tested recovery with documented results

Security Findings

Reviewed quarterly

Tracked through completion

Asset Lifecycle

Replacement plan exists

Multi-year roadmap maintained

Audit Readiness

Documentation available

Documentation verified quarterly

Executives don't need more technical details.

They need measurable visibility.

Quarterly IT Health Scorecard

Score each category:

Green = 2 Points

Yellow = 1 Point

Red = 0 Points

Category

Green

Yellow

Red

Security

Protection fully implemented

Minor gaps

Significant gaps

Backups

Tested quarterly

Tested occasionally

Never tested

Compliance

Current and documented

Some gaps

Unknown status

Hardware

Modern systems

Aging systems

End-of-life systems

Productivity

Minimal complaints

Recurring issues

Constant disruption

Recovery Readiness

Validated regularly

Partial testing

Never verified

Scoring Results

Score

Meaning

10-12

Healthy

6-9

Moderate Risk

0-5

Immediate Review Needed

What Good Looks Like vs. What Great Looks Like

Area

Good

Great

Security

MFA enabled

MFA plus advanced access controls

Backups

Quarterly testing

Quarterly testing plus immutable recovery

Compliance

Documentation exists

Documentation reviewed every quarter

Recovery

Written recovery plan

Tested and measured recovery capabilities

Reporting

Risks identified

Risks tracked through resolution

IT Provider

Fixes problems

Prevents future business risk

Your Next-Week Action

Pull out your most recent IT review.

Highlight every recommendation that remains unresolved after 90 days.

Those unresolved items often represent the greatest hidden risk inside the organization.

Final Thought

The businesses that consistently avoid costly outages, failed audits, productivity losses, and security incidents are rarely the lucky ones.

They're the ones asking the right questions before problems occur.

Schedule your 10 minute discovery call with 911 IT.

We'll walk through the scorecard and identify where operational, security, and compliance risks may exist. This helps confirm whether these risks apply to your business—and it only takes 10 minutes.