Midyear Reality Check: What's Actually Slipping Inside Your Systems
January felt controlled.
Now it's July, and things have drifted.
Access got handed out fast so jobs didn't stall.
Tools got added to fix problems in the moment.
People moved roles. Vendors got layered in.
Nothing looks broken.
That's the problem.
Most risk doesn't come from what's broken. It comes from what changed and
never got cleaned up.
Where This Starts to Hurt
This is where it usually shows up.
A bid file can't be found when you need it.
A plan version doesn't match what the field is building from.
A change order can't be traced cleanly.
Now you're not fixing a system.
You're trying to defend decisions with incomplete records.
In construction, your systems aren't just operational.
They're what protects you when someone asks questions you have to answer.
Where to Act First (If You Only Have 2 Hours)
Start where failure actually happens.
Tier 1 — Immediate Risk
- Admin access
limited to 2-3 people
- No former
employees active in core systems
- Backup recovery
tested within the last 90 days
This is where most companies get burned.
Admin access is almost always higher than it should be.
And the most common failure point isn't backups—it's recovery.
Tier 2 — Control Gaps
- One named
internal owner per system
- Ownership
includes access, data, and resolution
- Escalation is
defined before something breaks
Tier 3 — Visibility and Efficiency
- One source of
truth for plans, bid files, and change orders
- Systems aligned
across estimating, project management, and accounting
- Field-to-office
data flows without workarounds
What Good Looks Like (No Guessing)
You don't need opinions. You need standards.
- Admin access
reviewed monthly
- Maximum 3
admins across critical systems
- Backup recovery
tested quarterly
- Critical
systems recoverable in under 4 hours
- One named
internal owner per system
- Zero active
project files stored on desktops
- Version control
enforced—no duplicate plan storage
If you can't confirm these quickly, you're running on assumptions.
How to Run the Audit
Keep it simple.
- Export user
access from Procore, SharePoint, Microsoft 365, and accounting
- Compare against
your current employee list
- Flag access
that shouldn't exist
- Assign a named
owner for each system
- Ask: "If this
fails, who leads?"
- Request proof
of backup recovery testing
- Document
everything in one place
You're not fixing yet.
You're getting visibility.
What to Fix First After the Audit
This is where most companies slow down.
Don't.
If admin access is bloated
- Remove all
admin roles immediately
- Reassign to 2-3
people
- Put an approval
process in place
If backup recovery hasn't been tested
- Run a full
restore test within 7 days
- Record actual
recovery time
- Compare it to
what your jobs can tolerate
If ownership is unclear
- Assign one
internal owner immediately
- Do this before
touching anything else
- That person
owns the outcome
No owner means no control.
Mini Playbooks (From Gap to Fix)
Access Issue → Fix
- Remove all
admin access
- Reassign to
limited users
- Tie permissions
to roles
- Document
approval path
Backup Issue → Fix
- Run full
restore test
- Measure
recovery time
- Validate
against downtime limits
- Adjust setup if
needed
Ownership Issue → Fix
- Assign one
owner
- Define
responsibility clearly
- Confirm
escalation path
This isn't optimization.
It's stabilization.
What This Looks Like Over 30 Days
This moves faster than most expect.
Week 1 — Visibility
Run the audit. Identify gaps.
Week 2 — Access + Ownership
Lock down admin access. Assign owners.
Week 3 — Backup Validation
Run recovery tests. Document results.
Week 4 — System Cleanup
Align data. Remove duplicates. Fix workflows.
Clear. Direct. Defensible.
911 IT Midyear Risk Model
Everything rolls up to four areas:
- Access control
- Backup and
recovery
- Ownership
clarity
- System
alignment
If one is weak, risk builds quietly.
If two are weak, operations start to feel it.
If three are weak, it shows up when something goes wrong.
Midyear Systems Audit Scorecard
Mark each as Green, Yellow, or Red.
Access Control
- Admin access
limited and reviewed
- No former
employee access
- Role-based
permissions enforced
Backup and Recovery
- Recovery tested
and verified
- Recovery time
documented
- Clear owner
assigned
Ownership Clarity
- One owner per
system
- Escalation
defined
- No vendor
confusion
System Alignment
- One source of
truth for plans
- No duplicate
storage
- Reliable
field-to-office sync
More than two Red sections means you're carrying avoidable risk.
Look at This Like an Auditor Would
If someone had to step into your business tomorrow, they wouldn't care
how busy it's been.
They would ask for proof.
Who has access—and why
When recovery was last tested
How fast you can restore
Who owns each system
If those answers aren't immediate, that's exposure.
Where This Actually Goes Wrong
A project manager leaves in February.
Their access to Procore, SharePoint, and estimating tools stays active.
In April, a change order dispute hits.
There are three versions of the same document—email, SharePoint, and
someone's desktop.
No clean audit trail. No version history you can stand behind.
Now legal is involved.
And instead of proving what happened, your team is trying to rebuild it.
Nothing broke.
But the system wasn't tight enough to defend you.
What To Do Next Week
Block 30 minutes.
Pull in whoever touches your systems.
Run the scorecard and mark every Yellow and Red.
Don't fix anything yet.
Just get clear.
Take the Next Step
Schedule your 10 minute discovery call with 911 IT. We'll walk through
your systems against this model and show you exactly where risk is sitting.
You'll leave knowing what needs attention now.
