Your IT Audit: What You Must Do, What You Should Do and What You Could Do

Neil Limbrick is an independent consultant who has worked in an IT Strategy Role with MATs and Schools for over 20 years. He is currently working with over 100 different networks through theEducationCollective, made up of 10,000 individuals in over 5,000 schools.

IT is a massive area and understanding what you need to audit and how you should go about it is equally massive. In this blog, Neil uses his considerable expertise to help you focus your attention on the areas you should be concentrating on and signposts some of the resources that can really help you. The emphasis is on practical cost-effective advice. Neil also did a fantastic webinar with us on this very subject which you can watch here.

What You Must Do

There are four key areas of external compliance which all schools must comply with:

  • Website requirements
  • DfE standards
  • Health and Safety
  • GDPR

Website Requirements

Depending on whether you are an academy or a maintained school, there are certain things that must be on your website:

  • Governor / Trustee Information
  • Admission Arrangements
  • School Uniform
  • Ofsted Reports
  • Exam, Assessment and Performance Measures
  • School Opening Hours
  • Curriculum
  • Policies and Procedures
  • Premiums
  • Financial Information

The government has put together some useful checklists and they can be accessed online.

There are companies that will audit your website for you. If you are a school in special measures or have an imminent Ofsted inspection or quite simply have disgruntled parents then it is a good idea to spend some money in this area to ensure that your website is delivering and is compliant. Ofsted will look for very specific points and it can have an impact on the outcome of your report.

DfE Standards

The DfE does have standards on the following key areas, with more to follow:

  • Broadband and Internet Standards
  • Switch Standards
  • Network Cabling Standards
  • Wireless Network Standards
  • Cyber Security Standards
  • Filtering and Monitoring Standards
  • Cloud Solution Standards
  • Servers and Storage Standards

Further detail can be found at

It is a little unclear how they will enforce the standards, as they are listed as “guidelines”. However, you should be aware that if you are having financial issues which result in DfE scrutiny, the DfE will look at your IT provision and questions will be asked if it does not meet the standards listed in the guidelines.

Health and Safety

Guidelines for staff working on computers cover the following 6 areas:

  • Keyboards
  • Mouse / Trackball
  • Display Screens
  • Software
  • Furniture
  • Environment

For further detail on this and a link to the HSE workstation checklist you can go to This covers what you need to do and provides a document that can be used as a self-assessment tool to audit your workplace.

If people are working from home, they should also be compliant with this guidance. While you are not responsible for staff working from home, you should make them aware of the guidelines and inform them that they should be compliant. Again, they can use the HSE checklist.


GDPR

Key areas that you need to audit in relation to GDPR are how or why you are holding data, specifically:

  • Where your data is located
  • Why you are holding it / whether you should be
  • A list of all third parties with which you share data
  • A list of all people who have access to your organisation’s data and their role
  • An understanding of how you process data and why

What You Should Do

Cyber security is a strand that runs through all elements of IT and it is not a specific standalone audit requirement. However, it is an area that you should be looking at, ensuring that your data and the way that you manage data are safe and secure. There are some excellent tools available that help you do this and simplify the audit process, namely Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials is a self-assessment tool which asks you a number of basic, straightforward and non-technical questions that interrogate how you safeguard your information. It is government backed and it will help protect you against a number of the most common cyber-attacks. You should be carrying it out annually. It does not take a lot of time to do but what comes out of the assessment may require time to put right. It is recommended that you have 1 or 2 people doing this and preferably one person should be involved in IT.  

You can also go for Cyber Essentials Plus which would involve an external person coming into the school to do it for you. If you pass then you would have government backed insurance free of charge and you would be able to publicise that you are an accredited organisation. It can be quite expensive to go through the process: between £800 and £1,000. Generally, for your purposes the basic Cyber Essentials is enough.

The five areas Cyber Essentials addresses are:

  • Firewalls
  • Secure configuration
  • Security update management
  • User access control
  • Malware protection

The government’s National Cyber Security website also has guidance for public sector bodies with checklists and questions that you can use to test your resilience and readiness in the face of a cyber-attack which will help you to understand your weaknesses. This help is free of charge.

What You Could Do

Use of IT

There are a number of key areas that you can audit to ensure that the equipment you have is usable and crucially is being used.

  • For example, take a snapshot of how smartboards are being used
  • Typical pupil interaction – Pick a typical timetable e.g. a year 7, 9 and 12 child and look at how many times in the week they are interacting with a computer. There may be some classes using them all the time and others not using them at all. This often depends on the teacher and the timetable.

Effectiveness of Administration

The least amount of money is spent on administration but it is the most crucial area for the SBM. If mistakes are made and the system is not efficient it can cost money. A good audit of the administrative side will save money in the long term and could stop you from inputting information twice and holding data you do not need to.

User feedback

It is always a good idea to ask parents how they feel about communications. It could be you are not reaching people and they may feel disenfranchised. Staff are key users of technology in your schools and they need to be listened to and will have valid suggestions on improvements.

GDPR audits

GDPR audits should be done regularly to understand what data you are holding, where it is and whether you should still be holding it. For example, you may still have course work from students who left 10 years ago and keeping hold of this will cost money to back up and hold.

And Finally… How To Evaluate Your MIS

If you want to look at how effective your MIS is, then I would recommend you evaluate it based on three key stages which can be applied to any part of your system, from how your email is working to how you network your computers. At any point you could find yourself somewhere along this scale:

  1. Crisis management: Instead of using the system correctly, you are spending most of your time just trying to make it work.
  2. Stable and reliable: Your system is doing what you paid for. You are comfortable with it, you do not have to think too hard about using it as it does the basics.
  3. Value Added: The holy grail of IT and where you ideally want to be. You are probably not using all the features that you can and, as a result, you are not working it to its maximum potential. This is true of any IT provision. When you are closer to Value Added you can get rid of your third party tools thus saving time and money.
