MCR Business Tech Solutions

Services

Managed IT

We Booked an IT Assessment. What Actually Happens in the 90 Minutes?

MCR Business Tech SolutionsMay 19, 20268 min read

Most owners we talk to in Mercer, Butler, and Lawrence counties have never sat through an IT assessment before, and the prospect of one feels like a dental cleaning crossed with a sales pitch. They are not sure what an IT assessment is supposed to cover, how long it actually takes, whether it costs money, or what they are agreeing to by booking one.

This post is the plain-English answer. If you have a 90-minute slot on your calendar next week labeled "IT assessment" and you have no idea what to expect, read this first. It walks the actual sequence of a real assessment for a 5 to 50-person business in Western Pennsylvania (or the bordering counties in Ohio, West Virginia, and western New York), what the assessor is doing during each block of time, and what should (and should not) show up in the written report at the end.

What is an IT assessment, and why does every MSP offer one?

An IT assessment is a 60 to 90-minute walk-through of your current technology environment, conducted by a managed IT services provider (an "MSP," the model where one company handles all of your tech for a flat monthly fee). The assessor inventories what you have, surfaces the risks that need attention this quarter, and leaves you with a written report you can act on with or without hiring them.

The reason every MSP offers one (including MCR Business Tech Solutions) is straightforward. A real conversation about IT support cannot start without a shared understanding of what is actually running in your office. Quoting managed IT without an assessment is like a contractor quoting a kitchen remodel without walking the kitchen. You can do it, but the number will be wrong, and the relationship starts with a renegotiation.

For the business owner, the assessment is the free version of due diligence. You learn what an MSP looks at, how they think, whether they explain things in English or in jargon, and whether their priorities line up with yours. You can hire them after, hire someone else after, or do nothing after. None of those outcomes are wrong.

How long does an IT assessment take, and is it really free?

The honest answer is 60 to 90 minutes on-site or over a screen-share, plus another 60 to 90 minutes of work by the assessor afterward to write the report. So roughly two to three hours of professional time, which most MSPs offer at no charge as the start of a sales conversation.

If a provider wants to charge you for an initial assessment, that is a yellow flag. The exceptions are narrow: a forensic post-incident assessment (after a confirmed breach), a regulatory readiness assessment (for SOC 2, HIPAA, or PCI audit prep), or a deep penetration test. Those are real engagements with real deliverables and they cost real money. A standard "let us see what you have" assessment should not.

The "free" comes with one fair expectation: the provider gets a real conversation about whether their service is a fit. That conversation may happen at the end of the assessment, or in a follow-up call a week later. You are under no obligation to say yes. You are under an obligation (politely) to give them a real answer either way, because a "let me think about it" that turns into six months of silence is the version of the conversation everyone hates.

What does the assessor actually look at during the 90 minutes?

The on-site or screen-share portion of the assessment usually covers six areas in roughly this order. None of it is exotic.

The credential and admin inventory: who has admin access to what, where the master password list lives, whether there is a password manager in use, what happens to those credentials when someone quits or gets terminated. This is the highest-risk surface in most small businesses and the assessor will spend real time here.

The Microsoft 365 or Google Workspace tenant: license count vs actual users, mailbox sizes, MFA enforcement state (turned on for which users), conditional access policies, SharePoint and OneDrive sharing settings, dormant accounts that still have licenses, and any external forwarding rules that should not be there. Most companies are paying for 5 to 15 percent more licenses than they need and are missing the right security policies on the licenses they have.

The endpoint inventory: how many workstations, how many laptops, who is using what, what operating system version each is on, whether antivirus or EDR (endpoint detection and response) is installed and reporting, whether disk encryption is on, whether the OS is past end-of-support. A 20-person law firm we assessed in Butler last year had three Windows 7 machines still running the file server share. Nobody knew.

The network: the firewall make and model, the firmware version, whether the firewall license is current, what ports are open to the public internet, whether the Wi-Fi has a separate guest network, whether the office still has any default vendor passwords on routers or switches. This is a quick look but a load-bearing one.

The backup state: where the backups are running, how often, what they cover (just files, or full system images), where they are stored (on-site, cloud, both), the last successful restore test (if any), and the documented recovery time objective. The honest answer for most small businesses is "I think we have a backup but I have no idea if it works." That is the answer the assessor expects.

The line-of-business stack: the accounting platform, the CRM, the practice management system, the EHR, the e-commerce platform, the phone system, whatever runs the business. The assessor is not auditing each application, just inventorying what they are and noting any that are out of support or out of license.

For a dental practice in Sharon or Hermitage, the line-of-business inventory is heavier (PMS uptime, HIPAA breach reporting workflow, the iPad at every operatory). For a financial-services firm or accounting practice in Butler, it is heavier on the regulatory and data-retention questions. For a manufacturer in the Shenango Valley, it pivots toward shop-floor PCs, ERP servers, and CAD workstations. The framing changes; the underlying six areas do not.

What questions should you be ready to answer?

To make the assessment productive, the office manager or owner should be ready to answer (or hand the assessor someone who can answer) a handful of questions. None require preparation, but knowing they are coming saves the back-and-forth.

How many full-time, part-time, and seasonal staff do you have, and how many are on a company-provided computer vs a personal one. What is the address of every office, retail location, or warehouse you operate (multi-site businesses change the answer on backup and network design). What regulatory regimes apply (HIPAA, PCI, financial-services rules, anything industry-specific). When was the last time you actually paid an IT bill, and what was the rough monthly or quarterly number. Who owns the relationship with your phone company and your internet provider. Has the business ever had a security incident, even a small one, and if so what happened.

If you do not know the answers to any of these, that is also fine. "I don't know" is useful data. The assessment is not a quiz.

What does the written report cover, and what should it not include?

A real written assessment report is somewhere between 6 and 20 pages. It should include an executive summary written in plain English (one page, readable by someone who has never touched IT), an inventory of what is running (the six areas above, in list form), a prioritized risk register (this quarter, next quarter, this year), and a recommended remediation roadmap.

What the report should not include is a quote on the front page for managed IT services before you have read anything else. If the cover of the report is a number with your name on it, that is a sales document with an assessment glued to the back. A real assessment leads with findings, recommendations, and a roadmap. The pricing conversation comes after, in a separate document or a separate meeting, once you have read the findings and decided whether you want to act on them.

The report should also be specific. "We recommend improving your security posture" is not a finding. "Your firewall is a SonicWall TZ300 running firmware 6.5.4, which is end-of-support as of November 2024; replacement budget is $1,200 to $1,800 plus configuration time" is a finding. Push back on any report that reads like the first version.

Is this a sales pitch in disguise?

The short answer is: it is the start of a sales conversation, and the assessor knows it, and you should know it too. The two-hour investment by the MSP is real, and they are making it because they think there is a fair chance you will become a client. Pretending otherwise is silly.

The longer answer is that the structure of the conversation matters more than the label. A good assessor spends 80 percent of the time asking questions and 20 percent making recommendations. A bad assessor flips that ratio and turns the meeting into a 90-minute product demo. If the first 20 minutes are about their company, their team, and their service tiers, the assessment is the pitch, not a prelude to one. End the meeting politely and call someone else.

The other tell: a good assessor will tell you if the work is too small for them, or too specialized, or too far outside their service area, and refer you elsewhere. A bad one quotes anything they can get a credit-card number for.

How do you tell a real assessment from a glorified quote?

Five quick checks. One, ask the provider how long the on-site or screen-share portion takes; if the answer is under 30 minutes, the assessment is too thin to be real. Two, ask whether the written report comes before or after the pricing conversation; the right answer is before. Three, ask who on their team is doing the assessment (a technical engineer or a salesperson with a checklist). Four, ask if you can keep the written report whether or not you become a client; the answer should be yes. Five, ask for a sample redacted report from a prior assessment; a real MSP can produce one in 24 hours.

If the provider hedges on any of these, you are looking at a sales call with assessment branding. There are 30 plus MSPs serving Western PA, and at least 8 of them do real assessments. Pick one of those.

What should you do with the report once you have it?

Three options, in roughly increasing order of speed.

Option one: read the executive summary, file the report, and do nothing for now. This is a defensible choice if your business is stable, you have no upcoming compliance deadline, and the risks in the report are all yellow rather than red. The report still has value as a snapshot you can compare against in 12 months.

Option two: cherry-pick the top 3 risks from the prioritized list and act on those, with or without the MSP that did the assessment. Most assessments surface 2 or 3 items that need attention this quarter regardless of who handles them (turning on MFA universally, replacing an end-of-support firewall, fixing a broken backup). Handle those; circle back to the rest later.

Option three: use the report as the scoping document for a managed IT engagement. This is the path the MSP is hoping you pick, and it is the right path for most businesses under 50 employees. The report becomes the first 90-day plan, and the recurring monthly service handles everything else.

Whichever option you choose, the report is yours. Keep a copy. The next time someone asks you what your IT environment looks like (your cyber liability insurer, your accountant, your auditor, the next MSP you talk to), you will have a real answer instead of "I am not sure."

If you operate a 5 to 50-person business in Mercer, Butler, Lawrence, Crawford, Erie, Allegheny, Washington, or Westmoreland county in Pennsylvania (or Trumbull, Mahoning, or Columbiana county in Ohio), MCR Business Tech Solutions runs a no-cost 90-minute IT assessment for businesses in your size range, with a written report you keep whether or not we end up working together. Call 833-859-9021 or request an IT assessment. The first call is a conversation about what you have and what concerns you, not a sales pitch.

it assessmentmanaged it servicessmall business itwestern pamspwhat to expect

Talk to us

Ready for IT
that just works?

No commitment. No sales pitch. Just a straightforward conversation about your tech.

Call 833-859-9021Get Assessment