IT audit: Laying the foundations for a smart system evaluation

IT audit: 9 critical areas to evaluate in your IT system (Part 1)

Start your audit where it matters most: uncover how your system supports the business, which technologies it relies on, and how complex it really is.

it support

25 February 2025

Senior AI Application Engineer

Let’s turn your IT audit into a clear roadmap for smarter operations and long‒term growth!

9 key areas to examine in an IT audit for optimal system performance

When transferring the operation and development of software systems—or during company acquisitions—the need for IT system audits frequently arises. But what exactly does this process entail? Why is it important? And how should one envision an audit of this kind? In our three-part series, we outline 9 critical areas that should be examined during an IT audit. In this first instalment, we focus on 3 key aspects: the documentation of system functionality and business processes, mapping the technologies in use, and estimating software size.

Content: The first 3 steps of an IT audit

Why bother with an IT audit? Here’s what you gain

When taking over the operation and further development of a legacy system, it is essential to gain a clear understanding of its complexity, strengths, and weaknesses. This allows for an accurate estimation of the effort and costs associated with maintenance and future development.

An IT audit uncovers technical, operational, and legal factors, demonstrating that software transition is far more than just handing over the source code. In practice, it is crucial to update key documentation, assess security risks, and review business requirements and SLA expectations. A well-structured audit ensures that concrete plans are in place from the beginning of the transition, helping to prevent future issues such as technical debt or data protection gaps.

Although an audit requires time and resources, it lays a solid foundation upon which the client and the service provider can confidently build their contract and collaboration.

By gaining a comprehensive view of the system’s current state, potential risks, and necessary improvements, both parties can avoid disputes and unexpected costs. In the long run, this approach not only offers financial benefits but also strengthens partnerships, which is essential for the continuous and successful operation of the software.

Multiple aspects need to be examined to thoroughly assess a software system. An IT audit should consider the following 9 key areas.

1. Understanding functionality and business processes

A critical aspect of an IT audit is assessing how well the system’s functionality and business processes are documented. Clear and up-to-date documentation significantly aids in understanding the expected behaviour of the software, as it is built to support specific business requirements.

Any existing business documentation that is well-maintained can be a valuable resource during the audit.

However, if documentation is incomplete or entirely missing, the next step is to determine whether anyone within the company is still available who was involved in the software’s development or the definition of business requirements. If key individuals are still employed, interviews and discussions with them can provide crucial insights into the system’s intended operation and may even facilitate the reconstruction of missing documentation.

If no internal experts remain, the only option is to analyze the source code to map out the system’s functionality. This approach, however, often leads to challenges such as distinguishing whether a particular implementation is a feature or a bug.

2. Assessing the technologies in use

A thorough understanding of a software system’s technological stack begins with identifying the programming languages, databases (both SQL and NoSQL), and message queue solutions in use. Additionally, it is crucial to examine the versioning and support status of these technologies in alignment with the software’s lifecycle plans—for example, whether security updates are still available for the versions in use.

Using outdated or unsupported versions poses security risks and can hinder development by restricting the adoption of newer frameworks and libraries. In such cases, it is advisable to plan for version upgrades as early as the transition phase to avoid future roadblocks.

Another key aspect is evaluating the availability and cost of skilled professionals for the given technologies, both internally and in the job market. For instance, finding developers experienced in Delphi can be challenging, and even within the company, there may be little interest in acquiring expertise in such a niche area. Similarly, hiring a PHP developer versus a senior Java developer may come with vastly different salary expectations. Resources such as LinkedIn Talent Insights, Glassdoor Salary Insights, Stack Overflow Developer Survey, or GitHub Trends can provide valuable data for this assessment.

Finally, every programming language, framework, library, and tool should be reviewed for licensing requirements to ensure compliance. If any commercially licensed technology is in use, it is critical to define in the operations contract who will bear the associated costs. Ignoring these factors can lead to unexpected expenses or legal complications down the line.

Don’t just audit. Reclaim control.

Your digital product deserves more than patchwork. Our IT audits reveal the weak spots, so you can evolve with confidence, not guesswork.

Get your project back on track

3. Estimating the size and complexity of an IT system

Gaining a clear understanding of a system’s size and complexity is crucial for accurately estimating the resources required for maintenance and further development. Software size can be assessed using quantitative metrics, which are relatively easy to generate but provide only an approximate overview. In contrast, complexity analysis offers a more precise understanding of the system’s structure and maintainability, though it requires significantly more effort.

Analyzing quantitative metrics

When estimating software size, many immediately think of the Lines of Code (LOC) metric. While LOC can be generated relatively easily from the codebase and serves as a useful starting point, it can be misleading in terms of complexity.

Version control systems can also provide insights into codebase size and modularity, offering a broader perspective on the software’s structure. Additionally, other quantitative indicators can be useful in the initial assessment, such as data-related metrics (The number of databases, tables, and their interrelationships) or infrastructure metrics(The number of physical or virtual servers, or the count of containers in a containerized environment).

Analyzing software complexity

Beyond assessing software size, evaluating complexity is crucial for realistically estimating maintenance and development efforts. By considering both size and complexity, organizations can establish a solid foundation for planning future tasks.

To map out system complexity, various static and dynamic code analysis tools can be utilized. These tools analyze the codebase and runtime behaviour, generating key complexity metrics. Some widely used static code analysis tools include: SonarQube, Codacy, Deepsource, JetBrains Qodana.

Measuring and evaluating Cyclomatic Complexity (CC)

One of the most commonly used metrics for assessing software complexity is Cyclomatic Complexity (CC), which measures the logical complexity of code based on the number of decision paths (branches) in the program. This metric can be calculated at different levels, including the entire codebase, individual modules, classes, or even functions.

The general CC scale is as follows:

1–10: Low complexity – The code is easy to understand and maintain.
11–20: Moderate complexity – Still manageable but requires careful handling.
21–50: High complexity – Refactoring is recommended to improve readability and maintainability.
51+: Extreme complexity – Code restructuring is strongly advised, as it becomes difficult to comprehend and maintain.

Halstead metrics

The Halstead metrics provide a way to quantify code complexity and readability based on the number of operators and operands in the code.

Basic measures:

n₁ = Number of unique operators
n₂ = Number of unique operands
N₁ = Total occurrences of operators
N₂ = Total occurrences of operands

Derived metrics:

Program vocabulary (n) = n₁ + n₂
Program length (N) = N₁ + N₂
Volume (V) = N × log₂(n)
Difficulty (D) = (n₁ / 2) × (N₂ / n₂)
Effort (E) = D × V
Estimated implementation time (T) = E / 18 (in seconds)
Bug rate (B) = V / 3000

Interpretation of volume (V) values:

Low volume (~under 1000) → Easily understandable and maintainable
Medium volume (~1000–3000) → Moderate complexity, readability should be monitored
High volume (3000+) → Difficult to maintain, refactoring recommended

Code coupling, cohesion, and dependency graph metrics

Coupling (Interdependency between modules):

Coupling measures the degree of dependency between classes and modules.

High coupling makes it difficult to modify individual modules independently, complicating bug fixes and further development while increasing turnaround time.
Low coupling improves modularity, making the system easier to maintain, extend, and test.

Cohesion (Internal consistency within modules):

Cohesion evaluates the internal dependency of a class or module.

High cohesion indicates that a module is well-structured, handling a single, well-defined responsibility, which makes it easier to maintain and understand.
Low cohesion suggests that a module contains unrelated functionalities, leading to poor code organisation and reduced maintainability.

Dependency graph metrics

A dependency graph visualizes the relationships and dependencies between system components and modules, offering insights into the overall complexity of the software.

Systems with clear, acyclic dependencies are generally easier to scale and modify.
Cyclic dependencies create architectural bottlenecks, making the system harder to scale and increasing operational risks.

The previously mentioned static code analysis tools can assist in defining and evaluating these metrics. By comparing the results obtained from these tools, a more accurate assessment of the system’s size and complexity can be achieved. This, in turn, facilitates the development of more effective maintenance and development strategies, ensuring that resource allocation and long-term planning are based on data-driven insights.

Read the other two parts of our feature here:

Part 2: Three more areas you can’t afford to overlook In this second part of our IT audit series, we explore the next 3 critical system areas—software quality and technical debt, operational aspects and historical operational data.
Part 3: Final steps for a full‒scope IT audit The final chapter in our IT audit series dives into risk areas that can make—or break—your tech: data security, legal gaps, and AI‒powered tools.

Ready to future‒proof your IT systems?

An IT audit s more than a technical review—it's your roadmap to smarter operations, stronger security, and scalable growth. Whether you're planning a system overhaul or just want to uncover hidden inefficiencies, our audit service gives you actionable insights tailored to your business. At LogiNet, we don’t just point out the gaps—we guide you toward sustainable solutions.

Request a tech audit consultation

Discover how we lead our partners to success

We partner with product owners and founders by developing products from scratch or growing the existing product. These real-world examples highlight how we help companies innovate and succeed.