Infrastructure & network posture
Architecture review, segmentation, perimeter and internal controls, asset inventory accuracy, configuration drift.
01 / Audit
Independent IT auditing for municipalities, agencies, and corporate.
When the in-house IT team is too close to the systems they built, you need outside eyes. Three decades auditing Palm Beach County municipalities, healthcare organizations, regulated industries, and Florida small businesses — by someone who has seen what actually breaks under audit pressure.
Why outside eyes
The team that built it can't be the team that audits it.
Internal IT shops carry the institutional knowledge, but also the institutional blind spots. The system that's "fine" because it has always worked is the system that has never been tested by someone without a stake in the answer. An outside audit is the cleanest way for a board, a council, a CFO, or a general counsel to know what they actually have.
My audits are written for the people who will read them — boards, elected officials, executives, and counsel — not for IT staff defending their own work. Findings are prioritized by risk, not by what's easiest to fix. Recommendations are concrete: do this, in this order, by this date.
What's covered
Representative scope.
Tailored to each engagement; this is the typical surface.
Identity, access & privilege
Account hygiene, privileged access, MFA coverage, joiner/mover/leaver controls, service accounts and shared credentials.
Backup, recovery & resilience
Backup integrity, restore testing, off-network copies, ransomware survivability, documented recovery time vs. claimed recovery time.
Vendor & third-party risk
MSP and SaaS dependency mapping, contract review for security obligations, who-can-do-what in your environment.
Policy, change control & documentation
Written policy vs. operational reality, change management discipline, incident response plan stress-tested for actual usefulness.
Spend, license & vendor rationalization
Tool sprawl, overlapping licenses, shelf-ware, contracts that auto-renew without anyone reading them.
Who this is for
Three audiences.
- Municipalities & government agencies — councils, commissions, and elected leadership who need an independent read on their IT shop's posture, before a constituent (or a ransomware crew) asks the question first.
- Corporate boards & executives — directors and C-suite who carry fiduciary responsibility for cyber risk and need something more substantive than the CIO's annual deck.
- Counsel preparing for litigation, M&A, or regulatory scrutiny — when a transaction or a case turns on what the target organization's IT environment actually looks like.
Track record
Audited & advised over the years:
MunicipalityTown of Palm Beach
MunicipalityTown of Jupiter
MunicipalityCity of Delray Beach
HealthcareHealth Care District of Palm Beach County
AgencySolid Waste Authority
VillageRoyal Palm Beach
VillageWellington
EducationPBAU · Palm Beach State College
Private sectorHundreds of Florida SMBs
Client voices
What clients said about the audit work.
From the InfoStream years.
"Alan Crowetz is the ultimate professional in the IT support services field. His knowledge and expertise is verified by the many certifications he holds and by the tremendous success of his company. CPAs employ his company to conduct the information system audit for their financial audits."
"I am an executive consultant and I consider myself fortunate to have InfoStream as a resource when my clients are expanding their system, face interruptions, or need expertise to audit their system's existing security protocols and configurations."
FAQ
Common questions.
How long does a typical IT audit take?
For most municipalities and mid-sized organizations, fieldwork runs two to four weeks, with the written report and findings review delivered within another two to three weeks. Smaller engagements can close in under a month start to finish.
Will the audit disrupt our operations?
No. Audits are designed around the in-house team — interviews, documentation review, and read-only access to systems where appropriate. There are no scans or test traffic that risk service interruption without explicit written authorization and a documented change window.
What does the deliverable look like?
A written report in plain English, organized by risk tier rather than technical category, with concrete recommendations: do this, in this order, by this date. Boards and councils get an executive summary; IT staff get the technical appendix. Findings sessions are included so the people who have to act on the report can ask questions live.
How is this different from a penetration test or our financial-IT audit?
A penetration test answers "can a specific attack succeed against this specific system." A financial-IT audit confirms the controls a regulator or CPA wants documented. An independent IT audit answers a broader, higher-stakes question: across people, process, and technology, where is this organization actually exposed, and what should leadership do about it.
Can findings be used in litigation, insurance claims, or post-incident reviews?
Yes. Reports are written to a standard that holds up under scrutiny, with methodology and evidence cited so a third party can verify the work. Past audit clients have referenced findings in insurance renewals and regulatory filings.
Scope an audit
Discover the gap before the auditor does.
Independent IT and security audits for municipalities, agencies, and corporate IT — risk-prioritized findings boards can act on. Twenty-minute scoping call to start.