How to Choose an IT Provider in Melbourne: A No-Nonsense Checklist

Peter Nelson

After 10+ years running a managed IT business in Melbourne, here are the questions that actually separate good IT providers from average ones - and the red flags to watch for.

Choosing an IT provider is one of the more consequential technology decisions a Melbourne business makes. Get it right and IT becomes a background function that just works. Get it wrong and you end up in a cycle of reactive fixes, escalating costs, and IT that is always slightly behind where your business needs it to be.

I have been running a managed IT business in Melbourne for over a decade. I know what good looks like, and I know the warning signs. Here is a checklist I would use if I were a business owner evaluating IT providers - not as a sales exercise, but as someone who wants to make a good decision.

Before You Start: Define What You Actually Need

Before you talk to a single IT provider, get clear on your requirements. You do not need a detailed IT specification - but you do need to answer these questions:

  • How many staff do you have, and how many of them depend on IT to do their jobs?
  • Do you have servers on-premises, or are you cloud-first?
  • What industry-specific software do you rely on? (LEAP, Best Practice, MYOB, CAD tools, etc.)
  • What is your most important IT risk? (Ransomware? Downtime? Data loss? Compliance?)
  • Do you have any regulatory or compliance requirements? (Privacy Act, industry-specific standards)
  • What does your current IT situation look like, and what is the thing you most want to change?

The answers to these questions should drive your evaluation. An IT provider who does not ask some version of these questions in the first conversation is not listening.

The Questions That Actually Matter

On response time and support:

“What is your average first response time for support requests, and can you share actual data from the last 90 days?”

Every IT provider will tell you their SLA. What you want is actual performance data. An honest provider will share this without hesitation. One who deflects or gives you targets rather than actuals is a provider whose actual response time is worse than their stated SLA.

Follow-up: “What is your escalation process for critical issues outside business hours?” Be specific - not “we have after-hours support” but “what happens when our server goes down at 7pm on a Thursday?”

“Where is your helpdesk based, and how is support covered outside business hours?”

This matters more than a simple “local vs offshore” answer suggests. The right model depends on what you actually need. A helpdesk that is 100% local may not offer meaningful after-hours coverage. A helpdesk that is 100% offshore may lack the business context to resolve issues efficiently during the day. Many well-run providers - including us - use a hybrid model: local engineers handle business-hours support and relationship management, while a trusted overseas team covers extended hours and overnight monitoring so that your business has genuine around-the-clock coverage without compromising daytime quality.

The questions that actually matter: What percentage of issues are resolved at first contact? Who handles escalations, and where are they based? What does after-hours critical incident response look like in practice? A provider who is transparent about their model and can back it up with resolution data is far more valuable than one who simply says “we’re local” without being able to demonstrate what that means for your support experience.

On proactive vs. reactive approach:

“Give me three examples of issues you caught and resolved proactively in the last month - before the client noticed.”

This is the single best question to distinguish a truly managed IT service from a break-fix provider with a retainer attached. A provider running genuine proactive monitoring will have specific, recent examples. A provider who is primarily reactive will struggle to give you concrete answers.

“How does your patch management process work? What is your patching schedule and how do you handle patching for our specific applications?”

Patching is unglamorous but critical. You want a provider with a documented, scheduled patching process - not one who patches when they happen to be onsite.

On security:

“What cybersecurity controls do you implement for all clients as standard, versus as optional add-ons?”

Red flag: anything important is an optional extra. Security should be a baseline, not an upsell. At minimum, every client should receive endpoint protection, email filtering, MFA enforcement, and backup management as part of the standard service.

“Are you familiar with the ACSC Essential Eight? What maturity level would you achieve for a client in our first 12 months?”

A security-aware provider should be able to answer this specifically. If they are not familiar with the Essential Eight, that is a significant signal about their security maturity.

“How would you respond if we had a ransomware attack right now?”

Listen for a specific incident response process - not a general statement about backups. You want to hear about isolation procedures, backup validation, recovery time estimates, and communication protocols.

On pricing and contracts:

“Is your pricing per-seat, per-device, or fixed? What is and is not included?”

Understand exactly what the monthly fee covers. Common gotchas: on-site visit costs, after-hours rates, project work fees, hardware mark-ups, and additional charges for specific software support. A clear, transparent pricing structure is a sign of a well-run provider.

“What are your contract terms and your offboarding process?”

A confident provider makes it easy to leave. If they are reluctant to discuss offboarding - documentation handover, account access, vendor transitions - that is a red flag. Your IT documentation, your system configurations, and your vendor account credentials belong to you. A good provider acknowledges this explicitly.

On industry fit:

“Have you worked with businesses in our industry before? What industry-specific software do you support?”

This is especially important for professional services firms. An IT provider who has never supported a law firm does not understand LEAP. An IT provider who has never supported a medical practice does not understand the Medicare HPOS portal. Industry experience is not just about marketing language - it is about whether a technician can actually fix your specific software when it breaks.

The Red Flags

After evaluating dozens of IT providers over the years (as a client before I became an IT provider myself), here are the things that should make you hesitant:

Reluctance to share actual performance data. If they will not show you ticket resolution times, uptime statistics, or customer satisfaction data, assume the numbers are bad.

One-size-fits-all proposals. If every client gets the same proposal regardless of their environment, the provider is not really assessing your needs.

Cybersecurity as an add-on. Security should be a baseline, not an upsell. A provider who charges extra for MFA or email filtering is not taking security seriously.

No mention of documentation or IT asset management. A good provider documents your environment systematically. If they do not mention this, you will discover why it matters when you need to recover from a failure or transition to another provider.

Long lock-in contracts without performance guarantees. Three-year contracts with significant penalties for leaving, combined with no service level guarantees, are a way of capturing revenue regardless of service quality.

Vague answers about escalation. “We have 24/7 support” is not the same as a documented, tested escalation process. Push for specifics.

What Good Actually Looks Like

A good managed IT provider for a Melbourne SMB:

  • Responds to support requests in under 15 minutes on average
  • Has a helpdesk model that delivers fast local response during business hours and genuine coverage after hours - whether that is a local-only team, a hybrid team, or a trusted overseas partner covering extended hours
  • Documents your entire IT environment and gives you access to that documentation
  • Proactively identifies and resolves issues before you notice them
  • Has a systematic approach to cybersecurity that is built into the service, not added on top
  • Provides quarterly IT reviews with a clear roadmap
  • Can tell you what your IT spend covers and why
  • Makes it easy to leave if you choose to

If a provider meets all these criteria, the specific brand of software they use to manage your environment matters less than you think. The fundamentals of a well-run managed IT service are about people, process, and proactivity - not tools.

One Last Thing

The Right Fit Call concept is something I genuinely believe in, and it is how we start every client relationship at CX IT Services. Before any proposal, before any pricing discussion, we have a 15-minute conversation about your business, your IT frustrations, your goals, and your environment.

If we are not a good fit - maybe you are too small for our model, maybe your requirements are outside our specialty, maybe your existing provider is actually doing a good job and the grass is not greener - we will tell you honestly. We have turned away clients who were not the right fit, and they have respected it.

That is the standard I would hold any IT provider to in your evaluation. If they are more interested in closing the sale than in understanding whether they can actually deliver what you need, that tells you something important about how the relationship will go.

26 years IT experience. ASD Cyber Security Partner. Essential Eight and SMB1001 specialist. Deep expertise in accounting and legal practice management software.

Reviewed by: CX IT Services Editorial Team