TL;DR: Most IT provider evaluations focus on price and promises. These 20 questions focus on evidence and specifics — the things that tell you whether a provider will actually deliver. Use this list whether you are evaluating a new provider or auditing your current one.
Why Standard IT Evaluations Fail
The typical IT provider evaluation goes like this: you ask for a proposal, three providers submit documents with similar service descriptions and different prices, and you choose based on price or whoever seemed nicest in the meeting. Six months later you discover the cheapest option was cheap for a reason.
The problem is not the process — it is the questions. “What services do you offer?” and “What is your SLA?” tell you almost nothing. Every provider will describe their services attractively and quote an SLA target. What separates good providers from average ones is not what they say — it is what they can prove.
These 20 questions are designed to get past the marketing language and into the specifics that actually predict service quality.
Section 1: Response Time and Support (Questions 1–5)
Question 1: What is your average first response time, and can you provide data from the last 90 days?
What to listen for: Specific numbers with data to back them up. An honest provider will share a PDF or screenshot from their ticketing system without hesitation. A provider who gives you a target (“our SLA is 2 hours”) rather than actual data is telling you their performance does not match their promises.
At CX IT Services, our average first response time is under 15 minutes. We can show you the data.
Question 2: Where is your helpdesk based?
What to listen for: Australian-based, ideally Melbourne-based for a Melbourne business. Offshore first-line support introduces delays, communication friction, and a lack of local business context. Ask specifically: “Who answers the phone when we call at 2pm on a Tuesday?” Not “where is your team” but “who specifically answers our calls.”
Question 3: What is your escalation process for critical issues outside business hours?
What to listen for: A specific, documented process - not “we have after-hours support.” Ask: “If our file server goes down at 7pm on a Thursday, what exactly happens? Who is notified? What is the target response time? How is that different from business hours?”
Question 4: How many clients does each account manager or technician support?
What to listen for: A ratio that allows for genuine relationship-based service. If a single technician manages 200 clients, they do not know your business. A genuinely dedicated model means a small number of clients per team so the team actually knows your environment.
Question 5: Can you provide references from clients in our industry and of similar size?
What to listen for: Yes, with specific names and contact details. A provider who cannot (or will not) provide references from clients like you either does not have them or does not trust their clients to give positive references. Follow up and actually call the references.
Section 2: Proactive vs Reactive Approach (Questions 6–8)
Question 6: Give me three specific examples of issues you caught proactively last month, before the client noticed.
What to listen for: Specific, recent, detailed examples. “We noticed a hard drive in one of their servers was showing early warning signs in our monitoring dashboard, replaced it before it failed, and the client never experienced any disruption.” That is a proactive provider. “We monitor all our clients 24/7” is not an answer to this question.
This is the single best question for distinguishing a truly proactive managed service from a break-fix provider with a monthly retainer attached.
Question 7: How does your patch management process work?
What to listen for: A documented, scheduled patching process with specific timelines. When are patches applied? How are patches tested before deployment? How are exceptions handled? What is the process for emergency patches following a critical vulnerability disclosure? A provider who patches “when we get around to it” or “when the client asks” is not managing your security.
Question 8: What does a typical quarterly business review cover?
What to listen for: Evidence that the provider conducts genuine strategic reviews - not just “are you happy?” but a review of security posture, upcoming technology lifecycle, roadmap progress, and business alignment. If the provider does not conduct quarterly reviews, your IT is being managed tactically, not strategically.
Section 3: Security (Questions 9–12)
Question 9: What cybersecurity controls are included as standard versus optional extras?
What to listen for: Security as a baseline, not an upsell. At minimum, every client should receive endpoint protection, email security, MFA enforcement, and backup management as part of the standard service. A provider who charges extra for MFA or basic email filtering is not taking security seriously.
Red flag: “We can add security services if you want.” Security is not an add-on.
Question 10: Are you familiar with the ACSC Essential Eight? What maturity level would you target for a client like us in the first 12 months?
What to listen for: Familiarity with the Essential Eight framework and a specific maturity level target with a rationale. If the provider has never heard of the Essential Eight, that is a significant signal about their security maturity. For most Melbourne SMBs, a target of Maturity Level 2 across most controls within 12 months is reasonable.
Question 11: What is your incident response process if we experience a ransomware attack?
What to listen for: A specific, documented process covering isolation, assessment, communication, recovery, and post-incident review. Not “we would fix it.” Ask: “Who would I call? What would happen in the first hour? How would you communicate with us during the incident? What are your recovery time targets?”
Question 12: How do you protect against Business Email Compromise?
What to listen for: Specific technical controls - SPF, DKIM, DMARC configuration; Microsoft Defender for Office 365 anti-phishing policies; Safe Links and Safe Attachments; user awareness training on BEC scenarios. A vague answer about “email security” without these specifics suggests surface-level protection.
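One concrete way to verify the first of those controls for your own domain is to read its SPF and DMARC DNS records and flag the weak settings (a permissive "+all" SPF, a "p=none" DMARC policy, or no record at all). The block below is an added example, not tooling from CX IT Services or from the original article; it runs offline against constructed TXT records embedded inline (SAMPLE_TXT, with the hypothetical domains weak.example and hardened.example), and the function names are assumptions.

```python
# Constructed sample DNS TXT records for two hypothetical domains; no real lookups are made.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "hardened.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100"],
}

def spf_all_qualifier(record):
    """Return the qualifier (+, -, ~, ?) on the terminating 'all' term, or None if absent."""
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # a bare 'all' means pass, same as +all
    return None

def parse_dmarc(record):
    """Split a DMARC record into lowercase tag -> value pairs, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, txt_lookup):
    """Return a list of findings for the domain's SPF and DMARC records; an empty list means no weakness found."""
    findings = []
    spf = [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple records published (receivers treat this as a permanent error)")
    else:
        q = spf_all_qualifier(spf[0])
        if q in ("+", None):
            findings.append("SPF: no failing 'all' term (missing or +all), so any sender passes")
        elif q == "~":
            findings.append("SPF: softfail (~all) only; relies on DMARC enforcement")
    dmarc = [parse_dmarc(r) for r in txt_lookup.get("_dmarc." + domain, [])]
    dmarc = [t for t in dmarc if t.get("v", "").upper() == "DMARC1"]
    if not dmarc:
        findings.append("DMARC: no record published")
    else:
        policy = dmarc[0].get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none monitors only; spoofed mail is still delivered")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua address, so no aggregate reports on spoofing attempts")
    return findings
```

To run this against a real domain, replace SAMPLE_TXT with the TXT records returned by your resolver for the domain and for _dmarc.<domain>; DKIM is signed per selector and is not covered here.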
Section 4: Documentation and Governance (Questions 13–15)
Question 13: How do you document your clients’ IT environments?
What to listen for: A specific documentation platform (ConnectWise Manage, IT Glue, or equivalent) with documented standards for what is captured and maintained. You want to know: if you were to leave this provider tomorrow, would you receive comprehensive documentation of your entire IT environment? The answer should be yes.
Question 14: Who owns the documentation and credentials for our environment?
What to listen for: An unequivocal “you own everything.” Your documentation, your Microsoft 365 tenant Global Admin credentials, your domain registrar access, your vendor relationships - all of it belongs to you. A provider who hedges on this or uses this as leverage is not a provider you want.
Question 15: Do you have a Service Level Agreement and what does it cover?
What to listen for: A written SLA with specific response and resolution time commitments for different priority levels, and some form of remedy if those commitments are not met. SLA targets without remedies are not commitments - they are aspirations.
Section 5: Pricing and Contracts (Questions 16–18)
Question 16: Is your pricing per-seat, per-device, or fixed? What is specifically included and excluded?
What to listen for: Clarity and transparency. Understand exactly what the monthly fee covers. Common exclusions that generate unexpected invoices: on-site visit fees, after-hours rates, project work, hardware procurement mark-ups, specific software support, and carrier charges. Ask the provider to walk you through a scenario where you would incur additional charges.
Question 17: What are your contract terms and minimum commitment period?
What to listen for: Reasonable terms with performance guarantees. A confident provider offers shorter commitments (monthly or 12-month maximum) backed by service quality. Aggressive long-term contracts (3+ years) with significant penalties for leaving are a red flag - they are a mechanism for retaining unhappy clients.
At CX IT Services, we do not have lock-in contracts. We earn your business every month.
Question 18: What does your offboarding process look like if we choose to leave?
What to listen for: A clear, documented process: documentation handover, credential transfer, vendor transition support, and a reasonable transition timeline (minimum 30 days). If a provider is reluctant to discuss this, assume the worst about how it plays out in practice.
Section 6: The Right Fit Questions (Questions 19–20)
Question 19: What types of businesses are you NOT a good fit for?
What to listen for: An honest, specific answer. A provider who claims to be a perfect fit for every business is selling you something. At CX IT Services, for instance, we are not the right fit for businesses with fewer than 10 staff, businesses looking for the cheapest possible option, or businesses that want a purely reactive IT relationship. Knowing who a provider does not serve well tells you a lot about their values.
Question 20: What would make this engagement unsuccessful?
What to listen for: Self-awareness about the partnership requirements. A good IT relationship requires responsiveness from the client - approving patches, communicating about upcoming changes, providing access when needed. A provider who articulates what they need from you is thinking about the partnership, not just the sale.
Scoring Your Current Provider
If you are evaluating your current IT provider rather than a new one, work through these questions in a review meeting. Give them a score of 1-3 for each:
- 3: Answered specifically with evidence
- 2: Answered generally without evidence
- 1: Could not answer or answered evasively
A score below 40 out of 60 suggests significant gaps in your current provider’s capability or transparency. Below 30 suggests it is time to look at alternatives.
If you want to compare your current provider’s performance against what CX IT Services delivers, book a Right Fit Call. We will be honest about where we are a better fit and where we are not.