What a network audit actually reveals and why every organization should have one 

When we tell a new client that we’d like to start with a network audit before recommending anything, the reaction is usually one of two things. Either: “good, we’ve been meaning to do that for years.” Or: “we already have documentation, we know what’s there.” 

In our experience, both reactions lead to the same place: a list of findings the organization didn’t expect. 

This isn’t a criticism. It’s a structural problem with how networks grow. 

The “Organic Growth” Trap: How Networks Drift from Documentation

No organization sets out to build a poorly documented, organically sprawling network. They build a network that was appropriate for the organization at the time and then the organization changes. Staff joins and leaves. A remote office gets connected. A new IP camera system gets installed. Someone brings in a Wi-Fi access point because the conference room coverage was bad. A server gets added. A switch gets replaced, but the old one isn’t removed because it’s still being used for something nobody can quite remember. 

Each of these changes is individually reasonable. Collectively, over three or five or ten years, they produce an environment that is meaningfully different from any documentation that was created when the network was first built and often different from what anyone in the IT team believes is there. 

This is not unique to smaller organizations. We find the same pattern in enterprise environments, in government institutions, and in companies with dedicated IT departments. The only difference is scale. 

What Does a Professional Network Audit Actually Cover?

A proper network audit is not a port scan and a spreadsheet. It covers several interconnected layers. 

Device discovery and identification. Active scanning of all reachable addresses on the network. Identification of every device: switches, routers, access points, servers, cameras, printers, workstations, IoT devices, and anything else with an IP address. For each device: what it is, where it is, what it’s doing, and whether anyone can account for it. 

Topology mapping. How devices are connected to each other. Which switch is connected to which. Where the uplinks are. How traffic flows between segments. Most organizations have a topology diagram from when the network was built, if they have one at all. Most of those diagrams are wrong within two years of being created. 

IP addressing and documentation. Is there a documented IP scheme? Is the scheme being followed? Are there conflicts? Is DHCP being used where static addressing should be, or vice versa? Are subnets sized appropriately for the devices they contain? 

Configuration review. Are switches and routers running current firmware? Are default credentials still in use anywhere? Are VLANs configured, and are they actually achieving the segmentation they were meant to? Are management interfaces exposed on interfaces where they shouldn’t be? 

Wireless assessment. Coverage mapping: where the signal is adequate and where it drops. Channel utilization and interference. Client density per access point. Authentication configuration. Guest network isolation. 

Security posture. Open ports that shouldn’t be open. Devices with remote management enabled. Traffic flows between segments that weren’t intentionally permitted. Devices that haven’t been updated in a period that creates vulnerability exposure. 

Common Findings: Unidentified Devices and Firmware Gaps

After running network audits across organizations of various sizes in Bosnia and Herzegovina and the wider region, the findings follow recognizable patterns. 

Unidentified devices appear in almost every environment, typically between 15 and 30 percent of active addresses. Some are benign: old printers, retired workstations still plugged in, IoT devices that staff installed without IT involvement. Some are not: rogue access points, misconfigured servers, devices whose function nobody can determine. 

Documentation gaps are universal. Topology diagrams that don’t reflect the current state. IP address assignments that exist only in someone’s memory. VLAN configurations that were set up years ago and nobody is certain what traffic they’re carrying. 

Firmware and software currency is consistently poor. Devices running firmware versions that are two or three years old. Management software running on operating systems that are past end of support. Cameras and IoT devices that have never received a firmware update since installation. 

Configuration inconsistencies are common in environments that have been managed by multiple people over time. Different naming conventions on different switches. SNMP community strings that were set at deployment and never changed. Spanning tree configurations that create loops nobody has noticed because the redundancy has never been triggered. 
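As an added example (not Zerick’s own tooling), the reconciliation step behind the findings above: a discovery scan is matched against the asset register by MAC address to produce the share of unaccounted addresses, the documented devices that no longer answer, and the devices running firmware older than two years. The scan output, MAC addresses, names and dates are constructed sample data.

```python
"""Reconcile an active-scan result against the documented asset register."""
from datetime import date

# Constructed discovery output: (ip, mac, name the device reported, if any)
SCAN = [
    ("10.0.10.1",   "00:11:22:aa:bb:01", "core-sw01"),
    ("10.0.10.2",   "00:11:22:aa:bb:02", "core-sw02"),
    ("10.0.10.50",  "00:11:22:aa:bb:50", "file-srv"),
    ("10.0.10.77",  "00:11:22:aa:bb:77", ""),            # answers, no name
    ("10.0.10.120", "00:11:22:aa:bb:c0", "CAM-LOBBY"),
    ("10.0.10.200", "00:11:22:aa:bb:c8", "TP-LINK_AP"),  # not in the register
]

# Constructed asset register: mac -> (documented name, date of last firmware update)
INVENTORY = {
    "00:11:22:aa:bb:01": ("core-sw01", date(2025, 6, 1)),
    "00:11:22:aa:bb:02": ("core-sw02", date(2022, 3, 15)),
    "00:11:22:aa:bb:50": ("file-srv",  date(2025, 1, 10)),
    "00:11:22:aa:bb:c0": ("CAM-LOBBY", date(2019, 9, 30)),
    "00:11:22:aa:bb:60": ("print-old", date(2018, 1, 1)),  # documented, absent
}

FIRMWARE_MAX_AGE_DAYS = 2 * 365  # flag anything older than two years


def reconcile(scan, inventory, today):
    """Return the audit findings: unaccounted, missing and stale-firmware devices."""
    seen = {mac for _, mac, _ in scan}
    # Active addresses that nobody documented: the 15-30% figure from the audits
    unaccounted = [ip for ip, mac, _ in scan if mac not in inventory]
    # Documented devices that no longer answer: the register has drifted
    missing = [name for mac, (name, _) in inventory.items() if mac not in seen]
    # Devices on the wire whose last firmware update is older than the threshold
    stale = [name for mac, (name, fw) in inventory.items()
             if mac in seen and (today - fw).days > FIRMWARE_MAX_AGE_DAYS]
    return {
        "unaccounted": unaccounted,
        "unaccounted_pct": round(100 * len(unaccounted) / len(scan), 1),
        "missing_from_network": missing,
        "stale_firmware": stale,
    }


if __name__ == "__main__":
    for key, value in reconcile(SCAN, INVENTORY, date(2025, 12, 1)).items():
        print(f"{key}: {value}")
```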

Operational Impact: Why Knowing Your Network Saves Time and Money

The practical consequences of an undocumented, organically grown network show up in specific ways. 

Troubleshooting takes longer. When something breaks, the time spent tracing where cables go, identifying which switch a device is connected to, and determining what was changed recently is all wasted time. In a properly documented environment, a network fault can be isolated in minutes. In an undocumented one, it can take hours. 

Security incidents are harder to contain. When a device is compromised, the speed of containment depends on knowing what that device is connected to, what it can reach, and how to isolate it. Without that knowledge, containment is slow and incomplete. 

Changes carry unknown risk. Adding a new system to a network you don’t fully understand is a risk you can’t quantify. You don’t know what the change will affect until you make it. 

Planning is impossible. Capacity planning, refresh cycles, and expansion all depend on knowing what currently exists. Without accurate documentation, these decisions are made on assumptions that may be significantly wrong. 

Beyond the Audit: Creating a Technical Baseline for the Future

The audit is the starting point, not the deliverable. 

The output of a network audit is a documented, accurate baseline: what’s there, how it’s connected, how it’s configured, and what the risks are. From that baseline, decisions can be made with real information. What needs to be remediated immediately. What can wait. What the upgrade path looks like. What monitoring should be put in place to maintain visibility going forward. 

In some cases, the audit findings are manageable: a few undocumented devices, some firmware updates to apply, some documentation to create. In others, they reveal structural issues that require more significant work. In either case, knowing is always better than not knowing. 

The organizations that avoid audits generally do so because they’re worried about what they’ll find. That concern is understandable, but it’s precisely backwards. The right time to discover a problem in your network is not when the network fails or when a security incident makes the gaps visible. It’s during a controlled assessment, with time and options to respond. 

If your network hasn’t been audited in the last two years, it’s worth doing. Not because something is necessarily wrong, but because you shouldn’t have to assume that something isn’t. 

Zerick conducts network audits across Bosnia and Herzegovina and the Western Balkans region. If your network hasn’t been mapped and documented recently, we’d be glad to tell you what’s there. Get in touch at info@zerick.ba. 