Audit findings from the last 14 engineering audits
We ran 14 fixed-fee engineering audits between Jan 2025 and Feb 2026. The same six issues showed up in over half of them. None were surprising. All were avoidable.
Every audit is bespoke and confidential, but the categories of finding are not. Aggregated and anonymised, the recurring six were:
§ 1.0 — No documented rollback
11 of 14. Teams had a deploy script. None had a one-command rollback that had been exercised in the last 90 days. The fix is rarely technical. It is a 30-minute drill on the first Friday of every month.
§ 2.0 — Single-author critical paths
10 of 14. One person on the team is the only person who has touched the billing module / the search index / the auth flow. They are not a flight risk. They are a holiday risk. Pair-program before they go on annual leave, not after.
§ 3.0 — Backups that have not been restored
9 of 14. Backups were running nightly. None had been restored to a fresh environment in the last quarter. We do not consider a backup to exist until it has been used to bring a system back up.
§ 4.0 — Dependencies pinned a year ago
13 of 14. We are not in the Patch Everything Tuesday camp, but if your lockfile has not been updated since the last general election, your security posture is theoretical.
§ 5.0 — Logging that nobody reads
8 of 14. Verbose JSON logs flowing into a managed log service that nobody opens unless something is on fire. The audit recommendation is always the same: cut volume by 80%, keep what would help an on-call engineer in the first ten minutes.
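A concrete form of that recommendation, as an added example that is not code from the audits or from any client: a filter for a log shipper that keeps every line an on-call engineer would want in the first ten minutes (warnings, errors, 5xx responses, slow requests, and anything that is not valid JSON) and samples the routine remainder. The sample lines, the field names (`level`, `status`, `ms`, `req_id`) and the thresholds (1000 ms, 1 in 5) are assumptions.

```python
import json

# Constructed sample of verbose JSON log lines (assumed shape; not from any real system).
LOG_LINES = [
    '{"level":"info","msg":"request","path":"/health","status":200,"ms":2,"req_id":"r1"}',
    '{"level":"debug","msg":"cache hit","key":"user:42","req_id":"r2"}',
    '{"level":"info","msg":"request","path":"/api/orders","status":200,"ms":45,"req_id":"r2"}',
    '{"level":"info","msg":"request","path":"/api/orders","status":502,"ms":1210,"req_id":"r3"}',
    '{"level":"warn","msg":"retrying upstream","attempt":2,"req_id":"r3"}',
    '{"level":"debug","msg":"cache miss","key":"user:7","req_id":"r4"}',
    '{"level":"info","msg":"request","path":"/api/search","status":200,"ms":3100,"req_id":"r4"}',
    '{"level":"error","msg":"db connection refused","req_id":"r5"}',
    'not json at all',
    '{"level":"info","msg":"request","path":"/health","status":200,"ms":2,"req_id":"r6"}',
]

SIGNAL_LEVELS = {"warn", "warning", "error", "fatal"}
SLOW_MS = 1000            # assumed latency threshold worth an on-call engineer's attention
SERVER_ERROR_STATUS = 500


def classify_line(line):
    """Return 'signal', 'routine' or 'malformed' for one raw log line."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return "malformed"    # a line that is not JSON is itself worth seeing, never dropped
    if not isinstance(event, dict):
        return "malformed"
    if str(event.get("level", "")).lower() in SIGNAL_LEVELS:
        return "signal"
    status = event.get("status")
    if isinstance(status, int) and status >= SERVER_ERROR_STATUS:
        return "signal"
    ms = event.get("ms")
    if isinstance(ms, (int, float)) and ms >= SLOW_MS:
        return "signal"
    return "routine"


def filter_logs(lines, keep_every=5):
    """Keep every signal and malformed line; keep 1 in keep_every routine lines.

    Sampling uses a running counter so the result is deterministic; a production
    shipper would sample by request id so all lines of a sampled request stay together.
    """
    kept, routine_seen = [], 0
    for line in lines:
        kind = classify_line(line)
        if kind != "routine":
            kept.append(line)
            continue
        if routine_seen % keep_every == 0:
            kept.append(line)
        routine_seen += 1
    return kept
```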
§ 6.0 — Implicit dependency on a free tier
7 of 14. A free email service. A free CDN account. A free metrics tier. Each one quietly increasing usage. Each one outside the procurement process. Each one a future surprise invoice.
§ 7.0 — The boring conclusion
The same things keep failing in the same way. There is nothing here that requires an architect or a rewrite. The fixes are operational, cheap, and unglamorous. We charge 450 EUR to write the report. The clients who run the 90-day plan get back roughly a hundred times that.