Skip to main content
Back to Blog
Compliance 8 min read 30 April 2026

IT Audit Services for London SMEs in 2026: A Buyer's Guide

What an IT audit actually delivers, what it does not, and how London SMEs select an auditor proportionate to size, sector and regulatory profile. Covers Cyber Essentials, ISO 27001, NIS2 supply-chain assurance and FCA Operational Resilience.

"IT audit" means different things to different buyers. For one London SME it is a Cyber Essentials assessment, for another a full ISO 27001 internal audit, for another a financial-services IT control review for FCA SYSC. This guide untangles the categories, prices, deliverables, and the questions a London SME should ask before commissioning.

The five categories of IT audit

1. Cyber Essentials / Cyber Essentials Plus

Cost: £300–£500 (Cyber Essentials self-assessment with assessor verification); £1,500–£3,500 (Cyber Essentials Plus with hands-on technical verification). Scope: the five technical controls (firewalls, secure config, user access, malware protection, security update management). Delivers: a certificate valid for 12 months, accepted by UK government, NHS, and most enterprise procurement teams. For London SMEs: the cheapest credible answer to "are you cyber-secure?" — minimum bar for selling to public sector.

2. ISO 27001 Internal Audit / Stage 1 Readiness

Cost: £3,000–£8,000 (internal audit); £4,500–£12,000 (Stage 1 readiness assessment by an accredited body). Scope: Information Security Management System (ISMS) — risk register, Statement of Applicability, Annex A controls. Delivers: non-conformity register and corrective action plan. For London SMEs: required if customers have asked for ISO 27001 certified status; usually 6–12 months ahead of certification audit.

3. SOC 2 Readiness

Cost: £8,000–£25,000. Scope: AICPA Trust Services Criteria, primarily for SaaS organisations selling into US enterprise. Delivers: readiness report identifying gaps before formal SOC 2 Type 1 / Type 2 audit. For London SMEs: typically when US customers ask for it, otherwise ISO 27001 is the European equivalent.

4. NIS2 / FCA SYSC IT Control Review

Cost: £5,000–£20,000 depending on scope. Scope: for financial services in scope of FCA SYSC 13 / 15A operational resilience, or for NIS2 essential / important entities. Delivers: control gap analysis with regulatory mapping. For London SMEs: required for in-scope financial firms; not required for most general-business SMEs.

5. Operational IT Audit / Internal Control Review

Cost: £4,000–£15,000. Scope: general controls (access management, change control, backup and DR, vendor management, incident response). Delivers: findings register tied to internal controls framework (often COBIT or COSO-IT). For London SMEs: typically commissioned by the audit committee or as part of due diligence for an acquisition or fundraise.

Six questions to ask any IT audit provider

  1. Who will run the audit? Named individual, qualifications (CISA, CISSP, ISO 27001 LA), years of experience auditing similar-sized organisations.
  2. What is the deliverable? Format, length, citation style, recommendations vs findings only.
  3. Reference clients? At least three London SMEs of similar size, willing to take a reference call.
  4. Scope boundary? What is in scope and what is explicitly out — written before kick-off.
  5. Conflict-of-interest position? If they sell remediation services, do they audit and recommend their own services? Disclose explicitly.
  6. Re-test included? After remediation, is a re-test included in the original fee or extra-cost?

What "London-specific" actually adds

An auditor based in London has practical advantages: easier on-site visits if needed, familiarity with the FCA / ICO landscape, established relationships with London-focused certification bodies. Prices are typically 10–20% higher than equivalent regional firms because of London cost base. For most SME audits the value of "London-based" is moderate — for FCA-adjacent or financial-services audits it is more material.

Common pitfalls when commissioning an IT audit

  • Wrong category: commissioning a generic IT audit when ISO 27001 readiness was needed (or vice versa). Match the audit type to the actual need.
  • Scope creep: the auditor's price assumes a defined scope; mid-audit additions inflate cost.
  • No remediation budget: the audit will produce findings; if you cannot fix them, the audit hurts more than helps.
  • Unrelated certifications: Cyber Essentials does not get you SOC 2; ISO 27001 does not satisfy FCA SYSC. Map your buyer's actual ask.

Where SummitBridge Horizon fits

We provide structured IT audit and readiness products for London SMEs:

For a programme-scope IT audit with on-site work and named-auditor delivery, our consultancy team scopes engagements proportionate to your size and regulatory profile. Request a London-based audit quote from £1,500.

Need help with this?

Our team can help you assess where you stand and build a practical remediation plan. Free 30-minute consultation — no obligation.

Book a Free Consultation

Related Articles