IT Consulting Intake Forms: What MSPs and IT Consultants Need to Capture at Client Onboarding
An IT consultant who walks into a new client engagement without knowing their server count, backup frequency, or whether they are subject to HIPAA is going to spend the first two weeks discovering things that should have been documented before the contract was signed. Meanwhile, the client is watching the clock and wondering why they are paying hourly rates for their new IT provider to ask basic questions about their own infrastructure.
Most IT consultants and managed service providers collect a company name, a primary contact, and maybe a rough workstation count. That is not onboarding — that is barely a lead form. A real IT consulting intake form captures the full picture of the client's environment, security posture, compliance obligations, and service expectations so you can scope accurately, price correctly, and deliver from day one without the discovery period that erodes client confidence.
Client and business information: context that shapes every decision
The business profile is not just administrative data. It determines your compliance requirements, your staffing model, and your risk exposure. An eight-person marketing agency and a 200-employee medical practice with three locations are fundamentally different engagements, and your intake needs to surface those differences immediately:
- Company name and primary contact — who you are working with and who picks up the phone when something breaks at 2 AM. Get the primary contact's direct line and preferred communication method. Email is fine for reports. It is not fine for a server that just went down.
- Industry — this single field drives more downstream decisions than almost anything else on the form. A healthcare company means HIPAA. A defense contractor means CMMC. A law firm means client confidentiality requirements that affect how you handle their data. A retail business processing credit cards means PCI DSS. Capture the industry early because it determines which compliance sections of the intake even apply.
- Company size — employee count, number of physical locations, and whether they have remote workers. Remote workers change your security model entirely — you are no longer securing a perimeter, you are securing endpoints scattered across home networks, coffee shops, and hotel Wi-Fi.
- Current IT staff — do they have an internal IT team, a single IT person, or are they fully outsourced? If they have internal IT, your engagement is co-managed, and you need to define who handles what before someone assumes the other party is watching the firewall logs. If they are fully outsourced, you are inheriting everything.
- Decision maker — who approves IT spending? In small companies, this is often the owner. In mid-size companies, it might be a CFO or operations director who has no technical background but holds the budget. Knowing who signs off on purchases prevents the situation where you spec a $40,000 infrastructure refresh and present it to someone who has no authority to approve it.
- Budget — annual IT budget or per-project budget. Some clients have a defined IT line item. Others have never thought about IT as a budget category and are going to be surprised when they learn what things cost. Understanding their budget reality at intake prevents scope mismatches later.
- Previous IT provider — who they were working with before and why they are switching. This is intelligence. If they left because their previous MSP had slow response times, you know SLA commitments matter to them. If they left because of a security incident, you know the security conversation is going to be front and center. If they have never had an IT provider, you are starting from scratch and should plan accordingly.
Current infrastructure: the full hardware inventory
You cannot manage what you have not documented. The infrastructure section of your intake is the foundation of every recommendation, every quote, and every support ticket that follows. Skip this and you will spend three months discovering devices, services, and configurations that should have been cataloged in the first week.
- Network — LAN, WAN, VPN, SD-WAN. How many locations are connected and how? Who is the internet provider, what speed tier, and is there a backup circuit? What firewall are they running — make, model, firmware version, and age? A ten-year-old SonicWall running end-of-life firmware is a finding, not just an inventory item. Document switches and wireless access points — managed or unmanaged, how many, and whether the Wi-Fi actually covers the building or leaves dead zones in the warehouse.
- Servers — on-premises, cloud, or hybrid. How many? What operating systems? What roles does each server fill — domain controller, file server, print server, application server? How old are they? A server running Windows Server 2012 R2 is out of extended support and is a security and compliance risk that needs to be flagged at intake, not discovered when it fails and you are scrambling to recover data from a RAID array that has been degrading for months.
- Workstations — total count, average age, and OS mix. How many are Windows, how many Mac, any Linux or Chromebook? Workstation age matters because a fleet of eight-year-old desktops running Windows 10 that cannot be upgraded to Windows 11 is a refresh project waiting to happen, and the client needs to know that before it becomes an emergency.
- Mobile devices — are they company-owned or BYOD? Is there a mobile device management solution in place? BYOD without MDM means company data is sitting on personal phones with no remote wipe capability, no encryption enforcement, and no way to separate business data from personal when an employee leaves.
- Printers and peripherals — count and type. Printers seem trivial until you realize the client has 14 networked printers across two floors, half of them are on a separate VLAN, and the accounting department's printer is the only one that can print checks, which makes it a single point of failure for payroll.
- Phone system — VoIP, legacy PBX, Microsoft Teams calling, Zoom Phone? Is it integrated with their directory? Who manages it? Phone systems increasingly fall under IT's umbrella, and inheriting a 15-year-old PBX that nobody knows how to administer is a common surprise in new MSP engagements.
Cloud and software: what they are running and paying for
The software environment is often more complex than the hardware. Clients accumulate SaaS subscriptions the way people accumulate streaming services — someone signed up for it three years ago, nobody remembers why, and it is still billing $200 a month.
- Email platform — Microsoft 365, Google Workspace, or on-premises Exchange. This determines your identity management approach, your backup strategy, and your security tooling. A company running on-prem Exchange in 2026 is a migration project.
- Cloud services — AWS, Azure, GCP, or none. If they have cloud infrastructure, who built it, who manages it, and does anyone actually understand the architecture? Many small businesses have an AWS account that a contractor set up years ago, and nobody has the root credentials.
- Line-of-business applications — ERP, CRM, accounting software, and industry-specific applications. These are the systems the business cannot function without. If their ERP goes down, they cannot ship orders. If their practice management software is unavailable, their attorneys cannot bill. Identify these at intake because they drive your RTO calculations and your priority matrix for incident response.
- SaaS subscriptions — a full inventory of what they are paying for. This almost always reveals redundant subscriptions, unused licenses, and shadow IT — departments that signed up for tools without telling anyone. This is both a cost-saving opportunity and a security concern.
- Licensing compliance — are licenses properly assigned? Are they running software they do not have licenses for? Licensing non-compliance is a financial and legal risk that the client may not even know they have. A Microsoft audit finding unlicensed Office installations is an expensive surprise.
- File storage — OneDrive, SharePoint, Google Drive, Dropbox, a NAS in the server closet, a file server, or some combination. Where does critical data actually live? The answer is often "everywhere," which means your backup strategy needs to account for data scattered across five platforms.
- Backup solution — what is backed up, how often, where do backups go, and when was the last successful test restore? The last question is the most important. A backup that has never been tested is not a backup — it is a hope.
Security posture: what is protecting them and what is not
Security is where IT consulting intake diverges most sharply from IT support intake. An IT support company is primarily reactive — something breaks, they fix it. An IT consultant or MSP is responsible for the security architecture, and that means you need a complete picture of the client's current security posture before you can recommend improvements or accept the liability of managing their environment.
- Antivirus and EDR — what product are they running, is it centrally managed, and is it actually deployed on every endpoint? "We have antivirus" means nothing until you verify it is current, reporting to a central console, and covering every machine — including the marketing intern's laptop that was set up by someone who skipped the security software.
- Email security — spam filtering, phishing protection, and whether DMARC, SPF, and DKIM records are properly configured. Email is the number one attack vector for small and mid-size businesses. If their domain does not have DMARC enforcement, anyone can send email that appears to come from their CEO.
- Multi-factor authentication — where is it enabled and where is it not? MFA on email but not on the VPN is a gap. MFA on the VPN but not on the cloud admin console is a bigger gap. Document what is covered and what is exposed.
- Password policy — complexity requirements, rotation schedule, and whether they use a password manager. A company where everyone uses the same shared admin password written on a sticky note under the keyboard is not an exaggeration — it is a Tuesday.
- User access review — when was the last time someone reviewed who has access to what? Former employees with active accounts, vendors with VPN credentials that were never revoked, and shared service accounts that five people use are all common findings.
- Security awareness training — is it in place? How often? Phishing simulations? The best firewall in the world does not help when an employee clicks a malicious link because they have never been taught what a phishing email looks like.
- Cyber insurance — do they have it, and what does the policy require? Many cyber insurance policies now mandate MFA, EDR, and documented incident response plans. If the client does not meet those requirements, their policy may not pay out when they need it most.
- Previous incidents — any history of breaches, ransomware, or successful phishing attacks. This is not just historical curiosity. Previous incidents indicate where the environment is weakest, and they may trigger notification obligations or ongoing monitoring requirements.
- Dark web exposure — have employee credentials been found in data breach dumps? A dark web scan at intake often reveals dozens of compromised credentials that the client had no idea were circulating.
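For the email security item in the list above, one way to turn "is DMARC enforced?" into a finding you can record on the intake form. This is an added example, not part of the original article: the function names are hypothetical and the TXT records are constructed samples for the placeholder domain example.com, typed in as they would be read from DNS.

```python
"""Classify SPF and DMARC TXT records gathered at client intake."""

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt_records):
    """Grade the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ("missing", "no DMARC record published")
    if len(dmarc) > 1:
        return ("invalid", "multiple DMARC records, so receivers apply none")
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid", "no usable p= tag")
    if policy == "none":
        return ("monitor-only", "p=none reports on spoofed mail but does not block it")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return ("partial", f"p={policy} covers only {pct}% of failing mail")
    return ("enforced", f"p={policy}")

# Meaning of the qualifier on SPF's final 'all' mechanism.
SPF_ALL = {"-": ("strict", "-all fails unlisted senders"),
           "~": ("softfail", "~all only marks unlisted senders as suspicious"),
           "?": ("neutral", "?all makes no assertion about unlisted senders"),
           "+": ("permissive", "+all authorises every sender on the internet")}

def assess_spf(txt_records):
    """Grade the TXT records published at the domain apex."""
    spf = [r for r in txt_records if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ("missing", "no SPF record published")
    if len(spf) > 1:
        return ("invalid", "multiple SPF records produce a permerror")
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            # A bare 'all' has the default '+' qualifier.
            return SPF_ALL[term[0] if term[0] in SPF_ALL else "+"]
    if any(t.startswith("redirect=") for t in terms):
        return ("delegated", "policy lives in the redirect target; check that record")
    return ("neutral", "no 'all' mechanism, so unlisted senders get a neutral result")

def intake_findings(domain, spf_txt, dmarc_txt):
    """Return the email-authentication gaps to record on the intake form."""
    findings = []
    for name, (status, detail), ok in (
            ("SPF", assess_spf(spf_txt), ("strict", "softfail")),
            ("DMARC", assess_dmarc(dmarc_txt), ("enforced",))):
        if status not in ok:
            findings.append(f"{domain}: {name} {status} ({detail})")
    return findings

# Constructed sample records for a placeholder domain, not from a real client.
SAMPLE_SPF = ["v=spf1 include:_spf.example.net ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for line in intake_findings("example.com", SAMPLE_SPF, SAMPLE_DMARC):
        print(line)
```

DKIM is left out because checking it requires knowing the selector names the client's mail platform uses, which is itself worth asking for at intake.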
Compliance requirements: what regulations apply
Compliance is not optional, and it is not something you figure out after the contract starts. Your intake needs to identify every regulatory framework that applies to the client's business, because those frameworks dictate your security controls, your documentation requirements, and your audit obligations:
- HIPAA — healthcare providers, health plans, and their business associates. If you are managing IT for a medical practice, you are a business associate under HIPAA, and you need a BAA in place before you touch their systems.
- PCI DSS — any business that processes, stores, or transmits payment card data. This includes the restaurant with a point-of-sale system and the e-commerce company with a payment gateway.
- SOC 2 — SaaS companies and service providers whose clients require third-party assurance of security controls. If the client's customers are asking for SOC 2 reports, the client needs controls that you will be responsible for implementing and maintaining.
- CMMC — defense contractors handling controlled unclassified information. CMMC requirements are becoming enforceable, and non-compliance means losing government contracts.
- GDPR and CCPA — privacy regulations that apply based on whose data the client handles, not where the client is located. A New Jersey company with European customers is subject to GDPR.
- Industry-specific frameworks — FINRA for financial services, FERPA for educational institutions, CJIS for organizations accessing criminal justice information. Each of these has specific technical controls that affect how you configure the environment.
- Audit history — when was the last compliance audit, who conducted it, and what were the findings? Existing audit reports are a goldmine of information about gaps that need to be addressed.
Service needs: defining the engagement scope
The most common source of MSP-client conflict is mismatched expectations about what the engagement covers. Your intake form is where you define the scope explicitly so there is no ambiguity about what is included, what is extra, and what the client is responsible for:
- Managed services model — full outsource or co-managed with internal IT? In a co-managed arrangement, you need a clear responsibility matrix. Otherwise you end up in the situation where a server patch was not applied because your team assumed the internal IT person was handling OS updates, and the internal IT person assumed your team was handling it.
- Help desk — expected ticket volume, response time expectations, and escalation procedures. A client who expects a 15-minute response time for every ticket needs to understand that is a different service tier — and a different price — than next-business-day response.
- Monitoring — 24/7 or business hours only? If the client runs a three-shift manufacturing operation, business-hours monitoring means nobody is watching the network during second and third shift when half the workforce is active.
- Patch management — operating system patches, third-party application updates, and firmware updates. Who approves patches? What is the testing window? A patch that breaks a line-of-business application at 2 PM on a Wednesday is worse than the vulnerability it was supposed to fix.
- Project work — upcoming projects that fall outside the managed services agreement. Office moves, infrastructure refreshes, cloud migrations, M&A integration, new location buildouts. These are scoped and priced separately, but knowing about them at intake lets you plan capacity and identify dependencies.
- Strategic planning — does the client want vCIO services? Technology roadmap development? Annual budget planning for IT? Some clients want a vendor who keeps the lights on. Others want a strategic partner who sits in quarterly business reviews and helps them plan three years out. The intake is where you determine which relationship this is.
- Procurement — does the client want you to handle hardware and software purchasing? This affects your vendor relationships, your margin structure, and your liability for equipment warranties.
Disaster recovery and business continuity
Every client says their data is important. The intake is where you quantify exactly how important by forcing them to answer the hard questions about downtime and data loss:
- RTO and RPO — Recovery Time Objective is how long they can be down. Recovery Point Objective is how much data they can afford to lose. A client who says "we cannot be down at all" needs to understand what that costs. A client who says "a few hours is fine" needs that documented so it is clear when — not if — an outage exceeds a few hours.
- Backup testing — when was the last successful restore test? A backup system that has run green for two years but has never been tested may contain corrupted data, incomplete snapshots, or configuration errors that only surface when you actually need to restore.
- DR plan — is there a documented disaster recovery plan? Has anyone ever tested it? Does it account for the current environment, or was it written five years ago when they had half the servers and none of the cloud services they have today?
- Failover and redundancy — redundant internet circuits, server clustering, replicated storage, hot standby systems. What happens when the primary goes down? If the answer is "nothing, we wait," that is an acceptable answer as long as it is documented and the client has signed off on the risk.
- Data classification — what data is critical versus nice-to-have? Not everything needs the same level of protection. Email archives from 2019 and the active accounting database have very different recovery priorities. Classification at intake drives your backup tiering and your DR sequencing.
Onboarding documentation and knowledge transfer
The final section of a thorough IT consulting intake addresses the operational handoff — getting the information and access you need to actually start managing the environment:
- Existing documentation — network diagrams, password vaults, asset inventories, runbooks, standard operating procedures. If the previous provider left documentation, you need it. If they did not, that tells you something about why the client is switching.
- Administrative credentials — domain admin, firewall admin, cloud admin console, SaaS admin accounts. These need to be transferred securely — not emailed in a spreadsheet. Your intake should specify the secure transfer method you require.
- Vendor contacts — ISP account representative, phone system provider, LOB application support, copier and printer vendor, cabling contractor. When something breaks, you need to know who to call, what the account number is, and whether there is an active support contract.
- Warranty and contract information — what hardware is under warranty, what software is under maintenance, and when do contracts expire? A server warranty that expired six months ago means the next hardware failure is a full replacement, not a next-business-day parts swap.
- Knowledge transfer — is the previous IT provider cooperating with the transition? Is there an internal IT person who is leaving and needs to do a brain dump before their last day? Transitions without knowledge transfer are the most expensive kind because you rediscover everything through troubleshooting.
Why thoroughness at intake pays for itself
The IT consulting intake is not paperwork for the sake of paperwork. Every field on a well-designed intake form corresponds to a question that will get asked eventually. The difference is whether it gets asked in a structured onboarding process that takes two hours, or whether it gets asked piecemeal over six months as problems surface and you scramble to understand an environment you should have documented from the start.
A complete intake also protects the business relationship. When the client says "I thought patching was included," you can point to the intake where service scope was defined. When a compliance auditor asks about your documentation process, you can show a structured intake that captures the regulatory landscape before the engagement begins. When a security incident occurs, you can demonstrate that you assessed the client's posture at onboarding and recommended the improvements they chose not to implement.
If you are managing IT for businesses that also need break-fix support documentation, the IT support intake guide covers the residential and small-business support angle — the client-facing troubleshooting and repair side of IT services. For consultants and MSPs operating at the strategic level, the intake documented here is what separates a professional engagement from a handshake and a hope.
If you are building documentation across a full professional services practice, the Professional Services Bundle includes IT consulting alongside 34 other professional service categories, each with industry-specific intake fields.