A trade secret audit answers the question every misappropriation case eventually poses: what, exactly, are your trade secrets, and how are they protected? A company that cannot answer cannot protect its secrets consistently, cannot plead them with particularity when it sues, and cannot show a court the "reasonable measures" that the Defend Trade Secrets Act (18 U.S.C. § 1839(3)) and the Uniform Trade Secrets Act require. The audit is where a protection program is tested, refreshed, and documented.
This checklist is the operational counterpart to the "Building a trade secret protection program" checklist; run the audit at least annually and after every major change. For the doctrine, see "Protection of trade secrets" and "Building a trade secret protection program from scratch."
A framing note: many companies find that calling the exercise an "assessment" rather than an "audit" earns more candid cooperation from the engineers and salespeople who actually know where the secrets live. Whatever you call it, do it honestly — a self-serving audit that inflates the portfolio undermines the very claim it is meant to support.
Phase 1: Scope and govern the audit
- Assign a named owner and a fixed review cadence (annually, plus triggers: fundraise, M&A, reorganization, system migration, shift to remote work).
- Decide whether to conduct the audit under privilege, with counsel directing the work, so candid findings about gaps are protected.
- Identify the business units to survey — R&D, engineering, sales operations, finance, manufacturing, IT — because no central team knows the full portfolio.
- Score where the program sits on a maturity model: Level 0 (no policy or governance) through Level 3 (formal, documented, managed processes that people actually follow). A startup need not reach the top; it needs to get off the bottom.
Why this matters. Trade secret status is judged at the moment of dispute, against the company's actual practices. A governed, recurring audit produces contemporaneous evidence that the company managed its secrets deliberately — and surfaces gaps before a competitor or a litigation adversary does.
Phase 2: Inventory the crown jewels
- List technical secrets: formulas, processes, methods, source code, algorithms, architectures, training data, and negative know-how (the failed approaches that save a rival the same dead ends).
- List business secrets: curated customer lists with non-public preferences and contacts, pricing and cost structures, strategic plans, supplier terms.
- For each item, record: what it is; where it lives (systems, repositories, file shares, cloud buckets); who is authorized to touch it; why it has value; and what protects it (access controls, encryption, markings, contracts).
- Tier each item by sensitivity so the loss of core process documentation triggers more urgent attention than a stale prospect list.
- Rigorously exclude information that is generally known, readily ascertainable, or lacking real value — over-inclusion dilutes the inventory and suggests nothing was truly treated as secret.
Why this matters. The "what protects it" column is, quite literally, the documentation of the reasonable measures the company will point to in court. And a current inventory is what lets the company answer, within hours of a breach or departure, the question "were the crown jewels touched?" A stale inventory points investigators at the wrong servers.
Common mistakes. Building the inventory once and letting it rot; cataloging secrets the way a privacy data map catalogs personal data, by regulatory category (a crown-jewels inventory catalogs value, not regulatory category); and omitting negative know-how, which is often the most valuable and least obvious asset.
Phase 3: Verify the measures protecting each item
- Confirm physical controls: locked storage, access-controlled spaces, visitor logging, conspicuous marking.
- Confirm technical controls: least-privilege access, authentication (ideally MFA), encryption at rest and in transit, logging, and data-loss prevention.
- Run an access review for each crown jewel: who can reach it today, and does that match genuine business need? Tighten access that exceeds need.
- Hunt for access creep — the employee who rotated to a different role two years ago but never lost access. It is both a security gap and an evidentiary liability that undermines the "need to know" story.
- Confirm contractual coverage: every employee and contractor with access has a confidentiality and invention-assignment agreement; every third party with access is under an NDA.
- Verify the Section 1833(b) whistleblower-immunity notice appears in those agreements (entered or amended after May 11, 2016).
Why this matters. Access creep and undisclosed personal-device storage are the classic failures that defeat secrecy even with no thief in sight; Yellowfin Yachts, Inc. v. Barker Boatworks, LLC, 898 F.3d 1279 (11th Cir. 2018), and DM Trans, LLC v. Scott, 38 F.4th 608 (7th Cir. 2022), both turned on the gap between what the policy said and what the company actually did. The absence of NDAs "often dooms trade secret claims," as Abrasic 90 Inc. v. Weldcote Metals, Inc., 364 F. Supp. 3d 888 (N.D. Ill. 2019), put it.
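The access review and access-creep hunt in Phase 3 can be run mechanically once the Phase 2 inventory exists. The following is an added example, not part of the original checklist: it joins inventory records (location, tier, authorized roles) against exported access grants and an HR directory, and flags creep, retained access after departure, unknown identities, and missing agreements. All names, paths, roles and the data layout are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Secret(NamedTuple):
    name: str
    tier: int                    # 1 = most sensitive
    location: str                # system, repository or share where it lives
    authorized_roles: frozenset  # roles with a genuine business need

class Person(NamedTuple):
    role: str                # current role per HR
    active: bool
    agreement_on_file: bool  # confidentiality agreement or NDA

# Constructed sample data; every name and path here is hypothetical.
INVENTORY = [
    Secret("Coating process spec", 1, "git:process-docs", frozenset({"process-eng"})),
    Secret("Pricing model", 2, "share:/finance/pricing", frozenset({"finance", "sales-ops"})),
]
DIRECTORY = {
    "alice": Person("process-eng", True, True),
    "bob": Person("sales-ops", True, True),      # rotated out of process-eng
    "carol": Person("finance", False, True),     # departed
    "dave": Person("process-eng", True, False),  # contractor, no NDA on file
}
GRANTS = [  # (user, location) pairs as exported from each system's ACL
    ("alice", "git:process-docs"), ("bob", "git:process-docs"), ("dave", "git:process-docs"),
    ("bob", "share:/finance/pricing"), ("carol", "share:/finance/pricing"),
    ("svc-backup", "share:/finance/pricing"),
]

def access_review(inventory, directory, grants):
    """Return (tier, secret, user, finding) tuples, most sensitive first."""
    by_location = {s.location: s for s in inventory}
    findings = []
    for user, location in grants:
        secret, person = by_location.get(location), directory.get(user)
        if secret is None:
            continue  # grant is on a system holding no inventoried secret
        reasons = []
        if person is None:
            reasons.append("identity not in directory")
        elif not person.active:
            reasons.append("departed but access retained")
        else:
            if person.role not in secret.authorized_roles:
                reasons.append(f"access creep: current role {person.role!r} not authorized")
            if not person.agreement_on_file:
                reasons.append("no confidentiality agreement on file")
        findings += [(secret.tier, secret.name, user, r) for r in reasons]
    return sorted(findings)
```

Calling `access_review(INVENTORY, DIRECTORY, GRANTS)` on the sample data returns four findings, tier-1 items first; the output doubles as input to the Phase 5 remediation list.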
Phase 4: Value and prioritize
- Capture a rough value note for each secret (development cost in person-months, price premium sustained, licensing potential) — it supports the "independent economic value" element and seeds a damages theory.
- Prioritize protection ruthlessly: lavish controls on the few genuinely critical secrets, accept lighter controls on lower-value information, proportionate to the company's size.
- For secrets headed into licensing or M&A, consider a more rigorous discounted-cash-flow or market-based valuation.
Why this matters. The "independent economic value" element is, at bottom, a valuation question, and a company that can articulate what its secret is worth is answering an element of its own claim. WeRide Corp. v. Huang, 379 F. Supp. 3d 834 (N.D. Cal. 2019), shows how a concrete development-cost figure helps. Proportionate prioritization is also what courts expect from a smaller company — no court expects a two-year-old startup to run a security operations center, but it does expect the crown jewels to be protected.
Phase 5: Remediate and document
- Build a prioritized remediation list: missing NDAs, missing Section 1833(b) notices, over-broad access, unmarked sensitive files, unmanaged personal-device storage.
- Fix the cheap, high-impact items first (offer-letter and contractor-agreement language; access revocation; document marking; MFA).
- Update the inventory and the protection-measures record to reflect remediation.
- Preserve the audit work product (what triggered it, what was gathered, what it concluded) as the contemporaneous record of diligence.
- Calendar the next audit and the triggers that would accelerate it.
Why this matters. When an acquirer or investor runs IP diligence, a documented audit raises money on better terms and avoids the chain-of-title and protection gaps that derail deals. And the audit's own paper trail answers the defense bar's favorite argument — that the plaintiff slept on its rights or never really treated the information as secret.
Phase 6: Tailor the audit to the setting
The principles above apply everywhere, but three settings put distinctive strain on the reasonable-measures inquiry and deserve targeted attention during the audit.
- Startups: confirm the foundational, near-free documents are in place from day one — confidentiality agreements with the Section 1833(b) notice, invention assignments, a basic written policy — because their absence is the most common and most damaging gap in early-stage companies. Protect the most critical information with measures proportionate to size; no court expects a two-year-old company to run a security operations center.
- R&D environments: audit the line between the publishable general contribution and the protectable specific embodiment, and confirm the team draws it consciously and in advance. Flag the patent-versus-secret fork — disclosing a secret in a patent application the company files will, once published, destroy trade secret status as to that disclosure. Treat negative results (the dead ends) as secrets too.
- Manufacturing / the factory floor: confirm a visible process is compartmentalized so no single person sees the whole, that everyone with floor access (contractors included) is under a confidentiality obligation, and that suppliers who must understand part of a process are bound by confidentiality provisions and return or destroy materials when an engagement ends.
Why this matters. A startup that waits until it is "big enough" to think about trade secrets usually discovers the subject only after a departure has cost it something irreplaceable — and at that point the question is not how to protect the secret but whether a protectable secret ever legally existed. A process shared with a supplier under no confidentiality obligation may simply cease to be a secret (Farmers' Edge Inc. v. Farmobile, LLC, 970 F.3d 1027 (8th Cir. 2020)).
Common mistakes
- Auditing once and never refreshing, so the inventory misdescribes where secrets live.
- Claiming everything is a secret, which persuades a court nothing was treated as one.
- Skipping the access review, leaving access creep to undermine the need-to-know narrative.
- Failing to verify the Section 1833(b) notice, quietly forfeiting exemplary damages and fees.
- Running the audit with no privilege structure, so candid findings about weaknesses become a discovery gift to an adversary.
Primary authority
- DTSA, 18 U.S.C. § 1839(3) (definition and "reasonable measures"); § 1833(b) (whistleblower notice); § 1836(b) (civil cause of action and remedies).
- Uniform Trade Secrets Act § 1 (definition).
- Key cases: Yellowfin Yachts v. Barker Boatworks, 898 F.3d 1279 (11th Cir. 2018); DM Trans v. Scott, 38 F.4th 608 (7th Cir. 2022); Abrasic 90 v. Weldcote Metals, 364 F. Supp. 3d 888 (N.D. Ill. 2019); WeRide Corp. v. Huang, 379 F. Supp. 3d 834 (N.D. Cal. 2019).
This checklist is for general informational purposes only and does not constitute legal advice or create an attorney-client relationship. Trade secret law varies by jurisdiction and turns heavily on specific facts. Consult qualified counsel before acting.