Midyear Reality Check for Professional Services Firms: What Changed in Your Systems Since January?
If you're responsible for operations, compliance, or uptime in a legal,
finance, or professional services firm, this is the time of year when risk
becomes hardest to see.
Not because something broke.
But because everything kept working—while quietly drifting.
New hires needed access fast. Vendors were added. Tools were layered in
to solve immediate problems. Permissions expanded. Integrations were set up
quickly to keep things moving.
And almost none of it was revisited.
By July, most firms are no longer operating on what's true. They're
operating on what they assume is still true.
That's where risk builds.
The Only Framework That Matters
Everything comes back to this:
Control = Access + Ownership + Recovery
If you can't answer these three things immediately, you don't have
control:
- Access — Who can get
into each system right now
- Ownership — Who is
accountable for each system
- Recovery — What happens
if something fails today
This is not a technical test. It's a leadership test.
How to Run This in 30 Minutes (Exact Execution)
Do this as a working session with your operations lead, finance lead, and
whoever touches your systems.
Step 1: Export user lists from your core systems
Pull reports from:
- Microsoft 365
- Your CRM
(HubSpot or Salesforce)
- QuickBooks or
your finance system
- Asana or Monday
When you export, include these columns:
- User name
- Role or
permission level
- Admin status
- Last login or
last activity
Do not overthink the report. Get the data out.
Step 2: Match against your real team
Put that list next to:
- Your current
employee list
- Active vendors
with approved access
Now scan line by line.
You are looking for:
- People who no
longer work there
- Vendors nobody
remembers approving
- Employees who
kept access from old roles
- Shared logins
with no owner
Step 3: Filter for highest-risk issues
Don't review everything equally. Go in this order:
- Admin accounts
- Inactive users
- Shared logins
- Unknown
integrations
- Systems with no
clear owner
If you try to audit everything at the same depth, you will miss the real
risk.
Step 4: Categorize every issue
Use three buckets:
- Fix now — inactive
users, shared logins in sensitive systems, unknown admins
- Fix this week — role
cleanup, vendor access review, ownership gaps
- Monitor — low-risk,
read-only, clearly justified accounts
This keeps the session focused and actionable.
Step 5: Assign ownership immediately
For every system, write down:
- Primary owner
- Backup owner
- Who acts first
if it goes down
If you can't assign this in the meeting, that system does not have
control.
The Audit Table to Use Internally
Use this exactly as-is:
|
System |
User List Pulled |
Admins Reviewed |
Inactive Users |
Shared Logins |
Owner Assigned |
Recovery Owner |
Action Due |
|
Microsoft 365 |
|||||||
|
CRM |
|||||||
|
QuickBooks |
|||||||
|
Asana / Monday |
If parts of this table stay blank, that's your exposure.
A Real Example: What Happens in Microsoft 365
A firm pulls a user export with roles and last login.
They sort by "admin" and "last activity."
They expect to see a clean list of current staff.
Instead, they find:
- Former
employees still active
- Admin access
granted to people who no longer need it
- Accounts that
haven't logged in for months
At first, it looks like housekeeping.
But then they realize what those accounts can access:
- Client
documents
- Email
- Shared drives
- Internal
communication
The issue isn't the list.
It's how much access still exists without anyone actively managing it.
Fixing it takes hours.
Finding it usually takes months—unless you look directly.
The Top 5 Issues to Look For
If you only focus on one section, make it this.
1. Any inactive user in a core system
If someone is no longer involved and still has access, fix it immediately.
2. More than 3-5 admin accounts
If you cannot explain why each admin exists, you have too many.
3. Shared logins still in use
No accountability. No audit trail. High risk.
4. Integrations nobody owns
If systems are connected and no one owns them, reporting and security both
degrade.
5. No named system owner
If ownership is unclear, maintenance is inconsistent and risk compounds.
What an External Auditor Would Say
An external auditor or board member does not care how modern your tools
are.
They care about clarity.
They will ask:
- Who has access
right now?
- Who owns each
system?
- What happens if
one fails today?
If those answers are delayed or debated, the conclusion is immediate:
You are operating on assumption.
And assumption fails under pressure.
What To Do After the Audit
This is where most firms stop.
You cannot.
Days 1-2: Remove immediate risk
- Disable
inactive users
- Eliminate
shared logins where possible
- Reduce
unnecessary admin access
Days 3-5: Fix ownership
- Assign one
accountable owner per system
- Assign a backup
owner
- Define who
approves access going forward
Days 5-7: Lock down recovery clarity
- Identify who
leads response for each system
- Define the
first action and escalation path
- Make sure
leadership knows exactly where this lives
Now you don't just have visibility.
You have control.
What To Do Next Week
Block 30 minutes with your leadership or operations team.
Run the audit exactly as outlined. Complete the table. Do not try to fix
everything in the meeting.
Just identify:
- Where access is
unclear
- Where ownership
is missing
- Where recovery
is assumed
That becomes your real risk map for the second half of the year.
Take the Next Step
Schedule your 10 minute discovery call with 911 IT and bring your audit
results. You'll walk through access, ownership, and recovery together and get a
clear answer on where your systems are controlled versus where they're still
operating on assumption.
