Detectives investigating cybersecurity breach with keys, locked screens, tangled wires, and worried tech team in chaotic office.

Midyear Reality Check for Professional Services Firms: What Changed in Your Systems Since January?

July 06, 2026

Midyear Reality Check for Professional Services Firms: What Changed in Your Systems Since January?

If you're responsible for operations, compliance, or uptime in a legal, finance, or professional services firm, this is the time of year when risk becomes hardest to see.

Not because something broke.

But because everything kept working—while quietly drifting.

New hires needed access fast. Vendors were added. Tools were layered in to solve immediate problems. Permissions expanded. Integrations were set up quickly to keep things moving.

And almost none of it was revisited.

By July, most firms are no longer operating on what's true. They're operating on what they assume is still true.

That's where risk builds.

The Only Framework That Matters

Everything comes back to this:

Control = Access + Ownership + Recovery

If you can't answer these three things immediately, you don't have control:

  • Access — Who can get into each system right now
  • Ownership — Who is accountable for each system
  • Recovery — What happens if something fails today

This is not a technical test. It's a leadership test.

How to Run This in 30 Minutes (Exact Execution)

Do this as a working session with your operations lead, finance lead, and whoever touches your systems.

Step 1: Export user lists from your core systems

Pull reports from:

  • Microsoft 365
  • Your CRM (HubSpot or Salesforce)
  • QuickBooks or your finance system
  • Asana or Monday

When you export, include these columns:

  • User name
  • Role or permission level
  • Admin status
  • Last login or last activity

Do not overthink the report. Get the data out.

Step 2: Match against your real team

Put that list next to:

  • Your current employee list
  • Active vendors with approved access

Now scan line by line.

You are looking for:

  • People who no longer work there
  • Vendors nobody remembers approving
  • Employees who kept access from old roles
  • Shared logins with no owner

Step 3: Filter for highest-risk issues

Don't review everything equally. Go in this order:

  1. Admin accounts
  2. Inactive users
  3. Shared logins
  4. Unknown integrations
  5. Systems with no clear owner

If you try to audit everything at the same depth, you will miss the real risk.

Step 4: Categorize every issue

Use three buckets:

  • Fix now — inactive users, shared logins in sensitive systems, unknown admins
  • Fix this week — role cleanup, vendor access review, ownership gaps
  • Monitor — low-risk, read-only, clearly justified accounts

This keeps the session focused and actionable.

Step 5: Assign ownership immediately

For every system, write down:

  • Primary owner
  • Backup owner
  • Who acts first if it goes down

If you can't assign this in the meeting, that system does not have control.

The Audit Table to Use Internally

Use this exactly as-is:

System

User List Pulled

Admins Reviewed

Inactive Users

Shared Logins

Owner Assigned

Recovery Owner

Action Due

Microsoft 365

CRM

QuickBooks

Asana / Monday

If parts of this table stay blank, that's your exposure.

A Real Example: What Happens in Microsoft 365

A firm pulls a user export with roles and last login.

They sort by "admin" and "last activity."

They expect to see a clean list of current staff.

Instead, they find:

  • Former employees still active
  • Admin access granted to people who no longer need it
  • Accounts that haven't logged in for months

At first, it looks like housekeeping.

But then they realize what those accounts can access:

  • Client documents
  • Email
  • Shared drives
  • Internal communication

The issue isn't the list.

It's how much access still exists without anyone actively managing it.

Fixing it takes hours.

Finding it usually takes months—unless you look directly.

The Top 5 Issues to Look For

If you only focus on one section, make it this.

1. Any inactive user in a core system
If someone is no longer involved and still has access, fix it immediately.

2. More than 3-5 admin accounts
If you cannot explain why each admin exists, you have too many.

3. Shared logins still in use
No accountability. No audit trail. High risk.

4. Integrations nobody owns
If systems are connected and no one owns them, reporting and security both degrade.

5. No named system owner
If ownership is unclear, maintenance is inconsistent and risk compounds.

What an External Auditor Would Say

An external auditor or board member does not care how modern your tools are.

They care about clarity.

They will ask:

  • Who has access right now?
  • Who owns each system?
  • What happens if one fails today?

If those answers are delayed or debated, the conclusion is immediate:

You are operating on assumption.

And assumption fails under pressure.

What To Do After the Audit

This is where most firms stop.

You cannot.

Days 1-2: Remove immediate risk

  • Disable inactive users
  • Eliminate shared logins where possible
  • Reduce unnecessary admin access

Days 3-5: Fix ownership

  • Assign one accountable owner per system
  • Assign a backup owner
  • Define who approves access going forward

Days 5-7: Lock down recovery clarity

  • Identify who leads response for each system
  • Define the first action and escalation path
  • Make sure leadership knows exactly where this lives

Now you don't just have visibility.

You have control.

What To Do Next Week

Block 30 minutes with your leadership or operations team.

Run the audit exactly as outlined. Complete the table. Do not try to fix everything in the meeting.

Just identify:

  • Where access is unclear
  • Where ownership is missing
  • Where recovery is assumed

That becomes your real risk map for the second half of the year.

Take the Next Step

Schedule your 10 minute discovery call with 911 IT and bring your audit results. You'll walk through access, ownership, and recovery together and get a clear answer on where your systems are controlled versus where they're still operating on assumption.