Midyear Reality Check: The System Drift You Can't See (Especially with Client Data on the Line)
You've carried your firm through deadlines, clients, and high-stakes work
without missing a step.
But your systems didn't stand still while you were doing that.
Access was granted quickly. Tools were added when needed. Vendors stepped
in to help.
None of that was wrong.
What's risky is what didn't happen afterward.
Almost no one goes back and asks:
"Is this still correct today?"
That's where drift happens.
And in firms handling confidential client data, drift isn't just
inefficiency. It's exposure.
What a Clean System Actually Looks Like
When your systems are aligned, everything feels predictable.
Not simple—predictable.
You can answer, immediately:
- Who has access
- What each
system does
- Where your data
flows
- Who owns each
system
And you can prove those answers if anyone asks.
That's what control looks like.
Run This Audit in 60 Minutes (Exactly How)
Here's how this gets done in the real world.
Step 1: Export user lists Pull directly from:
- Microsoft 365
admin center (user export)
- Practice or
case management system
- Billing or
accounting system
Combine into one spreadsheet.
Step 2: Compare against your staff list Flag anything that doesn't match:
- Former
employees
- Unknown users
- Duplicate
accounts
In most firms, this alone uncovers problems. It's common to find 10-20%
of accounts no longer aligned with reality.
Step 3: Check access and security controls Focus on:
- Admin-level
access (global admin, system admin)
- Access to
sensitive client data
- MFA
(multi-factor authentication) status
If MFA isn't enforced through your identity system, that's a priority
gap.
Step 4: Map your core systems List:
- Email and file
system (Microsoft 365)
- Document
management
- Case or
practice management
- Billing
Draw simple arrows for how data moves.
You're not building architecture diagrams—just clarity.
Step 5: Assign ownership
- One owner per
system
- One backup
- Vendor
involvement clearly defined
If ownership is shared, it's not owned.
Step 6: Validate backup reality
- Confirm backups
exist
- Confirm last
test (not setup)
- Confirm
recovery expectations
A practical cadence for most firms is quarterly testing. Without testing,
backups are just assumptions.
What Your Audit Spreadsheet Should Look Like
This is your single source of truth.
Columns: User | Role | System | Access Level | MFA | Owner | Flag
Example rows:
- Sarah L. |
Attorney | Microsoft 365 | Standard | Yes | IT | —
- Mark D. |
Former Employee | Microsoft 365 | Active | No | — | REMOVE
- Admin-Global |
System | Azure AD | Global Admin | No | IT Vendor | CRITICAL
- Jenna K. |
Paralegal | Document System | Full Access | Yes | Ops | REVIEW
- Contractor-Tmp
| External | CRM | Admin | No | Marketing | REMOVE
If this isn't easy to understand at a glance, it won't be useful when it
matters.
Where to Start If Everything Feels Messy
Don't spread effort evenly.
Focus where risk concentrates.
Tier 1: Identity systems
- Microsoft 365 /
Azure AD
- Admin roles
- MFA enforcement
Most real-world issues start here.
Tier 2: Client and financial systems
- Billing
- Case management
These directly impact client trust and revenue.
Tier 3: Everything else
- Marketing tools
- Operational
platforms
If You Only Fix Three Things, Start Here
If time is limited:
- Remove inactive
accounts immediately
- Reduce admin
access to the smallest necessary group
- Enforce MFA
across all users
Those three actions eliminate a significant portion of actual exposure.
What to Do With What You Find
This is where most audits stop short.
Here's how to act on it:
Inactive accounts
- Remove or
disable immediately
- Do not leave
"just in case" access
Over-permissioned users
- Reduce access
to role-based minimums
- Avoid removing
everything at once—step down access safely
Admin privileges
- Limit to a
small, named group
- Move others to
standard access
Ownership gaps
- Assign
ownership to someone already closest to the system (operations, finance,
or IT)
- Define one
person accountable—not a team
Speed matters here.
The longer you leave gaps in place, the more likely they become
normalized.
Where Firms Get Caught Off Guard
These don't show up until they matter:
- Shared logins
no one owns
- Vendor access
never revoked after projects end
- Old
integrations still moving data in the background
- "Temporary"
permissions that were never removed
These are rarely documented—and that's why they get missed.
Where This Usually Breaks (Real Example)
We worked with a mid-sized legal firm—about 30 people—that initiated an
audit after struggling with a cyber insurance renewal.
They couldn't answer basic access and control questions.
Inside one review, they found:
- 17 inactive
Microsoft 365 accounts still active
- Two core
systems with no assigned owner
- Backups that
had never been tested
What changed afterward:
- Access was
reduced and aligned to roles
- Ownership was
clearly assigned
- They were able
to confidently complete their insurance audit
Nothing had failed before.
But they moved from assumption to proof.
What Happens When This Goes Wrong
This doesn't start as a major incident.
It starts quietly.
An inactive account remains active
→ That account still has access to documents
→ A sensitive file is accessed or shared
→ A client questions confidentiality
At that moment, it's no longer a systems issue.
It's a reputation issue.
What This Drift Actually Costs
You see it in operations first:
- One hour of
downtime can disrupt multiple matters at once
- Attorneys lose
billable time waiting on access or clean data
- Reporting
becomes unreliable across systems
- Insurance
renewals become harder to justify
The cost builds slowly—until it suddenly doesn't feel small anymore.
What You Should Walk Away With
By the end of this, you should have two documents you can reuse every
quarter:
1. Midyear Systems Audit Checklist
- Verified access
- Permissions
validated
- Systems mapped
- Backup status
confirmed
2. System Ownership Tracker
- Every system
listed
- Primary and
backup owner assigned
- Vendor
responsibility defined
- Last review
date recorded
These aren't just notes.
They're how you prove control.
Your Next-Week Action
Start with Microsoft 365.
Export your user list and compare it to your current staff.
If you find one account that doesn't belong, keep going.
That's not an exception—it's a pattern.
The Goal Isn't Perfection. It's Control
You've already built a firm your clients trust.
This is about making sure your systems support that—quietly and
consistently.
Schedule your 10 minute discovery call to walk through your access and
ownership structure. It will help you confirm whether these gaps exist in your
environment and what needs attention first. 911 IT can give you a clear answer
so you know exactly where you stand.
