Financial Services IT Security Audit Checklist

Access Control & Identity

    Pull user lists from Schwab Advisor Center, Fidelity Wealthscape, Pershing NetX360, the CRM (Wealthbox / Redtail / Salesforce FSC), and the planning tool (eMoney / RightCapital). Reconcile against active-employee roster from HR. Common gotcha: associate advisor leaves the firm but the Schwab login is still active because nobody told ops.

    Confirm MFA is enforced (not just available) on email, custody portals, CRM, document management (NetDocuments / ShareFile), and the archiving console (Smarsh / Global Relay). SMS-only MFA is increasingly flagged in SEC exams — prefer authenticator apps or hardware keys for privileged users.

    For every termination in the audit period, confirm all access (email, custody, CRM, VPN, archiving, planning tools) was disabled within the firm's stated SLA — typically same-day for involuntary, end-of-day for voluntary. Also confirm Form U5 was filed within 30 days for any registered rep.

    Disable each identified account immediately, capture screenshots of the disablement, and write a short root-cause memo for the CCO file. If the gap exceeded the firm's deprovisioning SLA, this is a finding that goes into the remediation plan.
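As an added example (not part of this template), the user-list reconciliation and termination-SLA checks above can be scripted against the per-system admin exports and the HR roster. The sample exports, audit-log timestamps and the two-hour involuntary SLA are constructed assumptions; substitute the firm's own exports and written SLA.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real firm data. Each system's admin export
# maps to the set of logins present (enabled or disabled).
SYSTEM_USERS = {
    "Schwab Advisor Center": {"jdoe", "asmith", "rlee"},
    "Wealthbox CRM": {"jdoe", "asmith", "rlee", "svc-crm-sync"},
    "eMoney": {"jdoe", "asmith", "tnguyen"},
}
# HR roster: login -> (status, termination time, voluntary?).
HR_ROSTER = {
    "jdoe": ("active", None, None),
    "asmith": ("active", None, None),
    "rlee": ("terminated", datetime(2024, 3, 4, 9, 0), False),  # involuntary
}
# Disablement timestamps from each system's admin audit log. A missing key
# means the login has never been disabled.
DISABLED_AT = {
    ("Wealthbox CRM", "rlee"): datetime(2024, 3, 4, 16, 30),
}
SERVICE_ACCOUNTS = {"svc-crm-sync"}     # reviewed under the admin-account item
INVOLUNTARY_SLA = timedelta(hours=2)    # assumed firm SLA; adjust to policy

def sla_deadline(term_time, voluntary):
    """Voluntary: end of the termination day. Involuntary: term time + SLA."""
    if voluntary:
        return term_time.replace(hour=23, minute=59, second=59)
    return term_time + INVOLUNTARY_SLA

def reconcile(system_users, roster, disabled_at, service_accounts):
    """Return (orphans, breaches). Orphans are logins still enabled with no
    active HR record; breaches are disablements that missed the SLA."""
    orphans, breaches = [], []
    for system, users in system_users.items():
        for login in sorted(users - service_accounts):
            status, term_time, voluntary = roster.get(login, ("not in HR", None, None))
            if status == "active":
                continue
            when = disabled_at.get((system, login))
            if when is None:
                orphans.append((system, login, status))   # still enabled: finding
            elif status == "terminated":
                late_by = when - sla_deadline(term_time, voluntary)
                if late_by > timedelta(0):
                    breaches.append((system, login, late_by))
    return orphans, breaches

if __name__ == "__main__":
    orphans, breaches = reconcile(SYSTEM_USERS, HR_ROSTER, DISABLED_AT, SERVICE_ACCOUNTS)
    for system, login, status in orphans:
        print(f"ORPHAN  {system}: {login} ({status}) still enabled")
    for system, login, late_by in breaches:
        print(f"SLA     {system}: {login} disabled {late_by} after deadline")
```

Each orphan row is a screenshot-and-disable item for the CCO file; each breach row is a deprovisioning-SLA finding for the remediation plan.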

    List every domain admin, custody-portal admin, archiving-console admin, and service account. Confirm each has a named owner, last-rotated-date, and either JIT elevation or vaulted credentials. Shared admin passwords sitting in a OneNote are the classic finding here.

    Pull the standing letter of authorization log and confirm only authorized ops staff initiated wires. Cross-check against the call-back verification log: a wire-instruction change processed without verbal verification to a known number is the single most expensive control failure in this industry.

Data Protection & Privacy

    Confirm full-disk encryption on advisor laptops (BitLocker / FileVault), TLS 1.2+ on all client-facing portals, and at-rest encryption on the document repository. GLBA Safeguards Rule expects this; a lost laptop without FDE is a notifiable event in most states.

    Pick a sample client folder and a sample CRM record and actually restore them from backup to a sandbox. Untested backups fail at the worst time — the test result, including timestamp and integrity check, is the audit evidence.

    Review Microsoft Purview / Mimecast / Proofpoint DLP rules for SSN, account numbers, and DOB patterns. Send a test email containing a fake SSN to confirm the rule fires. Reg S-P expects reasonable safeguards against unauthorized NPI disclosure.
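Added example, not from this template or any DLP vendor: before sending the test email, it helps to state locally what the SSN and DOB pattern should and should not match. The sample email text is constructed; the structural SSN rules (no area 000, 666 or 900-999, no group 00, no serial 0000) are the SSA's issuance rules and are what keeps ticket and reference numbers from firing the rule.

```python
import re

# SSN as AAA-GG-SSSS with one consistent separator (dash or space).
# Requiring the separator avoids matching every nine-digit reference number.
SSN_RE = re.compile(r"\b(\d{3})([- ])(\d{2})\2(\d{4})\b")
# DOB: a birth keyword, then MM/DD/YYYY within a few characters.
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth|born)\b[^0-9]{0,20}"
    r"(?P<date>(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2})\b",
    re.IGNORECASE,
)

def is_valid_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def find_npi(text):
    """Return [(kind, matched_value)] for every SSN/DOB the rule should flag."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(m.group(1), m.group(3), m.group(4)):
            hits.append(("SSN", m.group(0)))
    for m in DOB_RE.finditer(text):
        hits.append(("DOB", m.group("date")))
    return hits

# Constructed test message: two real-looking SSNs, two structurally invalid
# numbers that a tuned rule must ignore, and one DOB.
SAMPLE_EMAIL = """Hi Pat, per our call: client SSN 123-45-6789, DOB: 04/12/1961.
Ticket 987-65-4321 is the helpdesk ref, and 000-12-3456 is a placeholder.
Wire confirmation #555 66 7777 posted."""

if __name__ == "__main__":
    for kind, value in find_npi(SAMPLE_EMAIL):
        print(f"{kind}: {value}")
```

If the vendor rule fires on the two invalid numbers as well, expect noisy alerts and a rule that ops learns to ignore; if it misses the spaced form, the test email should use that variant too.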

    Sample 10 client folders in NetDocuments / ShareFile / Box. Confirm sensitivity labels are applied, external-share permissions are scoped, and there are no public links sitting on KYC documents.

    Walk the FACT Act / Reg S-ID program: detection of red flags (address changes, unusual activity), response procedure, and annual board-or-equivalent report. Confirm the most recent annual report exists and was reviewed.

Network & Endpoint Security

    Export the perimeter firewall ruleset and walk any-any rules with the IT lead. Run an external scan (Tenable, Rapid7, or even a clean Shodan check) to confirm no unexpected RDP, SMB, or admin consoles are exposed.

    Reconcile the EDR console (CrowdStrike / SentinelOne / Defender for Endpoint) against the asset inventory. Every laptop issued to an advisor or IAR — including remote/home setups — must be enrolled and reporting within the last 7 days.

    From a general-staff workstation, attempt to reach the trading workstation VLAN, the rebalancer host (iRebal / Eclipse), and the financial planning server. The reachability matrix should match the documented segmentation policy.

    Confirm WPA2-Enterprise or WPA3 on the staff SSID, separate guest SSID with no LAN access, and no rogue APs. For bank branches, also confirm teller-line wireless is on its own VLAN.

    Verify the VPN or ZTNA solution requires MFA, posture-checks the endpoint (EDR running, OS patched, FDE on), and logs every session. Hybrid advisors working from home are the most common exam-flagged remote-access gap.

Incident Response & Communications

    Confirm the IR plan names the IR lead, CCO, outside counsel, cyber insurance broker, forensic IR retainer (Mandiant / CrowdStrike Services / Kroll), and the breach-notification counsel. Pull the last tabletop after-action report — if there hasn't been one in 12 months, that's a finding.

    Sample reps' personal-device messaging. Confirm Smarsh / Global Relay / MyRepChat is capturing texts and that no rep is using personal Gmail or unmonitored WhatsApp for client comms. The SEC's 2022-2024 enforcement sweep against off-channel comms produced over $2B in fines — this is the highest-leverage cyber-adjacent control to verify.

    Walk a hypothetical NPI breach through the new Reg S-P amendments (30-day notification to affected individuals) plus the strictest applicable state law. Confirm the playbook hits every required addressee and timeline; SEC adopted these tighter timelines in 2024 with a 2025-2026 compliance date.

    Pull the current cyber policy declarations page. Confirm coverage limits, retention, panel-counsel requirements, and the 24/7 incident hotline are accurate and accessible to the IR lead. Many policies require notice within 72 hours of discovery — missing that voids coverage.

    List every reportable security event since the last audit — phishing-related credential compromise, lost device, unauthorized access attempt, third-party vendor breach affecting client NPI. For each, confirm the IR file is complete and RCA was closed.

    For each notification-triggering incident, pull the notification letters and timestamps. Confirm delivery within Reg S-P's 30-day window and within any stricter state-law window (e.g., New York DFS 72-hour superintendent notice). Late notifications are a separate finding from the underlying incident.

Compliance & Audit Reporting

    Update the control-to-regulation matrix. Each Reg S-P safeguard, GLBA Safeguards Rule element, and (where applicable) NY DFS 23 NYCRR 500 requirement should map to at least one tested control above. Gaps go straight to the remediation plan.

    Confirm the archive vendor's WORM / audit-trail attestation is current and that the retention policy meets Rule 17a-4 (BD) or Rule 204-2 (RIA). The 2022 amendments allow an audit-trail alternative to WORM — confirm which mode you're operating in and that it's documented.

    Pull SOC 2 Type II reports for custodian, CRM, planning, archiving, and managed-IT vendors. Confirm each is current (within 12 months) and that any noted exceptions have firm-side compensating controls. The CCO owns this file.

    Aggregate every finding from the prior sections. Tag each as Low, Medium, or High by likelihood-times-impact. High-severity findings — anything touching client NPI exposure, unmonitored privileged access, or missed regulatory notification — drive a remediation plan with named owner and date.

    For every High finding, write a single-page remediation entry: control gap, owner, target close date (default 30 days unless lower-risk justifies more), and verification method. The CCO reviews this before the audit report is finalized.

    The CCO signs the final audit report. The signed report, the findings summary, and the remediation plan are filed in the compliance folder and retained per Rule 204-2 / 17a-4. This file is the first thing exam staff ask for.
