
Case Study: How an Accounting Firm Prepared for ISO 27001 Internal Audit

For accounting firms, ISO 27001 internal audit is not just a compliance step. It is a chance to prove that client data is protected by controls that actually work.

Quick Snapshot

Case Study Area | What the Firm Focused On
--- | ---
Business Context | A mid-sized accounting firm prepared for ISO 27001 internal audit before busy season.
Main Risks | Client data access, vendor oversight, SharePoint permissions, offboarding, incident readiness, and evidence gaps.
Audit Prep Focus | Scope, risk register, access reviews, vendor reviews, policies, evidence packs, and management review.
Key Outcome | Internal audit became a structured readiness exercise instead of a last-minute evidence scramble.
Main Lesson | Accounting firms need proof, not just good intentions, to show client data is protected.

Introduction

Accounting firms handle very sensitive client information.

That can include:

  • tax records
  • payroll files
  • financial statements
  • audit working papers
  • bank details
  • client portal documents
  • employee records

This makes ISO 27001 a strong fit.

But internal audit can feel hard for accounting firms. The team already has client deadlines, seasonal pressure, partner reviews, and limited security time.

This case study shows how a fictional accounting firm prepared for ISO 27001 internal audit. The firm is fictional, but the lessons are based on common patterns we see in real accounting firms.

Meet the Firm

Let’s call the firm NorthBridge Accounting LLP.

NorthBridge is a mid-sized accounting firm. It provides:

  • tax preparation
  • bookkeeping
  • payroll support
  • audit support
  • outsourced controllership
  • financial reporting
  • advisory services

The firm uses Microsoft 365, SharePoint, Teams, cloud accounting tools, payroll platforms, client portals, e-signature tools, endpoint protection, and managed IT support.

The partners decided to pursue ISO 27001 because larger clients were asking harder security questions.

Clients wanted proof that their financial, payroll, and tax data was protected.

What Clients Wanted to Know

Clients were asking practical questions:

  • Who can access our tax files?
  • How are payroll records protected?
  • Are client folders reviewed?
  • What happens when staff leave?
  • How are vendors assessed?
  • Do you test incident response?
  • Can you prove your controls are working?

NorthBridge had many controls in place. But the firm had not tested whether those controls were ready for ISO 27001 internal audit.

The Starting Point

NorthBridge was not starting from zero.

The firm already had:

  • MFA on Microsoft 365
  • basic endpoint protection
  • a managed IT provider
  • client portals
  • SharePoint document libraries
  • employee onboarding and offboarding checklists
  • backup services
  • some security policies
  • a basic incident response plan

On the surface, this looked good.

But internal audit preparation showed a different picture. The firm had controls, but the evidence was scattered.

Initial Readiness Area | What the Firm Found
--- | ---
Access Control | Some client folders had old staff, broad groups, or unclear owners.
SharePoint | Sensitive sites existed, but not all had access review evidence.
Vendor Management | Key vendors were known, but risk ratings and review decisions were incomplete.
Policies | Some policies had missing approval and review dates.
Risk Register | Risks were discussed, but not owned or tracked well.
Evidence | Proof was spread across email, SharePoint, tickets, and screenshots.

The problem was not a lack of security. The problem was weak proof.

Why Internal Audit Mattered

NorthBridge did not treat internal audit as a box-checking exercise.

The firm used it as a rehearsal before external certification and client security reviews.

The firm wanted to know:

  • Are controls designed well?
  • Are controls actually working?
  • Can owners explain their duties?
  • Can evidence be found quickly?
  • Are risks reviewed and treated?
  • Are policies approved and current?
  • Are corrective actions tracked?

The goal was not perfection. The goal was to find weak evidence before customers or external auditors did.

Workstream 1: Confirming ISO 27001 Scope

The first step was scope.

At first, NorthBridge wanted to include almost everything. That would have made the audit harder than needed.

Instead, the firm focused the ISMS scope on systems and processes that supported client service delivery and sensitive client data handling.

Included in Scope | Why It Was Included
--- | ---
Microsoft 365 and Entra ID | Identity, email, documents, Teams, and access control.
SharePoint client libraries | Storage of client files and audit evidence.
Client portal | Secure document exchange.
Payroll platform | Sensitive employee and client payroll information.
Tax software | Client tax data.
Managed IT provider | Supports infrastructure and security operations.

Some low-risk internal tools were left out of the first scope. The firm documented why they were excluded. It also planned to revisit them later.

Right-sized scope kept the internal audit focused, clear, and manageable.

Workstream 2: Cleaning Up Access Control

Access control became the highest-priority workstream.

This made sense. Accounting firms hold sensitive client financial data. If access is too broad, old, or undocumented, trust breaks quickly.

NorthBridge reviewed access across:

  • Microsoft 365
  • Entra ID
  • SharePoint
  • Teams
  • client portals
  • tax software
  • payroll systems
  • shared mailboxes and vendor accounts

Access Review Question | Why It Mattered
--- | ---
Who has access to client folders? | Client data must be limited to authorized staff.
Are former employees removed? | Offboarding must be complete and provable.
Are seasonal users disabled? | Temporary access can create hidden risk.
Are privileged roles justified? | Admin access must be limited.
Are access changes documented? | Audit evidence needs a decision trail.

What Changed

  • Inactive users were removed.
  • Broad SharePoint groups were reduced.
  • Sensitive client libraries received owners.
  • Privileged Entra ID roles were reviewed.
  • Exceptions were documented.
  • Offboarding evidence was improved.
  • Quarterly access reviews were scheduled.

Evidence Created

Evidence | Purpose
--- | ---
Access review export | Shows who was reviewed.
Review sign-off | Shows the review was completed.
Removal list | Shows unnecessary access was removed.
Exception list | Shows known access exceptions.
Offboarding sample | Shows access was removed when staff left.

Internal audit lesson: It was not enough to say “only authorized staff have access.” The firm needed evidence.
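As an added example (not NorthBridge's or Canadian Cyber's own script), the Microsoft Graph PowerShell script below produces the kind of access review export listed above: every Entra ID user with last sign-in date, with guest accounts and long-inactive accounts flagged, and blank columns for the reviewer's Keep/Remove/Exception decision. It assumes the Microsoft.Graph SDK is installed, an admin can consent to the two scopes, and a 90-day inactivity threshold; the period label is a placeholder.

```powershell
# Added example: build the "access review export" evidence artifact for an
# Entra ID tenant with the Microsoft Graph PowerShell SDK. Not NorthBridge's
# or Canadian Cyber's own script. Assumes the Microsoft.Graph module is
# installed and the signed-in admin can consent to the two scopes below.
param(
    [int]$InactiveDays = 90,        # assumption: 90 days counts as inactive
    [string]$Period = "YYYY-QN"     # placeholder: set to the review period
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# signInActivity is only returned when requested explicitly and needs AuditLog.Read.All.
$users = Get-MgUser -All -Property @(
    "id", "displayName", "userPrincipalName", "userType",
    "accountEnabled", "createdDateTime", "signInActivity"
)

$rows = foreach ($u in $users) {
    $lastSignIn = $u.SignInActivity.LastSignInDateTime
    # Flag the cases the case study's findings call out: guest accounts, and
    # enabled accounts with no recent sign-in (former or seasonal staff).
    $flags = @()
    if ($u.UserType -eq "Guest") { $flags += "Guest" }
    if ($u.AccountEnabled -and (-not $lastSignIn -or $lastSignIn -lt $cutoff)) {
        $flags += "NoSignIn$($InactiveDays)d"
    }
    [pscustomobject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        UserType          = $u.UserType
        Enabled           = $u.AccountEnabled
        Created           = $u.CreatedDateTime
        LastSignIn        = $lastSignIn
        Flags             = ($flags -join ";")
        ReviewerDecision  = ""   # Keep / Remove / Exception, filled in by the owner
        ReviewerName      = ""
        ReviewDate        = ""
    }
}

# File name follows the evidence naming pattern used in the case study.
$out = "AccessReview-EntraUsers-$Period.csv"
$rows | Sort-Object Flags -Descending | Export-Csv -Path $out -NoTypeInformation
$flagged = @($rows | Where-Object { $_.Flags }).Count
Write-Host "Exported $(@($rows).Count) users to $out; $flagged flagged for reviewer decision."

Disconnect-MgGraph
```

The filled-in CSV, the removal ticket references and a dated sign-off together form the access review evidence pack; the export alone only shows who was in scope.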

Workstream 3: Building a Usable Risk Register

NorthBridge had discussed risks before.

But those discussions were spread across partner meetings, IT emails, client concerns, and informal notes.

For ISO 27001, the firm needed a structured risk register.

Risk Register Field | Purpose
--- | ---
Risk ID | Tracks each risk clearly.
Risk Description | Explains what could go wrong.
Risk Owner | Assigns accountability.
Treatment Decision | Shows whether the risk will be mitigated, accepted, transferred, or avoided.
Evidence Link | Connects treatment to proof.

Example Risks

Risk | Treatment
--- | ---
Former staff retain access to client files. | Run quarterly access reviews and improve offboarding.
Client data is overshared through SharePoint links. | Restrict external sharing and review site owners.
Vendor outage affects payroll delivery. | Review critical vendors and document continuity plans.
Incident response process is untested. | Run a tabletop exercise and capture actions.

The risk register helped the firm move from vague concern to clear action.

Workstream 4: Reviewing Vendors and Sub-Processors

Accounting firms rely on vendors.

NorthBridge used vendors for:

  • Microsoft 365
  • payroll software
  • tax software
  • client portals
  • e-signatures
  • managed IT
  • backup services
  • security tools

Before the internal audit, vendor information existed. But it was incomplete.

Vendor Review Area | What the Firm Checked
--- | ---
Data Handled | Does the vendor process client financial, payroll, tax, or employee data?
Criticality | Would service failure disrupt client delivery?
Assurance | Does the vendor have SOC 2, ISO 27001, or similar assurance?
Access | Can vendor support access firm or client data?
Review Date | When will the vendor be reviewed again?

What Changed

NorthBridge created a vendor register. It reviewed high-risk vendors first.

The firm did not try to review every small supplier at the same depth. It focused on vendors that touched sensitive client data or supported critical service delivery.

Evidence included:

  • vendor register
  • critical vendor list
  • SOC 2 or ISO report review notes
  • risk rating
  • approval decision
  • contract or DPA location
  • next review date

Internal audit lesson: Vendor governance is not about collecting PDFs. It is about showing clear decisions.

Workstream 5: Organizing Policies and Approvals

NorthBridge had policies. But some were outdated. Some had no approval date. Some did not match current operations.

For internal audit, the firm needed a controlled policy library.

Policy | Audit Focus
--- | ---
Information Security Policy | Leadership commitment and security direction.
Access Control Policy | MFA, permissions, access reviews, and offboarding.
Supplier Security Policy | Vendor review and approval requirements.
Incident Response Plan | Detection, escalation, response, and lessons learned.
Backup and Recovery Procedure | Backup coverage and restore testing.
Data Classification Policy | Handling of client and internal data.

What Changed

  • Policies were centralized in SharePoint.
  • Policy owners were assigned.
  • Approval dates were added.
  • Review dates were added.
  • Old versions were archived.
  • Leadership approval was captured.

A policy library is not audit-ready just because documents exist. It needs ownership, approval, and version control.

Workstream 6: Preparing Evidence Packs

Evidence was the biggest practical issue.

The firm had useful proof, but it was scattered across tickets, emails, SharePoint, vendor portals, screenshots, and managed IT records.

NorthBridge created evidence packs to make internal audit easier.

Evidence Pack | What It Included
--- | ---
Access Reviews | User exports, review notes, removals, and exceptions.
Vendor Reviews | Vendor register, risk ratings, and assurance notes.
Risk Management | Risk register, treatment actions, and review notes.
Policies | Approved policies, review dates, and owner list.
Incident Response | IR plan, tabletop exercise, and incident log.
Management Review | Meeting pack, minutes, actions, and decisions.

Evidence naming examples:

AccessReview-ClientFolders-2026-Q1.pdf
VendorReview-CriticalVendors-2026-Q1.xlsx
RestoreTest-FileRecovery-2026-02.pdf
ManagementReview-ISMS-2026-Q1-Minutes.docx

Workstream 7: Running a Mock Internal Audit Interview

Before the formal internal audit, NorthBridge ran a short mock interview session.

The session included:

  • IT lead
  • operations manager
  • partner sponsor
  • HR representative
  • managed IT provider
  • client services lead
  • ISMS owner

The goal was simple. Could each person explain their controls and produce evidence?

Control Area | Mock Interview Question
--- | ---
Access Control | How do you know former employees are removed from all systems?
SharePoint | Who reviews client folder permissions?
Vendors | Which vendors are critical, and when were they reviewed?
Incidents | What would staff do if a client file was sent to the wrong person?
Backups | When was the last restore test completed?

What the Mock Session Found

Some answers were strong. Others were too vague.

Before | After
--- | ---
“We review access when needed.” | “Access reviews are completed quarterly and recorded here.”
“Our vendor is secure.” | “The vendor was reviewed, risk-rated, approved, and scheduled for annual review.”
“We have backups.” | “We tested restore on this date and documented the result.”
“Leadership discusses security.” | “Management review minutes show decisions, actions, and owners.”

Control owners do not need perfect scripts. They need clear answers and easy access to evidence.

Workstream 8: Running Management Review Before Internal Audit

NorthBridge completed management review before finalizing the internal audit.

This helped show leadership involvement.

Management Review Input | What Was Reviewed
--- | ---
Risk Register | Top risks and treatment status.
Access Reviews | Removals, exceptions, and overdue reviews.
Vendor Reviews | Critical vendors and open issues.
Incident Readiness | Tabletop result and action items.
Resource Needs | Tools, consulting, staff time, and process support.

Management review should not be a passive update. It should show decisions.

The Internal Audit Findings

The internal audit did find issues. That was expected.

A good internal audit should find gaps before the certification auditor or customer does.

Finding | Priority | Corrective Action
--- | --- | ---
Guest users were not reviewed consistently. | High | Create a quarterly guest access review.
Some vendor reviews lacked approval decisions. | Medium | Add approval field and review owner.
SharePoint site ownership was unclear for some libraries. | High | Assign site owners and review permissions.
Backup restore test evidence was incomplete. | High | Repeat restore test with full documentation.
Policy review dates were inconsistent. | Medium | Add metadata and review workflow.

These findings were not a failure. They gave the firm a corrective action plan.

Each finding had an owner, due date, corrective action, evidence need, and closure review.

Results After the Preparation

NorthBridge was much better prepared after the internal audit process.

Before | After
--- | ---
Evidence scattered across tools. | Evidence organized by control area.
Access reviews were informal. | Access reviews were documented and scheduled.
Vendor list was incomplete. | Critical vendors were risk-rated and reviewed.
Policies were inconsistent. | Policies were approved, owned, and version-controlled.
Leadership discussions were undocumented. | Management review minutes captured decisions.

The firm did not become perfect. It became audit-ready in a practical way.

Lessons for Other Accounting Firms

Lesson | Why It Matters
--- | ---
Start with client data access. | Client folders, portals, payroll tools, tax systems, and Teams sites can all create access risk.
Give SharePoint clear ownership. | Every sensitive site should have an owner, access review, and sharing rules.
Vendor reviews need decisions. | Collecting a SOC 2 report is not enough.
Collect evidence as work happens. | Evidence gathered months later is weaker.
Use internal audit to improve. | The goal is not to hide gaps. The goal is to find and fix them early.

Common Mistakes to Avoid

  • Mistake 1: Treating internal audit like paperwork. Internal audit should test whether controls operate.
  • Mistake 2: Leaving partners out of the process. Leadership must approve decisions and support corrective actions.
  • Mistake 3: Ignoring seasonal access. Temporary staff need start dates, end dates, approvals, and removal evidence.
  • Mistake 4: Forgetting client portals. Client portals may hold tax files, payroll records, and signed documents.
  • Mistake 5: Not testing incident response. A plan that has never been tested is weak evidence.
  • Mistake 6: Reviewing vendors too late. Vendor gaps take time to fix.
  • Mistake 7: Closing findings without proof. A corrective action is not closed until evidence shows the fix worked.

What Good Looks Like

An accounting firm is well prepared for ISO 27001 internal audit when it can show:

  • clear ISMS scope
  • approved policies
  • active risk register
  • client data access reviews
  • SharePoint permission reviews
  • vendor risk decisions
  • incident response testing
  • backup restore evidence
  • management review minutes
  • corrective action tracking

The firm does not need to look like a large bank. It needs to show that information security is managed, reviewed, evidenced, and improved.

Canadian Cyber’s Take

At Canadian Cyber, we often see accounting firms with good security intentions but weak audit evidence.

They care about client confidentiality. They use modern tools. They have managed IT support. They want to protect sensitive records.

But ISO 27001 internal audit requires more than trust.

It requires proof.

The strongest accounting firms prepare by focusing on the areas that matter most: client data access, SharePoint permissions, vendor risk, incident readiness, backups, policies, risk treatment, and management review.

Internal audit should not be feared. It should be used as a rehearsal.

Takeaway

For accounting firms, ISO 27001 internal audit is a practical trust exercise.

It helps prove that client data is protected, access is reviewed, vendors are governed, incidents are prepared for, and leadership is involved.

The best preparation starts with scope, ownership, access reviews, vendor reviews, risk register cleanup, evidence packs, management review, and mock interviews.

The goal is not to pass an audit by luck. The goal is to build an ISMS the firm can actually operate.

That is what clients, auditors, and partners need to see.

How Canadian Cyber Can Help

Canadian Cyber helps accounting firms prepare for ISO 27001 internal audits and certification readiness.

  • ISO 27001 internal audit preparation
  • ISMS scope definition
  • risk register setup and review
  • SharePoint ISMS workspace setup
  • client data access reviews
  • Microsoft 365 and Entra ID reviews
  • vendor risk reviews
  • policy review and approval workflows
  • incident tabletop exercises
  • backup and restore evidence reviews
  • management review preparation
  • corrective action tracking
  • vCISO support for accounting firms
