Internal Audit • Client Data Protection • Case Files • ISO 27001 • Professional Services
Checklist: Internal Audit Controls for Confidential Client Data and Case Files
Confidential client data is the heart of every professional services firm. Internal audit should prove that client files are protected, access is reviewed, vendors are controlled, and evidence is ready.
Quick Snapshot
| Audit Area | What to Check |
|---|---|
| Client Data Scope | Where client data is stored, shared, archived, and backed up. |
| Access Control | Who can access client files, portals, SharePoint sites, and admin tools. |
| File Sharing | Whether guest access, links, downloads, and external sharing are controlled. |
| Vendor Risk | Which vendors can access, process, or support client data. |
| Outcome | A practical audit checklist that proves client data is protected and reviewed. |
Introduction
Confidential client data is not just another business asset.
It is trust.
For law firms, this may include case files, legal opinions, contracts, evidence, settlement documents, and privileged communication.
For accounting and advisory firms, it may include tax files, payroll data, financial statements, audit working papers, and client banking information.
For consulting firms, it may include strategy documents, pricing models, employee data, project notes, and confidential reports.
If this data is exposed, the damage can be serious. It can affect client trust, legal duties, reputation, insurance, and revenue.
Therefore, internal audit should test client data controls directly. It should not only confirm that policies exist.
Want a Client Data Internal Audit Checklist Built for Your Firm?
Canadian Cyber helps law firms and professional services firms review Microsoft 365, SharePoint, client portals, vendor access, case file controls, and ISO 27001 evidence readiness.
Why Internal Audit Must Focus on Client Data
Many internal audits are too broad.
They check policies, training, MFA, vendors, and backups. These areas matter. However, they do not always answer the main question.
Can we prove that confidential client data is protected?
To answer that question, audit the systems where client data actually lives and moves.
| Client Data Location | Why It Matters |
|---|---|
| Microsoft 365 | Email, Teams, calendars, attachments, and shared files. |
| SharePoint | Client folders, matter sites, project records, and evidence libraries. |
| OneDrive | Draft files, personal working documents, and synced folders. |
| Client Portal | Secure file exchange, client access, uploads, and downloads. |
| Vendor Platforms | E-signature, payroll, tax, transcription, AI, support, and document tools. |
The goal is not more paperwork. The goal is to prove that client confidentiality is controlled.
Checklist Area 1: Client Data Inventory
Start with the data inventory.
You cannot audit client data controls if you do not know where the data lives.
| Audit Question | Evidence to Request |
|---|---|
| Has the firm identified where client data is stored? | Client data inventory. |
| Are case files and matter records included? | System inventory. |
| Are email, Teams, OneDrive, and SharePoint included? | Microsoft 365 data map. |
| Are backups and archives included? | Backup and archive inventory. |
| Is there an owner for each location? | Ownership matrix. |
Good Evidence
- client data map
- system inventory
- SharePoint site inventory
- client portal list
- backup coverage report
- vendor data handling register
Practical tip: Start with the top 10 places where client data is most likely to live.
Checklist Area 2: Access Control for Client Files
Access control is one of the highest-impact audit areas.
Internal audit should test whether users only have the access they need.
| Audit Question | Evidence to Request |
|---|---|
| Who can access client folders? | Permission export. |
| Are rights based on role, matter, team, or client need? | Role matrix. |
| Are former employees removed from all systems? | Offboarding samples. |
| Are guest users reviewed? | Guest access review. |
| Are exceptions approved? | Exception register. |
Systems to Test
- Microsoft 365 and Entra ID
- SharePoint, Teams, and OneDrive
- case or matter management systems
- document management systems
- client portals
- backup platforms
Can You Prove Who Can Access Client Files?
If your firm cannot prove who can access client files, your internal audit should start with access control.
Checklist Area 3: SharePoint and Teams File Sharing
For many firms, SharePoint is where client files live.
Therefore, SharePoint permissions and sharing settings need close review.
| Audit Question | Evidence to Request |
|---|---|
| Are client SharePoint sites identified? | SharePoint site inventory. |
| Are anonymous links restricted? | Sharing settings. |
| Is external sharing limited? | External sharing configuration. |
| Are Teams private channels reviewed? | Teams membership export. |
| Are recordings controlled? | Recording storage settings. |
Review guest users, anonymous links, broad groups, and old client sites first.
Organize Client Data Evidence in SharePoint
Canadian Cyber’s ISMS SharePoint solution helps firms manage evidence, access reviews, policies, risk registers, internal audits, and management review records.
Checklist Area 4: Email and Attachment Controls
Email is still one of the biggest client data risks.
Client files often move through attachments, forwarded messages, shared mailboxes, and external recipients.
| Audit Question | Evidence to Request |
|---|---|
| Are phishing protections enabled? | Email security policy. |
| Are SPF, DKIM, and DMARC configured? | DNS evidence. |
| Are forwarding rules restricted? | Forwarding rule report. |
| Are shared mailboxes reviewed? | Shared mailbox access review. |
| Are mailbox permissions reviewed? | Mailbox permission export. |
Checklist Area 5: Client Portal and External Access
Client portals can reduce risky email sharing.
However, they still need access control, logging, retention, and vendor review.
| Audit Question | Evidence to Request |
|---|---|
| Who can access the client portal? | User list. |
| Are client users approved? | Approval record. |
| Are inactive users removed? | Review record. |
| Are uploads and downloads logged? | Portal audit logs. |
| Is the portal vendor reviewed? | Vendor review evidence. |
A login page does not make a client portal audit-ready. You still need proof.
Checklist Area 6: Vendor and Third-Party Access
Professional services firms rely on many vendors.
Some vendors may access, store, process, or support confidential client data. Therefore, they need formal review.
| Audit Question | Evidence to Request |
|---|---|
| Which vendors process client data? | Vendor register. |
| Which vendors have admin access? | Vendor access list. |
| Are vendors risk-rated? | Vendor risk rating. |
| Is assurance reviewed? | SOC 2, ISO certificate, or questionnaire. |
| Are approvals documented? | Approval decision. |
Free Download: Confidential Client Data Vendor Review Template
Use this template to review vendors that store, process, access, or support confidential client data.
Checklist Area 7: Retention, Backup, and Recovery
Client files need clear retention and recovery rules.
Internal audit should test whether files are archived properly and whether recovery has been proven.
| Audit Question | Evidence to Request |
|---|---|
| Is there a file retention policy? | Retention policy. |
| Are closed files archived? | Archive procedure. |
| Who can access archived files? | Archive access review. |
| Are client files backed up? | Backup coverage report. |
| Has restore testing been performed? | Restore test record. |
Backups are not enough. Recovery must be tested and recorded.
Checklist Area 8: Incident Response for Client Data
Client data incidents need a clear response plan.
Examples include wrong-recipient email, lost laptop, compromised mailbox, ransomware, public SharePoint links, vendor breach, and bulk downloads.
| Audit Question | Evidence to Request |
|---|---|
| Is there an incident response plan? | Approved IR plan. |
| Are client data incidents defined? | Incident classification matrix. |
| Has the plan been tested? | Tabletop record. |
| Are incidents logged? | Incident register. |
| Are client notification decisions documented? | Decision log. |
Run a Client Data Incident Tabletop
Canadian Cyber can run a tabletop exercise and turn it into audit-ready evidence with scenarios, decisions, action items, and lessons learned.
Checklist Area 9: Staff Awareness and AI Governance
People handle client files every day.
Therefore, training and AI governance must be part of the audit.
| Audit Question | Evidence to Request |
|---|---|
| Do staff receive security training? | Training completion report. |
| Are confidentiality rules documented? | Confidentiality policy. |
| Are AI tools approved before use? | Approved AI tool register. |
| Is client data allowed in AI prompts? | AI use policy. |
| Are AI outputs reviewed by people? | Human review procedure. |
If AI touches confidential client data, it belongs in the internal audit scope.
Internal Audit Evidence Pack
Build the evidence pack before the audit begins.
This makes the audit faster and more useful. It also supports ISO 27001 readiness, client reviews, and cyber insurance renewals.
| Evidence Section | What to Include |
|---|---|
| Client Data Inventory | Data map, system list, and owner matrix. |
| Access Control | Access reviews, permission exports, and offboarding samples. |
| SharePoint and Teams | Site permissions, sharing settings, and guest reviews. |
| Vendor Risk | Vendor register, reviews, and approval decisions. |
| AI Governance | AI tool register, AI policy, and vendor reviews. |
Want This Evidence Pack Structure Built in SharePoint?
Canadian Cyber can build a client data evidence vault with metadata, access reviews, vendor reviews, audit findings, corrective actions, and management review evidence.
Internal Audit Checklist
Use this checklist as a practical starting point.
| Question | Yes / No |
|---|---|
| Do we have a client data inventory? | |
| Are Microsoft 365, SharePoint, Teams, and OneDrive included? | |
| Are client file access reviews completed? | |
| Are guest users reviewed? | |
| Are anonymous sharing links restricted? | |
| Are vendors handling client data risk-rated? | |
| Are backups tested through restore exercises? | |
| Is incident response tested for client data scenarios? | |
| Are AI tools reviewed before client data use? | |
| Is evidence stored in a controlled location? |
If several answers are “no,” fix those gaps before a client review, external audit, or cyber insurance renewal.
Common Mistakes to Avoid
- Mistake 1: Auditing policies but not client folders. Policies matter. However, the audit must also test where files live.
- Mistake 2: Ignoring SharePoint guest access. Guests can keep access longer than intended.
- Mistake 3: Treating managed IT as fully responsible. The provider may support controls, but the firm owns the risk.
- Mistake 4: Forgetting Teams and OneDrive. Client documents often move outside formal document libraries.
- Mistake 5: Not testing restore capability. Backups are not enough. Recovery must be proven.
- Mistake 6: Reviewing vendors without decisions. Collecting vendor reports is not the same as approving vendor risk.
- Mistake 7: Ignoring AI use. AI tools can create new confidentiality risk.
What Good Looks Like
A strong internal audit can show that:
- client data is mapped
- client file access is reviewed
- SharePoint permissions are controlled
- external sharing is restricted
- vendors are risk-rated
- managed IT access is governed
- backups are tested
- incidents are rehearsed
- AI tools are governed
- findings are tracked to closure
This gives leadership, clients, auditors, and insurers more confidence.
Canadian Cyber’s Take
At Canadian Cyber, we often see firms with a strong confidentiality culture but weak audit evidence.
The firm cares about protecting client files. Yet the evidence is often scattered.
Common gaps include informal access reviews, messy SharePoint permissions, unreviewed vendors, untested incident response, missing restore evidence, and unmanaged AI use.
Internal audit brings these gaps into view before a client, insurer, regulator, or external auditor does.
For firms that handle confidential client data, internal audit should be a trust test.
Takeaway
Confidential client data deserves focused internal audit attention.
Do not only audit policies. Audit the real data paths.
That includes Microsoft 365, SharePoint, Teams, OneDrive, case systems, client portals, vendors, backups, archives, AI tools, and email.
The goal is simple. Know where client data lives. Control who can access it. Review sharing. Govern vendors. Test incidents. Prove recovery. Train staff. Track findings. Keep evidence ready.
How Canadian Cyber Can Help
Canadian Cyber helps law firms, accounting firms, consulting firms, and professional services organizations audit and protect confidential client data.
- client data internal audits
- Microsoft 365 and Entra ID reviews
- SharePoint permission reviews
- Teams and OneDrive access reviews
- vendor risk reviews
- incident response tabletops
- AI governance reviews
- SharePoint ISMS evidence vault setup
Stay Connected With Canadian Cyber
Follow Canadian Cyber for practical guidance on internal audits, ISO 27001, client data protection, SharePoint ISMS, vendor risk, incident response, AI governance, and vCISO support.
