The conversation has changed. A few years ago, financial services firms and wealth management businesses came to us because something was broken or they needed a faster help desk. Now, the first thing most of them say is some version of: “We’ve got an audit coming” or “Our insurer is asking questions we can’t answer.”
Compliance and governance are driving IT decisions in this sector like nothing else right now, and rightly so. APRA CPS 230, ASIC AI governance, AUSTRAC, mandatory ransomware reporting — the obligations are stacking up. If your IT provider doesn’t understand what those mean for your business day-to-day, the relationship isn’t going to work.
Here’s what we consistently find when we start working with firms in this space, and what good actually looks like.
Most firms are at one of two extremes, and neither is working
When we do an initial assessment, businesses have generally gone one of two ways. The first group has quietly hoped the compliance problem would resolve itself. It hasn’t and it won’t. The second group has brought in so much process and complexity in the name of cybersecurity that their people can barely operate. Both groups are struggling.
What we aim for is the middle: a clear picture of what the organisation genuinely needs to comply with, then practical steps to get there without grinding operations to a halt. The goal is to make compliance easier to maintain, not harder to live with.
How do you demonstrate compliance maturity before an audit arrives?
If an ASIC review or licensing audit landed on your desk tomorrow, the question auditors are really asking isn’t whether your controls are in place today. They want to see maturity. What have you been doing over the last 12 months? Can you demonstrate that you identified risks, analysed them, and responded to them in a documented, consistent way?
We recently helped a client respond to a zero-day exploit in a third-party software platform. The software vendor had a vulnerability that needed patching immediately. Because we had a managed process in place, we could show exactly when we identified the issue, what we did to cover the risk, and how we followed the recommended response. That’s the kind of evidence that satisfies auditors.
You can get controls in place relatively quickly. Some things, though, take time to demonstrate. The only way to have that runway when you need it is to start building it now.
You probably don’t know who has access to what
Every business has logins scattered across dozens of platforms: financial planning software, compliance tools, CRM, marketing platforms, vendor portals, and everything in between. Most organisations significantly underestimate that number until someone actually tallies it up.
What we find, consistently, is that no one has ever done a proper audit of who has access to what. And when we do that audit, there are almost always former employees still actively accessing systems — sometimes months after they left, occasionally years.
The fix isn’t complicated. We run a thorough access audit, then set up automated onboarding and offboarding tied to the organisation’s Microsoft 365 or Google Workspace profile. When someone leaves, you disconnect them once and access to every connected platform is removed. No manual checklist, no relying on someone remembering to action it. One disconnection, full coverage.
The added benefit: you almost always find subscriptions you’re paying for that no one is using, which brings the cost down too.
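The access audit described above can be largely automated once you have an export from the identity provider and one from each platform. The following is an added example, not code from All IT Services or any of the platforms named here; it reconciles constructed sample exports (the addresses, platform names and dates are invented) against the identity provider as the source of truth and flags former employees still provisioned, accounts used after the person left, and logins that exist on a platform with no corporate identity behind them at all.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample identity-provider export (Microsoft 365 / Google Workspace
# style): who is still active and, if not, when they left. Not real data.
IDP_USERS = {
    "alice@example.com": {"active": True, "left": None},
    "bob@example.com": {"active": False, "left": date(2024, 3, 31)},
    "carol@example.com": {"active": False, "left": date(2021, 11, 15)},
}

# Constructed per-platform account exports: (platform, login, last sign-in).
PLATFORM_ACCOUNTS = [
    ("planning-suite", "alice@example.com", date(2025, 1, 9)),
    ("planning-suite", "bob@example.com", date(2024, 9, 2)),      # used after leaving
    ("crm", "carol@example.com", date(2021, 11, 10)),             # dormant for years
    ("vendor-portal", "bob@example.com", date(2024, 3, 20)),      # not used since leaving
    ("marketing", "dave.personal@gmail.com", date(2025, 1, 3)),   # no corporate identity
]

@dataclass
class Finding:
    platform: str
    login: str
    reason: str
    days_since_departure: Optional[int]
    used_after_departure: bool

def audit_access(idp_users, accounts, today):
    """Reconcile platform accounts against the identity provider and rank the gaps."""
    findings = []
    for platform, login, last_login in accounts:
        user = idp_users.get(login)
        if user is None:
            # Login has no identity-provider account: offboarding can never reach it.
            findings.append(Finding(platform, login, "no identity-provider account", None, False))
            continue
        if user["active"]:
            continue
        left = user["left"]
        findings.append(Finding(platform, login, "former employee still provisioned",
                                (today - left).days, last_login > left))
    # Most urgent first: sign-ins after departure, then the longest-orphaned accounts.
    findings.sort(key=lambda f: (not f.used_after_departure, -(f.days_since_departure or 0)))
    return findings

def sample_audit():
    """Run the audit over the constructed data as at a fixed date."""
    return audit_access(IDP_USERS, PLATFORM_ACCOUNTS, date(2025, 1, 15))
```

In practice the two inputs come from the identity provider's user export and each platform's admin console, and the top of the sorted list is what gets disconnected first.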
Client data is sitting in places you don’t know about
Related to access, but worth addressing separately: we regularly find that client and business data has spread well beyond where the organisation thinks it lives.
Someone created a personal Google Drive or a Box account three years ago to share a file quickly. It never got cleaned up. It’s not connected to the main IT environment. It probably doesn’t have multi-factor authentication. The password is saved in someone’s browser. And there’s sensitive client information sitting in it.
This is becoming a bigger problem as AI tools enter the workplace. When staff use AI platforms that can query company data, weak access controls and poor data organisation mean people can surface information they shouldn’t have access to — payroll details, contracts, other employees’ records. The foundation has to be right before AI becomes useful rather than a liability.
Getting control of where data lives and who can access it isn’t a heavy lift once you have a proper process. But it needs to be done deliberately, and it needs to be maintained on an ongoing basis.
Family offices have unique requirements and deserve specialist care
We look after a number of prominent private family offices across Australia, New Zealand, and internationally, covering all of their IT and often the technology needs of subsidiary businesses as well.
These organisations operate differently. Privacy is essential. They handle significant deal flow, often working with data rooms and other private family offices. Key principals travel extensively and need reliable, secure access from anywhere. The technology requirements are highly individual.
What family offices often tell us is that IT was never properly set up — it just grew alongside the business. That usually means fragmented systems, inconsistent security, and no clear ownership of how technology is managed. We bring the same structured, accountable approach we use across all our financial services clients, adapted to the specific nature of how these offices work.
Three things every financial services firm should look at today
After working in this sector for years, the advice we give consistently comes back to three things.
Work with a provider that knows your industry. Wealth management, financial planning, family offices — they all have compliance obligations, vendor ecosystems, and operational rhythms that a generalist IT provider won’t understand. If you’re ringing your IT provider to ask about an APRA requirement and they’re not already across it, that’s a problem.
Get governance and compliance in order now, not when the auditor calls. The runway matters. Start building the documented evidence of good practice before you need to show it.
Prioritise speed of access to your IT support. People in this sector work under time pressure. Clients need responses fast. Advisers need systems working during market hours. Our instant chat support through Microsoft Teams or Slack connects your team directly to engineers who know your environment and can move quickly. That’s not a nice-to-have in financial services. It’s a basic expectation.
If any of this sounds familiar, we’re straightforward to talk to. See how our managed IT and cybersecurity works, or reach out directly.
Frequently asked questions
What’s the first thing a wealth management firm should fix to get audit-ready?
Run a proper access audit. Most firms don’t know who has access to what across their financial planning software, CRM, compliance tools, and vendor portals. Tally it up, remove access for anyone who’s left, and tie onboarding and offboarding to your Microsoft 365 or Google Workspace profile so it stays clean.
How long does it take to get ready for an APRA CPS 230 or ASIC review?
Putting controls in place is reasonably quick. Demonstrating maturity is the slow part. Auditors want 12 months of documented evidence showing you identified risks, analysed them, and responded consistently. The only way to have that runway when you need it is to start building it now.
Why do family offices need a different IT approach?
Privacy is essential, principals travel and need secure access from anywhere, and they often work across data rooms and other private offices on significant deal flow. IT in family offices usually grew alongside the business rather than being designed for it, so most need a structured reset rather than another layer of tools.
We’re a smaller firm. Do these compliance obligations actually apply to us?
If you hold an AFSL, handle client data, or sit inside the AML/CTF framework, yes. APRA CPS 230, ASIC AI governance, AUSTRAC obligations, and mandatory ransomware reporting apply regardless of size. The bar is the same; the way you meet it should be proportionate to your business.
All IT Services is a managed IT and cybersecurity provider specialising in financial services, wealth management, and not-for-profit organisations across Australia.
