Compliance teams at financial institutions spend a remarkable amount of time hunting for evidence they already have. The Unified Audit Log inside Microsoft 365 captures every file open, every mailbox access, every Conditional Access change, every Copilot prompt. When an examiner asks who touched a loan file or how MFA was enforced in March, the answer is sitting in the tenant. The question is whether your team built a habit of looking.
This guide walks through the quarterly self-audit framework Access Business Technologies runs across the 750-plus credit unions, banks, and mortgage companies in our Microsoft Cloud Solution Provider footprint. The framework is built entirely on tools that already ship inside your Microsoft 365 tenant: Microsoft Compliance Manager, Microsoft Purview Audit, Microsoft Secure Score, Microsoft Defender for Cloud Apps, and Microsoft Entra ID. No new licenses, no third-party SIEM required to start. Just a repeatable cadence that turns "we think we are compliant" into "here is the report."
Run it ahead of every exam window and the document request stops being a fire drill. Your compliance officer pulls a binder, the examiner moves on, your team gets back to closing loans and serving members.
Why a Quarterly Self-Audit Pays Off
Annual external audits remain the headline event. They satisfy the board, the regulators, and the cyber insurance carrier. But twelve months is a long time to wait for a finding, and external reviewers can only validate what your team has documented. A quarterly self-audit fills the gap between formal exams and gives your compliance officer a running view of how the tenant actually behaves.
The productivity payoff is real. Self-audits surface stale admin assignments, dormant external sharing links, and misfiring data loss prevention rules before they become exam findings or breach precursors. Cleaning those up quarterly means your bankers, processors, and underwriters spend less time in approval queues, fewer help desk tickets get logged for "why can I not open this file," and your privileged identity reviewers see a shorter list every quarter instead of a year-long backlog.
Security follows naturally. The same audit-log review that catches a sharing-link drift also catches the early signal of a compromised account: impossible-travel sign-ins, mass downloads, mailbox forwarding rules that suddenly route outside the tenant. Microsoft Defender for Cloud Apps and the Microsoft 365 unified audit log surface those signals together. A monthly habit of looking at them transforms incident response from reactive to proactive.
The Gap Most Financial Institutions Miss
External auditors typically sample one to two percent of audit log events across a year. Internal teams that run quarterly self-audits review tens of thousands of events across the same period. The depth difference is why the most prepared community banks, credit unions, and mortgage companies use external audits to validate, not to discover.
Governance is the closer. Once you have a quarterly cadence, the binder of evidence builds itself. FFIEC examiners, NCUA examination teams, state DFS regulators, and FDIC IT examination teams all expect the same artifacts: who has privileged access, how that access is monitored, what events trigger investigation, and how findings are tracked to closure. A team that runs the framework below has those artifacts in hand before the request letter arrives.
The Regulatory Pressure Behind Self-Audits
Federal and state regulators have moved decisively toward continuous monitoring expectations. The FFIEC IT Examination Handbook treats audit logging as a core control. The NCUA's 2025 Cybersecurity and Credit Union System Resilience Report to Congress documented 1,072 cyber incidents at federally insured credit unions between September 2023 and August 2024, with the agency noting that approximately seven in ten of those incidents involved a third-party vendor, technology provider, or supply chain partner. The board briefing letter that accompanied the report explicitly called for stronger third-party risk monitoring and continuous evidence of control effectiveness.
OCC Bulletin 2023-37 on third-party risk management asks supervised banks to demonstrate ongoing oversight of critical relationships, including the cloud platforms that store customer data. The FTC Safeguards Rule, as amended in 2023, requires nonbanking financial institutions covered under Gramm-Leach-Bliley to maintain an information security program with documented monitoring, periodic risk assessments, and incident response evidence. State regulators have layered on top: the New York DFS Part 500 cybersecurity regulation requires audit trails for access to nonpublic information, and California's amended CCPA framework requires annual cybersecurity audits for covered entities.
> Management should establish, implement, and maintain an effective audit program that provides reasonable assurance regarding the achievement of the institution's information security objectives.
None of those frameworks prescribe specific tooling. They ask for evidence. Microsoft 365 produces that evidence by default, but only if your team knows where to look and runs the review on a predictable schedule. Quarterly cadence is the minimum that satisfies both the spirit and the letter of the regulatory expectations.
The Five-Pillar Microsoft 365 Self-Audit Framework
The framework groups Microsoft 365 controls into five pillars that map cleanly to the documentation an examiner will request. Each pillar uses a native Microsoft 365 surface that already ships in your tenant. The work runs in the order below because each step builds context for the next.
Pillar 1: Microsoft Compliance Manager (Baseline Posture)
Microsoft Compliance Manager is the starting point because it scores your tenant against the regulatory templates that matter for your charter. The portal ships with assessment templates for FFIEC Information Security, NCUA Cybersecurity, NIST CSF, NIST SP 800-53, ISO 27001, GLBA Safeguards Rule, and Payment Card Industry standards. Each template breaks regulatory requirements into improvement actions, scores your tenant on each one, and tracks remediation evidence.
Your quarterly review starts here. Pull the assessment scores for the templates that match your examination cadence. Note which improvement actions slipped backward (a control that was implemented and is now showing as non-compliant), which improvement actions remain unstarted, and which evidence attachments are stale or missing. Compliance Manager produces an exportable report that becomes the cover page of your evidence packet.
Pillar 2: Microsoft Purview Audit (Activity Evidence)
Microsoft Purview Audit is the Unified Audit Log. It captures user and admin activity across Exchange Online, SharePoint, OneDrive, Teams, Defender, Entra ID, Purview itself, and most other Microsoft 365 services. Standard retention is 180 days on most license SKUs, and Audit Premium extends retention to one year (10-year retention is available as an add-on for institutions that need it).
The Purview review answers the four questions every examiner asks: who accessed what, who shared what externally, who changed administrative configuration, and how those events were investigated. Search by time range, user, file, or activity. Export the results to CSV or to a Microsoft Sentinel workspace for longer-term retention and correlation.
Pillar 3: Microsoft Secure Score (Configuration Hygiene)
Microsoft Secure Score is the configuration scoreboard. It evaluates your tenant against a catalog of identity, device, app, and data controls, scoring each control between 0 and 100 percent. The score is comparative: Microsoft shows you the average score for tenants of similar size, sector, and license tier, so you see whether your community bank, credit union, or mortgage company is ahead of or behind the peer group on basic hygiene.
Treat Secure Score as grading on a curve, not as an absolute target. Examiners care that your trajectory is improving and that you have documented reasons for any controls you intentionally left disabled. A quarterly review checks the score, reviews newly recommended controls, and updates your improvement plan.
Pillar 4: Microsoft Defender for Cloud Apps (Behavioral Risk)
Microsoft Defender for Cloud Apps surfaces the behaviors that the audit log captures but that humans cannot reasonably spot at scale. Impossible-travel sign-ins, mass downloads, anomalous file activity, suspicious inbox forwarding rules, risky OAuth app consent grants. The product applies machine learning to the audit-log stream and ranks the alerts by risk.
The quarterly review looks at three things: which alerts fired, how each one was triaged, and whether any high-severity alerts are still open. The alerts that closed with documented investigation become exam evidence. Open high-severity alerts become an action item for the compliance committee.
Pillar 5: Microsoft Entra ID (Privileged Access)
Microsoft Entra ID owns the identity story. The quarterly review covers four artifacts: the list of Global Administrators (target zero standing, all activated through Privileged Identity Management), the list of privileged role assignments, the Conditional Access policy inventory, and the sign-in risk report.
Every privileged role should map to a named business owner with a documented justification. Conditional Access policies should match the institution's documented access policy: where users can sign in from, what device posture is required, what data is gated behind multi-factor authentication. Drift between the policy document and the live Entra ID configuration is the single most common exam finding our team sees.
Microsoft 365 E5 customers already pay for every pillar in this framework. Compliance Manager templates, Audit Premium retention, Defender for Cloud Apps, and Entra ID P2 are bundled. The most common reason financial institutions buy additional compliance tooling is not a capability gap; it is that no one inside the organization has built the quarterly review habit that surfaces what the bundled tools already see.
A Quarterly Cadence Your Team Can Actually Run
The framework only works if it runs. Most compliance teams have run it once, generated a 40-page report, and then never repeated the exercise because the workload felt prohibitive. The trick is to spread the five pillars across the quarter so the review becomes a recurring weekly habit instead of a one-time sprint.
- Compliance Manager assessment refresh. Pull template scores, identify regressions, assign improvement actions.
- Purview Audit log review. Sample by user role, by file sensitivity label, by external sharing activity.
- Secure Score and Defender for Cloud Apps. Score trend, peer comparison, alert triage.
- Entra ID privileged access review. Roles, PIM activations, Conditional Access drift, sign-in risk.
- Evidence packet assembly. Sign-off by compliance leadership. Quarterly report filed.
Two compliance staff can carry the cadence on top of their existing duties. Each week's review runs in roughly two to four hours once the team builds familiarity with the portals. Larger institutions assign each pillar to a different functional owner: information security for Secure Score and Defender, identity team for Entra ID, compliance officer for Compliance Manager and Purview. The evidence still rolls up into a single quarterly packet.
Microsoft Sentinel customers get one extra step: a workbook that pulls metrics from all five pillars into a single dashboard. The dashboard does not replace the manual review; it accelerates it. Trends that take an hour to spot inside individual portals become obvious in a Sentinel workbook.
Escalation Triggers That Demand Immediate Attention
A quarterly cadence is the floor. Some events require out-of-band investigation the day they appear, not the next scheduled review. The escalation triggers below are the items our managed Microsoft 365 team monitors on a daily basis across our financial institution footprint. Each item should produce an immediate ticket, an investigation, and a documented closure.
- Impossible-travel sign-in. A single account authenticating from two geographies far enough apart that travel between them is implausible within the elapsed time. Defender for Cloud Apps flags these natively.
- New inbox forwarding rule to an external domain. A common artifact of compromised mailboxes. Purview Audit logs the rule creation; Defender for Office 365 alerts on the pattern.
- Mass file download or sharing event. A user downloading or externally sharing more files in an hour than they typically handle in a week. Defender for Cloud Apps surfaces the anomaly.
- Global Administrator activation outside the PIM workflow. Standing Global Administrator assignments should be zero. Any activation outside Privileged Identity Management is a configuration regression worth investigating the same day.
- Conditional Access policy disabled or modified by someone outside the identity team. Policy drift quietly weakens the tenant. Entra ID audit logs every policy change with the actor and the prior configuration.
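As an added illustration of the forwarding-rule and mass-download triggers above (example code, not ABT's or Microsoft's), the script below checks exported Unified Audit Log records in the AuditData JSON shape; the sample records, the internal domain examplecu.org and the download threshold are constructed assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the page): the tenant's own domains and the per-hour download count that is abnormal here.
INTERNAL_DOMAINS = {"examplecu.org"}
DOWNLOAD_THRESHOLD = 3
# Inbox-rule parameters that route mail elsewhere; values may be a plain address or an "SMTP:user@domain" form.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records in the AuditData JSON shape, one per line.
SAMPLE_RECORDS = r"""
{"CreationTime":"2025-03-04T09:12:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"jdoe@examplecu.org","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"archive@examplecu.org"}]}
{"CreationTime":"2025-03-04T09:15:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"jdoe@examplecu.org","Parameters":[{"Name":"Name","Value":"Sync"},{"Name":"ForwardTo","Value":"collector@mail-drop.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-03-04T10:01:00","Operation":"FileDownloaded","Workload":"SharePoint","UserId":"asmith@examplecu.org","ObjectId":"https://examplecu.sharepoint.com/sites/Lending/loan-1001.pdf"}
{"CreationTime":"2025-03-04T10:05:00","Operation":"FileDownloaded","Workload":"SharePoint","UserId":"asmith@examplecu.org","ObjectId":"https://examplecu.sharepoint.com/sites/Lending/loan-1002.pdf"}
{"CreationTime":"2025-03-04T10:20:00","Operation":"FileDownloaded","Workload":"SharePoint","UserId":"asmith@examplecu.org","ObjectId":"https://examplecu.sharepoint.com/sites/Lending/loan-1003.pdf"}
{"CreationTime":"2025-03-04T10:40:00","Operation":"FileDownloaded","Workload":"SharePoint","UserId":"asmith@examplecu.org","ObjectId":"https://examplecu.sharepoint.com/sites/Lending/loan-1004.pdf"}
{"CreationTime":"2025-03-04T14:00:00","Operation":"FileDownloaded","Workload":"SharePoint","UserId":"bjones@examplecu.org","ObjectId":"https://examplecu.sharepoint.com/sites/Lending/loan-2001.pdf"}
"""

def parse_records(text):
    """Parse newline-delimited AuditData JSON into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def external_forwarding_rules(records):
    """Inbox rules whose forward/redirect target lies outside INTERNAL_DOMAINS."""
    hits = []
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        external = [
            addr for p in rec.get("Parameters", []) if p.get("Name") in FORWARDING_PARAMS
            for addr in EMAIL_RE.findall(str(p.get("Value", "")))
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS
        ]
        if external:
            hits.append((rec["UserId"], rec["Operation"], external))
    return hits

def mass_downloads(records, threshold=DOWNLOAD_THRESHOLD, window=timedelta(hours=1)):
    """Users whose FileDownloaded count in any sliding window exceeds threshold, mapped to the peak count."""
    stamps = defaultdict(list)
    for rec in records:
        if rec.get("Operation") == "FileDownloaded":
            stamps[rec["UserId"]].append(datetime.fromisoformat(rec["CreationTime"]))
    flagged = {}
    for user, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged
```

To run it over a Purview CSV export, feed each row's AuditData column to parse_records in place of SAMPLE_RECORDS.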
Define the triage and closure workflow before the alerts start firing. A documented response plan that says "the security operations team triages within four hours, escalates to the chief information security officer if confirmed, and the chief information security officer notifies the chief compliance officer for incidents involving member or borrower data" turns alert noise into auditable response evidence.
Building an Evidence Trail Examiners Trust
Examiners ask for evidence in two flavors. The first is point-in-time: a snapshot of the configuration on a specific date. The second is continuous: documented review activity across the audit period. The quarterly self-audit framework produces both, but only if the evidence is stored where the examiner can review it without your team scrambling to find it.
- Quarterly PDF exports of each active assessment template, stored in a SharePoint document library with retention labels applied.
- CSV exports of the sampled audit log queries that supported the quarterly review, named by quarter and reviewer.
- Screenshot or export of the score trend graph, with notes on any controls deliberately left disabled and the business reason.
- Quarter-over-quarter trend of alert volume by severity, with closure notes for high-severity items.
- List of every privileged role holder at quarter close, including PIM activation history and business justification.
- Documented review of the quarterly evidence packet by the compliance committee or equivalent governance body, with sign-off.
Store the evidence in a SharePoint document library with a retention label that matches your record-retention policy (typically seven years for banking, five to seven for credit unions, two to seven for mortgage based on state requirements). Restrict the library to the compliance team plus read access for the chief executive officer, the chief financial officer, and external auditors. The retention label prevents accidental deletion and produces a defensible chain of custody.
Key Takeaway
The audit log is already running. Compliance Manager already has assessment templates loaded. The Defender alerts are already firing. The discipline that separates ready institutions from scrambling ones is the quarterly habit of reviewing, exporting, and storing the evidence before the examiner asks for it.
Access Business Technologies has built and managed the Microsoft 365 tenant for credit unions, banks, and mortgage companies since 1999. Our managed service customers receive the quarterly self-audit packet as part of their monthly Guardian operating model deliverables. For institutions that prefer to run the framework with their own team, the tools and templates ship inside the Microsoft 365 license you already own.
Build the quarterly self-audit habit with help from a partner who runs it every day
ABT manages Microsoft 365 tenants for more than 750 credit unions, banks, and mortgage companies. We can run the framework as a managed service, train your team to run it, or audit your existing process. The choice is yours.
Frequently Asked Questions
Microsoft 365 retains unified audit logs for 180 days by default on most license SKUs. Microsoft Purview Audit Premium extends retention to one year, and a 10-year retention add-on is available for institutions with longer record-retention obligations. Credit unions, banks, and mortgage companies should verify retention settings against their charter requirements and export critical log subsets to a SharePoint library or Microsoft Sentinel workspace before the retention window closes.
The framework uses Microsoft Compliance Manager for assessment baselines against FFIEC, NCUA, NIST CSF, and GLBA templates, Microsoft Purview Audit for the unified activity log review, Microsoft Secure Score for configuration hygiene scoring against peer institutions, Microsoft Defender for Cloud Apps for behavioral risk detection on the audit log stream, and Microsoft Entra ID for privileged access review covering Global Administrators, Privileged Identity Management activations, and Conditional Access policy drift.
The FFIEC IT Examination Handbook, the NCUA Cybersecurity and Credit Union System Resilience Report to Congress, and OCC Bulletin 2023-37 on third-party risk management each expect documented, ongoing oversight of cloud platforms holding customer data. The quarterly framework produces the artifacts examiners request: privileged access inventories, audit log review evidence, configuration trend reports, alert triage history, and compliance committee sign-off. Storing the evidence in a labeled SharePoint library produces a defensible chain of custody.
No. Compliance Manager, Secure Score, the 180-day unified audit log, and Entra ID Conditional Access ship across most Microsoft 365 SKUs including Business Premium and E3. Microsoft 365 E5 adds Audit Premium (one-year retention, faster search), Defender for Cloud Apps full capabilities, and Entra ID P2 with Privileged Identity Management. Institutions running E3 or Business Premium can start the framework today and add E5 capabilities as the audit cadence matures.
Two compliance staff can run the framework on top of their existing duties at roughly two to four hours per week. The five pillars spread across the quarter so the review becomes a recurring weekly habit instead of a one-time sprint. Larger institutions assign each pillar to a functional owner. Quarterly evidence packet assembly typically adds another four to eight hours during the final week of the quarter.
Access Business Technologies manages Microsoft 365 tenants for more than 750 credit unions, banks, and mortgage companies as a Tier-1 Microsoft Cloud Solution Provider. Managed service customers receive the quarterly self-audit packet as part of the Guardian operating model deliverables. ABT also offers framework training for institutions that prefer to run the cadence with their own compliance team, and process audits for institutions that want a second set of eyes on an existing program.