Microsoft 365 under FINMA scrutiny


What auditors actually look for in 2026

Microsoft 365 has become standard infrastructure for fund managers, independent wealth managers and private banks. Email, document management, identity and collaboration now sit in a single cloud environment. For many institutions, it feels operational. For FINMA, it is part of the control environment.

The FINMA Risk Monitor 2025 reinforces supervisory focus on operational resilience, outsourcing dependencies and data integrity. The 2025 audit programmes for cyber risk and critical data risk translate those themes into concrete test procedures. In 2026, Microsoft 365 will be examined through that lens.

The platform itself is not the issue. Governance, configuration and oversight are.

Data inventory and classification

For fund managers and independent wealth managers, Microsoft 365 often hosts investor data, portfolio reports, mandates, contracts and internal decision records. Under FINMA’s audit programmes, institutions must demonstrate systematic identification and categorisation of critical data.

Auditors will not ask whether SharePoint is in use. They will ask:

  • Which data stored in Microsoft 365 is classified as critical
  • Who owns that data
  • Where it is stored geographically
  • Which systems and third parties interface with it

For smaller asset managers, this is frequently where gaps emerge. Files are structured operationally rather than by risk criticality. In 2026, that distinction matters.

Identity and privileged access

Microsoft 365 is primarily an identity platform. Access to email, files and Teams is governed through Azure Active Directory. FINMA’s audit programmes place explicit emphasis on need-to-know principles, segregation of duties and monitoring of privileged accounts.

Auditors will test:

  • How privileged roles are assigned and reviewed
  • Whether technical and system accounts are controlled
  • Whether logs are retained and reviewed
  • Whether access reviews are documented

For private banks and larger asset managers, expectations around formal periodic reviews are higher. For smaller independent wealth managers, proportionality applies, yet the principle remains unchanged. Informal access management is difficult to defend under sample testing.
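One way to produce the kind of evidence sample testing expects, as an added example that is not part of the original article: enumerate the active privileged role assignments in the tenant with the Microsoft Graph PowerShell SDK, flag technical (service principal) and guest identities holding admin roles, and export a review sheet. The list of roles treated as privileged and the output path are assumptions for this example.

```powershell
# Added example, not the article's own material. Requires the Microsoft.Graph
# PowerShell SDK and read-only Graph scopes; nothing in the tenant is changed.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Roles whose holders can read or alter investor data, mail or identities.
# Assumed list for this example; align it with the institution's own risk assessment.
$privilegedRoles = @(
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Exchange Administrator", "SharePoint Administrator", "User Administrator",
    "Conditional Access Administrator", "Application Administrator"
)

$evidence = foreach ($role in Get-MgDirectoryRole | Where-Object { $privilegedRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $member.AdditionalProperties
        $type  = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
        [pscustomobject]@{
            Role        = $role.DisplayName
            MemberType  = $type                          # user, servicePrincipal or group
            DisplayName = $props['displayName']
            Principal   = $props['userPrincipalName']    # empty for service principals and groups
            # Items an auditor will sample: technical accounts and external identities
            # in admin roles need a named owner and a documented justification.
            IsTechnical = ($type -eq 'servicePrincipal')
            IsGuest     = ($props['userPrincipalName'] -like '*#EXT#*')
            ReviewedBy  = ''                             # completed by the reviewer
            ReviewDate  = ''
        }
    }
}

$evidence | Sort-Object Role, DisplayName | Format-Table -AutoSize
$evidence | Export-Csv -Path ".\privileged-access-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Caveat: Get-MgDirectoryRole returns only activated, permanent assignments.
# Tenants using PIM must also export eligible assignments (for example via
# Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance), or the review is incomplete.
Disconnect-MgGraph
```

Group members are not expanded here; a group sitting in an admin role should be reviewed down to its individual members.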

Outsourcing and cross-border access

Microsoft 365 is a cloud service whose data residency and access model must be clearly understood and governed. Even where data is hosted in Switzerland, institutions must assess cross-border access, support arrangements and outsourcing risks in line with FINMA expectations. FINMA’s 2025 audit programme gives explicit attention to data stored abroad or accessible from abroad.

Fund managers and private banks must demonstrate that:

  • They understand where their tenant data is hosted
  • Cross-border access is controlled and risk assessed
  • Contracts and due diligence processes reflect this exposure

The cyber risk audit programme for fund management companies and managers of collective assets reinforces oversight of outsourced ICT environments.

This is not about prohibiting cloud use. It is about evidencing control.

Logging, monitoring and incident response

Microsoft 365 generates extensive audit logs. FINMA’s cyber risk audit programme requires testing of logging and detection capabilities and verification that reporting processes function effectively.

In 2026, auditors are likely to review:

  • Whether critical systems feed logs into a central monitoring process
  • How suspicious activity is identified
  • How incidents affecting data confidentiality or integrity are escalated
  • Whether reporting obligations were fulfilled in past cases

For smaller managers without internal security teams, reliance on external providers must be clearly documented and overseen.
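An illustration of a documented, repeatable log review, added here and not part of the original article: query the Microsoft 365 unified audit log for a review period, extract privileged role changes and inbox rule changes, and flag any performed by an identity outside the institution's approved administrator list. The approved-admin list, the review window and the operations chosen are assumptions for this example.

```powershell
# Added example, not the article's own material. Requires the ExchangeOnlineManagement
# module; Search-UnifiedAuditLog is read-only and returns at most 5000 records per call.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Assumed for this example: the institution maintains an approved-administrator list as evidence.
$approvedAdmins = @("it-admin@example.ch", "backup-admin@example.ch")

$end   = Get-Date
$start = $end.AddDays(-30)                       # assumed monthly review window

# Role membership changes and mailbox rule changes are the operations an auditor
# most often asks to see reconciled against approved change records.
$operations = @(
    "Add member to role.", "Remove member from role.",
    "New-InboxRule", "Set-InboxRule"
)

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $operations -ResultSize 5000

$findings = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json     # per-record detail is a JSON string
    [pscustomobject]@{
        When       = $r.CreationDate
        Actor      = $r.UserIds
        Operation  = $r.Operations
        Target     = $data.ObjectId
        Result     = $data.ResultStatus
        # Unapproved actors become findings to be explained or escalated.
        Unapproved = ($approvedAdmins -notcontains $r.UserIds)
    }
}

$findings | Where-Object Unapproved | Sort-Object When | Format-Table -AutoSize
$findings | Export-Csv -Path ".\m365-audit-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Caveat: this evidences review only for the window the tenant still retains. Retention
# beyond the default depends on licensing and configured audit retention policies.
Disconnect-ExchangeOnline -Confirm:$false
```

If the 5000-record limit is reached, narrow the window or page with the cmdlet's session parameters rather than treating the result as complete.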

Recovery and resilience

Operational resilience applies equally to cloud environments. FINMA expects recovery processes to be defined and tested.

For Microsoft 365, this means:

  • Understanding backup and retention mechanisms
  • Clarifying responsibilities between the institution and service providers
  • Testing recovery of data and access in defined scenarios

Private banks with complex environments face deeper scrutiny. Independent wealth managers face more direct questions around clarity of responsibility.

What differs by institution type

Private banks

Expect more formal governance documentation, structured board oversight and integrated risk tolerance frameworks. Microsoft 365 configuration must align with enterprise-wide operational risk management.

Fund management companies

Supervised under FinIA and CISA and assessed under FINMA’s audit programme “Cyber risk management for fund management companies and managers of collective assets” (Version 3 June 2025). Supervisory attention will focus on outsourcing oversight, data protection and ICT asset inventory.

Independent wealth managers

Smaller scale does not remove obligation. Supervisors will look for clarity: defined data ownership, controlled access and documented oversight of cloud environments.

The supervisory direction

Microsoft 365 has shifted from being a productivity tool to being treated as regulated infrastructure in the supervisory conversation.

That means that in 2026, auditors will focus on whether governance, access control, data classification and incident processes align with FINMA’s operational risk expectations, rather than simply on which Microsoft 365 services are in use.

Overall, the question will not be whether Microsoft 365 is deployed. It will be whether it is governed correctly.

Johan Blaix, Senior Account Manager, Penta

Johan Blaix is a cyber strategist focused on emerging threats, digital risk, and the future of secure infrastructure. With a background in security operations and years of experience advising financial organisations, Johan helps bridge the gap between complex technical research and practical business insight. His work explores how attackers adapt, how defenders can stay one step ahead, and why resilience matters just as much as prevention.
