
Achieving SFC Type 9 IT Audit Readiness in 4–8 Weeks: A Hong Kong Asset Manager Case Study | BROCENT

As Senior IT Security Account Manager at BROCENT, I explain how we helped a new Hong Kong public fund management company (anonymized as Horizon Capital) rapidly establish a segregated, auditable IT infrastructure and governance framework—positioning them for a positive IT security audit outcome.


Client name has been anonymized as “Horizon Capital” to protect confidentiality. This case study reflects our actual methodology and a real engagement completed in 2026.

As a Senior IT Security Account Manager at BROCENT, I spend most of my time helping regulated financial services firms in Hong Kong navigate the intersection of technology, governance, and compliance. Few projects illustrate the power of a pragmatic, well-scoped approach better than our recent work with Horizon Capital, a new public fund management company preparing its SFC Type 9 (Asset Management) license application.

Horizon Capital faced a classic new-entrant dilemma: ambitious growth plans (scaling from a small team to 10–20 professionals within 24 months), a hard regulatory deadline, and zero dedicated IT infrastructure. They were operating from shared office space and network resources provided by their mother company. The objective was clear — achieve a positive IT security audit outcome that would support their license application without derailing the timeline or inflating costs.

This post walks you through exactly how we approached the challenge, why we rejected the “just audit the shared environment” path, and how our three-stage blueprint delivered a production-ready, fully auditable IT foundation in 4–8 weeks.

The SFC Type 9 IT Reality in 2026

Before diving into the solution, it is worth understanding what the Securities and Futures Commission (SFC) actually examines during a Type 9 application.

In the Business Plan and Internal Control Questionnaire, applicants must demonstrate:

  • Clear mapping of core business processes (client onboarding, trade execution, portfolio management, settlement) to the IT systems that support them.
  • Robust controls against unauthorized access, hacking, and data leakage — including encryption, access management, and monitoring.
  • Documented backup and disaster recovery arrangements with tested business continuity plans.
  • Where cloud or external data storage providers (EDSPs) are used for regulatory records, proper disclosure, provider compliance confirmation letters, and appointment of at least two Hong Kong-based Managers-In-Charge (MICs) responsible for the systems.

SFC does not always mandate an external IT audit report for straightforward Type 9 applications. However, they conduct a substantive review of IT systems, internal controls, data security, and operational resilience. In higher-risk scenarios (virtual asset management exceeding 10% of AUM, high-frequency or algorithmic trading systems, or large-scale proprietary trading/settlement platforms), they are more likely to request independent third-party assessments.

For most traditional public fund managers like Horizon Capital, the bar is high but achievable — if the IT environment has clear boundaries, documented ownership, and evidence of ongoing control effectiveness. This is where many shared-environment setups fail.

Horizon Capital’s Starting Point

Horizon Capital was incorporated as a new legal entity with no independent IT footprint. They were leveraging their mother company’s office facilities, network, and some shared services. The team was small but expected to grow quickly. Their target: complete IT setup, framework documentation, and initial compliance measures before the end of August 2026 to support a timely SFC license submission via the WINGS platform.

Attempting a security audit directly on the heavily shared mother-company environment carried significant risks:

  • Ambiguous scope and control ownership (whose firewall rules? whose logs? who remediates findings?).
  • Data commingling that complicates incident investigation and evidence integrity.
  • Potential qualified audit findings or lengthy remediation that could delay the license application.
  • Higher long-term cost and complexity as the company scales.

We advised against forcing an audit on the shared infrastructure. Instead, we proposed building a lightweight, independent, and fundamental IT footprint that is physically and logically segregated while still cost-optimized by sharing the mother company’s data center rack space, power, and cooling.

Our Recommended Three-Stage Solution

We structured the engagement in three integrated stages, with Stages 1 and 2 running largely in parallel to compress the timeline to 4–8 weeks from kick-off to an initial operational state, with the framework released and basic practices running.

Stage 1: Build Fundamental IT Infrastructure (≈3 weeks)

Objective: Establish a clean, segregated, auditable network and collaboration foundation with clear boundaries.

Key components delivered:

  • Network Segregation — Dedicated physical/logical network for Horizon Capital using its own firewall, switch, and Wi-Fi access points. The network shares the same data center facility (rack, power, cooling) for cost and speed but is fully segregated from the mother company’s production network. This creates unambiguous audit scope and evidence ownership.
  • Dedicated Internet Line — A separate business-grade circuit (bandwidth sized to requirement, typically 200–500 Mbps) to avoid shared-circuit complications during audits or incidents.
  • Core Hardware — FortiGate next-generation firewall (model sized for 20–50 users) with full FortiGuard Unified Threat Protection (UTP) and FortiCare bundle. This provides enterprise-grade intrusion prevention, antivirus, web filtering, application control, and centralized logging — exactly the layered controls SFC expects under cybersecurity and data protection requirements.
  • Enterprise Wi-Fi & Switching — Ubiquiti UniFi enterprise-grade PoE switch and Wi-Fi 6 access points with centralized remote management via Cloud Key or UniFi OS. VLAN support enables clean segmentation, and the controller gives Horizon Capital (and BROCENT as managed service provider) full visibility without touching mother-company systems.
  • Email, Collaboration & Document Management — Microsoft 365 Business Premium tenant provisioned specifically for Horizon Capital (custom domain). This delivers professional email, Teams collaboration, SharePoint/OneDrive with versioning, retention policies, Data Loss Prevention (DLP), sensitivity labels, unified audit logging, and Intune for device compliance management — all critical sources of audit evidence.

Implementation scope included hardware procurement & installation, baseline firewall policies aligned to the future governance framework, M365 tenant setup with initial security hardening, network segmentation, Wi-Fi deployment, and user onboarding support.

Why this stack? FortiGate gives deep packet inspection and threat intelligence in a single appliance that is straightforward to audit. UniFi delivers enterprise features at a fraction of legacy vendor cost while supporting centralized policy management ideal for a growing but still lean team. M365 Business Premium provides the compliance tooling (Purview, Defender for Endpoint/Office, Conditional Access, audit logs) that would otherwise require significant custom development or multiple point solutions.

Stage 2: IT Management Framework Development (≈4 weeks, parallel with Stage 1)

Objective: Create a complete, board-approved IT governance and security management framework tailored to Horizon Capital’s size, risk profile, and SFC expectations.

The framework covered:

  • IT Organization & Governance — Roles, responsibilities, and RACI matrix, including the engagement model with BROCENT as the primary IT/security partner. Even for a 10–20 person team, clear ownership (who is the IT MIC, who approves changes, escalation paths) is essential for both audit and operational resilience.
  • Core IT Policies — Acceptable Use, Access Control, Password, Remote Access, Data Classification & Handling, Mobile Device, Third-Party Risk, and more. Where the mother company already maintained mature policies, we reviewed, refreshed, and adapted them rather than starting from a blank page — saving time while ensuring Horizon Capital-specific tailoring.
  • IT Security Management Framework — Risk assessment methodology, asset management, incident response & management, vulnerability management, logging & monitoring requirements, and third-party risk oversight.
  • IT Operations Guidelines — Change management, backup & recovery, patching, capacity management, and business continuity considerations.

BROCENT led the overall design, coordinated review cycles with Horizon Capital’s management, facilitated formal approval, and managed the release process. The parallel execution meant the framework was informed by the actual infrastructure being built rather than written in the abstract.

Stage 3: Routine IT Security Practices & Compliance Evidence (1–2 weeks, commencing upon framework approval)

Objective: Operationalize the approved framework with repeatable, auditable processes and evidence collection from day one.

Once the framework was formally released, we designed and implemented scheduled security management activities:

  • Weekly tasks — Review of critical logs and security alerts, patch compliance status.
  • Monthly tasks — User access reviews (especially privileged accounts), backup verification and test restores, account lifecycle hygiene (dormant account cleanup after 45 days).
  • Periodic/Annual tasks — Policy review & update, risk assessment refresh, penetration test coordination (as needed), incident response tabletop exercises, and compliance evidence pack compilation.
  • Standardized templates — Compliance proof document templates and a structured evidence repository (SharePoint-based) so Horizon Capital’s internal team and future auditors could easily locate what they needed.
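To make the monthly access-review task concrete, here is an added illustration (not BROCENT’s FINOS code or Horizon Capital’s data) of the check behind the 45-day dormant-account rule, run over a constructed identity export; the account names and the horizon.example domain are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DORMANT_AFTER_DAYS = 45  # threshold stated in the framework's monthly task list


@dataclass(frozen=True)
class Account:
    """One row of an identity export (constructed here; in practice an Entra ID sign-in report)."""
    upn: str
    enabled: bool
    privileged: bool              # holds an admin role
    last_sign_in: Optional[date]  # None means the account has never signed in
    created: date


def is_dormant(acct: Account, as_of: date) -> bool:
    """Enabled accounts are dormant when the last sign-in (or creation, if never used)
    is more than DORMANT_AFTER_DAYS before the review date; disabled accounts are skipped."""
    if not acct.enabled:
        return False
    anchor = acct.last_sign_in or acct.created
    return (as_of - anchor).days > DORMANT_AFTER_DAYS


def monthly_access_review(accounts: List[Account], as_of: date) -> dict:
    """Produce the lists the monthly review asks for, sorted so the
    evidence is reproducible month over month."""
    return {
        "as_of": as_of.isoformat(),
        "dormant": sorted(a.upn for a in accounts if is_dormant(a, as_of)),
        # every enabled privileged account must be positively re-approved
        "privileged_to_review": sorted(a.upn for a in accounts if a.privileged and a.enabled),
        # a disabled account that still holds a role is a hygiene finding
        "disabled_but_privileged": sorted(a.upn for a in accounts if a.privileged and not a.enabled),
    }


# Constructed sample export; horizon.example is a placeholder domain.
AS_OF = date(2026, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("pm1@horizon.example", True, False, date(2026, 9, 29), date(2026, 7, 1)),
    Account("ops1@horizon.example", True, False, date(2026, 8, 1), date(2026, 7, 1)),  # 60 days idle
    Account("intern@horizon.example", True, False, None, date(2026, 7, 15)),         # never used, 77 days old
    Account("newhire@horizon.example", True, False, None, date(2026, 9, 20)),        # 10 days old, not dormant
    Account("it-admin@horizon.example", True, True, date(2026, 9, 28), date(2026, 7, 1)),
    Account("old-admin@horizon.example", False, True, date(2026, 7, 10), date(2026, 7, 1)),
]

if __name__ == "__main__":
    print(monthly_access_review(SAMPLE_ACCOUNTS, AS_OF))
```

Never-used accounts are measured from their creation date so a fresh hire is not flagged during onboarding, while a provisioned-but-unused account eventually is.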

We also introduced our proprietary FINOS Security IT Audit platform. FINOS automates continuous monitoring and specialized scans across Microsoft 365 environments (Entra ID / Azure AD, Intune, Microsoft Defender for Endpoint, Conditional Access policies, app permissions, risky users, and exposure scores). It turns what used to be manual, error-prone evidence gathering into reliable, reportable output that directly supports monthly/quarterly compliance reviews and audit readiness.

Project Timeline & Parallel Execution Advantage

Overall duration: 4–8 weeks from kick-off to an initial operational state, with the framework released and basic practices live.

  • Stage 1 — Infrastructure procurement, delivery, installation, M365 deployment, network segregation, basic security configuration & testing. Duration: ~3 weeks. Timing: Week 1–3.
  • Stage 2 — Framework documentation drafting, internal reviews, management presentation, approval & formal release. Duration: ~4 weeks. Timing: Week 1–4 (parallel).
  • Stage 3 — Rollout of scheduled tasks, training/communication, evidence collection processes go-live, handover. Duration: 1–2 weeks. Timing: starts ~Week 4–5.

Key milestones achieved:

  • Week 1: Project kick-off & hardware procurement initiated
  • Week 3: Infrastructure installation & basic configuration complete
  • Week 4: IT Management Framework drafted & ready for management review
  • Week 5: Framework approved & Stage 3 operational practices begin
  • Week 6–8: Full handover with compliance evidence processes live and FINOS monitoring active

Running Stages 1 and 2 in parallel was critical. The infrastructure decisions informed policy content (and vice versa), and management saw tangible progress early, building confidence for timely approvals.

Investment Summary (Transparent & Scope-Dependent)

All pricing is customized and provided in a formal quotation after the discovery workshop. Indicative categories (Hong Kong market, June 2026) are shown below with final figures marked TBC pending exact scope, hardware lead times, and any reuse of existing equipment.

One-time Infrastructure (Hardware & Core Software): TBC (FortiGate 80F-class NGFW with 3-year UTP + FortiCare bundle, UniFi 24-port PoE+ switch, 2× UniFi Wi-Fi 6 APs + Cloud Key equivalent, plus implementation). Note: If suitable spare hardware already exists, this Capex can be significantly reduced or avoided.

Microsoft 365 Business Premium (Annual Subscription): TBC (sized for projected team; includes 1 TB OneDrive per user, advanced security, and compliance features).

Professional Services – BROCENT:

  • IT Management Framework Development (fixed fee) — TBC
  • Infrastructure Implementation, Configuration, M365 Provisioning, Security Hardening & Project Coordination — TBC (estimate)

Ongoing IT Security Managed Services & Ad-hoc Support (12-month retainer): TBC monthly (estimated ~34 hours per month across inventory, patch, log, account lifecycle, vulnerability management, endpoint compliance, data protection, responsive support, and FINOS-automated M365 reporting). This retainer ensures continuous audit readiness with minimal internal resource burden.

BROCENT’s model emphasizes transparency. We charge an agreed handling fee only when we procure hardware or licenses on the client’s behalf. All ongoing services are retainer-based with clear deliverables and evidence packs delivered monthly.

Key Benefits & Why This Approach Delivers Positive Audit Outcomes

Horizon Capital now has:

  • Clear audit scope and evidence ownership — segregated network, dedicated logging, and isolated M365 tenant mean auditors can focus on Horizon Capital’s controls without ambiguity.
  • Faster path to positive audit opinion — reduced remediation cycles and qualified findings.
  • Cost-effective and scalable design — right-sized for 10–50 users, leveraging shared data center facilities while maintaining independence.
  • Regulatory alignment — framework and practices designed with SFC public fund expectations (operational resilience, cybersecurity, data protection, business continuity).
  • Operational simplicity — modern centralized management (FortiGate + UniFi + M365 + FINOS) with remote visibility and minimal on-site IT headcount.
  • Future-proof foundation — the same environment supports growth without major re-architecture.

Most importantly, the engagement was completed with minimal disruption to Horizon Capital’s day-to-day business preparation and mother-company relationship.

Continuous Compliance Through BROCENT Managed Services

Audit readiness is not a one-time project. Horizon Capital engaged BROCENT under our standard managed security services retainer, which includes:

  • Inventory, software, patch, and log management with monthly reviews and reporting
  • Account lifecycle management (onboard/offboard, dormant account cleanup, privileged access reviews)
  • Vulnerability management (continuous monitoring + quarterly scans) supported by Microsoft Defender for Endpoint and FINOS
  • Data protection enforcement (BitLocker, USB control, sensitivity labeling, encryption)
  • Endpoint compliance via Intune with monthly reporting
  • IT documentation maintenance and monthly executive service reports
  • Responsive support package for incidents, change management with risk assessment, and backup drills
  • FINOS Security IT Audit platform continuously scanning the M365 environment and surfacing gaps in identity, Conditional Access, app permissions, and device compliance — generating audit-ready evidence automatically

This model turns compliance from a periodic fire-drill into a steady, low-burden operational rhythm.

Key Takeaways for Other Asset Managers Preparing SFC Type 9 Applications

  1. Shared infrastructure is rarely audit-friendly. Attempting to carve out clear controls and evidence from a mother-company environment almost always leads to scope creep, ownership disputes, and delayed remediation.
  2. Segregated but cost-optimized is achievable. Sharing physical data center facilities (rack, power, cooling) while maintaining logical and physical network separation delivers the best of both worlds.
  3. Parallel execution of infrastructure and framework development compresses timelines dramatically.
  4. Modern Microsoft 365 Business Premium + FortiGate + UniFi is a proven, audit-friendly stack for teams of this size — it provides the controls, logging, and evidence generation SFC reviewers expect without excessive complexity or cost.
  5. Ongoing managed services with automation (such as FINOS) are the most reliable way for lean teams to maintain continuous audit readiness.

Recommended Next Steps

If you are preparing an SFC Type 9 (or other regulated) license application and recognize similar challenges — shared infrastructure, tight timelines, desire for a clean positive audit outcome — I recommend the following immediate actions:

  1. Discovery Workshop (1–2 hours) — Deep-dive into your current setup, regulatory timeline, team growth projections, and any existing mother-company policies or hardware.
  2. Detailed Statement of Work & Quotation — Refined scope, exact investment (TBC), resource plan, and milestone schedule.
  3. Project Kick-off — Begin parallel infrastructure build and framework development.
  4. Ongoing Services Discussion — Finalize the managed security retainer that keeps you audit-ready month after month.

We are confident this pragmatic, segregated-yet-shared approach will deliver the efficient, positive IT security audit outcome your license application deserves while establishing a professional, scalable IT foundation for your public fund business.

Reese Young

Consultant

IT consultant with expertise in enterprise software and cloud migration.
