Project Online Migration in Financial Services: Compliance Edition

Project Online financial services migrations carry SOX, audit trail continuity, and data residency requirements that extend every timeline. Here's the plan.

Onplana Team | June 3, 2026 | 9 min read

Here's the pattern. A Project Online financial services PMO starts its migration planning in February 2026. The compliance review launches in March. Infosec flags three open items in April. The vendor questionnaire cycles back and forth through May. It is now June. The migration has not started. Three months remain before retirement.

This is not a hypothetical. It describes how most regulated financial services migrations unfold, because the compliance process that protects these organizations is also the process that consumes the migration runway. The question is not whether to do the compliance work. The question is whether you have planned for the time it takes.

Every Project Online financial services migration faces the same set of obligations that commercial PMOs skip: SOX audit trail continuity, segregation of duties control mapping, data residency verification, and a vendor security assessment that moves at information security team speed, not migration speed. These obligations do not disappear because the retirement deadline is fixed. They have to fit inside the window that is left.

TL;DR Financial services PMOs migrating from Project Online need 16 to 20 weeks, not the 12 weeks a commercial migration takes. The extra time goes to vendor security assessment (four to six weeks), SOD control mapping (two to four weeks post-cutover), and audit trail export design. The vendor assessment must start before the migration starts. Run the Project Online Inventory Checklist first to give infosec a concrete scope, not a guess.

Why Project Online financial services migrations take longer than any other sector

A commercial PMO choosing a new tool goes through procurement, IT review, and user training. A financial services PMO does all of that and adds a vendor risk assessment, a data residency review, a SOX impact analysis, a change control record, and a post-cutover SOD validation. Each of these has its own queue.

The vendor risk assessment is the biggest time sink. Information security teams at banks, insurers, and asset managers run structured vendor questionnaires that can run 200 to 400 questions long. These questionnaires cover data handling, encryption standards, access controls, penetration testing, business continuity, subprocessors, and jurisdictional data flows. Vendors typically take two to four weeks to respond. Infosec teams take another two to four weeks to review and resolve findings. The result is a four to eight week addition before the migration can start in earnest.

The change control board is a second gate. In a regulated financial institution, changing a system that touches regulated data or financial processes requires formal change approval. The change record documents what is changing, who reviewed it, and what rollback plan exists. Getting this through the CCB typically takes two to three weeks, depending on meeting cadence.

If you add these together and count backward from September 30, 2026, most financial services PMOs that have not yet started infosec review are working with a compressed window. A compressed window does not make the work disappear; it makes each step higher risk.

SOX and the audit trail you cannot afford to lose

SOX Section 404 requires publicly traded companies to maintain internal controls over financial reporting and document them. Project Online PMOs that manage projects touching financial systems, regulatory filings, or internal audit processes may have SOX-relevant records in their tenant.

What SOX requires during a migration: a documented record of what changed, who approved it, and how data integrity was verified. This is not the same as a general migration plan. It is a change control record with a scope statement, a risk assessment, test results confirming data transferred correctly, and sign-off from whoever owns internal controls in your organization.

What SOX requires of the data: audit trails must be preserved and accessible. Financial services auditors ask for project records going back three to seven years depending on your regulatory obligations. If those records live in a Project Online tenant that goes dark on October 1, 2026, without an export and archive strategy, you will not be able to produce them.

The export strategy has two parts. First, pull structured project data: status history, approval records, resource assignments, baseline comparisons. These come out via OData feeds. Second, pull unstructured records: project documents stored in SharePoint document libraries attached to PWA. These are not covered by the OData feed and require a separate SharePoint export. Both need to land in a compliant archive before the tenant closes.

Microsoft's compliance documentation for SOX covers how its cloud services support customer SOX obligations through SOC 1 Type 2 attestations. Review the Microsoft SOX compliance documentation to understand what the tenant-side controls look like before your auditor asks.

Segregation of duties: the control that does not transfer automatically

SOD controls are among the most important internal controls in a financial services PMO, and they are among the least likely to survive migration without explicit attention.

Project Online's permission model uses a category and group structure that is specific to PWA. Each user belongs to security categories that define which projects they can see, and to groups that define what they can do. This model does not translate to the role-based access control model used by most modern PM tools.

The typical SOD failure in a migration: the project manager who creates a project also has the permissions to approve that project's status updates and edit its baselines. In PWA, these permissions were separated by category. In the new tool, they defaulted to a single "project manager" role that includes all three. The control breaks silently. The first time an auditor runs an access review, it shows up as a finding.

Before cutover, document the SOD rules your organization requires for project management data. For each role in Project Online, record what it can create, what it can edit, and what it can approve. Map each PWA role to the closest equivalent in the replacement tool and flag any SOD rule that cannot be maintained. Bring those flags to your internal controls team before go-live, not after.
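The role-mapping check described above can be run as a script before go-live. This is an added example, not code from Onplana or Microsoft; every group, role, permission label and user in it is a constructed assumption, and the two SOD rules encode the create/approve/baseline separation from the failure case above.

```python
# Added example. Every group, role, permission and user below is constructed.
SOD_RULES = {  # duties no single account may combine
    "create+approve": {"create_project", "approve_status"},
    "create+baseline": {"create_project", "edit_baseline"},
}
PWA_GROUPS = {  # source side: what each PWA group can do
    "Project Managers": {"create_project", "edit_schedule"},
    "Status Approvers": {"approve_status"},
    "Baseline Owners": {"edit_baseline"},
}
TARGET_ROLES = {  # target side: default roles in the replacement tool
    "project_manager": {"create_project", "edit_schedule",
                        "approve_status", "edit_baseline"},
    "approver": {"approve_status"},
    "scheduler": {"edit_schedule", "edit_baseline"},
}
ROLE_MAP = {"Project Managers": "project_manager",
            "Status Approvers": "approver",
            "Baseline Owners": "scheduler"}
USERS = {"alice": ["Project Managers"],
         "bob": ["Status Approvers"],
         "carol": ["Project Managers", "Baseline Owners"],
         "dave": ["Portfolio Viewers"]}  # group with no mapping yet


def perms(names, catalog):
    """Union of the permissions granted by the named groups or roles."""
    return set().union(*(catalog.get(n, set()) for n in names))


def broken_rules(granted):
    # A rule is broken when one account holds every duty it lists.
    return {rule for rule, duties in SOD_RULES.items() if duties <= granted}


def review(users):
    """Per user: rules broken by the mapping, rules already broken, new permissions."""
    report = {}
    for user, groups in users.items():
        before = perms(groups, PWA_GROUPS)
        mapped = [ROLE_MAP[g] for g in groups if g in ROLE_MAP]
        after = perms(mapped, TARGET_ROLES)
        report[user] = {
            "introduced": sorted(broken_rules(after) - broken_rules(before)),
            "preexisting": sorted(broken_rules(before)),
            "gained": sorted(after - before),
            "unmapped": [g for g in groups if g not in ROLE_MAP],
        }
    return report
```

Entries under "introduced" and "unmapped" are the flags to bring to the internal controls team; "preexisting" entries were already broken in PWA and need a separate decision.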

The diagram below shows the migration timeline with compliance checkpoints for a financial services PMO.

Figure: Financial Services Project Online Migration Timeline with SOX Compliance Gates. Phase progression: each phase must clear its compliance gate before the next begins.

  1. INVENTORY (Wks 1-2): audit trail scope + data map
  2. VENDOR ASSESS (Wks 3-8): infosec review + questionnaire
  3. CHANGE CTL (Wks 7-10): CCB approval + SOX record
  4. MIGRATE (Wks 11-16): export, import, parallel run
  5. SOD VALIDATE (Wks 17-18): access review + control mapping
  6. GO LIVE (Wks 19-20): controls verified; audit trail secure

Vendor assessment (wks 3-8) and change control (wks 7-10) run in parallel where your CCB cadence allows. Total elapsed time: 18-20 weeks. Starting in June 2026 means cutover lands in October 2026, after the retirement date. Teams starting now: vendor assessment must begin this week to have any chance of clearing before the September window. Use the compressed path in the final section of this post to prioritize the steps that create the most risk if skipped.

The diagram makes the time math visible. Teams that start the vendor assessment now, in June, will clear infosec review by late July or early August. That leaves September for migration and parallel running, with data cutover targeting September 28 or 29, leaving one day of buffer before retirement. There is no room for infosec findings that require remediation. Run a pre-assessment gap analysis before you send the questionnaire so you can resolve obvious issues first.

Data residency: where your project data can and cannot go

Financial services firms operate under a patchwork of data residency requirements. EU firms under GDPR face restrictions on transferring personal data outside the European Economic Area without adequate safeguards. UK firms face FCA guidance on operational resilience and third-party risk. US firms in certain states face state-level privacy laws that affect how project data referencing employees or clients can be processed.

Project management data sits in a gray zone. The projects themselves are usually not personal data. But project records often contain resource names, communication logs, and references to client-facing work. In some cases, project notes contain client identifiers or case references that bring them into scope.

Before selecting a replacement PM tool, your data residency review needs to answer three questions: what categories of personal or regulated data appear in your Project Online tenant, where will that data reside in the replacement tool's cloud, and does the replacement tool offer data residency controls that meet your regulatory requirements.

Most modern SaaS PM tools offer regional data residency. Verify that the region option available in the product tier you will license (not just in the enterprise plan the vendor is pitching you on) matches your requirements. If regional data residency is not available in the tier you need, a cloud-agnostic deployment where you control data location eliminates this variable entirely.

The vendor security assessment on your migration timeline

The vendor security assessment is the longest single step in a financial services migration. Most organizations use a standardized questionnaire framework, such as the SIG (Standardized Information Gathering), the VSA (Vendor Security Alliance), or an internal template. Questionnaire length ranges from 150 to 400 questions. Response time from vendors ranges from one to four weeks. Review and finding resolution adds another two to four weeks.

Three things accelerate the assessment. First, provide the vendor's existing compliance certifications early: SOC 2 Type II, ISO 27001, PCI DSS where relevant. Assessors who review these first spend less time on the questionnaire. Second, use a pre-scoped questionnaire. If you can identify which data categories will flow to the PM tool before the assessment starts, you can focus the questionnaire on the relevant control domains instead of running the full framework. Third, run a gap analysis meeting between your infosec team and the vendor's security team before the formal questionnaire exchange. Surface the questions that are most likely to produce findings and resolve them verbally first.

Structuring the migration to produce a clean audit trail

The migration itself needs to produce a clean change control record. That record should include: the business case for the change, the scope of systems and data affected, the risk assessment (including rollback triggers), the test results verifying data integrity after transfer, and the sign-off chain matching your internal controls requirements.

The change control record is separate from the migration plan. The migration plan describes what steps happen in what order. The change control record documents that the right people reviewed those steps and that the results were verified. Build both in parallel, not sequentially.

After cutover, run a data reconciliation exercise: compare record counts, baseline values, and key field values between your Project Online export and the new tool's import. Unexplained discrepancies are findings. Document what was verified, what was found, and how discrepancies were resolved. Your auditor will ask.
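A minimal version of that reconciliation, as an added example rather than Onplana's or Microsoft's tooling. The rows, field names and project IDs are constructed; values are normalized before comparison so formatting differences (trailing whitespace, `120000` versus `120000.0`) are not reported as findings, and a SHA-256 digest of each side is returned as evidence for the change control record.

```python
# Added example. Rows, field names and project IDs are constructed sample data.
import hashlib
import json
from decimal import Decimal
KEY_FIELDS = ("name", "owner", "baseline_cost", "baseline_finish")
EXPORT = [  # rows from the Project Online export
    {"id": "P-001", "name": "Ledger Upgrade ", "owner": "alice",
     "baseline_cost": "120000", "baseline_finish": "2026-03-31"},
    {"id": "P-002", "name": "KYC Refresh", "owner": "bob",
     "baseline_cost": "45000.00", "baseline_finish": "2026-06-30"},
    {"id": "P-003", "name": "Audit Prep", "owner": "carol",
     "baseline_cost": "9000.00", "baseline_finish": "2026-02-15"},
]
IMPORT = [  # rows read back from the replacement tool
    {"id": "P-001", "name": "Ledger Upgrade", "owner": "alice",
     "baseline_cost": 120000.0, "baseline_finish": "2026-03-31"},
    {"id": "P-002", "name": "KYC Refresh", "owner": "bob",
     "baseline_cost": "54000.00", "baseline_finish": "2026-06-30"},
]


def normalize(row):
    """Canonical form of the key fields so formatting noise is not a finding."""
    out = {}
    for field in KEY_FIELDS:
        value = row.get(field)
        if field == "baseline_cost" and value is not None:
            value = str(Decimal(str(value)).quantize(Decimal("0.01")))
        elif isinstance(value, str):
            value = value.strip()
        out[field] = value
    return out


def digest(rows):
    """SHA-256 over the canonical records, for the change control record."""
    canon = json.dumps({r["id"]: normalize(r) for r in rows}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def reconcile(source, target):
    src = {r["id"]: normalize(r) for r in source}
    dst = {r["id"]: normalize(r) for r in target}
    findings = [(pid, "missing_in_target", None, None) for pid in sorted(src.keys() - dst.keys())]
    findings += [(pid, "not_in_source", None, None) for pid in sorted(dst.keys() - src.keys())]
    findings += [(pid, f, src[pid][f], dst[pid][f]) for pid in sorted(src.keys() & dst.keys())
                 for f in KEY_FIELDS if src[pid][f] != dst[pid][f]]
    return {"counts": (len(source), len(target)), "findings": findings,
            "digests": (digest(source), digest(target))}
```

Each tuple in `findings` is (project ID, field or condition, source value, target value); matching digests with an empty findings list is the clean result to record.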

For more on why financial services migrations fail, see the post on the reasons Project Online migrations fail, which covers the structural patterns that produce audit findings and schedule slips regardless of industry.

The compressed path for teams starting in June 2026

If you are starting now and need to make September 30, the sequence that gives you the best chance:

  1. Run the inventory checklist this week to produce a concrete data scope for infosec.
  2. Send the vendor questionnaire simultaneously with the inventory, not after it. Every day of delay in the questionnaire is a day of delay in infosec sign-off.
  3. Identify the SOD rules you need to preserve and document them now. Do not wait until cutover to discover that the replacement tool's default roles break them.
  4. Draft the change control record in parallel with the vendor assessment. The record does not need to be complete; it needs to be started. The final sign-off happens after migration, but the framework should be in place before.
  5. Set a hard data cutover date: September 26, 2026. Four days of buffer before retirement is not comfortable, but it is something.

The full migration planning overview walks through each phase in detail.

Run the free Project Online Inventory Checklist

Your infosec team needs a concrete scope of what data is in your Project Online tenant before they can write a useful vendor questionnaire. The checklist takes about 10 minutes and gives you a structured inventory of projects, resource pools, custom fields, and workflows. No signup required.

Microsoft Project Online™ is a trademark of Microsoft Corporation. Onplana is not affiliated with Microsoft.
