How does an Inquilion engagement start?

Every governance assurance programme begins with a baseline assessment across eleven domains. This is the foundation of the assurance, not a separate product. The baseline establishes the starting position against which all future assessments are measured, and produces a Board Governance Report, Risk Report, and Compliance Report.

What is event-based assurance?

An independent assessment for PE houses, family offices, and holding companies, providing Microsoft 365 configuration evidence for technical due diligence, portfolio oversight, or post-acquisition governance. It covers the same eleven domains using the same methodology, with findings framed for investment committee review and portfolio-wide comparability.

The Models | Inquilion — Standing and Event-Based Governance Assurance

FOR BOARDS AND ORGANISATIONS

Standing governance assurance that starts with a clear picture and builds from there.

The governance assurance programme is how most organisations engage with Inquilion. It provides ongoing, independent oversight of Microsoft 365 configuration, aligned to the board's reporting cadence. The value is in the continuity: not a single snapshot, but a governance record that builds over time.

Every programme begins with a baseline assessment. This is not a separate product or an optional first step. It is the foundation of the assurance. The baseline produces a complete governance position across eleven domains, establishing the starting point against which all future assessments are measured. Without it, there is nothing to trend against, nothing to compare, and no evidence of progress.

From the baseline, standing assurance continues at a cadence matched to the board's reporting cycle, typically monthly or quarterly. Each assessment cycle produces a fresh governance position showing whether the organisation's posture is improving, stable, or deteriorating. A cumulative findings tracker shows remediation progress across all periods. Material findings from previous cycles are followed through. New findings are identified. Over time, the board builds a governance record that demonstrates active, evidenced oversight of Microsoft 365 configuration.

What every assessment produces

Every assessment, from the first baseline through every subsequent cycle, produces three deliverables from a single non-invasive assessment:

Board Governance Report — the assurance itself. RAG-rated across eleven domains, written for the boardroom, with board challenge questions and prioritised actions.
Risk Report — translates findings into risk register language for the CFO, COO, or risk committee.
Compliance Report — translates findings into operational language for the CTO, IT director, or MSP, helping management address what the board will be asking about.

See what the deliverables look like

How it works

Common reasons organisations start

Baseline

A complete governance assessment across eleven domains. The board sees its starting position. Material findings are identified and framed as actions for management. This is the first deliverable of the programme, not a separate engagement.

No independent evidence exists

The board has never received independent evidence on how Microsoft 365 is configured, or a new NED, trustee, or audit committee member wants to understand current risk.

Management responds

The board oversees remediation through its existing governance structures. Inquilion does not remediate. Independence requires separation from delivery. The Compliance Report gives management the context to scope and commission the work.

External pressure requires it

A regulator or auditor has asked about digital governance controls, or cyber insurance renewal requires evidence of configuration posture.

Standing assurance

Each subsequent assessment cycle builds on the baseline. The board sees trend, progress, and any new findings. Configuration risk becomes a standing item on the board's agenda. Discontinuing the programme means losing the governance record and the trend history.

Oversight is overdue

The organisation has experienced an incident and wants ongoing oversight, or IT is outsourced and the board wants independent visibility of the MSP's work.

See the Deliverables Start a Conversation

FOR PRIVATE EQUITY AND INVESTMENT OVERSIGHT

Independent configuration evidence for the investment lifecycle.

Event-based assurance provides independent evidence of Microsoft 365 configuration risk in a target or portfolio organisation, structured for investment committee review and aligned to your deal timeline.

Findings are framed for technical due diligence, deal terms, warranties, and post-completion remediation planning. Every portfolio company is assessed against the same governance benchmarks, producing comparable reporting regardless of company size, sector, or Microsoft 365 licence tier. An investment committee can review RAG positions across all holdings in a single view.

Each engagement is commissioned on a per-assessment basis. One target, one assessment, one cost. There is no subscription, no retainer, and no ongoing commitment. The PE house, family office, or holding company commissions the assessment, receives the three deliverables, and the engagement is complete.

If the portfolio company subsequently wants standing governance oversight, the assessment carries forward as the baseline for a governance assurance programme. That is a separate decision, made by the portfolio company board, at a later date.

What the commissioning party receives

Three deliverables from a single non-invasive assessment, framed for the private equity and portfolio oversight context:

Board Governance Report — governance position across eleven domains, suitable for the portfolio company board and the investment committee.
Risk Report — findings mapped to risk impact for integration into the investment risk framework.
Compliance Report — operational findings for the portfolio company's management team or MSP to address post-completion.

See what the deliverables look like

Common triggers

Pre-acquisition due diligence on a target's M365 environment
Post-acquisition governance baseline for a new portfolio company
Portfolio-wide governance standardisation across multiple holdings
Vendor preparation ahead of a disposal or exit
Investment committee seeking comparable configuration risk data across the portfolio

Standing Assurance Start a Conversation

Engagement scope and deliverables reflect the Inquilion methodology current at the time of engagement. Domain coverage, assessment checks, and regulatory framework mapping may be updated between the descriptions shown here and the point of engagement. The engagement letter defines the specific scope for each client.

Every engagement starts with a conversation.

Whether you are a board looking for ongoing governance oversight or a PE house that needs configuration evidence on a deal timeline, the first step is the same. Tell us about your organisation and we will explain how the engagement works.

Start a conversation