THE ASSURANCE AND THE TOOLS TO ACT ON IT

Independent assurance for the board. Practical deliverables for everyone who needs to respond.

Primary deliverable

Board Governance Report

For: Board directors, NEDs, trustees, audit committee members

The assurance itself. Translates Microsoft 365 configuration into governance language across eleven domains. RAG-rated with board challenge questions, prioritised actions, and an evidence statement. Designed to be read, challenged, and acted upon by any director with no technical background. This is the report that goes into the board pack. It is the independent evidence that the board is governing configuration risk.

Supporting deliverable

Risk Report

For the board to share with: CFOs, COOs, risk committees, compliance officers

Helps the organisation integrate the assurance findings into its risk management framework. Each governance finding is mapped to risk impact, likelihood, control effectiveness, and residual risk. Gives the risk owner what they need to update the risk register without interpretation or translation. Produced from the same assessment at no additional cost.

Supporting deliverable

Compliance Report

For the board to share with: CTOs, IT directors, heads of IT, managed service providers

Helps management act on the findings the board will be asking about. Identifies what needs addressing, in which domain, at what priority, with enough technical context to scope and commission remediation. Inquilion does not direct how to remediate. It identifies what the board expects management to address and provides the operational context to make that actionable. Can be shared directly with the organisation's MSP. Produced from the same assessment at no additional cost.

All three deliverables are provided to the board. The board decides who else receives them and when. Inquilion's relationship is with the board, not with management or operational teams. That separation is what makes the assurance independent.

For PE houses, family offices, and holding companies commissioning event-based assurance, the same three deliverables are produced but framed for the investment context. See how findings read for private equity.

THE BOARD GOVERNANCE REPORT

What the boardroom sees.

EXECUTIVE SUMMARY

The board position at a glance.

Overall Governance Position: Amber

The organisation's Microsoft 365 environment is partially governed. Controls exist in some domains but are inconsistently applied and not evidenced at board level. Three of eleven domains require immediate board attention. Two domains meet the expected governance baseline. Four domains show partial governance with specific gaps identified.

This assessment was conducted across eleven governance domains without making any remediation changes to the environment. Evidence was collected through the agreed access model, using app registration where supported and dedicated assessment access where required. The findings below reflect the state of the environment at the time of assessment and are framed for board oversight, not operational remediation.

The executive summary gives the board an immediate governance position without requiring technical interpretation. The RAG rating is supported by the domain detail that follows.

DOMAIN OVERVIEW

Eleven domains. One governance position.

Identity and Access: Amber
Data Protection: Red
Device Management: Amber
Email Security: Green
Audit and Compliance Monitoring: Red
Information Governance: Amber
Insider Risk Management: Amber
Application and Data Sharing: Red
Data Residency and Sovereignty: Green
Power Platform Governance: Amber
External Connectivity Governance: Amber

Each domain is assessed independently. The board can see at a glance where governance is strong, where gaps exist, and where immediate attention is needed. Trend indicators are included in standing assurance engagements to show movement over time.

DOMAIN DETAIL

What a single domain finding looks like.

Domain 1: Identity and Access

Rating: Amber

Authentication controls are partially configured. Conditional access policies exist but do not consistently enforce multi-factor authentication across all access scenarios. Privileged accounts do not operate under a dedicated access tier. Third-party application permissions have been granted through OAuth consent but have not been formally reviewed or approved through a governance process.

The organisation cannot currently evidence to the board that access to its Microsoft 365 environment is governed to a standard consistent with its risk appetite or regulatory obligations.

Board challenge questions:

  • Has management confirmed that multi-factor authentication is enforced for all users, including privileged accounts and service accounts?
  • When was the last formal review of which third-party applications have been granted access to organisational data, and who approved that access?
  • Can management evidence that access controls are tested periodically, not just configured once?

The governance narrative tells the board what the position is. The board challenge questions tell the board what to ask management. Inquilion provides the evidence. The board provides the accountability.

PRIORITISED ACTIONS

What the board should ask for next.

Priority 1 (Immediate)

The board should seek assurance from management that authentication controls are applied consistently across all access scenarios. A defined timeline for remediation should be requested, with evidence of completion reported back to the board or audit committee.

Priority 2 (Within 30 days)

Management should conduct a formal review of all third-party applications with access to organisational data and present the findings to the board. Any application consent that cannot be attributed to a business requirement should be revoked.

Priority 3 (Within 90 days)

The board should request that management implement a rolling review cycle for application permissions, external sharing configurations, and guest access. This review should be evidenced and reported as part of standing governance oversight.

Actions are framed for the board, not for IT. Inquilion does not tell management how to configure. It tells the board what to ask management to evidence. The distinction is deliberate. Independence from delivery is absolute.

REGULATORY ALIGNMENT

Findings mapped to selected governance, security and regulatory references.

  • UK GDPR
  • EU GDPR
  • DORA
  • NIS2
  • FCA SYSC
  • FCA Operational Resilience
  • Insurance Act 2015
  • Charity Commission CC8
  • SRA Standards and Regulations
  • ISO 27001
  • Cyber Essentials
  • NCSC CAF

Findings are mapped, where relevant, to selected governance, security and regulatory references. The board can see which obligations are supported by current configuration and where gaps may create governance exposure. Inquilion does not provide legal advice, regulatory approval or compliance certification. It provides the governance evidence that supports compliance conversations.

The full regulatory mapping is included in the governance report. The frameworks shown here represent the current scope. Additional frameworks are added as regulatory requirements evolve.

THE RISK REPORT

What the risk register receives.

The Risk Report helps the organisation's risk function integrate assurance findings into its existing risk management framework. The following extract shows how a single governance finding translates into risk register language.

RISK REPORT EXTRACT

From governance finding to risk register entry.

Risk: Inconsistent authentication controls across Microsoft 365 access scenarios

Domain: Identity and Access
Governance Rating: Amber
Risk Category: Operational / Information Security
Inherent Impact: High
Inherent Likelihood: Medium
Current Controls: Conditional access policies partially configured. MFA enforced for some user groups.
Control Effectiveness: Partial. Does not cover all access scenarios. Privileged accounts not subject to dedicated access tier.
Residual Risk: Medium-High
Risk Owner: [To be assigned by management]
Regulatory Relevance: UK GDPR Article 32, FCA SYSC 13, DORA Article 9
Recommended Action: Management to confirm MFA enforcement across all access scenarios with defined timeline. Evidence of completion to be reported to board or audit committee.
Priority: Immediate

The risk committee does not need to interpret governance language or translate assurance findings into risk terminology. It is already done. Every finding in the Board Governance Report has a corresponding entry in the Risk Report, structured for direct integration into the organisation's risk register. Impact, likelihood, control effectiveness, residual risk, and regulatory relevance are pre-mapped. The risk function can act on the assurance immediately.

THE COMPLIANCE REPORT

What management gets to act on.

The Compliance Report helps the people responsible for remediation understand what the board will be asking about. The following extract shows how a single governance finding translates into operational management language.

COMPLIANCE REPORT EXTRACT

From governance finding to actionable remediation scope.

Finding: Conditional access policies do not enforce MFA across all access scenarios

Domain: Identity and Access
Governance Rating: Amber
Priority: Immediate
Scope: 10 of 24 user accounts are not subject to MFA enforcement via conditional access. 3 accounts with privileged roles operate without a dedicated administrative access tier.
Observed Configuration: Conditional access policies exist but apply selectively. No policy enforces MFA for guest or external access. No break-glass account procedure is documented.
Governance Expectation: All user accounts, including privileged, guest, and service accounts, should be subject to authentication controls proportionate to the data and systems they can access. The board expects management to evidence this.
Board Action Requested: Confirm MFA enforcement across all access scenarios. Provide timeline for remediation. Report evidence of completion to the board or audit committee.
Notes: This finding does not prescribe how to remediate. It identifies what the board expects management to address and provides sufficient context for management to scope the work.
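The Domain Detail finding and the Compliance Report extract above express MFA coverage as counts: accounts not covered by an enforcing conditional access policy, privileged accounts outside a dedicated admin tier, and a break-glass exclusion with no documented procedure. The Python below is an added illustration of how such counts can be derived from policy data; it is not Inquilion's assessment tooling. It assumes a simplified model of the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, grantControls.builtInControls), uses role names where Graph uses role template IDs, and names a hypothetical admin tier group "Tier0-Admins". The users and policies are constructed sample data for a fictional tenant.

```python
from dataclasses import dataclass, field

# Assumption: the organisation's dedicated administrative tier is a group with this name.
ADMIN_TIER_GROUP = "Tier0-Admins"
# Constructed subset of directory roles treated as privileged for this check.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "SharePoint Administrator", "Privileged Role Administrator"}


@dataclass
class User:
    id: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    is_guest: bool = False


# Constructed sample users (fictional tenant).
SAMPLE_USERS = [
    User("alice", groups={"Staff"}),
    User("bob", groups={"Staff"}),
    User("carol", groups={"Staff", ADMIN_TIER_GROUP}, roles={"Global Administrator"}),
    User("dave", groups={"Staff"}, roles={"Exchange Administrator"}),   # admin outside the tier
    User("breakglass-1", roles={"Global Administrator"}),                # excluded from MFA policy
    User("eve", is_guest=True),                                          # guest, report-only policy
    User("svc-backup", groups={"ServiceAccounts"}),                      # service account, no policy
]

# Constructed sample policies, simplified from the Graph conditionalAccessPolicy shape.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for staff", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["Staff"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["Global Administrator", "Exchange Administrator"],
                              "excludeUsers": ["breakglass-1"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for guests (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]


def enforces_mfa(policy):
    """True if the policy's grant controls require MFA (ignores policy state)."""
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", [])


def policy_applies(policy, user):
    """True if an enabled policy's user scope includes the user and does not exclude them."""
    if policy.get("state") != "enabled":          # report-only or disabled policies enforce nothing
        return False
    scope = policy["conditions"]["users"]
    inc_users = scope.get("includeUsers", [])
    included = ("All" in inc_users or user.id in inc_users
                or (user.is_guest and "GuestsOrExternalUsers" in inc_users)
                or bool(user.groups & set(scope.get("includeGroups", [])))
                or bool(user.roles & set(scope.get("includeRoles", []))))
    excluded = (user.id in scope.get("excludeUsers", [])
                or bool(user.groups & set(scope.get("excludeGroups", [])))
                or bool(user.roles & set(scope.get("excludeRoles", []))))
    return included and not excluded


def mfa_coverage(users, policies):
    """Split users into those covered by at least one enforcing MFA policy and those not."""
    covered, uncovered = [], []
    for user in users:
        if any(enforces_mfa(p) and policy_applies(p, user) for p in policies):
            covered.append(user.id)
        else:
            uncovered.append(user.id)
    return {"covered": covered, "uncovered": uncovered}


def privileged_without_tier(users):
    """Privileged accounts that are not members of the dedicated admin tier group."""
    return [u.id for u in users if u.roles & PRIVILEGED_ROLES and ADMIN_TIER_GROUP not in u.groups]


def unenforced_mfa_policies(policies):
    """MFA policies that exist but are not in the enabled state (e.g. report-only)."""
    return [p["displayName"] for p in policies if enforces_mfa(p) and p.get("state") != "enabled"]


def summarise(users, policies):
    """Render the scope line in the same form the Compliance Report extract uses."""
    cov = mfa_coverage(users, policies)
    return (f"{len(cov['uncovered'])} of {len(users)} user accounts are not subject to MFA "
            f"enforcement via conditional access. {len(privileged_without_tier(users))} accounts "
            f"with privileged roles operate without a dedicated administrative access tier.")


if __name__ == "__main__":
    print(summarise(SAMPLE_USERS, SAMPLE_POLICIES))
    print("Uncovered:", mfa_coverage(SAMPLE_USERS, SAMPLE_POLICIES)["uncovered"])
    print("MFA policies not enforced:", unenforced_mfa_policies(SAMPLE_POLICIES))
```

On the sample data the summary reads "3 of 7 user accounts are not subject to MFA enforcement": the excluded break-glass account, the guest covered only by a report-only policy, and the service account in no policy scope. Each uncovered account is something management can be asked to explain or evidence; the check itself does not say how to remediate.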

The Compliance Report gives the CTO or IT director enough context to understand what the board expects them to address, in which domain, at what priority. It bridges the gap between the assurance finding and the remediation scope. Inquilion identifies what. Management decides how. That boundary is maintained in every deliverable.

Where an organisation works with a managed service provider, the Compliance Report can be shared with the MSP to inform remediation. It is written to be self-contained: the MSP does not need access to the Board Governance Report or the Risk Report to understand and act on the findings.

FOR PRIVATE EQUITY AND PORTFOLIO OVERSIGHT

The same deliverables, framed for the investment lifecycle.

For PE houses, family offices, and holding companies, the same three deliverables are produced from a single assessment but framed for the investment context. Findings are structured for investment committee review and comparable across portfolio companies regardless of size, sector, or Microsoft 365 licence tier.

The Board Governance Report becomes the governance baseline for the portfolio company board. The Risk Report maps findings into the investment risk framework. The Compliance Report gives the portfolio company's management team the operational context to address findings post-completion.

Where multiple portfolio companies are assessed, the investment committee receives comparable RAG positions across all holdings in a single view.

Investment assurance is engaged on a per-assessment basis. One target, one assessment, one engagement, one cost. There is no subscription, no retainer, and no ongoing commitment. The PE house, family office, or holding company commissions the assessment, receives the three deliverables, and the engagement is complete.

If the portfolio company subsequently wants standing governance oversight, the assessment carries forward as the baseline for a governance assurance programme. That is a separate decision, made by the portfolio company board, at a later date.

How findings read for the investment committee

The extracts below show how the same governance findings are reframed when produced for a private equity or portfolio oversight context. The underlying assessment is identical. The language shifts to deal terms, remediation cost exposure, and portfolio comparability.

Executive Summary (PE framing)

The target organisation's Microsoft 365 environment is partially governed. Three of eleven domains present material configuration risk that should be reflected in deal terms or post-completion remediation planning. Estimated remediation effort is moderate and addressable within a standard 100-day plan. Two domains meet the expected governance baseline. The overall governance position is comparable to the lower quartile of assessed portfolio companies in this sector.

Risk Report entry (PE framing)

Domain: Identity and Access
Governance Rating: Amber
Deal Relevance: Configuration gap affects authentication controls for all user accounts. If unaddressed, represents ongoing operational risk to the portfolio company and potential warranty exposure.
Estimated Remediation: Low complexity. Addressable within existing Microsoft 365 licence. No additional technology spend anticipated.
Portfolio Comparability: Finding is consistent with 60% of assessed portfolio companies at point of acquisition. Typically resolved within first remediation cycle.

Board Action (PE framing)

The portfolio company board should commission remediation of the three red-rated domains within the first 90 days post-completion. The Compliance Report provides sufficient scope for the portfolio company's IT function or MSP to execute without further assessment. Progress should be reported to the investment committee at the first post-acquisition board cycle.

The board-framed extracts earlier on this page show how these same findings are presented when the audience is the organisation's own board. The methodology is the same. The evidence is the same. The language serves a different governance function.

USING THE REPORT

Designed for your existing governance cycle.

Every Inquilion report is self-contained. A new NED, trustee, insurer or auditor can pick it up and understand the organisation's Microsoft 365 governance posture from first principles. No prior knowledge of the organisation or its technology is required.

The report structure follows a deliberate sequence. The executive summary provides the overall position. The domain overview shows where strengths and gaps sit. Material findings are framed as board actions with defined priorities and timelines. A cumulative findings tracker shows remediation progress across assessment periods. The board sees whether governance posture is improving, stable or deteriorating.

For audit committees, the report provides the evidence layer that supports independent challenge. For insurers, it evidences the controls in place at the time of assessment. For regulators, it demonstrates active oversight rather than assumed compliance.

For PE houses, family offices, and holding companies, the same report structure supports portfolio-level governance oversight. Investment committees can compare RAG positions across holdings, track remediation progress post-acquisition, and evidence governance standards to co-investors or limited partners.

Five questions every board should ask

Any director can ask these questions without technical knowledge. The answers reveal whether governance is operating or being assumed.

1. Is our Microsoft 365 environment independently assured, or are we relying on the people who run it to tell us it is fine?

2. If something went wrong today, could we evidence what controls were in place and that we were actively overseeing them?

3. Do we know whether our configuration is getting better or worse over time, or do we only find out when something breaks?

4. Could a single compromised password give someone access to our email, documents, client data and financial systems, and do we know whether the controls preventing that are actually working?

5. When did we last ask management to show us evidence, not reassurance but evidence, that our digital controls are operating as we expect?

If your board cannot confidently answer these questions, the governance gap is already present. Inquilion exists to close it.

Report format, domain coverage, and regulatory framework mapping are subject to ongoing development. The extracts on this page reflect the deliverable format as of March 2026 and use fictional findings for a fictional organisation. The reports delivered to your board will reflect the most current version of the Inquilion methodology at the time of engagement.

Start with a Board Review.

A single, independent assessment across eleven governance domains. No disruption. No jargon. Evidence where previously there was assumption.

Request a Board Review