Who is Inquilion designed for?

Inquilion is designed for people with oversight accountability, not operational responsibility. This includes board directors, non-executive directors, trustees, audit committee members, CFOs, COOs, and company secretaries. If your role requires you to hold management to account for technology risk but you do not control the technology yourself, Inquilion is built for you.

Is Inquilion a technical IT audit?

No. Inquilion is not a technical configuration audit for IT teams. That is delivery, not governance. Inquilion provides independent governance assurance designed for the boardroom, translating Microsoft 365 configuration into evidence that directors can review, challenge, and act on.

Does Inquilion fix the issues it finds?

No. Inquilion reports. It does not remediate. Independence from delivery is absolute. Findings are framed as actions for management, and the board oversees remediation through its existing governance structures.

Does Inquilion work for EU organisations under DORA and NIS2?

Yes. DORA explicitly requires ICT risk governance at board level and evidence of oversight over third-party technology providers. NIS2 requires operational resilience evidence as a board obligation. Inquilion's methodology covers both frameworks. The governance methodology applies equally across UK and EU Microsoft 365 tenants, and Inquilion already serves clients in Ireland through its partnership network.

Who Is This For? | Inquilion — Independent M365 Governance Assurance

Q: Does Inquilion work for non-regulated organisations?

Yes. The absence of a regulator does not mean the absence of accountability. Cyber insurers are tightening policy wording around configuration governance, acquirers are asking about it in due diligence, and clients in regulated industries are flowing governance expectations down to their suppliers. Inquilion serves mid-market corporates, professional services firms, businesses with outsourced or managed IT, and growth-stage companies preparing for investment or acquisition.

Honest boundaries

We would rather be clear now than waste your time later.

You are looking for a technical configuration audit for your IT team. That is delivery, not governance. Your IT provider or an MSP can do that.

You want someone to fix what they find. Inquilion reports. It does not remediate. Independence from delivery is absolute.

You are looking for a penetration test or vulnerability scan. Inquilion assesses governance posture, not technical attack surface.

You want a compliance certificate or a tick-box exercise. Inquilion provides evidence and assurance, not certification.

Your organisation does not use Microsoft 365. Inquilion is purpose-built for M365 environments exclusively.

Who Is This For?

Roles

This is for the people who govern, not the people who operate.

Inquilion reports are written for the boardroom, not the server room. Every finding is translated into governance language that directors can review, challenge, and evidence. If your role requires you to hold management to account for technology risk but you do not control the technology yourself, you are exactly who this is for.

Board Directors and Non-Executive Directors

You are accountable for the governance of your organisation, including operational resilience and data protection. You receive IT updates but have no independent means of verifying what is actually configured. Inquilion gives you evidence where previously there was assumption.

Trustees

Charity trustees carry personal liability for governance failures. Microsoft 365 is the operational backbone of most charities, yet trustee boards rarely have visibility of its configuration. Inquilion provides the independent assurance that satisfies both the Charity Commission and your own duty of care.

Audit Committee Members

Your role is to provide independent challenge to management assertions. When management says "our systems are secure" or "we are compliant," Inquilion gives you the evidence to test that claim, framed in the governance language your committee already works in.

CFOs and COOs

You own the operational risk register. Microsoft 365 configuration sits on it whether you know it or not. Inquilion translates configuration state into risk language you can act on, escalate, or report to the board with confidence.

Investment Managers and Portfolio Directors (Private Equity)

You oversee acquisitions, manage portfolio companies, and report to an investment committee. Microsoft 365 configuration risk exists in every holding but rarely appears in operational due diligence or portfolio monitoring. Inquilion gives you standardised, independent governance visibility across your portfolio without relying on each company's IT function to self-report. The engagement models page covers how transaction assurance supports pre-acquisition due diligence and carries forward into standing portfolio oversight.

Company Secretaries

You are responsible for ensuring the board has adequate information to discharge its duties. Inquilion provides structured, independent reporting that gives the board visibility it currently lacks over one of the organisation's most critical platforms.

Honest Boundaries Which Sectors?

Sectors

Governance accountability exists everywhere. Regulation just makes it louder.

Inquilion works across three distinct audiences. The common thread is not industry. It is that someone, somewhere, is accountable for what is configured in Microsoft 365 and currently has no independent way of knowing.

Ownership and Portfolio Oversight

You do not run the organisation. You own it, fund it, or oversee it. Your concern is portfolio-wide governance visibility, standardised risk reporting across holdings, and knowing what configuration risk you are inheriting or carrying. Inquilion provides assurance at the fund, group, or trust level, not just the individual entity.

For investment teams, Microsoft 365 governance assurance serves the full investment lifecycle. Before acquisition, a transaction assurance assessment provides independent evidence of configuration risk, allowing material findings to inform deal terms, warranties, or post-completion remediation plans. After completion, that same assessment becomes the governance baseline for the portfolio board, avoiding duplicated work and giving the investment committee a clear starting position from day one.

Across the portfolio, every company is assessed against the same governance benchmarks. This produces comparable reporting for investment committee review regardless of company size, sector, or Microsoft 365 licence tier. Standing assurance then maintains continuous independent oversight, so the portfolio board always knows where each holding stands and whether management is responding to findings.

Private equity houses. Venture capital firms. Family offices. Holding companies. Multi-academy trusts.

See Transaction and Standing Assurance models

Regulated Organisations

Your regulator expects evidence of operational resilience, data protection controls, and governance oversight. In the UK, this means FCA expectations around SYSC and operational resilience. In the EU, DORA now explicitly requires ICT risk governance at board level and evidence of oversight over third-party technology providers, which is precisely what Microsoft 365 is. Across both jurisdictions, GDPR places accountability for data processing controls at board level. Microsoft 365 is the platform that underpins most of this, yet configuration governance is rarely evidenced at board level. Inquilion provides the independent assurance that satisfies regulatory expectation without creating operational disruption.

Sectors (UK): FCA-authorised firms. Charities (Charity Commission). Housing associations. Legal practices (SRA-regulated). Healthcare providers. Education institutions.

Sectors (EU): DORA-scope financial entities (banks, insurers, investment firms, payment institutions). GDPR-accountable organisations where M365 is the primary data processing platform. NIS2-scope entities where operational resilience evidence is now a board obligation.

Inquilion already serves clients in Ireland through its partnership network, and the governance methodology applies equally across UK and EU Microsoft 365 tenants.

See how boards use Inquilion reporting

Non-Regulated Organisations

The absence of a regulator does not mean the absence of accountability. Cyber insurers across the UK and EU are tightening policy wording around configuration governance. Acquirers are asking about it in due diligence. Clients in regulated industries are flowing governance expectations down to their suppliers. The market is regulating you even if the state is not.

Mid-market corporates (UK and EU). Professional services firms. Businesses with outsourced or managed IT (where independent oversight of your MSP adds a layer of accountability). Growth-stage companies preparing for investment or acquisition.

Explore engagement models

Your Role Sound Familiar?

Sound familiar?

If any of these resonate, a conversation costs nothing.

"Your board receives IT updates but nobody can independently verify what is actually configured."

"You renewed your cyber insurance without evidence of what controls are in place."

"You inherited a Microsoft 365 environment through acquisition and have no governance visibility over it."

"Your IT is outsourced and you have no independent way of knowing whether your provider's assurances are accurate."

"A regulator or auditor asked about your M365 controls and no one could answer with evidence."

"DORA requires your board to evidence ICT risk oversight, but no one can tell you what is actually configured in your Microsoft 365 tenant."

"You know Microsoft 365 matters but it has never appeared on the board risk register."

Your Sector Request a Board Review

Start with a Board Review.

A single, independent assessment across nine governance domains. No disruption. No jargon. Evidence where previously there was assumption.

Request a Board Review