Audit and assurance reviews, grounded in your client's evidence
Normain reads client reports, policies and evidence and returns structured, verifiable findings, each one linked to the exact page it came from. Your team tests, challenges and signs off in a fraction of the time.
Recognize the work you do every day
These are the tests audit and assurance teams run by hand today: the same evidence, the same criteria, the same workpapers. Normain does the reading and gives you structured, source-linked conclusions to review and sign off.
Vendor and subservice SOC report review
Run the same review checklist over every vendor's SOC 2 or ISAE 3402 report. What takes an afternoon of reading 60-page PDFs becomes one row per report, each cell linked to the page it came from.
- Does the report period cover our full audit period, or is a bridge letter required to close the gap?
- Is the service auditor's opinion unqualified? List every exception in the tests of controls and management's response.
- List all Complementary User Entity Controls (CUECs) we are responsible for operating.
- Are any subservice organizations carved out, and which Trust Services Criteria do they cover?
SOC 2 control testing and evidence review
Assess the client's evidence against each Trust Services Criterion, control by control, and produce the tested-controls matrix that feeds your workpapers — design and operating effectiveness in one grid.
- CC6.1 — Does the access-provisioning policy require documented approval before access is granted, and is MFA enforced for privileged accounts?
- CC6.2 — For the sampled population, was terminated users' access revoked within the stated SLA?
- CC8.1 — Were all production changes tested and approved before deployment per the change procedure?
- For every control with a deviation, quantify the population impact and cite the evidence reviewed.
Control environment and policy gap assessment
Ask pointed questions across the client's whole policy library at once to build your understanding of the entity, prove coverage under ISA 315, and flag what is missing before fieldwork starts.
- Is there a documented risk-assessment process performed at least annually, and does it address fraud risk? (ISA 315)
- Is there a formal, board-approved information security policy, and when was it last reviewed?
- Where is the data-retention schedule defined, and does it specify periods by data category?
- Which framework requirements have no backing policy clause?
Hear what our customers say

Normain fits directly into our current business processes and made an impact from day one
Mattias Ullsten
Founder & Managing Director, Advisense

Normain frees our accountants to focus on the insights that truly matter
Martin Sandstedt
Founding Partner, Klara Consulting

Normain is how all our offices can work as one, with the same quality and deep expertise for every client
Victoria Thore
CEO, Klara Consulting
The same engine, on the work every team shares
Whatever you specialise in, these patterns cut across every industry we serve.
See it on your own workpapers
Bring a client report and your review checklist. We will show you a source-linked finding in minutes.