Solutions / Audit & Assurance

Audit and assurance reviews, grounded in your client's evidence

Normain reads client reports, policies and evidence and returns structured, verifiable findings, each one linked to the exact page it came from. Your team tests, challenges and signs off in a fraction of the time.

Your documents
SOC 2 Type II
ISO 27001 cert
SIG Lite
Question
Any exceptions or deviations noted in this SOC 2 report?
2 minor exceptions, both with management responses.
High confidenceSource p.42
How it works
1
Add your knowledge
Standards, internal policies and the client evidence your team relies on. Normain reads and understands each source.
2
Define the questions once
Tell Normain what to extract, how to analyze it and what the output should look like. It handles the framework logic and scoring.
3
Get verified output
Structured answers in seconds, every finding linked to its source, so your team reviews, challenges and signs off with confidence.
Built for audit & assurance teams

Recognize the work you do every day

These are the tests audit and assurance teams run by hand today: the same evidence, the same criteria, the same workpapers. Normain does the reading and gives you structured, source-linked conclusions to review and sign off.

Repeat project

Vendor and subservice SOC report review

Built forIT audit · third-party risk analysts · SOC reviewers

Run the same review checklist over every vendor's SOC 2 or ISAE 3402 report. What takes an afternoon of reading 60-page PDFs becomes one row per report, each cell linked to the page it came from.

Repeat for each report
Data source
Opinion
Exceptions
Period
Okta — SOC 2 Type II
Unqualified
1 (remediated)
Covers ours
AWS — ISAE 3402
Unqualified
0
Gap — bridge
Datadog — bridge letter
N/A (assertion)
No test cover
SOC 2 §4, p.61
Example questions
  • Does the report period cover our full audit period, or is a bridge letter required to close the gap?
  • Is the service auditor's opinion unqualified? List every exception in the tests of controls and management's response.
  • List all Complementary User Entity Controls (CUECs) we are responsible for operating.
  • Are any subservice organizations carved out, and which Trust Services Criteria do they cover?
…and any others you write.
Spreadsheet project

SOC 2 control testing and evidence review

Built forSOC 2 engagement teams · IT auditors

Assess the client's evidence against each Trust Services Criterion, control by control, and produce the tested-controls matrix that feeds your workpapers — design and operating effectiveness in one grid.

Control matrix
Data sources
Access provisioning policy
Change-management tickets (export)
Joiner / leaver evidence
Incident response runbook
Question
Assessment
Explanation & evidence
1
CC6.1 — Approval required before access, and MFA enforced for privileged accounts?
Effective
Manager approval mandated §4.2; MFA required for admins §4.5. Provisioning policy p.7–8.
2
CC6.2 — Terminated access revoked within the 24h SLA for the sample?
Exception
2 of 15 leavers revoked in 3–4 days vs 24h SLA. Joiner/leaver evidence p.12, p.19.
Provisioning policy p.7
Example questions
  • CC6.1 — Does the access-provisioning policy require documented approval before access is granted, and is MFA enforced for privileged accounts?
  • CC6.2 — For the sampled population, was terminated users' access revoked within the stated SLA?
  • CC8.1 — Were all production changes tested and approved before deployment per the change procedure?
  • For every control with a deviation, quantify the population impact and cite the evidence reviewed.
…and any others you write.
Simple project

Control environment and policy gap assessment

Built forInternal audit · readiness consultants · FS auditors

Ask pointed questions across the client's whole policy library at once to build your understanding of the entity, prove coverage under ISA 315, and flag what is missing before fieldwork starts.

One clear answer
Data sources
Information security policy
HR handbook
Data retention & privacy policy
Business continuity plan
Risk assessment process
Instruction
Is there an annual risk-assessment process that addresses fraud risk?
Answer
Partially. An annual enterprise risk assessment is required, but no explicit fraud-risk component is documented — a gap for ISA 315. Recommend requesting the risk register.
High confidenceInfoSec §3.1Review
InfoSec policy
Instruction
Is the information security policy board-approved and current?
Answer
Yes. Approved by the board 14 Feb 2025 with an annual review cycle. Within period; no exception.
High confidenceCover + §1.4Review
Example questions
  • Is there a documented risk-assessment process performed at least annually, and does it address fraud risk? (ISA 315)
  • Is there a formal, board-approved information security policy, and when was it last reviewed?
  • Where is the data-retention schedule defined, and does it specify periods by data category?
  • Which framework requirements have no backing policy clause?
…and any others you write.

Hear what our customers say

Normain fits directly into our current business processes and made an impact from day one

Mattias Ullsten
Founder & Managing Director, Advisense

Normain frees our accountants to focus on the insights that truly matter

Martin Sandstedt
Founding Partner, Klara Consulting

Normain is how all our offices can work as one, with the same quality and deep expertise for every client

Victoria Thore
CEO, Klara Consulting

Beyond audit & assurance

The same engine, on the work every team shares

Whatever you specialise in, these patterns cut across every industry we serve.

Benchmarking a set of reports
Line up annual reports, policies or filings side by side, one row each, every figure linked to the page it came from.
Answering a due-diligence questionnaire
Turn an inbound security or ESG questionnaire into answers drawn straight from your own published documents.
Monitoring regulatory change
Track what moved in a standard or regulation and see exactly which of your controls and policies it touches.

See it on your own workpapers

Bring a client report and your review checklist. We will show you a source-linked finding in minutes.

SOC 2 Type II · ISO 27001 · GDPR