Audits & Assessments

Evidence-Led Audits for Licensing & Oversight

We deliver independent audits and assessments across risk & governance, AML/financial crime, ICT/DORA compliance, on-chain assurance and data protection. Our methodology follows ISO 19011 audit principles and references EU supervisory guidance (EBA/ESMA/ECB). Each engagement produces clear and traceable evidence mapped to obligations and deadlines so findings can be actioned and verified.

Work can be commissioned as a one-off audit or recurring assurance. We set the scope to the minimum useful set of tests, operate with least-privilege access in your environment and provide a concise evidence pack with risk-ranked findings, practical guidance and re-test options to confirm closure.

Trusted by regulated firms across the EU, our approach helps organisations demonstrate compliance, meet licensing conditions and respond to supervisory requests without unnecessary overhead. Whether you need pre-license readiness, post-license health checks or targeted deep dives, we can provide practical solutions.

Independent Audits & Assessments

We provide evidence-led audits across Risk & Governance, AML, ICT/DORA, on-chain assurance and data protection.

Book a meeting with our team today!

Services we provide for Audits & Assessments

1) Regulatory & Financial Crime

Board-ready oversight of risk management, sanctions, AML and governance with evidence you can trace.

Risk Management & Sanctions Oversight

Tags: Regulatory, Board-ready

Scope & Tests

  • Risk framework, registers, appetite/tolerance, KRIs, escalation & reporting
  • Sanctions governance: list sourcing, thresholds, alert QA, case handling
  • Incident/case management, exception handling, independence safeguards

Deliverables

  • Risk/controls map, issue register, remediation plan
  • Sanctions QA guidance
  • Board-ready summary

What we do in practice: Sample alerts end-to-end, check escalation timeliness, and test governance registers for completeness.

AML & Corporate Governance

Tags: AML, Governance

Scope & Tests

  • CDD/EDD playbooks, onboarding/remediation, PEP/adverse media checks
  • Transaction monitoring rules, alert/case quality, SAR/STR timeliness
  • MLRO mandate & support, registers, escalation logs

Deliverables

  • Findings ranked by risk with evidence references
  • KPIs for turnaround, quality & backlog thresholds
  • Inspection-ready evidence pack

What we do in practice: Re-perform KYC samples, validate transaction monitoring rules, and review SAR timeliness against the applicable standards.

2) ICT & Operational Resilience

DORA-aligned controls across ICT governance, testing, and recovery so critical services withstand disruption and recover fast.

DORA / ICT Assurance

Tags: DORA, ICT

Scope & Tests

  • ICT risk governance, incident management, BCP/DR
  • Third-party criticality & audit rights
  • Scenario / TLPT readiness testing

Deliverables

  • Report mapped to DORA obligations & owners
  • Third-party scorecard & testing roadmap
  • Board pack summary

What we do in practice: Reconcile ICT registers with contracts, review post-mortems, and sample resilience test evidence.

Cyber Incident Response & Recovery Audit

Tags: Incident, Recovery

Scope & Tests

  • Incident response playbooks & escalation pathways
  • Testing evidence: tabletop, drills, red/blue-team exercises
  • Notification flows & timeliness; post-incident reviews & lessons learned

Deliverables

  • Response maturity scorecard
  • Gap analysis vs regulatory expectations
  • Playbook improvement plan

What we do in practice: Test escalation routes, review drill evidence, and validate regulator notification timelines.

3) On-Chain & Security

Assurance for crypto-native reserves and secure software delivery across smart contracts and infrastructure.

Proof of Reserves (PoR)

Tags: Reserves, On-chain

Scope & Tests

  • Wallet ownership verification & on-chain balance confirmation
  • Liabilities set construction with Merkle-tree sampling/exclusion rules
  • Reserve ratio analysis, timestamping, re-test cadence

Deliverables

  • Methodology report + limitations disclosure
  • Public-facing summary & verifiable hashes (if agreed)
  • Internal working papers & evidence pack

What we do in practice: Reconcile exchange, custodian and on-chain data; test proof construction; and publish verifiable outputs.
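The liabilities-set and Merkle-tree items above are easiest to understand with a concrete construction. The following is an added illustration, not the firm's own tooling or methodology: it builds a summed Merkle tree over a constructed set of account balances (each internal node commits to its children's hashes and their balance totals), produces an inclusion proof for one account, verifies it against the published root, and computes a reserve ratio from a constructed on-chain reserve figure. Account ids, balances, and the deterministic per-account salts are all made up for the demonstration; a real scheme would use a random salt per account and would publish only the root.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample liabilities: (account id, balance in smallest unit).
LIABILITIES = [("acct-001", 1200), ("acct-002", 50), ("acct-003", 9999),
               ("acct-004", 0), ("acct-005", 777)]


@dataclass(frozen=True)
class Node:
    digest: bytes   # hash commitment for this subtree
    total: int      # sum of balances under this subtree


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(account_id: str, balance: int, salt: bytes) -> Node:
    """Leaf commitment: domain tag || salt || id || balance. Negative balances are
    rejected because they would let an operator shrink the total liabilities."""
    if balance < 0:
        raise ValueError("negative balance not allowed in liabilities set")
    return Node(_h(b"leaf", salt, account_id.encode(), balance.to_bytes(16, "big")), balance)


def parent(left: Node, right: Node) -> Node:
    """Internal node commits to both child hashes and both child totals."""
    return Node(_h(b"node", left.digest, right.digest,
                   left.total.to_bytes(16, "big"), right.total.to_bytes(16, "big")),
                left.total + right.total)


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """Return all levels, leaves first, root last. An odd node is carried up unchanged."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [parent(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2 == 1:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[Node, str]]:
    """Sibling nodes (with side) from the leaf up to, but excluding, the root."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], "left" if sib < index else "right"))
        index //= 2
    return proof


def verify(leaf_node: Node, proof: List[Tuple[Node, str]], root: Node) -> bool:
    """Recompute the path to the root; reject any sibling claiming a negative total."""
    node = leaf_node
    for sibling, side in proof:
        if sibling.total < 0:
            return False
        node = parent(sibling, node) if side == "left" else parent(node, sibling)
    return node == root


def build_liabilities(liabilities, salts: Optional[List[bytes]] = None):
    """Build the tree for a liabilities list; salts are deterministic here only for the demo."""
    if salts is None:
        salts = [hashlib.sha256(f"demo-salt-{i}".encode()).digest() for i in range(len(liabilities))]
    leaves = [leaf(acct, bal, s) for (acct, bal), s in zip(liabilities, salts)]
    return build_tree(leaves), salts


def reserve_ratio(onchain_reserves: int, root: Node) -> float:
    """Reserves divided by total liabilities committed in the root; >= 1.0 means fully backed."""
    return onchain_reserves / root.total if root.total else float("inf")


if __name__ == "__main__":
    levels, salts = build_liabilities(LIABILITIES)
    root = levels[-1][0]
    print("root hash:", root.digest.hex(), "total liabilities:", root.total)
    idx = 1
    proof = inclusion_proof(levels, idx)
    acct, bal = LIABILITIES[idx]
    print("proof valid for", acct, verify(leaf(acct, bal, salts[idx]), proof, root))
    print("reserve ratio with constructed 13000 on-chain:", reserve_ratio(13000, root))
```

A user who receives their salt, their balance and the sibling list can re-run verify against the published root without seeing anyone else's balance; the totals carried in each node are what let an auditor assert that the root sum equals the liabilities the reserve ratio is measured against.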

Smart Contract Security Assessment

Tags: Security, Code Review

Scope & Tests

  • Threat modelling, access controls, upgrade paths & pause/kill-switches
  • Static/dynamic analysis, unit/integration tests, testnet validation
  • Dependency & tooling hygiene, CI/CD and secrets management

Deliverables

  • Findings with severity & exploit paths
  • Fix-validation re-test and attestations
  • Hardening recommendations & owner map

What we do in practice: Replicate exploits, pair-review patches, and provide proofs for critical fixes before mainnet.

4) Data Protection & Privacy

GDPR-aligned reviews of data processing, retention, and governance so privacy risk is controlled and documented.

Privacy Program Governance & DPIA Review

Tags: GDPR, DPIA

Scope & Tests

  • DPIA methodology & risk decisions, RoPA quality, LIA/consent records
  • Privacy by design in change management & vendor onboarding
  • Subject rights handling (DSARs), breach response & regulator contact

Deliverables

  • DPIA/RoPA gap list with priorities
  • Template pack & workflow tweaks
  • Board-level readiness summary

What we do in practice: Sample DPIAs and RoPAs, trace risk decisions to controls, and rehearse DSAR/breach scenarios.

Records of Processing & Retention Audit

Tags: RoPA, Retention

Scope & Tests

  • Accuracy & completeness of processing records vs systems reality
  • Legal bases, retention triggers, deletion evidence & suppression rules
  • Third-country transfers, SCCs & processor oversight

Deliverables

  • Corrected RoPA and retention schedule
  • Deletion evidence pack and controls map
  • Regulator-ready summary with owners & timelines

What we do in practice: Walk the data lifecycle, pull deletion proofs, and align contractual clauses to real data flows.

Frequently Asked Questions

Can outsourced auditors have direct access to our systems and data?

Yes, under least-privilege access with logging and segregation, and in line with your GDPR and contractual requirements. Where regulations (like DORA) apply, contracts must include explicit audit and access rights for the reviewer.

When is a GDPR Data Protection Impact Assessment (DPIA) required?

A DPIA is required when processing is likely to result in a high risk to individuals, for example with systematic monitoring or large-scale use of special-category data. See GDPR Article 35 and the EDPB DPIA guidelines for practical triggers and examples.

How often should we run AML/CTF audits?

Regulators expect an independent AML/CTF audit on a risk-based cadence; at minimum it should occur periodically and test the effectiveness of controls. FATF Recommendation 18 explicitly calls for independent audit of AML/CTF programs.

What does DORA change for ICT third-party contracts?

DORA requires specific contractual clauses with critical ICT providers, including audit and access rights, cooperation duties, and exit/termination strategies. These are set out directly in Regulation (EU) 2022/2554.

How often should threat-led penetration testing (TLPT) be performed under DORA?

For in-scope financial entities selected by supervisors, TLPT is expected on a three-year cycle (or more frequently if directed). This cadence is reflected in supervisory explainers of DORA’s TLPT framework.

How do you determine the scope of an audit or assessment?

We set scope based on your regulatory obligations, risk profile, and operational footprint, then map tests to specific control owners and evidence items. The plan is calibrated to provide sufficient assurance without unnecessary disruption.

How should incident response be tested and how often?

Run periodic exercises (e.g. tabletops) and review lessons learned to improve detection, response, and recovery. NIST’s incident-response guidance recommends integrating exercises into normal risk management and continuously refining the plan.

What kind of evidence do regulators usually expect to see?

Typically: policies and procedures, governance records, logs and configuration exports, samples of case files or alerts, and proof of testing or remediation. We package this into a traceable evidence set that links findings to owners and deadlines.

Questions? Let’s set up an Intro Meeting!

Book a Discovery Call for Audits & Assessments

Schedule a discovery meeting with our team to discuss scope and jurisdictional requirements. We can provide a tailored plan outlining the required assessments, responsibilities and the evidence/documentation needed to demonstrate compliance and close findings. Our approach is designed to give regulated companies clarity, flexibility, and confidence in meeting regulatory expectations across EU markets.

    Contact details

    Please contact us to schedule a meeting with our audit projects manager.