The problem

What the customer was up against.

  • Quarterly controls testing relied on 5-15% statistical samples — meaning material weaknesses could go undetected for 6+ months.
  • Each audit engagement required 12-18 weeks of fieldwork by a team of 6, much of it manual data extraction from client systems.
  • Clients across different industries used different ERPs (SAP, Oracle, Workday, NetSuite), making standardized control templates impossible.
  • Regulators kept asking for evidence of design effectiveness AND operating effectiveness — manual processes could only sample one or the other.
The solution

What xyner built.

  • Deployed xyner in the firm's secure audit cloud (separate tenant per client, customer-managed keys) so each engagement is fully isolated.
  • Controls agents continuously pull transaction data from each client's ERP, GRC tool (ServiceNow, Workiva), and identity provider — testing 100% of population, not samples.
  • Specialist sub-agents test each control category (segregation of duties, change management, access reviews, financial close) using control-specific reasoning prompts plus the firm's PCAOB-aligned audit methodology.
  • Auto-generated workpapers and exception reports flow directly into the firm's case management; auditors review and sign off rather than typing.
The outcomes

Measured impact.

100%
population testing
was 5-15% sampling
240
enterprise clients
on continuous monitoring
38%
audit cycle cost
reduction
12-18w → 4w
fieldwork compression
per engagement
PCAOB-aligned
audited methodology
SOC 1/SOC 2
Executive summary

At a glance.

Situation

A Big-4 controls-testing practice was running annual client attestations with armies of staff doing sample-based testing. Practitioners burned out; controls failures were found at year-end; clients were frustrated by the engagement cycle. The practice needed to scale to continuous controls testing without scaling headcount.

Intervention

Deployed a Controls-Testing Agent on xyner with multi-tenant isolation per client, integration to client systems via secure connectors, and audit-grade evidence capture per control test.

Outcome

Controls testing shifted from annual sample-based to continuous comprehensive; practitioner satisfaction up materially; engagement margins improved; client findings surface in days, not months; audit-prep time reduced by 75% for participating clients.

Industry

Professional Services

A Big-4 audit and advisory firm's controls-testing practice

Scope

Global (delivered from multiple regions)

Continuous controls testing for client engagements across SOC 2, ISO 27001, SOX, GDPR, HIPAA

Duration

12 weeks pilot, 9 months full rollout

From contract signature to full rollout.

Architecture

What the deployment actually looks like.

Multi-tenant by design — each client engagement is fully isolated, with its own data plane scope, its own controls library and its own evidence store. The audit firm's practice manages all engagements from a shared control plane, with per-engagement RBAC and per-client audit boundaries.

Controls-Testing Agent

Per-engagement specialist; runs control tests against the client's live systems on a defined cadence (daily, weekly, on-event); captures evidence with timestamp and source hash.

Controls library

Pre-built controls for SOC 2, ISO 27001, SOX, GDPR, HIPAA, plus engagement-specific custom controls. Each control test is defined as a machine-readable specification.

Per-client isolation

Each client engagement has its own data plane scope; client data is never visible across engagements; the audit firm's practice management never sees client raw data.

Evidence store

Tamper-evident per-engagement evidence store; evidence is indexed by control, framework, period and test execution.

Practitioner workbench

Audit-firm practitioners review aggregated findings, drill into exceptions, and produce client-facing reports — without re-doing the testing work.

Client-facing dashboards

Clients see their own posture (read-only) at any time; surprises at audit time become rare.

Implementation timeline

How the rollout sequenced.

A 12-week pilot covered three willing client engagements before the practice opened it to the broader client base, with engagement-by-engagement opt-in.

Weeks 1-4

Multi-tenant foundations

Design and deploy the multi-tenant architecture; complete the firm's security review; establish per-client isolation guarantees.

Weeks 5-8

Controls library

Build the initial controls library covering the most-used frameworks; complete first peer review of control definitions.

Weeks 9-12

Three-client pilot

Live with three pilot clients; practitioners review findings; client satisfaction reviewed weekly.

Months 4-6

Practitioner training & rollout

Train the practice; open to additional client engagements opt-in by client.

Months 7-9

Framework expansion + premium offering

Add additional frameworks; launch as a premium continuous-controls offering; calibrate practitioner workload allocation.

Governance & controls

How the deployment is governed.

An audit firm has unique governance constraints — independence, client-data protection, peer review, professional standards. The deployment respects every one of them.

Independence

The platform does not perform attestation; practitioners do. The platform produces evidence; practitioners produce opinion. Independence rules respected.

Client-data isolation

Client data is fully isolated per engagement; cross-engagement data flows are prohibited at the platform level, not just by policy.

Peer-review readiness

Every control test is reproducible; every finding is traceable to the underlying evidence; peer reviewers can re-run any test.

Professional standards alignment

The deployment was reviewed for alignment with relevant professional standards before launch.

Firm-level audit

The firm's own internal audit function reviews the deployment quarterly with full read access to the platform's audit trail.

What other enterprises can learn

Three transferable lessons.

Three lessons for other professional-services firms considering platform-based service delivery.

1

Pick a service line where continuous beats periodic

Controls testing was the right starting point because the value of continuous is obvious. Pick service lines where the unit of value naturally compounds with continuous delivery.

2

Multi-tenant isolation is harder than it looks

Real multi-tenant isolation — not just logical separation — requires architectural rigour. Cutting corners here is the fastest way to lose client trust.

3

Practitioners design with you, or against you

The practitioners had to want this. The pilot included senior practitioners as design partners from week one; the rollout went smoothly because the practitioners owned the change.

We sold our clients on outcomes; we delivered them with sample testing and overtime. The platform finally lets us deliver what we sold.
Partner, Big-4 controls-testing practice

Reference engagement available through your xyner account team; the deployment is the subject of internal firm case-study materials and was presented at the firm's global controls-and-attestation conference.

Talk to a partner

Could the same outcome work in your environment?

Tell us your sector. A senior xyner partner will walk you through a tailored plan.