The Any Auditor Guarantee

This page describes the general procedure undertaken by OneClickComply audit advisors and partners in relation to the 'Any Auditor Guarantee'.

1. Purpose

This document sets out the procedure, terms, and conditions governing the OneClickComply Any Auditor Guarantee. It is published on the OneClickComply Help Centre for the benefit of customers, prospective customers, and OneClickComply staff. It should be read in full before any readiness assessment is scheduled.

This procedure should be read alongside the relevant customer agreement with FAT32 LTD (trading as OneClickComply), specifically the terms set out under Clause 21 (Audit, Assessment and Accreditation Guarantee) of the customer's executed agreement. In the event of any conflict between this procedure document and the executed agreement, the executed agreement shall prevail.

2. Scope

The Any Auditor Guarantee applies exclusively to the following audit, attestation, and certification frameworks:

  • SOC 2 Type II

  • ISO 27001:2022

  • Cyber Essentials Plus

No other framework, standard, or certification is covered under this guarantee. If a customer is pursuing a framework outside of these three, the guarantee does not apply and must not be offered or implied. Customers whose agreements include additional standards (for example, ISO 9001, CIS v8, or NHS DSPT) should note that those standards fall outside the scope of the guarantee, even though they may be included within the customer's subscription.

3. Definitions

For the purposes of this document:

  • Readiness Assessment means a structured, time-limited evaluation conducted by OneClickComply to determine whether a customer's control environment is sufficiently mature to pass a formal external audit or certification assessment.

  • Readiness Report means the written output of a Readiness Assessment, detailing findings, observations, and a determination of audit readiness. The Readiness Report is and remains the intellectual property of OneClickComply at all times.

  • Assessment Day means the single allocated working day during which the Readiness Assessment is conducted on-site or remotely.

  • Report Delivery Window means the period of ten (10) working days following the Assessment Day during which the Readiness Report is compiled, reviewed, and delivered.

  • Audit Ready means a determination issued by OneClickComply indicating that, based on the information presented, the customer's environment meets the threshold for a reasonable likelihood of passing the target certification.

  • Not Audit Ready means a determination indicating that material gaps, weaknesses, or deficiencies exist that present a meaningful risk of audit failure.

  • Likelihood of Success Rating means a structured rating included within the Readiness Report, comparable to the risk assessment an insurer might require before underwriting a policy. This rating reflects OneClickComply's professional judgement based solely on the evidence presented.

  • Peer Review means the mandatory internal quality assurance process whereby a second qualified assessor reviews the draft Readiness Report for accuracy, consistency, completeness, and professional standards before it is released to the customer.

  • Third-Party Consultant means any external individual or organisation engaged by OneClickComply, at its sole discretion, to provide specialist advice, technical opinion, or formal consultancy input in connection with a Readiness Assessment or its findings.

  • Qualified Auditor means a duly qualified and independently certified auditor as determined by the Provider, in accordance with Clause 21 of the customer agreement. See Section 11 for full requirements.

  • Customer means the organisation or entity that has engaged OneClickComply and is subject to the Any Auditor Guarantee terms under their executed agreement.

  • Provider means FAT32 LTD, trading as OneClickComply, company number 14783478.

4. Overview of the Any Auditor Guarantee

The Any Auditor Guarantee, as set out in Clause 21 of the customer agreement, provides that if a customer fails an independently accredited audit for SOC 2 Type II, ISO 27001:2022 or Cyber Essentials Plus during the Initial Term, OneClickComply will refund the cost of the failed audit (evidenced by valid invoices, up to a maximum of GBP 10,000) and all monies paid by the customer under the agreement during the relevant term.

This guarantee is subject to a number of conditions and exclusions, which are summarised in this document and set out in full in the customer agreement. The Readiness Assessment process described in this procedure is one of the mechanisms through which those conditions are applied and verified.

5. Procedure: Booking and Conducting a Readiness Assessment

5.1 Booking a Readiness Assessment

Customers must book a Readiness Assessment slot through their designated OneClickComply account manager or via the scheduling facility provided within the platform. Assessment slots are subject to availability and must be confirmed in writing (email confirmation is sufficient). Customers should allow reasonable lead time when booking, as slots are allocated on a first-come, first-served basis.

Prior to the Assessment Day, the customer will be provided with a preparation checklist relevant to the target framework. This checklist will outline the documentation, evidence, system access, and personnel availability expected on the day. Failure to adequately prepare may limit the scope or depth of the assessment and may affect the resulting determination.

5.2 The Requirement to Inform OneClickComply Before Audit

Under the terms of the customer agreement (Clause 21), the customer must inform OneClickComply before undertaking any audit. OneClickComply may require that the audit be postponed so that it can assess the customer's current security and compliance posture and form an opinion on whether the customer is likely to pass. The Readiness Assessment is the mechanism through which this pre-audit assessment is conducted.

5.3 Conducting the Assessment

All Readiness Assessments, regardless of organisational size or complexity, are conducted within a fixed window of one (1) working day. During this period, the assigned assessor will review the customer's control environment, documentation, evidence, and configurations relevant to the target framework. The assessment is structured but necessarily time-constrained, and the depth of coverage will reflect the time available.

With the customer's knowledge and consent, interviews and walkthroughs conducted during the Assessment Day will be recorded. These recordings form a critical part of the post-assessment process and are retained by OneClickComply in accordance with its data retention policy. The review of these recordings is described in Section 6.2 (Stage 1) below.

6. Report Production and Delivery

6.1 The Report Delivery Window

The Readiness Report will be produced and delivered to the customer within ten (10) working days following the Assessment Day. This ten-day window is essential to the quality and integrity of the report, and customers should plan their audit timelines accordingly.

6.2 Why Ten Working Days Are Required

The Report Delivery Window exists to accommodate a thorough, multi-stage post-assessment process. A single Assessment Day generates a substantial volume of raw material, including interview recordings, notes, documentary evidence, screenshots, configuration outputs, and observational findings, all of which must be carefully processed before a professional determination can be issued. The ten-day window allows for the following activities:

Stage 1: Recording Review and Transcription (Days 1 to 3)

Following the Assessment Day, the lead assessor will systematically review all interview recordings and walkthrough sessions captured during the day. This review is essential because the pace of a time-constrained assessment means that nuance, context, and detail captured in recordings may not have been fully documented in real-time notes. The assessor will extract key statements, clarifications, and evidential points from the recordings to ensure that the report accurately reflects what was discussed, demonstrated, and observed. Where necessary, relevant portions of recordings will be transcribed or summarised in written form for inclusion in the working papers.

Stage 2: Evidence Correlation and Analysis (Days 2 to 5)

The assessor will correlate the information gathered during interviews and walkthroughs against the documentary and technical evidence presented. This stage involves mapping evidence to specific control objectives, clauses, or criteria within the target framework, identifying gaps between stated controls and demonstrated evidence, assessing the maturity and operating effectiveness of controls based on what was presented, and formulating preliminary findings and observations. This is a detailed analytical process and forms the substantive basis of the Readiness Report.

Stage 3: Specialist Consultation, Advisory Input, and Third-Party Engagement (Days 3 to 6)

Where the assessment has revealed areas of complexity, ambiguity, or borderline findings, the lead assessor may seek advice from specialist colleagues within OneClickComply. Additionally, OneClickComply may, at its sole discretion, engage third-party consultants or external auditors for formal advice during this stage (see Section 10 for full details). This advisory input ensures that the determination and recommendations reflect collective professional expertise, not solely the judgement of a single assessor.

Stage 4: Report Drafting (Days 4 to 7)

The lead assessor will compile the Readiness Report, incorporating all findings, observations, evidence references, and the Likelihood of Success Rating. The report will be structured in accordance with OneClickComply's standard report template for the relevant framework and will include all sections described in Section 6.4 below.

Stage 5: Internal Peer Review (Days 7 to 9)

Before any Readiness Report is released to a customer, it must undergo a mandatory internal peer review. A second qualified assessor, one who was not involved in the original assessment, will independently review the draft report. The peer reviewer will evaluate the report for:

  • factual accuracy and consistency with the evidence described;

  • logical coherence of the findings and the resulting determination;

  • appropriate application of the relevant framework's requirements;

  • clarity and professionalism of the written output;

  • whether the Likelihood of Success Rating is reasonably supported by the findings; and

  • completeness, ensuring no material areas within the assessment scope have been overlooked or inadequately addressed.

The peer reviewer may raise queries or request amendments. Any such queries will be resolved between the lead assessor and the peer reviewer before the report is finalised.

Stage 6: Finalisation and Quality Assurance (Days 9 to 10)

Following peer review, the lead assessor will incorporate any amendments, conduct a final quality assurance check, and prepare the report for release. The finalised report will be approved by the assessor and the peer reviewer before being issued. The report is then delivered to the customer via the agreed delivery method (typically secure email or platform delivery).

6.3 Requests for Expedited Delivery

OneClickComply does not offer expedited report delivery as a standard option. The ten-day window exists to protect the quality and reliability of the output, and compressing this timeline would compromise the peer review and advisory stages. In exceptional circumstances, requests for earlier delivery may be discussed with the Compliance Operations team, but no commitment to a shorter timeline will be made and any such arrangement would be at OneClickComply's sole discretion.

6.4 The Readiness Report: Contents

The Readiness Report will include:

  • Executive Summary: A high-level overview of the assessment scope, approach, and outcome, suitable for senior stakeholders.

  • Scope and Methodology: A description of the assessment scope, the framework assessed against, the approach taken, and any limitations or constraints.

  • Impartiality Statement: A mandatory disclosure addressing the inherent conflict of interest arising from OneClickComply's dual role as both the provider of the compliance platform and the assessor of readiness. See Section 9 for full details.

  • Findings and Observations: Detailed findings organised by control domain, clause area, or criteria grouping as appropriate to the target framework. Each finding will describe the expected control or requirement, what was observed or evidenced, the assessor's evaluation, and any associated risk or gap.

  • Likelihood of Success Rating: A structured professional determination of the customer's likelihood of passing the target audit, expressed as a clear rating with supporting rationale.

  • Determination: A formal statement of either Audit Ready or Not Audit Ready, with a summary of the basis for that determination.

  • Recommendations and Remediation Actions: Where gaps or weaknesses have been identified, specific, actionable recommendations for remediation, prioritised where appropriate.

  • Appendices: Supporting information, including a log of interviews conducted, documents reviewed, and any other relevant reference material.

6.5 Report Ownership and Intellectual Property

The Readiness Report is and remains the intellectual property of OneClickComply at all times. The customer is granted a licence to use the report for their own internal purposes, including sharing it with their external auditor, certification body, or relevant internal stakeholders, but the customer does not acquire ownership of the report, its structure, methodology, or content.

The customer may not reproduce, redistribute, publish, or make the report available to any third party beyond those directly involved in the customer's audit or certification process without the prior written consent of OneClickComply. The report may not be altered, redacted, or modified by the customer. If the customer wishes to share the report with a party outside the immediate audit or certification context, they must request permission from OneClickComply in writing.

OneClickComply reserves the right to retain copies of all Readiness Reports and associated working papers for its own records, quality assurance, regulatory, and legal purposes.

7. Decision Outcomes and Guarantee Conditions

7.1 Requirement to Hold Pending Report Delivery

The customer may not proceed to audit under the protection of the Any Auditor Guarantee until the Readiness Report has been delivered and a formal determination has been issued. In the absence of a delivered Readiness Report from OneClickComply, the customer does not have authorisation to proceed to audit under the guarantee, regardless of any informal or verbal indication that may have been given during or after the Assessment Day. The guarantee is contingent upon a written determination contained within the finalised, peer-reviewed Readiness Report. Any decision by the customer to proceed to audit before receiving the report is taken entirely at the customer's own risk and outside the scope of the guarantee.

7.2 If the Determination is "Audit Ready"

The customer may proceed to their formal external audit. If the customer then fails the audit for reasons that fall within the scope of the assessment, and all other conditions of Clause 21 of the customer agreement are met, the Any Auditor Guarantee is engaged and the customer is eligible for a refund in accordance with the guarantee terms.

7.3 If the Determination is "Not Audit Ready"

The customer will be advised of the gaps identified and given the opportunity to remediate before requesting a further assessment. If the customer receives a "Not Audit Ready" determination and chooses to proceed to audit regardless, the Any Auditor Guarantee is void. In this scenario, if the customer fails the audit, no refund will be issued. The customer accepts this risk by proceeding against the recommendation.

7.4 Critical Rule

A customer may only proceed to audit under the protection of the guarantee if the most recent Readiness Assessment determination is "Audit Ready" and that determination has been delivered in writing within a finalised Readiness Report. Proceeding without this determination, against a "Not Audit Ready" finding, or before the report has been delivered, removes all guarantee protections.

7.5 Additional Conditions from the Customer Agreement

The guarantee under Clause 21 of the customer agreement is subject to the following conditions (summarised here for convenience; refer to the executed agreement for full terms):

  • It must be the first and only audit failure claimed under the agreement.

  • The customer must have fully implemented all Provider advice, recommendations, and deliverables before the audit.

  • The failure must be directly attributable to deficiencies within the scope of the Provider's services.

  • The customer must give written notice within 14 days of the final audit report, together with a full unredacted copy of the report and relevant invoices.

  • The audit must have been conducted by a Qualified Auditor as determined by the Provider (see Section 11).

  • The customer must have informed the Provider prior to undertaking the audit.

7.6 Exclusions from the Customer Agreement

The guarantee does not apply if (summarised here; refer to the executed agreement for full terms):

  • The failure arises from non-disclosure, omission, or misrepresentation by the customer.

  • The failure results from acts or omissions of third parties not engaged by the Provider.

  • The customer deviated from the Provider's recommendations.

  • The failure results from external circumstances beyond the Provider's reasonable control, including changes in audit frameworks or regulations after delivery.

8. Readiness Assessment Allowance and Additional Charges

By default, each customer is entitled to two (2) Readiness Assessments as part of the Any Auditor Guarantee programme at no additional cost. These two assessments are referred to as "Audit Pre-Submission Reviews" within the customer agreement and order form. They are intended to allow for an initial assessment and, if necessary, a follow-up assessment after remediation.

Any Readiness Assessment requested beyond the initial two will be charged at a rate of GBP 1,000 excluding VAT per assessment. This charge applies per assessment regardless of organisational size, complexity, or framework. The customer will be informed of this charge before the additional assessment is scheduled and must confirm acceptance in writing before the assessment proceeds. Payment terms for additional assessments are net 14 days from invoice date, consistent with the payment terms of the customer agreement.

9. Impartiality, Conflict of Interest, and Use of the Readiness Report as an Internal Audit

9.1 Inherent Conflict of Interest: Mandatory Disclosure

Customers must understand and acknowledge an inherent and unavoidable conflict of interest in the Readiness Assessment process. OneClickComply occupies a dual role: it is both the provider of the compliance platform that the customer uses to implement controls, manage evidence, and maintain their compliance posture, and the party conducting the Readiness Assessment of that same control environment.

This dual role means that OneClickComply is, in effect, assessing the output of its own tooling. The controls the customer has implemented may have been configured using OneClickComply's platform. The evidence the customer presents may have been collected, organised, and stored within OneClickComply's systems. The policies and procedures the customer relies upon may have been generated, templated, or guided by OneClickComply's product features. The assessor is therefore reviewing an environment that has been materially shaped by the very organisation now evaluating its adequacy.

OneClickComply takes this conflict seriously and has implemented the following mitigations to promote objectivity:

  • The mandatory internal peer review (Section 6.2, Stage 5) provides a second set of eyes from an assessor not involved in the original assessment, reducing the risk of confirmation bias or unconscious leniency.

  • The third-party consultation provision (Section 10) allows OneClickComply to seek independent external advice, including from qualified auditors, where findings are complex or borderline.

  • Assessors are instructed to apply framework requirements objectively and to assess the substance and effectiveness of controls, not merely their presence within the platform.

  • The Readiness Report includes an Impartiality Statement (see Section 6.4) that explicitly discloses this conflict to the customer and to any party who subsequently reviews the report.

Despite these mitigations, the conflict of interest cannot be entirely eliminated. The customer should be aware that a Readiness Assessment conducted by OneClickComply is not, and cannot be, fully equivalent to an assessment conducted by an entirely independent third party with no commercial relationship to the customer's compliance tooling or evidence management processes.

9.2 Implications for Use as an Internal Audit

This conflict of interest has direct and significant implications for any customer considering using the Readiness Report as an internal audit artefact.

Most recognised frameworks, including ISO 27001:2022 at Clause 9.2, require that internal audits be conducted with appropriate objectivity and impartiality. The principle underlying this requirement is that the party conducting the audit should not be assessing their own work. A Readiness Assessment conducted by OneClickComply, as the provider of the platform upon which the customer's control environment is substantially built, does not fully satisfy this impartiality requirement. The assessor is, to a meaningful degree, reviewing the output of their own organisation's product, guidance, and implementation support.

Customers should therefore consider the following when deciding whether to reference the Readiness Report in their internal audit programme:

For smaller, less complex organisations where the scope of the management system is limited and the organisation's reliance on external audit scrutiny of the internal audit function is lower, the Readiness Report may serve as a useful supplementary input alongside other internal audit activities. Even in these cases, the customer should document the conflict of interest and their rationale for relying on the report within their internal audit records.

For larger, more complex organisations, particularly those with multiple business units, significant technology estates, regulatory obligations, or certification bodies known to scrutinise internal audit independence, it is strongly advised that the Readiness Report is not treated as a substitute for a dedicated, independent internal audit. The time-constrained nature of the assessment (one working day regardless of organisational complexity) compounds this concern: not only is the assessment conducted by a party with an inherent conflict, but it is also conducted within a timeframe that will not permit the depth and breadth of examination that a comprehensive internal audit of a complex organisation demands.

For all customers, the Readiness Report should be understood as a readiness indicator and gap analysis produced by a party with a declared interest, not as an independent assurance activity. If a customer's certification body, external auditor, or governing board requires evidence of an independent internal audit, the Readiness Report alone is unlikely to satisfy that requirement without supplementary independent assessment.

OneClickComply accepts no liability for any consequences arising from a customer's decision to use the Readiness Report as their sole internal audit where the conflict of interest or the scope and complexity of the organisation warranted a more independent or thorough exercise. The decision to use the report in this way is taken entirely at the customer's own risk and judgement. Customers are encouraged to discuss this matter with their external auditor or certification body if they are uncertain about the acceptability of the report for internal audit purposes.

9.3 Disclosure Within the Report

Every Readiness Report will contain an Impartiality Statement that discloses the matters set out in this section. This statement is included as a matter of professional transparency and is intended to ensure that any party reviewing the report, including external auditors, certification body assessors, and the customer's own governance bodies, is aware of the relationship between OneClickComply and the customer's control environment.

10. Third-Party Consultation and External Advisory

10.1 OneClickComply's Right to Engage Third Parties

OneClickComply reserves the right, at its sole discretion, to subcontract, consult with, or otherwise engage third-party consultants in connection with any aspect of the Readiness Assessment process. This includes, but is not limited to:

  • Engaging external auditors who are not contracted by the customer to provide a formal or informal second opinion on specific findings, borderline determinations, or areas of technical complexity.

  • Consulting framework-specific subject matter experts outside of OneClickComply's internal team where specialist knowledge is required.

  • Engaging legal, regulatory, or technical advisors where the assessment raises questions that fall outside the assessor's primary expertise.

  • Commissioning independent technical testing or verification where the assessor considers that additional assurance is needed to support the determination.

This right is consistent with the subcontracting provision at Clause 18 of the customer agreement.

10.2 Customer Notification and Confidentiality

The customer acknowledges and agrees that OneClickComply may engage third parties as described above without requiring the customer's prior approval on a case-by-case basis, provided that appropriate confidentiality arrangements are in place in accordance with Clause 9 (Confidentiality) of the customer agreement. OneClickComply will ensure that any third party engaged under this section is bound by confidentiality obligations no less protective than those OneClickComply owes to the customer. Only the minimum information necessary to obtain the relevant advice or input will be shared with third parties.

Where a third-party consultation materially influences the determination or findings within the Readiness Report, this will be noted within the report. The identity of the third party will not be disclosed to the customer unless OneClickComply considers it appropriate or unless disclosure is required by law.

10.3 Independence of Third-Party Auditors

Where OneClickComply consults with external auditors under this section, those auditors will be entirely independent of the customer's own engaged audit or certification body. OneClickComply will not engage, consult, or share assessment information with any auditor or certification body that the customer has contracted or intends to contract for their formal audit, unless the customer provides explicit written consent to do so. This separation exists to preserve the independence and integrity of the customer's formal audit process.

10.4 Cost

Any costs associated with third-party consultation under this section are borne by OneClickComply and will not be charged to the customer. The decision to engage a third party and the selection of that third party are matters entirely within OneClickComply's discretion.

11. Qualified Auditor Requirements

11.1 The Requirement

Under Clause 21 of the customer agreement, the Any Auditor Guarantee applies only if the audit was conducted by a duly qualified and independently certified auditor as determined by the Provider. This requirement exists to ensure that the guarantee is not undermined by the use of unqualified, unaccredited, or otherwise unsuitable audit firms or individuals.

11.2 What Constitutes a Qualified Auditor

The determination of whether an auditor is suitably qualified rests with OneClickComply, and will be assessed on a case-by-case basis. As a general guide, the following criteria apply:

For SOC 2 Type II: The audit must be conducted by a CPA firm (or international equivalent) that is licensed to issue SOC 2 reports. The firm must be a member in good standing of the AICPA or relevant professional body and must be subject to peer review requirements. Individual engagement leads should hold relevant qualifications (for example, CPA, CISA, or equivalent).

For ISO 27001:2022: The audit must be conducted by a certification body that is accredited by a recognised national accreditation body that is a signatory to the International Accreditation Forum (IAF) Multilateral Recognition Arrangement (MLA) for ISMS certification. In the UK, this typically means accreditation by UKAS. The audit team should include individuals with appropriate ISO 27001 lead auditor qualifications.

For Cyber Essentials Plus: The assessment must be conducted by a Certification Body that is authorised under the Cyber Essentials scheme as administered by the NCSC (or its designated scheme operator, currently IASME). The assessor must be qualified to conduct Cyber Essentials Plus assessments under the current scheme requirements.

11.3 Customer Responsibility

It is the customer's responsibility to ensure that the auditor or certification body they engage meets these requirements. If the customer is uncertain whether their chosen auditor would be considered qualified by OneClickComply, they should raise this with their account manager before the audit is scheduled.

11.4 Consequence of Using an Unqualified Auditor

If the customer proceeds to audit using an auditor or certification body that does not meet the Qualified Auditor requirements as determined by OneClickComply, the Any Auditor Guarantee is invalidated. In this scenario, if the customer fails the audit, no refund will be issued regardless of the Readiness Report determination. This exclusion applies even if the customer was assessed as "Audit Ready."

The term "Any Auditor" in the guarantee name refers to the customer's freedom to choose their own auditor from among those who are duly qualified and accredited for the relevant framework. It does not mean that any individual or firm, regardless of qualifications, can conduct the audit under the protection of the guarantee.

12. Basis of Assessment and Limitations

The Readiness Assessment and resulting report are produced solely on the basis of information, evidence, and documentation presented to the assessor during the Assessment Day. OneClickComply's determination reflects professional judgement based on what was made available within the time allocated.

If information provided by the customer is incomplete, inaccurate, misleading, or contains errors or omissions, whether intentional or otherwise, the validity of the Readiness Report and the Likelihood of Success Rating may be materially affected. In such circumstances:

  • OneClickComply cannot be held responsible for an incorrect determination arising from poor, incomplete, or inaccurate information.

  • The Any Auditor Guarantee may be rendered void if it is subsequently established that the customer failed to present material information, presented information that was factually incorrect, withheld evidence of known deficiencies, or otherwise misrepresented the state of their control environment during the assessment. This is consistent with the non-disclosure, omission, and misrepresentation exclusion in Clause 21 of the customer agreement.

  • The customer bears full responsibility for ensuring that all relevant documentation, evidence, configurations, policies, and personnel are made available and that all information presented is accurate and complete at the time of assessment.

  • Where the customer's environment includes third-party service providers, shared responsibility models, or outsourced functions, the customer is responsible for ensuring that relevant evidence from those parties is available for review. OneClickComply will assess only what is presented and cannot be expected to pursue or verify information from third parties independently within the assessment window.

OneClickComply will make reasonable efforts to identify gaps or inconsistencies in the information presented, but the time-constrained nature of the assessment means that not all omissions or errors may be detected. The assessment is not an investigation and the assessor is entitled to rely on information presented in good faith.

13. Assessment Approach

The Readiness Assessment follows a structured approach tailored to the target framework:

For SOC 2 Type II: The assessor will review the design and, where possible within the time available, the operating effectiveness of controls mapped to the applicable Trust Services Criteria. Evidence of control operation over the review period will be sampled. The assessor will consider the scoping of the system description, the completeness of control mappings, and the availability of evidence supporting consistent control operation throughout the examination period.

For ISO 27001:2022: The assessor will review the Information Security Management System documentation, the Statement of Applicability, risk assessment and treatment outputs, and a sample of Annex A control implementations. Alignment with mandatory clauses (4 to 10) will be evaluated, including leadership commitment, the planning process, support and awareness arrangements, operational controls, performance evaluation mechanisms, and the improvement cycle. The assessor will also consider the maturity of the management review and internal audit processes.

For Cyber Essentials Plus: The assessor will review technical controls across the five control themes (boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management) and conduct or review evidence of technical verification testing where available. The assessor will evaluate whether controls are applied consistently across the in-scope network and devices and whether the organisation's self-assessment questionnaire responses are supported by technical evidence.

In all cases, the assessor will conduct interviews with relevant personnel where necessary and review documentary and technical evidence as presented. The assessment is not a full audit. It is a structured evaluation designed to provide a professional judgement on readiness within the constraints of a single working day.

14. Recordings and Data Handling

All interviews and walkthroughs conducted during the Assessment Day will be recorded with the customer's knowledge and consent. These recordings are used exclusively for the purposes described in Section 6.2 (post-assessment review, transcription, evidence correlation, and report production). Recordings are retained by OneClickComply in accordance with its data retention policy and are not shared with any third party unless required in connection with a third-party consultation under Section 10, in which case only the minimum necessary information will be disclosed and appropriate confidentiality arrangements will be in place. Customers may request details of the retention period and handling arrangements from their account manager.

15. Frequently Asked Questions

Q: What does "Any Auditor" mean? It means you are free to choose your own auditor or certification body for your formal audit. You are not required to use an auditor recommended by OneClickComply. OneClickComply will make no such recommendations; you will receive introductions via a panel of auditors, but you are not required to use any of them. However, the auditor must be duly qualified and independently certified for the relevant framework. See Section 11 for what constitutes a Qualified Auditor.

Q: Can I book a Readiness Assessment for a framework not listed (for example, PCI DSS or HIPAA)? No. The Any Auditor Guarantee and associated Readiness Assessments apply only to SOC 2 Type II, ISO 27001:2022, and Cyber Essentials Plus. Assessments for other frameworks may be available as a separate service but fall outside the guarantee.

Q: What happens if I am assessed as "Not Audit Ready" and I proceed to audit anyway? If you proceed to audit against a "Not Audit Ready" determination and fail, the guarantee does not apply and no refund will be issued. You proceed entirely at your own risk.

Q: Can I proceed to audit before receiving my Readiness Report? No. The guarantee is contingent upon a written determination in a finalised Readiness Report. If you proceed to audit before the report has been delivered, you do so outside the scope of the guarantee and at your own risk. No informal or verbal indication given during or after the Assessment Day constitutes authorisation to proceed under the guarantee.

Q: Can I request a third Readiness Assessment? Yes, but assessments beyond the first two are charged at GBP 1,000 excluding VAT per assessment. You will be notified of this charge and must confirm acceptance before the assessment is scheduled.

Q: How long does the Readiness Assessment take? The Assessment Day itself is one working day. The Readiness Report will then be delivered within ten (10) working days following the Assessment Day.

Q: Why does the report take ten working days? The ten-day Report Delivery Window allows OneClickComply to review all interview recordings, correlate evidence, seek specialist advice where required, consult third parties if necessary, draft the report, and conduct a mandatory internal peer review. This process ensures the report is accurate, thorough, and professionally quality-assured. See Section 6.2 for full details.

Q: Can I get the report faster than ten working days? Expedited delivery is not offered as standard. In exceptional circumstances, a request may be discussed with the Compliance Operations team, but no guarantee of a shorter timeline can be made.

Q: Can I use the Readiness Report as my internal audit? You may choose to reference it alongside your internal audit programme, but you should carefully consider the limitations. OneClickComply is the provider of the compliance platform you use to implement controls and manage evidence, which means there is an inherent conflict of interest: we are, in part, assessing the output of our own tooling. This means the report cannot be considered fully impartial. For larger or more complex organisations, or where your certification body expects demonstrable internal audit independence, you should not rely on the report as a substitute for an independent internal audit. See Section 9 for the full disclosure.

Q: Will my external auditor accept the Readiness Report as an internal audit? This depends on your auditor and certification body. Because of the declared conflict of interest (OneClickComply being both your platform provider and the assessor), some auditors may not accept the report as satisfying internal audit independence requirements. You are encouraged to discuss this with your auditor before relying on the report in this way.

Q: What if I provided incorrect or incomplete information during the assessment? The assessment and its findings are based entirely on the information you present. If errors, omissions, or inaccuracies in the information you provided contributed to an incorrect determination, the guarantee may be voided and OneClickComply accepts no liability for the outcome. See Section 12.

Q: Who owns the Readiness Report? The Readiness Report is and remains the intellectual property of OneClickComply. You are granted a licence to use it for your own internal purposes and to share it with parties directly involved in your audit or certification. You may not republish, redistribute, or alter it without OneClickComply's prior written consent. See Section 6.5.

Q: Will OneClickComply share my information with third parties? OneClickComply may, at its sole discretion, consult with external third-party consultants or auditors in connection with your assessment. This is done to strengthen the quality and objectivity of the determination. Appropriate confidentiality arrangements will be in place and only the minimum necessary information will be shared. Any auditors consulted will be independent of your own engaged audit firm. See Section 10.

Q: Will I be told if a third party was consulted during my assessment? If a third-party consultation materially influenced the determination or findings in your report, this will be noted in the report. The identity of the third party will not ordinarily be disclosed.

Q: Will I be charged for third-party consultations? No. Any costs arising from OneClickComply's decision to engage third parties are borne by OneClickComply.

Q: Is the Likelihood of Success Rating a guarantee of passing? No. The rating reflects OneClickComply's professional judgement based on the evidence presented, comparable to the risk assessment a legal insurer would conduct. It indicates a likelihood, not a certainty. The Any Auditor Guarantee terms govern what happens in the event of a subsequent audit failure.

Q: What if my organisation changes significantly between the Readiness Assessment and the audit? The Readiness Report reflects the state of your environment at the time of the Assessment Day. If material changes occur after the assessment (for example, infrastructure changes, staff turnover, policy revisions, or system migrations), the findings may no longer be accurate. It is your responsibility to notify OneClickComply of material changes. A further Readiness Assessment may be required, subject to the assessment allowance and charging terms in Section 8.

Q: What if my auditor is not considered "qualified" by OneClickComply? If your auditor does not meet the Qualified Auditor requirements set out in Section 11, the guarantee is invalidated regardless of the Readiness Report outcome. If you are unsure whether your chosen auditor would be accepted, contact your account manager before scheduling the audit.

Q: Can I choose which assessor conducts my Readiness Assessment? Assessor assignment is managed by OneClickComply based on availability and framework expertise. Specific assessor requests may be accommodated where possible but cannot be guaranteed.

Q: What happens to the recordings made during my Assessment Day? Recordings are retained by OneClickComply in accordance with its data retention policy and used solely for the purposes of producing your Readiness Report and supporting internal quality assurance. They are not shared with third parties except as described in Section 10, and only under appropriate confidentiality arrangements. See Section 14.

Q: Does the guarantee cover partial audit failures or qualified opinions? The guarantee terms under Clause 21 of the customer agreement apply to audit failures within the scope of the assessment. Specific coverage for partial failures, qualified opinions, or scope exceptions should be discussed with your account manager and confirmed against your executed agreement.

Q: How much is refunded under the guarantee? As set out in Clause 21 of the customer agreement, the refund covers the cost of the failed audit (evidenced by valid invoices, up to a maximum of GBP 10,000) and all monies paid by the customer under the agreement during the relevant term.

Q: Can I claim the guarantee more than once? No. The guarantee applies to the first and only audit failure claimed under the agreement.

Notice Regarding Pre-Audit Requirements

Under the Any Auditor Guarantee in Clause 21 of your customer agreement, you are required to inform OneClickComply prior to undertaking any audit covered by the Any Auditor Guarantee. OneClickComply is entitled to suspend any such audit in order to assess your current security and compliance posture and to form a professional opinion on your likelihood of success. This assessment is conducted through the Readiness Assessment process (also referred to as your Audit Pre-Submission Review).

Accordingly, please note the following: Any customer who has not yet booked their Audit Pre-Submission Review, or who has booked but not yet undergone the review, or who has not received a formal "Audit Ready" determination within a finalised Readiness Report, should treat this notice as a suspension of their authority to proceed to audit under the guarantee.

You are not authorised to proceed to a covered audit until a written "Audit Ready" determination has been delivered to you in a completed, peer-reviewed Readiness Report.

If you proceed to audit without having received this determination, you do so entirely at your own risk and outside the protection of the Any Auditor Guarantee. No refund will be payable in the event of audit failure in these circumstances, regardless of any informal or verbal indication you may have received.

To book your Audit Pre-Submission Review, please contact your designated account manager or use the scheduling facility within the platform.