Engagement Methodology
How We Work
Two practices, two service models, one shared commitment to evidence-grade outputs. This page describes how each EONTA practice engages — from first contact through to final deliverable.
EMEA Practice
Eonta Risk and Security Limited
Independent Assurance & Audit
Our Irish practice provides independent assurance and audit services. We assess, examine, and report — we do not advise, consult, or implement. Structural independence is the foundation of our value to clients and regulators.
LATAM Practice
Eonta Cibersegurança Ltda
Advisory & Consulting
Our Brazilian practice provides advisory and consulting services. We design, build, and implement compliance programmes, privacy frameworks, and cybersecurity governance structures alongside our clients.
EMEA Practice — Dublin, Ireland · Eonta Risk and Security Limited
Four-Phase Assurance Programme
Phase 1
Scoping
Typically 1–2 weeks
We begin with a confidential scoping conversation — no cost, no obligation. From this, we produce a written Engagement Proposal defining: the regulatory frameworks and controls in scope; the evidence collection approach; the deliverables; and the timeline. No engagement proceeds until scope is agreed in writing.
Scoping conversations are covered by professional confidentiality. We do not retain or reference scoping information if an engagement does not proceed.
Phase 2
Evidence Collection
Typically 2–5 weeks depending on scope
Evidence collection applies three methods in proportion to the engagement scope:
- Document and policy review — examination of existing frameworks, policies, procedures, and prior assessments against the applicable standard
- Control walkthroughs — structured sessions with control owners and responsible stakeholders to understand how controls operate in practice, not just as documented
- Effectiveness testing — targeted testing of selected controls to evaluate whether they function as designed
We do not conduct unannounced testing. All evidence is handled under our information security policy and treated as client-confidential.
Phase 3
Assessment & Findings Development
Typically 1–2 weeks
Findings are developed against the agreed framework — whether ISO 27001, DORA, EU AI Act, NIST CSF, SWIFT CSP, or a sector-specific standard. Each finding is:
- Rated by severity and regulatory significance
- Supported by specific evidence references
- Categorised as either a control design gap or a control operating effectiveness gap — a distinction that determines the appropriate remediation response
Draft findings are shared with the engagement team for factual accuracy review before finalisation. We correct factual errors. We do not adjust findings under commercial pressure.
Phase 4
Reporting & Debrief
Typically 1 week
The final report is structured in two parts:
- An executive summary suitable for board presentation, audit committee review, and regulatory submission — written for senior decision-makers, not technical specialists
- A detailed findings annex with evidence references, severity ratings, and prioritised remediation recommendations
A debrief session with senior stakeholders is included in every engagement. The report is the property of the client. EONTA Ireland retains no right to reference or disclose engagement findings without explicit client consent.
What EONTA Ireland does not do
- Issue compliance certificates — only accredited certification bodies can issue these
- Guarantee regulatory outcomes
- Provide remediation advice as a paid service following an assurance engagement
- Conduct unannounced or adversarial testing without explicit written authorisation
- Accept engagements where our independence would be impaired
LATAM Practice — São Paulo, Brazil · Eonta Cibersegurança Ltda
Three-Phase Advisory Programme
EONTA Brasil works alongside financial institutions and corporations to build, improve, and operationalise their compliance, privacy, and cybersecurity programmes. Our engagements are collaborative — we bring frameworks and methodology; our clients bring institutional knowledge and operational context.
Phase 1
Diagnóstico / Diagnosis
Typically 2–4 weeks
We assess your current state against the applicable regulatory framework — LGPD, BACEN resolutions, ISO standards, or sector-specific requirements. The diagnostic produces a structured gap analysis: what is in place, what is partially developed, and what requires building. This phase concludes with a prioritised remediation roadmap and a clear picture of regulatory exposure.
Phase 2
Programme Design
Typically 3–8 weeks
We design the policies, procedures, controls, and governance structures needed to address identified gaps. Design work is conducted collaboratively with your internal teams. Our objective is to produce frameworks your organisation can own, operate, and sustain independently — not frameworks that create ongoing dependence on external support.
Phase 3
Implementation Support
Fixed-term or ongoing — scoped separately
Where required, we support implementation: facilitating stakeholder workshops, training internal teams, reviewing implemented controls, and preparing documentation for regulatory submission or external audit. Implementation support is always scoped and priced separately from diagnostic and design phases — clients who need only diagnosis and design are not required to engage for implementation.
Our Independence
The following applies to EONTA Ireland — Independent Assurance & Audit.
We do not advise on what we assess.
EONTA Ireland does not provide consulting, advisory, or implementation services. We do not design the frameworks, policies, or controls that our assurance engagements subsequently examine. This separation is absolute.
We do not sell products or technology.
EONTA Ireland has no commercial relationships with technology vendors, software providers, or solution resellers. Our findings are not influenced by any product affiliation. When our assessments reference specific tools or frameworks, those references reflect independent professional judgement.
We do not receive referral fees.
Our revenue derives exclusively from professional fees for assurance and audit engagements. We have no commission or referral arrangements with any third party.
We do not implement remediation.
Where our assurance identifies control gaps, remediation is the responsibility of the client and their chosen advisers. EONTA Ireland does not offer to fix what it finds. Doing so would compromise the independence that makes our findings credible to regulators, boards, and audit committees.
Why this matters for our clients.
Financial regulators — including the ECB, EBA, PRA, and Central Bank of Ireland — expect assurance provided to boards and audit committees to come from genuinely independent sources. An assurance opinion from a firm that also implements the controls it is assessing is not independent assurance. EONTA Ireland’s structural model eliminates that conflict at its source.
Clients who require both independent assurance and implementation support engage EONTA Ireland for one and a separate firm — or our Brazilian advisory practice — for the other. We will clarify this at the outset of every engagement conversation.
EONTA Brasil — Advisory & Consulting operates under a different model. Our Brazilian practice provides advisory and consulting services — designing programmes, building frameworks, and supporting implementation alongside clients. We do not hold ourselves out as independent of our advisory clients, nor do we issue independent assurance opinions. Clients requiring independent assurance of programmes designed by EONTA Brasil should engage EONTA Ireland or another independent assurance provider for that function.
Group-level engagements. Where a client engages both EONTA Ireland and EONTA Brasil on related subject matter, scope boundaries are documented in writing and the dual relationship is disclosed in all assurance reports. Consulting work conducted by EONTA Brasil does not impair the independence of any concurrent or subsequent assurance engagement by EONTA Ireland, provided scope separation is maintained.
Start a Conversation
All scoping conversations are confidential and carry no obligation to proceed. We will tell you at the outset whether your requirement falls within our assurance or advisory practice — or both.