Overview

An independent review of security controls by a 3rd party is often required by organizations. This process involves a 3rd party who is hired to evaluate your systems and policies against a list of information assurance controls that are part of a standard. This standard can be SOX, COBIT, FedRAMP, or any other standard, depending on the industry or agency and the nature of the data.

Why are they asking this?

They are asking this to ensure that their data is safe with your organization. This requirement may be based on good practices, industry standards, government regulations or the law.

What do they expect?

The expectation is that you have contracted with a certified 3rd party to audit and evaluate your systems and policies against a specific standard. The evaluation needs to have been completed, and the report must be available if requested. Some standards produce a pass/fail result; others assign a level of risk. It is expected that your organization passed, or that the level of risk is acceptable as they define it.