Auditor Portal
The Auditor Portal is a dedicated interface for external auditors who are invited to participate in assessments. Auditors authenticate separately from client users and can access multiple assessments across different firms, which makes the portal suitable for contract auditors who work with several organizations.
Access
Auditors access the portal at a dedicated URL and authenticate with Cognito credentials tied to their email address. The system matches the authenticated email to auditor contact records to determine which assessments they can access.
Login Flow
- Navigate to the Auditor Portal URL
- Enter email and password (or use SSO if configured)
- If invited to multiple assessments, an Assessment Picker shows all available engagements
- Select an assessment to enter its workspace
My Assessments
After login, auditors see a list of all assessments they've been invited to, with:
- Assessment name and client
- Framework being assessed
- Status and progress
- Due date
- Their role (Lead Auditor or Team Member)
Auditor Workspace
Once inside an assessment, auditors have full access to the following areas:
Control Testing
The primary auditor workflow:
- Navigate clauses - Browse controls organized by domain/section
- Review evidence - See what the client has submitted for each control
- Perform testing - Document testing procedures and results
- Record status - Mark each clause as Conforming, Non-Conforming, or Not Applicable
- Add auditor notes - Internal observations not visible to clients
Evidence Review
- View all client-submitted evidence
- Accept or reject submissions with comments
- Request additional evidence or clarification
- Upload auditor-side evidence (testing screenshots, sampling records)
Finding Recording
When control testing reveals issues:
- Create finding - Linked to the relevant clause
- Classify - Set conformity type and severity
- Describe - Document the non-conformity in detail
- Recommend - Provide remediation guidance
- Track - Monitor client management response and remediation status
Comments & Collaboration
- Threaded comments on evidence requests and findings
- @mention client contacts to request clarification
- Activity feed showing assessment-wide progress
Auditor vs. Client Visibility
Auditors see everything; clients see a filtered view:
| Feature | Auditor | Client |
|---|---|---|
| All clause details | Yes | No (only public fields) |
| Auditor notes | Yes (read/write) | No |
| Testing procedures | Yes (read/write) | No |
| Evidence reviewed summary | Yes (read/write) | No |
| Client evidence submissions | Yes | Yes |
| Findings | Yes (create/edit) | Yes (read + management response) |
| Management responses | Yes (read) | Yes (read/write) |
| Assessment progress | Yes | Yes (limited) |
Permissions
Auditor Portal access is controlled through invitations:
- Auditor contacts are registered with an email address
- Contacts are invited to specific assessments
- Invites can be enabled or disabled without deleting the contact
- Disabling or removing an invite immediately revokes the auditor's portal access to that assessment
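The Access section, the visibility table and the invitation rules above describe one authorization model: the authenticated Cognito email is matched to an auditor contact, active invites on that contact decide which assessments are reachable, and clients get a projection of each clause with the auditor-only fields removed. The block below is an added illustration of that model, not the portal's own code; the record shapes, field names (`auditor_notes`, `testing_procedures`, `evidence_reviewed_summary`), the sample contacts and invites, and the decision to require Cognito's `email_verified` claim before matching are all assumptions made for the example.

```python
# Added example (not the portal's own code): invite-based access resolution
# and the auditor/client visibility split. Record shapes, field names and the
# email_verified requirement are assumptions for illustration only.
from dataclasses import dataclass

# Fields the visibility table marks as auditor-only (hidden from clients).
AUDITOR_ONLY_FIELDS = frozenset({
    "auditor_notes",
    "testing_procedures",
    "evidence_reviewed_summary",
})


@dataclass(frozen=True)
class Invite:
    contact_email: str    # email of the registered auditor contact
    assessment_id: str
    role: str             # "Lead Auditor" or "Team Member"
    enabled: bool = True  # a disabled invite stays on record but grants nothing


def normalize_email(email: str) -> str:
    # Match case-insensitively so Alice@AuditFirm.example and
    # alice@auditfirm.example resolve to the same contact record.
    return email.strip().lower()


def accessible_assessments(claims: dict, contacts: set, invites: list) -> dict:
    """Map Cognito ID-token claims to {assessment_id: role} for this user.

    The email claim is the only link between the login and an auditor contact,
    so the match is refused unless Cognito reports the address verified
    (email_verified). Without that check a self-registered account carrying
    someone else's address would inherit their invites.
    """
    if not claims.get("email_verified", False):
        return {}
    email = normalize_email(claims.get("email", ""))
    if email not in {normalize_email(c) for c in contacts}:
        return {}  # authenticated, but not a registered auditor contact
    return {
        inv.assessment_id: inv.role
        for inv in invites
        if inv.enabled and normalize_email(inv.contact_email) == email
    }


def authorize(claims: dict, contacts: set, invites: list, assessment_id: str) -> bool:
    """Per-request check against the live invite list (not a cached session
    list), so disabling or removing an invite takes effect immediately."""
    return assessment_id in accessible_assessments(claims, contacts, invites)


def client_view(clause: dict) -> dict:
    """Project a full clause record to the fields a client may see."""
    return {k: v for k, v in clause.items() if k not in AUDITOR_ONLY_FIELDS}


# Constructed sample data (assumed shapes, not real records).
CONTACTS = {"alice@auditfirm.example"}
INVITES = [
    Invite("Alice@AuditFirm.example", "asmt-1", "Lead Auditor"),
    Invite("alice@auditfirm.example", "asmt-2", "Team Member", enabled=False),
]
CLAUSE = {
    "clause_id": "A.5.1",
    "status": "Non-Conforming",
    "evidence_submissions": ["access-policy.pdf"],
    "auditor_notes": "sampled 3 of 12 change tickets",
    "testing_procedures": "walkthrough plus sample",
}
VERIFIED_ALICE = {"email": "alice@auditfirm.example", "email_verified": True}

if __name__ == "__main__":
    print(accessible_assessments(VERIFIED_ALICE, CONTACTS, INVITES))
    print(authorize(VERIFIED_ALICE, CONTACTS, INVITES, "asmt-2"))
    print(client_view(CLAUSE))
```

Two points in the example matter in practice: `authorize` re-reads the invite list on every request rather than trusting an assessment list stored at login, which is what makes "immediately revokes" true, and the client projection is done by stripping a fixed set of auditor-only fields from the full record rather than by assembling a client record from scratch, so a field added to the clause model later is visible to clients unless it is explicitly added to the deny set (choose the direction that matches your default-deny posture).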
AI Features
When AI is enabled for an assessment, auditors can:
- Use AI-assisted document summarization on uploaded evidence
- Get relevance assessments for evidence against control requirements
- Generate draft finding descriptions from testing notes
AI features are opt-in per assessment and controlled by whoever manages the assessment, not the auditor.