Client Portal
The Client Portal is a dedicated interface where assessment clients interact with their audit engagement. Clients access the portal via a unique URL and authenticate with their own Cognito credentials, separate from the main ConcertoGRC application.
Access
Clients receive an invitation from the audit firm with a link to their assessment portal. Authentication uses AWS Cognito with credentials specific to the portal. Clients do not need a ConcertoGRC platform account.
The portal URL is scoped to a specific assessment: each engagement has its own portal instance showing only that assessment's data.
What Clients See
The Client Portal provides a focused view of the assessment without exposing auditor-internal information:
Assessment Dashboard
- Assessment name, framework, and status
- Progress indicators (evidence submitted vs. requested)
- Upcoming deadlines
- Recent activity feed
Evidence Requests
Evidence requests are the primary interaction point. Clients see all evidence requests created by the auditor and can:
- View request details - What's being asked for and why
- Upload evidence - Attach documents, screenshots, or exports
- Track status - See which requests are pending, submitted, accepted, or need resubmission
- View prior submissions - Historical submissions panel for reference
Evidence uploads support multiple file types (PDF, images, spreadsheets, documents).
Findings
Clients can view findings recorded by auditors (read-only) and:
- Review finding details - Description, severity, clause reference
- Provide management responses - Document how the organization plans to remediate
- Track status - See finding lifecycle from open through remediation
Projects
When the audit firm creates remediation projects linked to findings, clients can view project status and tasks assigned to their team.
Activity Feed
Chronological feed of all assessment activity visible to the client, including evidence submissions, status changes, new findings, and comments.
Comments
Threaded comment system with @mention support for communication between client contacts and auditors. Comments appear in context alongside evidence requests and findings.
Field Visibility
The Client Portal enforces strict field-level visibility. Auditor-internal fields are never exposed:
| Visible to Clients | Hidden from Clients |
|---|---|
| Finding title and description | Auditor notes |
| Evidence request details | Testing procedures |
| Finding severity and status | Evidence reviewed (auditor summary) |
| Management response field | Internal auditor comments |
| Assessment progress | Team workload data |
Authentication
The Client Portal uses AWS Cognito for authentication:
- Credentials are issued by the audit firm when inviting client contacts
- Sessions are scoped to a specific assessment
- Password reset and MFA flows are supported
- No access to other assessments or platform data
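
One way to enforce the field visibility table and the per-assessment session scope on the server side, shown as an added example that is not ConcertoGRC's own code. The field names, `PortalSession`, and the helper functions are hypothetical, and the sample record is constructed.

```python
from dataclasses import dataclass

# Hypothetical field names derived from the Visible/Hidden table above.
CLIENT_READABLE = frozenset({"id", "title", "description", "severity",
                             "status", "clause_reference", "management_response"})
CLIENT_WRITABLE = frozenset({"management_response"})  # findings are otherwise read-only


class PortalAccessError(Exception):
    """Request reaches outside the session's assessment or permitted fields."""


@dataclass(frozen=True)
class PortalSession:
    user_id: str
    assessment_id: str  # the one assessment this portal session is scoped to


def _require_scope(session, finding):
    # Compare against the server-side record, never a client-supplied assessment id.
    if finding.get("assessment_id") != session.assessment_id:
        raise PortalAccessError("finding belongs to another assessment")


def client_view(session, finding):
    """Project a finding onto the allowlist; unlisted fields are dropped by default."""
    _require_scope(session, finding)
    return {k: v for k, v in finding.items() if k in CLIENT_READABLE}


def apply_client_update(session, finding, patch):
    """Return an updated copy, rejecting writes to anything but client-writable fields."""
    _require_scope(session, finding)
    blocked = set(patch) - CLIENT_WRITABLE
    if blocked:
        raise PortalAccessError(f"fields not writable by clients: {sorted(blocked)}")
    return {**finding, **patch}


# Constructed sample record, including one field the table does not list.
FINDING = {
    "id": "F-1", "assessment_id": "A-100", "title": "Access reviews not performed",
    "description": "Quarterly reviews missing", "severity": "High", "status": "Open",
    "clause_reference": "CL-1", "management_response": "",
    "auditor_notes": "draft", "testing_procedures": "sampled accounts",
    "evidence_reviewed": "summary", "internal_comments": "discuss", "reviewer_workload": 7,
}
```

Because the projection is an allowlist, a field added to the finding model later stays hidden from clients until someone deliberately lists it.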