# ConcertoGRC for Audit Firms
ConcertoGRC includes a dedicated product for audit firms and assessment practices - organizations whose business is conducting compliance assessments on behalf of clients. This is not a feature within the GRC platform; it is a standalone offering with its own tenant type, navigation, and purpose-built workflows.
Audit firms get their own ConcertoGRC instance with everything needed to run an assessment practice:
## What You Get
| Capability | Description |
|---|---|
| Client Management | Directory with status tracking (Active, Inactive, Prospect) and contact details |
| Multi-Framework Assessments | SOC 2, ISO 27001, PCI DSS, HIPAA, ISO 42001, and custom frameworks |
| Control Testing Workspace | Clause-level testing with structured auditor workflows and status tracking |
| Evidence Collection Pipeline | Request-and-response evidence workflow with client submissions and auditor review |
| Findings Management | Non-conformity tracking with severity classification and remediation monitoring |
| Client Portal | Branded portal where clients upload evidence and provide management responses |
| Auditor Portal | Remote access for team members to test controls and record findings |
| Roll-Forward | Copy controls, evidence requests, and findings from prior assessments |
| Report Generation | Framework-specific report templates with data pulled from the workspace |
| Firm Branding | Custom logo, colors, and contact details on portals and deliverables |
| AI-Assisted Review | Opt-in AI evidence summarization and relevance assessment per engagement |
## How It Works
### Three-Portal Architecture
Each assessment connects three participant groups through dedicated interfaces:
| Portal | Who Uses It | What They Do |
|---|---|---|
| Firm Dashboard | Firm staff | Manage clients, create assessments, assign teams, generate reports |
| Auditor Portal | Auditors (including remote/contract) | Test controls, review evidence, record findings |
| Client Portal | Assessment clients | Upload evidence, respond to findings, track progress |
Each participant authenticates independently. Field-level visibility ensures auditor notes, testing procedures, and internal observations are never exposed to clients.
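The field-level visibility rule above is the security boundary of the three-portal design: the same control-test record is rendered differently for firm staff, auditors and clients. The following is an added example, not ConcertoGRC's own code, of one way to enforce that rule with per-role allow-lists. The record fields, role names and allow-lists are assumptions for illustration; the product's real schema is not documented on this page.

```python
# Added example (not ConcertoGRC's own code): role-based field-level
# visibility for a control-test record rendered in the firm dashboard,
# the auditor portal and the client portal.
#
# Assumptions (not from the page): the record fields, the role names and
# the allow-lists are illustrative.
from dataclasses import dataclass, field, asdict

FIRM_STAFF = "firm_staff"
AUDITOR = "auditor"
CLIENT = "client"

# Fields the page says must never reach the client portal.
INTERNAL_FIELDS = frozenset({"auditor_notes", "testing_procedure", "internal_observations"})


@dataclass
class ControlTest:
    control_id: str
    title: str
    status: str
    auditor_notes: str = ""            # internal
    testing_procedure: str = ""        # internal
    internal_observations: str = ""    # internal
    evidence_requests: list = field(default_factory=list)
    management_response: str = ""


# Allow-lists rather than deny-lists: a field added to ControlTest later
# stays hidden from clients until someone deliberately exposes it.
VISIBLE_FIELDS = {
    FIRM_STAFF: None,  # None = every field
    AUDITOR: None,
    CLIENT: frozenset({"control_id", "title", "status",
                       "evidence_requests", "management_response"}),
}


def check_policy() -> bool:
    """Self-check: no restricted role's allow-list contains an internal field."""
    return all(allowed is None or not (allowed & INTERNAL_FIELDS)
               for allowed in VISIBLE_FIELDS.values())


def render_for(role: str, record: ControlTest) -> dict:
    """Serialise `record` for `role`, dropping fields the role may not see.

    Unknown roles raise instead of falling back to a permissive view."""
    if role not in VISIBLE_FIELDS:
        raise PermissionError(f"unknown role: {role!r}")
    data = asdict(record)
    allowed = VISIBLE_FIELDS[role]
    if allowed is None:
        return data
    return {name: value for name, value in data.items() if name in allowed}


# Constructed sample record for demonstration only.
SAMPLE = ControlTest(
    control_id="CC6.1",
    title="Logical access controls",
    status="Testing",
    auditor_notes="Sampled 25 of 240 accounts; two lacked MFA.",
    testing_procedure="Inspect IdP export, compare against HR roster.",
    internal_observations="Follow up with client IT lead before finalising.",
    evidence_requests=["IdP user export", "HR roster"],
)


if __name__ == "__main__":
    assert check_policy()
    for role in (FIRM_STAFF, AUDITOR, CLIENT):
        print(role, sorted(render_for(role, SAMPLE)))
```

Running `check_policy()` at startup (or in CI) catches the case where someone later adds an internal field name to the client allow-list, and rejecting unknown roles keeps a misconfigured portal from defaulting to the full record.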
### Assessment Lifecycle
```text
UPCOMING --> IN_PROGRESS --> CLOSED --> ARCHIVED
```
- Upcoming - Assessment scoped with framework, client, dates, and team assigned
- In Progress - Auditors actively testing controls and collecting evidence
- Closed - Assessment complete, report delivered to client
- Archived - Historical record retained for roll-forward reference
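The lifecycle above is a forward-only state machine, and the roll-forward capability in the table above reads from a finished engagement. As an added example that is not ConcertoGRC's own code, here is a minimal enforcement of those states with an audit trail of who moved an assessment between them. The rules that findings can only be recorded while in progress and that roll-forward requires a closed or archived source are assumptions for illustration; the page gives the order of states but not these constraints.

```python
# Added example (not ConcertoGRC's own code): enforcing the lifecycle
# UPCOMING -> IN_PROGRESS -> CLOSED -> ARCHIVED from the page.
#
# Assumptions (not from the page): transitions are forward-only, findings
# and evidence requests are only recorded while IN_PROGRESS, and roll-forward
# is only allowed from a CLOSED or ARCHIVED source.
import copy
from enum import Enum


class Status(str, Enum):
    UPCOMING = "UPCOMING"
    IN_PROGRESS = "IN_PROGRESS"
    CLOSED = "CLOSED"
    ARCHIVED = "ARCHIVED"


# Every legal edge of the lifecycle; anything not listed is rejected.
TRANSITIONS = {
    Status.UPCOMING: {Status.IN_PROGRESS},
    Status.IN_PROGRESS: {Status.CLOSED},
    Status.CLOSED: {Status.ARCHIVED},
    Status.ARCHIVED: set(),
}


class LifecycleError(Exception):
    """Raised for an illegal transition or an edit in a read-only state."""


class Assessment:
    def __init__(self, client, framework, controls=None):
        self.client = client
        self.framework = framework
        self.status = Status.UPCOMING
        self.controls = list(controls or [])
        self.evidence_requests = []
        self.findings = []
        self.history = []  # (actor, from_status, to_status) audit trail

    def transition(self, new, actor):
        """Move to `new` if the lifecycle permits it, recording who did it."""
        if new not in TRANSITIONS[self.status]:
            raise LifecycleError(f"{self.status.value} -> {new.value} not allowed")
        self.history.append((actor, self.status, new))
        self.status = new
        return self.status

    def _require_in_progress(self, action):
        if self.status is not Status.IN_PROGRESS:
            raise LifecycleError(f"cannot {action} while {self.status.value}")

    def request_evidence(self, description):
        self._require_in_progress("request evidence")
        self.evidence_requests.append(description)

    def record_finding(self, control_id, severity, text):
        self._require_in_progress("record finding")
        self.findings.append({"control": control_id, "severity": severity,
                              "text": text, "remediated": False})

    def roll_forward(self, actor):
        """Seed a new UPCOMING engagement from this finished one."""
        if self.status not in (Status.CLOSED, Status.ARCHIVED):
            raise LifecycleError("roll-forward requires a CLOSED or ARCHIVED source")
        nxt = Assessment(self.client, self.framework, self.controls)
        nxt.evidence_requests = list(self.evidence_requests)
        # Carry only unremediated findings forward so they get re-tested;
        # deep-copy so edits in the new engagement never touch the archive.
        nxt.findings = copy.deepcopy([f for f in self.findings if not f["remediated"]])
        nxt.rolled_forward_by = actor
        return nxt


if __name__ == "__main__":
    # Constructed walkthrough of one engagement.
    a = Assessment("Example Client", "SOC 2", ["CC6.1"])
    a.transition(Status.IN_PROGRESS, "lead auditor")
    a.record_finding("CC6.1", "high", "two admin accounts without MFA")
    a.transition(Status.CLOSED, "lead auditor")
    a.transition(Status.ARCHIVED, "firm admin")
    print(a.history)
    print(a.roll_forward("firm admin").findings)
```

The `history` list is the part a practitioner will want to keep: it records which actor closed or archived an engagement, which is exactly the trail a later reviewer needs when a report's provenance is questioned.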
### Assessment Types
| Type | When to Use |
|---|---|
| Initial Certification | First-time assessment against a framework |
| Surveillance | Periodic check between full assessments (e.g., ISO annual surveillance) |
| Recertification | Full reassessment at end of certification cycle |
| Readiness Review | Pre-audit evaluation to identify gaps before formal certification |
| Gap Assessment | Identify gaps and build a remediation roadmap |
| Compliance Audit | General compliance verification engagement |
## Firm Navigation
Audit firm tenants see a purpose-built navigation structure:
| Section | Purpose |
|---|---|
| Dashboard | Active engagement overview, upcoming deadlines, team workload |
| Assessments | Create and manage all client engagements |
| Clients | Client directory with contact and status tracking |
| Team | Auditor roster and role management |
| Branding | Logo, colors, and portal customization |
| Report Templates | Framework-specific report templates |
## Documentation
Explore each area of the platform in detail:
- Firm Dashboard and Clients - Client management, team administration, and practice overview
- Assessment Workspace - Creating assessments, testing controls, collecting evidence, recording findings
- Client Portal - What your clients see and how they interact with engagements
- Auditor Portal - Remote auditor access for control testing and evidence review
- Reports and Branding - Report templates, firm branding, and deliverable customization
## For GRC Tenants Being Audited
If you are a GRC tenant (not an audit firm) and need to manage an external audit of your organization, see Managing External Audits for how to register audit firms, invite auditors, and coordinate evidence collection from within the standard ConcertoGRC app.