Auditor Portal Guide
Last updated: 2026-04-29
Status: Stable
Audience: External Auditors, Compliance Officers, CISOs
Purpose
The Auditor Portal is a dedicated, read-only view inside URIP designed specifically for external auditors. It gives them everything they need to perform their assessment — control status, evidence, policies, and risk findings — without giving them access to modify anything, see other tenants, or view your credentials.
This guide covers both sides: how a Compliance Officer invites an auditor, and how the External Auditor uses the portal once invited.
What the Auditor Portal Is (and Is Not)
| The auditor portal IS | The auditor portal IS NOT |
|---|---|
| A time-bound, framework-scoped read-only view | A full URIP user account |
| Accessible via a single invitation URL | A way for the auditor to edit controls or upload their own files |
| A place to request evidence directly from the compliance team | A way to see other organisations' data |
| A transparent view of how URIP evaluates each control | A way to see connector credentials or internal user lists |
| A communication channel for evidence requests and test notes | A substitute for the auditor's own professional judgment |
Part 1 — For Compliance Officers: Inviting an Auditor
Before You Invite
Gather the following:
- Auditor name and email (for your records)
- Which frameworks they will audit (you can scope access to specific frameworks)
- How long they need access (7 / 14 / 30 / 60 / 90 days)
- Whether they need to sign an NDA before viewing
Step-by-Step Invitation
- Navigate to Compliance → Auditor Invitations (/compliance-auditor-invitations.html)
- Click New Invitation
- Fill in:
  - Auditor name — e.g., "Jane Smith — Deloitte"
  - Email — the auditor's business email
  - Framework scope — select one or more frameworks (e.g., SOC 2 only, or SOC 2 + ISO 27001)
  - Expiry — choose based on your audit timeline
  - Require NDA — toggle on if your organisation requires an e-signed NDA first
- Click Generate Invitation
- Copy the long invitation URL
- Send it to the auditor manually via your preferred secure channel (email, secure file share, or your audit management system)
Important: URIP does not send the invitation email automatically. You must copy and send the link yourself.
Managing Active Invitations
| Action | How to do it |
|---|---|
| See who has accessed the portal | Compliance → Auditor Activity — shows login time, pages viewed, evidence accessed |
| Revoke access early | Auditor Invitations → find the invitation → Revoke — access stops immediately |
| Renew an expiring invitation | Revoke the old one and create a new invitation with a fresh expiry |
| Restrict to fewer frameworks | You cannot edit an existing invitation's scope. Revoke and reissue with the correct frameworks. |
Part 2 — For External Auditors: Using the Portal
Logging In
- Open the invitation URL your compliance officer sent you
- If an NDA is required: read the NDA, enter your name and email, click Accept NDA — this acceptance is timestamped and logged
- You land on the Auditor Dashboard — a read-only view of the frameworks you were invited to audit
Trouble accessing? If you see "Token expired" or "Not found," the link may have expired or been truncated when copied. Contact your compliance officer and ask them to reissue the invitation. Do not contact URIP support directly — the compliance officer manages access.
What You Can See
| Section | What It Shows |
|---|---|
| Framework Scorecard | Overall pass/fail percentage for each framework you are auditing |
| Control Inventory | Every control in the framework, its status (pass / fail / inconclusive), and the evidence linked to it |
| Risk Findings | The specific CVEs and misconfigurations causing control failures, with severity scores |
| Evidence Library | All evidence files uploaded by the compliance team: policies, screenshots, logs, reports, attestations |
| Policies | The organisation's policy documents (Information Security Policy, Access Control Policy, etc.) |
| Evidence Requests | Your own requests and their status (submitted / fulfilled / pending) |
What You Cannot See
- Other tenants' data
- Connector credentials or API keys
- Internal user lists or role assignments
- The audit log of internal user actions (you can request this via an evidence request)
- Any framework outside the scope of your invitation
Requesting Evidence
If you need a file or document that is not already in the Evidence Library:
- Navigate to Evidence Requests inside the Auditor Portal
- Click New Request
- Fill in:
  - Title — e.g., "Q1 2026 Access Review Sign-Off"
  - Framework and Control — which control this evidence supports
  - Description — what you need and in what format
  - Due date — when you need it by
- Click Submit
The compliance officer receives a notification. When they upload the file, you will see it marked as Fulfilled in your request list, and the file appears in the Evidence Library for that control.
Tip: Be specific in your description. "Upload the Q1 access review email approval from the CISO" is easier to fulfil than "Need access review evidence."
Tracking Your Requests
| Status | Meaning |
|---|---|
| Submitted | The compliance team has been notified but has not yet responded |
| In Progress | The compliance team is gathering the evidence |
| Fulfilled | The evidence has been uploaded and is visible in the Evidence Library |
| Declined | The compliance team has declined the request with a reason (e.g., does not exist, confidential) |
Understanding Control Evaluation
URIP evaluates controls automatically against data from the organisation's connected security tools. When you open a control, you see:
- Control text — the requirement from the standard
- Status — pass, fail, inconclusive, or not evaluated
- Linked risks — the specific findings causing a failure
- Linked evidence — files the organisation uploaded to demonstrate compliance
- Connector mapping — which tools feed data for this control
If a control is marked fail, the linked risks show you exactly why: for example, "CC6.1 fails because Entra ID reported 3 users without MFA enforced." You can drill into each linked risk to see the CVE, the affected asset, and the remediation timeline.
Communicating Test Results
URIP's Auditor Portal is read-only for auditors. You cannot mark a control as "tested" or "passed" inside URIP. This is intentional — it preserves the independence of your professional opinion.
How to communicate results:
- Use your firm's standard audit workpapers and management letter process
- Reference URIP control IDs and evidence filenames in your documentation
- If you need additional evidence, use the Evidence Request feature
- If you find a discrepancy, note it in your workpapers and discuss it with the compliance officer
Downloading Evidence
You can download individual evidence files from the Evidence Library. Each download is logged in the Auditor Activity log.
If you need a bulk export, ask the compliance officer to generate a Full Audit Package report from Compliance → Reports. This PDF includes all controls, evidence inventory, and open risk summaries in one document.
Part 3 — Security & Privacy for Auditors
Can I See Other Tenants' Data?
No. Your invitation token is scoped to exactly one tenant and one set of frameworks. There is no mechanism in the Auditor Portal to switch tenants, search across tenants, or view data from any other organisation. URIP's tenant isolation is enforced at the data layer, not just the UI layer.
What Data Does URIP Store About Me?
When you use the Auditor Portal, URIP stores:
- Your name and email (provided by the compliance officer)
- Your NDA acceptance timestamp (if applicable)
- Every page you visit and every file you download (Auditor Activity log)
- The evidence requests you submit
This data belongs to the inviting tenant and is included in their audit trail. URIP does not use auditor data for marketing, analytics, or any purpose outside the audit engagement.
Is the Auditor Portal Secure?
- The invitation URL is a cryptographically random token
- Access expires automatically after the set period
- All communication uses TLS encryption
- Sessions time out after inactivity
- The portal is read-only — no data can be modified
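To make concrete what "time-bound, framework-scoped" and "cryptographically random" mean for the invitation flow in Part 1 and the properties listed above, here is an added illustrative model; it is not URIP's own code. The class and method names, storing only a digest of the token, and treating a revoked token as "Not found" are assumptions made for the illustration.

```python
# Illustrative model of a time-bound, framework-scoped auditor invitation token.
# Added for this guide, not URIP's code; all names and the digest storage are assumptions.
import hashlib
import secrets
from dataclasses import dataclass
ALLOWED_EXPIRY_DAYS = {7, 14, 30, 60, 90}  # the expiry options the guide offers
SECONDS_PER_DAY = 86_400

@dataclass
class Invitation:
    tenant_id: str
    frameworks: frozenset  # scope is fixed at issue time; reissue to change it
    expires_at: int        # unix seconds
    revoked: bool = False

def _digest(token: str) -> str:
    # Only a SHA-256 digest is stored server-side, so a copy of the table
    # does not yield working invitation URLs.
    return hashlib.sha256(token.encode()).hexdigest()

class InvitationStore:
    def __init__(self):
        self._by_digest: dict[str, Invitation] = {}

    def issue(self, tenant_id, frameworks, expiry_days, now):
        if expiry_days not in ALLOWED_EXPIRY_DAYS:
            raise ValueError("expiry must be one of 7/14/30/60/90 days")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_digest[_digest(token)] = Invitation(
            tenant_id, frozenset(frameworks), now + expiry_days * SECONDS_PER_DAY)
        return token  # the only copy; it goes into the invitation URL

    def revoke(self, token):
        inv = self._by_digest.get(_digest(token))
        if inv:
            inv.revoked = True  # record kept for the audit trail, access stops now

    def resolve(self, token, now):
        """Return (status, invitation); statuses mirror the troubleshooting table."""
        inv = self._by_digest.get(_digest(token))
        if inv is None or inv.revoked:  # unknown, truncated, or revoked (assumption)
            return "Not found", None
        if now >= inv.expires_at:
            return "Token expired", None
        return "ok", inv

    def may_view(self, token, tenant_id, framework, now):
        # Tenant and framework scope are checked on every lookup, not only in the UI.
        status, inv = self.resolve(token, now)
        return status == "ok" and inv.tenant_id == tenant_id and framework in inv.frameworks
```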
Troubleshooting for Auditors
| Problem | Cause | Fix |
|---|---|---|
| "Token expired" | The invitation period ended | Ask the compliance officer to create a new invitation |
| "Not found" | The URL was truncated or copied incorrectly | Ask for the full URL again — it is long and must be complete |
| "NDA already signed" | You signed an NDA on a previous engagement | Your new invitation may reuse the previous NDA record; contact the compliance officer if there is a new NDA version |
| Cannot download a file | The file is large and still uploading, or your browser blocked the download | Wait 30 seconds and retry; check your browser's pop-up blocker |
| Page is blank | Browser extension blocking content | Try a different browser or disable extensions temporarily |
See Also
- Compliance Workflow — full 8-step compliance guide for internal teams
- Compliance Frameworks — all 20 supported frameworks
- Troubleshooting — general troubleshooting