Let Auditors Serve Themselves
The audit back-and-forth - requests, screenshots, follow-ups - is where weeks vanish. The auditor portal gives your assessor scoped, read-only, time-boxed access to the evidence they need.
Illustrative product view
The audit back-and-forth problem
A traditional audit is a queue of evidence requests answered by screenshots and exports over email, each spawning follow-ups. It is slow for you and frustrating for the auditor, who cannot see the underlying system. The auditor portal (/auditor-portal, /auditor-tokens) replaces that with scoped, read-only access so the assessor can look directly at controls, evidence, and the verifiable ledger.
What the auditor can see
| Surface | What the auditor gets | Access |
|---|---|---|
| Controls | Control set and current status | Read-only |
| Evidence | Evidence items linked to controls | Read-only |
| Trust ledger | The ability to verify the chain | Verify |
| Policies | Current, owned policies | Read-only |
| Write actions | None | Denied |
Auditors can verify, not just view
Because the trust ledger is hash-chained and verifiable, an auditor can do more than read the evidence - they can confirm it was not altered. Running the chain verification independently turns your evidence from “trust us” into “check for yourself,” which is exactly the assurance an assessor is looking for.
How it connects
- Exposes the control library and its status
- Surfaces evidence produced by evidence automation
- Lets auditors verify the tamper-evident trust ledger
- Complements the public trust center for customer-facing assurance
Frequently asked questions
What is an auditor portal?
An auditor portal is a scoped, read-only workspace that gives your assessor direct access to controls, evidence, and a verifiable audit ledger, instead of exchanging screenshots over email. Fintra grants access through time-boxed tokens, so auditors see what they need for the engagement and access lapses automatically.
Can auditors change anything in the portal?
No. Access is strictly read-only, with verification of the ledger being the only active capability. Auditors can view controls, evidence, and policies and confirm the integrity of the ledger, but they cannot modify anything, so your record stays authoritative.
How is auditor access controlled?
Through time-boxed auditor tokens. Access is scoped to what the engagement requires and expires when the token does, so you are not leaving a standing account open after the audit ends. Expired tokens revoke access automatically.
Can an auditor independently verify the evidence?
Yes. Because the trust ledger is hash-chained and verifiable, an auditor can recompute the chain to confirm the evidence was not altered after the fact. That moves your assurance from asserting the evidence is intact to letting the auditor prove it.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
Cut the audit email thread
Give auditors scoped, read-only, verifiable access to your evidence.
Talk to us