Start Trial
PortalMeridianKeystoneRMM
Audit & Compliance Manual

Auditor Portal

Bounded external access, auditor collaboration, and the model Meridian uses to share review material without losing control.

Audience: Audit owners and external review coordinatorsFocus: Auditor collaboration and bounded accessStatus: Public manual

Scope

External auditors need visibility, but they do not need unrestricted access to the operating system. This guide focuses on the public-safe collaboration model rather than the private implementation surface.

This guide covers managing external auditor access to Meridian audit cycles — inviting auditors, monitoring their activity, generating evidence packages, and revoking access when needed.

Permissions required: Meridian.audit to create invites, revoke invites, and generate evidence packages.

Inviting Auditors

Creating an Invite

  1. Navigate to the audit cycle detail page (the relevant workflow).
  2. Click the Auditor Invites tab.
  3. Click Create Invite to open the invite form.
  4. Fill in:
  5. Email: the auditor’s email address (used for OTP verification during acceptance).
  6. Name: the auditor’s display name (shown in the portal header).
  7. Firm (optional): the auditing firm.
  8. Role: Lead Auditor, Staff Auditor, or Observer. Roles are informational — they do not affect what the auditor can access. Permissions control access.
  9. Permissions (checkboxes, at least one required):
    • view_controls — view audit overview, control list, and control detail
    • view_evidence — download individual evidence files
    • submit_irl — submit information request list items
    • download_package — download evidence packages
  10. Expiry: defaults to 90 days from now, hard cap at 365 days.
  11. Click Create. The one-time invite code appears in a copy-to-clipboard modal.

The invite code is shown exactly once and cannot be retrieved later. Copy it immediately. If lost, revoke the invite and create a new one.

What the Auditor Receives

Permission Guidelines

Every auditor needs at least view_controls to see anything in the portal. Typical permission sets:

Role Recommended permissions
Observer view_controls

Managing Invites

Viewing Invites

The Auditor Invites tab on the audit detail page shows a paginated table of all invites for the cycle. Filter by status using the dropdown:

Badge Meaning
Green (active) Invite is live and can be accepted
Blue (accepted) Auditor has accepted and verified via OTP
Red (revoked) Invite was explicitly revoked by an operator
Yellow (expired) Invite passed its expiry without being accepted or revoked

The table shows: email, name, firm, role, permissions, created date, and expiry date.

Revoking Access

Click the Revoke button on any active or accepted invite. Revoking an invite:

  1. Sets the invite to revoked status immediately.
  2. Writes audit log entries for both the revoke action and the session sweep.

A revoked invite cannot be un-revoked. Issue a new invite if the auditor needs access again.

Generating Evidence Packages

When to Generate

Generate an evidence package when you are ready to share the full audit evidence set with external auditors. Typical timing: after all control reviews are rendered and before or during the reporting phase.

How to Generate

  1. On the audit detail page, scroll to the Evidence Package panel.
  2. Click Generate package.
  3. The backend walks the entire cycle — controls, reviews, tests, executions, evidence, and findings — and builds a deterministic ZIP with a canonical manifest.
  4. Generation is synchronous. Small cycles finish in seconds; larger cycles may take up to a minute (the panel shows a long-running warning at 30 seconds).

What is Included

The generated ZIP contains:

  • Evidence files — one directory per evidence artifact, keyed by evidence ID.

The manifest carries a SHA-256 manifest_hash that auditors reference in their workpapers. This hash is the package’s identity — it proves the auditor is looking at the exact same data you generated.

Idempotent Regeneration

Re-generating a package when the underlying data has not changed returns the existing package (same manifest_hash). Adding new evidence, recording new test executions, or updating reviews between generations produces a new package with a new hash. The old package remains in storage.

Size Limits

The package generation enforces hard caps: 10,000 evidence artifacts or 2 GiB bundle size. Hitting either cap returns a structured error. Type 2 cycles with high-frequency connector snapshots are the most likely to hit these limits.

Sharing Packages

Auditors with the download_package permission can download the latest published package directly from the portal. Alternatively, use the share token system (issue HMAC-signed download URLs) described in the audit workflow manual.

Monitoring Auditor Activity

Last Accessed Tracking

Every authenticated portal request updates last_accessed_at on both the session and the invite. The invite list shows when each auditor last accessed the portal.

Audit Log

Meaningful state-changing actions are recorded in the audit log:

Event What happened
auditor.invite.created Operator created an invite (email hash, role, permissions logged)
auditor.invite.accept_attempted Someone attempted to accept an invite (email hash logged)
auditor.invite.accepted Auditor successfully accepted an invite and established a session
auditor.invite.revoked Operator revoked an invite (killed session count logged)
auditor.session.logout Auditor explicitly logged out
auditor.evidence.downloaded Auditor downloaded an evidence file (content hash logged)
auditor.irl.submitted Auditor submitted an information request (subject prefix logged)
auditor.package.downloaded Auditor downloaded the evidence package (manifest hash logged)

Audit log entries for portal events are attributed to the system actor (external auditors are not Meridian users). The invite ID and a short session ID prefix (8 characters) are included in every entry for correlation.

Privacy: email addresses are never written to the audit log in plaintext. A SHA-256 hash prefix is used for correlation.

Information Request List (IRL)

When auditors submit information requests through the portal, they appear in the standard evidence request inbox for the control under review.

Seeing Auditor Requests

Portal-originated evidence requests are distinguishable by their requested_by value (negative numbers indicate portal users). They follow the same open -> fulfilled | cancelled lifecycle as internal requests.

Fulfilling Requests

Fulfill auditor requests the same way you fulfill internal requests: upload or link evidence from the control’s program. The auditor sees the updated status on their next portal visit.

What Auditors See

For a full walkthrough of the auditor experience, see the Auditor Guide.

Audit Overview

Summary page with cycle name, dates, framework, program, and counts: total controls, reviewed, with findings, open/closed findings. The auditor’s identity (name, firm, role) and granted permissions are displayed.

Control List

Paginated table of all controls in scope for the cycle. Searchable by control ref and title. Filterable by review status (not started / in review / reviewed / exception). Each row shows evidence and findings counts.

Control Detail

Full control information: description, objective, framework requirement mappings, test definitions with last run results, evidence artifacts collected within the audit window, and the review conclusion with reviewer notes.

Evidence Download

Individual evidence files can be downloaded. Each download verifies the file’s SHA-256 hash against the stored hash (corruption detection) and writes an audit log entry.

Evidence Window

Auditors only see evidence collected within the cycle’s date window (start_date to end_date). Evidence from before or after the audit period is excluded. This is a SOC 2 audit-chain requirement.

Common Issues

Symptom Cause Resolution
Auditor cannot accept invite Invite expired, already accepted, or revoked Check invite status in the invites tab; create a new invite if needed
Auditor cannot see evidence files Missing view_evidence permission Create a new invite with the correct permissions
Auditor cannot submit IRL items Missing submit_irl permission Create a new invite with submit_irl
Auditor cannot download package Missing download_package permission, or no published package exists Check permissions; generate a package if none exists
No package available for download Package has not been generated yet Generate one from the Evidence Package panel
IRL requests not appearing The auditor submitted to a different cycle IRL requests are scoped per cycle; check the correct audit