Auditor Portal & External Access
When external auditors arrive for a SOC 2, ISO 27001, or other certification audit, they need to review your policies, acknowledgement records, and compliance evidence. Traditionally this means weeks of back-and-forth emails with spreadsheet attachments and PDF exports. The PolicySuite auditor portal eliminates that friction by giving auditors secure, self-service access to exactly the evidence they need — with no full account required.
1. What the auditor portal is
The auditor portal is a separate, read-only interface that external auditors access via a secure, time-limited invite link. It is completely isolated from your main application — auditors cannot modify policies, change settings, or access anything beyond what you explicitly share with them.
The portal is designed for the specific needs of compliance auditors: they can review policy documents, examine version history, check acknowledgement completion rates, view control framework mappings, and download evidence bundles — all without needing to ask you to export files on their behalf.
2. Creating an auditor invite
To invite an external auditor, navigate to Auditor Portal from the main sidebar and click Create Invite. You will need to provide:
- Auditor email — the email address of the external auditor who will receive the invite link
- Policies to share — select which policies the auditor should have access to. You can share all policies or select specific ones relevant to the audit scope
- Access duration — set how long the invite remains valid, from 1 to 365 days. For a typical SOC 2 audit, 30 to 90 days is common. For a quick spot check, a few days may suffice
Once you create the invite, the auditor receives an email with a secure link. Clicking the link opens the portal immediately: no account registration, no password to remember, no onboarding steps. The link itself is the credential, so the auditor should treat it like a password and not forward it; anyone holding the link has the same access until it expires or you revoke it.
3. What auditors can see
Once inside the portal, auditors have read-only access to the following for each shared policy:
- Policy documents — the full text of each shared policy in its current published version
- Version history — a complete log of all versions, including when each version was published, who published it, and what changed
- Acknowledgement rates — completion statistics showing how many employees acknowledged each policy, when they acknowledged, and who has not yet completed
- Control mappings — which compliance framework controls (e.g. SOC 2 CC6.1, ISO 27001 A.5.1) each policy maps to, demonstrating your control coverage
Auditors cannot see user management settings, billing information, other organisations' data, or any policies you did not explicitly share in the invite.
4. Evidence bundle download
For auditors who prefer to work offline or need to attach evidence to their working papers, the portal includes an Evidence Bundle download. This generates a ZIP archive containing:
- PDF exports — formatted copies of each shared policy with version number, publication date, and author
- CSV exports — acknowledgement records with employee name, email, policy title, sent date, acknowledged date, and IP address
- JSON metadata — structured data about policy versions, control mappings, and distribution history for programmatic analysis
- Hash verification — SHA-256 hashes for each file in the bundle, so auditors can confirm that the evidence files have not changed since the bundle was generated. Because the hash list travels inside the ZIP, it only covers the individual files; record the hash of the ZIP itself (or keep a copy of the hash list outside the bundle) at download time if you later need to show that the whole bundle is the one originally downloaded
The evidence bundle is generated on demand and reflects the state of your data at the time of download; bundles downloaded at different times may therefore differ, and so will their hashes.
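The check an auditor would run against a downloaded bundle, as an added example (not PolicySuite code). The page does not specify the manifest's filename or layout, so this example assumes a `SHA256SUMS` file with one `<sha256>  <path>` line per file; the sample bundle is constructed inline and is not a real export. It reports mismatched, missing and unlisted files separately, because a file that is present but absent from the hash list is just as suspicious as one whose hash is wrong.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class VerifyResult:
    verified: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)
    missing: list = field(default_factory=list)   # listed in manifest, not in the ZIP
    unlisted: list = field(default_factory=list)  # in the ZIP, not in the manifest

    @property
    def ok(self) -> bool:
        return not (self.mismatched or self.missing or self.unlisted)


def parse_manifest(text: str) -> dict:
    """Parse '<sha256>  <path>' lines (assumed layout) into {path: hex_digest}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries[parts[1].strip()] = parts[0].lower()
    return entries


def verify_bundle(zip_bytes: bytes, manifest_name: str = "SHA256SUMS") -> VerifyResult:
    """Hash every file in the ZIP and compare against the embedded manifest."""
    result = VerifyResult()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        if manifest_name not in names:
            raise FileNotFoundError(f"{manifest_name} not found in bundle")
        expected = parse_manifest(zf.read(manifest_name).decode("utf-8"))
        for path, digest in expected.items():
            if path not in names:
                result.missing.append(path)
            elif sha256_hex(zf.read(path)) == digest:
                result.verified.append(path)
            else:
                result.mismatched.append(path)
        result.unlisted = sorted(names - set(expected) - {manifest_name})
    return result


def build_sample_bundle(tamper: bool = False, extra_file: bool = False) -> bytes:
    """Constructed sample bundle (placeholder content, not a real export).

    tamper=True appends a row to the CSV after the manifest was computed;
    extra_file=True adds a file the manifest does not list.
    """
    files = {
        "policies/acceptable-use-v3.pdf": b"%PDF-1.7 constructed placeholder\n",
        "acknowledgements.csv": (
            b"name,email,policy,sent,acknowledged,ip\n"
            b"A. Smith,a@example.com,Acceptable Use,2024-01-05,2024-01-06,203.0.113.7\n"
        ),
        "metadata.json": b'{"policies": [{"title": "Acceptable Use", "version": 3}]}\n',
    }
    manifest = "".join(f"{sha256_hex(data)}  {path}\n" for path, data in files.items())
    if tamper:
        files["acknowledgements.csv"] += (
            b"B. Jones,b@example.com,Acceptable Use,2024-01-05,2024-01-07,198.51.100.2\n"
        )
    if extra_file:
        files["notes.txt"] = b"not covered by the manifest\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SHA256SUMS", manifest)
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean = verify_bundle(build_sample_bundle())
    print("clean bundle ok:", clean.ok, "verified:", clean.verified)
    bad = verify_bundle(build_sample_bundle(tamper=True, extra_file=True))
    print("tampered bundle ok:", bad.ok, "mismatched:", bad.mismatched, "unlisted:", bad.unlisted)
```

Run it against a real download by reading the ZIP into `verify_bundle` and, if the real manifest uses a different name or line format, adjusting `manifest_name` and `parse_manifest` accordingly. Note that a passing result only shows the files match the list packaged with them; to prove the bundle itself is the one downloaded on a given date, keep the ZIP's own SHA-256 in your working papers at download time.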
5. Managing auditor sessions
You retain full control over auditor access at all times. From the Auditor Portal management page, you can:
- Extend access — if the audit takes longer than expected, extend the invite duration without creating a new link
- Revoke access — immediately terminate an auditor's access if it is no longer needed or if the engagement ends early. The portal link stops working instantly
- Resend invite — if the auditor cannot find the original email, resend the invite link to the same email address
- View activity — see when the auditor last accessed the portal and which policies they reviewed
Expired invites are automatically deactivated. Auditors who click an expired link see a clear message explaining that access has ended and directing them to contact you if they need it renewed.
6. Security features
The auditor portal is built with several security measures to protect your data while providing the access auditors need:
- Token-based access — each invite generates a unique, cryptographically secure token. There are no shared passwords or generic logins
- Rate limiting — the portal enforces rate limits on API requests to limit bulk downloading and automated scraping by whoever holds a link
- Watermarked PDFs — policy documents viewed and downloaded through the auditor portal include a watermark identifying the auditor and the access date, creating accountability for any shared documents
- Time-limited access — every invite has a mandatory expiration date. There is no "permanent" auditor access — you must consciously set and manage the duration
- Audit logging — all auditor portal activity is recorded in your organisation's audit trail, so you have a record of exactly what was accessed and when
Still need help?
Email our support team at support@policy-suite.com — we typically respond within 24 hours.