This is a sample preview. The real auditor portal is token-gated and loads live programme data.
All numbers, evidence titles, findings, and policy entries on this page are synthetic and refer to no real organisation.
Acme Logistics (sample)
Auditor packet — SOC 2 Type II — surveillance Q3 2026 · Sample Audit Co.
Scope
- Frameworks
- SOC2, ISO27001
- Period
- 2026-01-01 → 2026-06-30
- Generated
- sample preview
Control coverage
| Framework | Implemented | Total | Coverage |
|---|---|---|---|
| soc2 | 187 | 201 | 93% |
| iso27001 | 89 | 93 | 96% |
Operating effectiveness (Type II)
Evidence (6 of 1,842 shown)
| Title | Control | Framework | Collected | Status |
|---|---|---|---|---|
| AWS IAM access review — Q1 2026 | CC6.1 | soc2 | 2026-03-31 | collected |
| GitHub branch-protection snapshot | CC8.1 | soc2 | 2026-04-12 | collected |
| Okta MFA enforcement export | CC6.6 | soc2 | 2026-04-15 | collected |
| Patch cadence — production fleet | A.8.8 | iso27001 | 2026-05-02 | collected |
| Backup integrity test — restore drill | A.8.13 | iso27001 | 2026-05-18 | collected |
| Quarterly access certification — finance | CC6.2 | soc2 | 2026-06-12 | collected |
Internal audit findings (2)
| Control | Finding | Severity | Status |
|---|---|---|---|
| CC7.2 | One vendor security review overdue (review cycle 30 days, last reviewed 47 days ago). | minor | remediated |
| A.8.16 | Two SIEM alert rules without documented runbook references. | low | in_progress |
Approved policies (4)
| Policy | Framework | Last updated |
|---|---|---|
| Information Security Policy | iso27001 | 2026-05-14 |
| Access Control Policy | iso27001 | 2026-04-22 |
| Incident Response Procedure | soc2 | 2026-05-30 |
| Business Continuity Plan | iso27001 | 2026-03-11 |
A working audit surface — not just a data room
Your auditor requests specific evidence; you’re emailed, respond and attach the exact items, and they accept, reject or ask for follow-up — the whole loop in one place.
A per-control view of status, the evidence mapped to it and the policies that satisfy it — export any control’s full evidence population to CSV for sampling.
A per-control calendar of daily evidence collection across the period — visual proof a control operated throughout, with coverage % and longest-gap detection.
Every evidence item is sealed with a SHA-256 hash at collection and re-verified on view — provenance (which connector, when) is shown for each.
Give each auditor their own magic link — individually revocable, with their actions attributed to them. No shared passwords.
Author the system description, subservice orgs and CUECs — with an AI first draft — shown read-only to the auditor and in the packet PDF.
This is what your auditor will see.
The real surface is token-gated, scope-bounded by frameworks and date range, and pulled directly from your live programme — no copy-paste, no manual extract.