Managing auditor access is a critical part of your compliance program. LowerPlane provides tools to grant, monitor, and revoke external auditor access while maintaining a complete audit trail of all access management activities.

Granting Auditor Access

There are two ways to provide auditors with access to your LowerPlane data:
Invite specific auditors by email address. Each auditor creates their own account with the Auditor role.
  1. Navigate to Settings > Users to open the user management page.
  2. Click Invite User and enter the auditor’s email address.
  3. Select the Auditor role. Choose Auditor from the role dropdown. This grants read-only access scoped to compliance data.
  4. Set an expiration date. Configure when the auditor’s access should automatically expire. Set this to the expected audit completion date plus a reasonable buffer (e.g., 2 weeks after the audit window closes).
  5. Send the invitation. Click Send Invite. The auditor receives an email with instructions to create their account and access your compliance data.

Access Expiration

Every auditor access grant should have an expiration date. LowerPlane supports:
Setting              Description
Fixed date           Access expires on a specific calendar date
Duration             Access expires after a set number of days from creation (e.g., 30 days, 90 days)
Manual revocation    Access remains until explicitly revoked (not recommended)
For SOC 2 Type II audits, set the expiration to the end of the audit period plus 30 days. This gives auditors time to complete their review and request any final clarifications without requiring access extensions.

Extending Access

If an audit runs longer than expected:
  1. Navigate to the auditor’s user entry or access link.
  2. Click Extend Access.
  3. Set a new expiration date.
  4. Save the change. The extension is logged in the audit trail.

Audit Firm Management

For organizations that work with the same audit firms regularly, LowerPlane lets you manage audit firm details:
Field               Description
Firm name           Name of the audit firm
Primary contact     Lead auditor or engagement manager
Contact email       Firm’s or lead auditor’s email address
Engagement type     SOC 2, ISO 27001, HIPAA, PCI-DSS, or GDPR
Audit period        Start and end dates of the current engagement
Associating auditors with their firm helps you:
  • Track which firm conducted each audit
  • Manage multiple auditor accounts from the same firm
  • Maintain a history of audit engagements

Monitoring Auditor Activity

LowerPlane logs all auditor activity for your review:
Activity            What Is Logged
Login               When the auditor accessed the portal
Page views          Which sections and controls the auditor reviewed
Evidence access     Which evidence files were viewed or downloaded
Search queries      What the auditor searched for
Session duration    How long each session lasted
This activity log serves two purposes:
  1. Security monitoring — Verify that auditor access is used appropriately.
  2. Audit preparation — Understand which areas the auditor focused on, which can help you prepare for follow-up questions.
Auditors are not notified that their activity is logged. This is standard practice for access monitoring and is itself a compliance control (audit logging of system access).

Revoking Access

To immediately revoke an auditor’s access:
  1. Find the auditor. Navigate to Settings > Users and locate the auditor account, or go to the access link management page.
  2. Click Revoke Access or Remove User.
  3. Confirm the revocation. The auditor is immediately logged out and cannot access any data.
Revoked access is logged with a timestamp and the identity of the person who performed the revocation.

Access Management as Compliance Evidence

Your auditor access management practices are themselves compliance evidence:
Framework     Relevant Controls
ISO 27001     A.9.2.2 (Access provisioning), A.9.2.6 (Removal of access rights)
SOC 2         CC6.2 (Prior to access, registration and authorization), CC6.3 (Removal when no longer needed)
LowerPlane maintains a complete record of:
  • When auditor access was granted
  • What scope was provided
  • When access expired or was revoked
  • All auditor activity during the access period
Maintaining clean auditor access records demonstrates mature access management practices. Future auditors will review how you managed previous auditor access as part of their assessment.

Best Practices

  • Always set expiration dates. No auditor access should be open-ended.
  • Use the Auditor role, not Member or Admin. The Auditor role provides exactly what auditors need and nothing more.
  • Revoke promptly after audit completion. Do not wait for automatic expiration if the audit finishes early.
  • Review access before granting. Ensure the auditor’s identity is verified before providing access to your compliance data.
  • Password-protect access links. Share passwords through a separate channel from the link itself.
  • Monitor activity during the audit. Review the activity log periodically to ensure access is being used appropriately.
  • Document the engagement. Record the audit firm, engagement type, and period for each audit.
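The expiration rule from Access Expiration, the activity log from Monitoring Auditor Activity, and the first three practices above can be checked together against a grant record. The following is an added example, not LowerPlane code: the grant fields, activity names and sample timestamps are assumptions, and the check flags an Auditor grant with no expiration, a non-Auditor role, and any logged activity outside the grant's active window.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta
# Hypothetical model of an auditor access grant; LowerPlane's own record format
# is not shown on the page, so these field and activity names are assumptions.
SOC2_BUFFER = timedelta(days=30)  # page guidance: audit period end plus 30 days

def soc2_expiration(audit_period_end: date) -> date:
    """Recommended expiration date for a SOC 2 Type II engagement."""
    return audit_period_end + SOC2_BUFFER

@dataclass
class AuditorGrant:
    email: str
    role: str
    granted_at: datetime
    expires_at: datetime | None  # None means manual revocation only
    revoked_at: datetime | None = None

    def active_at(self, t: datetime) -> bool:
        """True if the grant still permits access at time t."""
        if t < self.granted_at:
            return False
        if self.revoked_at is not None and t >= self.revoked_at:
            return False
        return self.expires_at is None or t < self.expires_at

def review_grant(grant: AuditorGrant, events: list[tuple[datetime, str, str]]) -> list[str]:
    """Check a grant and its (timestamp, activity, detail) log entries against the
    page's best practices; returns findings, an empty list meaning clean."""
    findings = []
    if grant.role != "Auditor":
        findings.append(f"{grant.email}: role is {grant.role}, expected Auditor")
    if grant.expires_at is None:
        findings.append(f"{grant.email}: no expiration date set")
    for ts, activity, detail in events:
        if not grant.active_at(ts):
            findings.append(f"{grant.email}: {activity} at {ts.isoformat()} "
                            f"outside the active window ({detail})")
    return findings

# Constructed sample: one grant revoked early, with one login after revocation.
GRANT = AuditorGrant("auditor@example-firm.test", "Auditor",
                     granted_at=datetime(2024, 3, 1, 9, 0),
                     expires_at=datetime(2024, 5, 1),
                     revoked_at=datetime(2024, 4, 20, 17, 0))
EVENTS = [
    (datetime(2024, 3, 1, 10, 5), "Login", "portal sign-in"),
    (datetime(2024, 3, 2, 11, 0), "Evidence access", "downloaded access review export"),
    (datetime(2024, 4, 21, 8, 0), "Login", "portal sign-in"),
]
```

A non-empty result from review_grant on a real export would be the point at which to pull the access log for that account and the revocation record that should have preceded the event.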