The Auditor Portal gives your external auditors a dedicated, read-only view of your compliance data within LowerPlane. Instead of exchanging hundreds of files over email or shared drives, you grant auditors direct access to the evidence, controls, policies, and test results they need to complete their assessment.

What Auditors Can View

Auditors with portal access can view the following areas:

Controls

All controls across applicable frameworks, including implementation status, owner assignments, and linked evidence.

Evidence Vault

Collected evidence artifacts with metadata: file type, collection date, source integration, linked controls, and framework tags.

Policies

Published policies with version history, approval dates, and employee acknowledgment records.

Test Results

All test runs with pass/fail results, execution dates, and supporting details.

Compliance Scores

Framework-level compliance scores, gap analysis, and readiness metrics.

Risk Register

Risk entries with treatment plans, risk levels, and mitigation status.

What Auditors Cannot Do

The Auditor role is strictly read-only. Auditors cannot:
  • Modify controls, evidence, policies, or test configurations
  • Run tests or trigger integration syncs
  • Access integration credentials or connection details
  • View user management or organization settings
  • Access billing information
  • Export raw data in bulk (unless you explicitly enable this)
The Auditor Portal is designed for information consumption, not modification. This protects the integrity of your compliance data while giving auditors everything they need.

Benefits of the Auditor Portal

Benefit | Description
Faster audits | Auditors self-serve the information they need instead of waiting for your team to gather and send files
Reduced back-and-forth | Evidence is organized, tagged, and linked to controls, minimizing clarification requests
Real-time data | Auditors see your current compliance posture, not a snapshot from weeks ago
Audit trail integrity | All data is maintained in LowerPlane’s controlled environment, preventing version confusion
Access control | You control exactly when auditors gain and lose access

How the Audit Process Works with LowerPlane

1. Prepare for the audit

Review your compliance dashboard, resolve any failing tests, and ensure evidence is current. Generate an audit package if your auditor prefers a downloadable format.

2. Grant auditor access

Create an auditor access link or invite the auditor directly. Configure the access scope and expiration. See Auditor Access Management for details.

3. Auditor reviews data

The auditor logs in and reviews controls, evidence, policies, and test results. They can navigate by framework, control domain, or search for specific items.

4. Auditor requests clarification

If the auditor needs additional information, they communicate through your normal audit communication channel. You can upload additional evidence or add notes within LowerPlane.

5. Revoke access after the audit

Once the audit is complete, revoke the auditor's access or let it expire. All auditor activity is logged for your records.

Auditor Portal Navigation

Auditors see a streamlined interface optimized for compliance review:
  • Framework selector — Choose which framework to review (ISO 27001, SOC 2, HIPAA, GDPR, PCI-DSS, NIST, and 50+ others)
  • Control browser — Navigate controls by domain, category, or status
  • Evidence browser — Browse and download evidence artifacts by control, framework, or date
  • Test results — View all tests with filtering by status, type, and severity
  • Policy list — Access published policies with approval and acknowledgment records
  • Search — Full-text search across controls, evidence, and policies

Supported Audit Types

The Auditor Portal supports evidence review for:
Audit Type | Scope
SOC 2 Type I | Point-in-time assessment of control design
SOC 2 Type II | Period-of-time assessment of control operation (typically 3-12 months)
ISO 27001 Certification | Full ISMS assessment against ISO 27001 Annex A
ISO 27001 Surveillance | Annual follow-up audit between certification cycles
HIPAA Assessment | Review of administrative, physical, and technical safeguards
PCI-DSS Assessment | Review of cardholder data environment controls
GDPR Review | Assessment of data protection practices and documentation
For SOC 2 Type II audits, ensure your evidence covers the entire audit period. Auditors need to see that controls were operating effectively throughout the period, not just at a single point in time.
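The period-coverage requirement above can be checked mechanically before granting auditor access. The script below is an added example, not LowerPlane code: it assumes a simple model in which each control has an expected operating cadence (in days) and each evidence record carries a collection date, and it reports every span longer than one cadence that has no evidence, including a missing first or last interval. The evidence records and cadences are constructed for the example.

```python
"""Find spans of a SOC 2 Type II audit period that no evidence supports.

Added illustration, not LowerPlane code. The evidence records, control IDs and
per-control cadences below are constructed; a real run would read them from
the Evidence Vault export.
"""
from datetime import date, timedelta

# Constructed audit period.
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 6, 30)

# Assumed operating cadence per control: the longest acceptable stretch of days
# with no evidence that the control operated.
CADENCE_DAYS = {"CC6.1": 31, "CC7.2": 7, "CC1.1": 92, "CC8.1": 31}

# Constructed (control_id, collection_date) records.
EVIDENCE = (
    # monthly access review: no April record
    [("CC6.1", d) for d in (date(2024, 1, 15), date(2024, 2, 12), date(2024, 3, 11),
                            date(2024, 5, 2), date(2024, 6, 1), date(2024, 6, 28))]
    # weekly vulnerability scan: the run of 13 March never happened (k == 10)
    + [("CC7.2", date(2024, 1, 3) + timedelta(days=7 * k)) for k in range(26) if k != 10]
    # quarterly review: one record, so Q2 is unsupported
    + [("CC1.1", date(2024, 3, 1))]
    # CC8.1 has no evidence at all
)


def coverage_gaps(evidence, control_id, period_start, period_end, cadence_days):
    """Return (start, end) spans inside the period longer than one cadence with no evidence."""
    dates = sorted({d for c, d in evidence
                    if c == control_id and period_start <= d <= period_end})
    day = timedelta(days=1)
    gaps = []
    # Sentinels one day outside the period make the edge checks uniform: the first
    # record must fall within one cadence of the period start and the last within
    # one cadence of the period end. A control with no records yields one gap
    # spanning the whole period.
    prev = period_start - day
    for d in dates + [period_end + day]:
        if (d - prev).days > cadence_days:
            gaps.append((prev + day, d - day))
        prev = d
    return gaps


def report(evidence, cadence_days, period_start, period_end):
    """Map every control in `cadence_days` to its gaps as ISO date pairs."""
    return {
        control: [(a.isoformat(), b.isoformat())
                  for a, b in coverage_gaps(evidence, control, period_start, period_end, cadence)]
        for control, cadence in cadence_days.items()
    }


if __name__ == "__main__":
    for control, gaps in report(EVIDENCE, CADENCE_DAYS, PERIOD_START, PERIOD_END).items():
        print(control, "covered" if not gaps else f"gaps: {gaps}")
```

Run it before step 1 of the audit process: each reported span is a stretch the auditor will be unable to sample, so either locate the missing artifact or document the exception before access is granted.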

Security of Auditor Access

Auditor access is secured through multiple layers:
  • Time-limited access — Every auditor access grant carries an expiration date
  • Read-only permissions — No ability to modify any data
  • Activity logging — All auditor actions are recorded in the audit log
  • Scoped access — Auditors only see compliance-relevant data, not operational settings
  • Revocable at any time — You can revoke access immediately if needed
Always set an expiration date on auditor access. Leaving auditor accounts active indefinitely is a security risk and may itself be flagged as an access management finding in future audits.
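To make the layers above concrete, here is an added reference model of the auditor-access decision, written for this page and not taken from LowerPlane. It assumes a grant record with a mandatory expiry, a framework scope, a bulk-export flag that is off by default, and a revoked flag; the resource names, the 90-day ceiling and the request shapes are assumptions. Every decision, allowed or denied, is appended to a log so the access trail described above exists even for refused requests.

```python
"""Reference model of the auditor-access rules: read-only, scoped, time-limited,
revocable, logged.

Added illustration, not LowerPlane code. Resource names, the 90-day expiry
ceiling and the request format are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Compliance data an auditor may read (assumed names).
AUDITOR_READABLE = frozenset({"controls", "evidence", "policies", "test_results",
                              "compliance_scores", "risk_register"})
# Operational and administrative data that is never visible to the Auditor role.
OPERATIONAL = frozenset({"integrations", "users", "org_settings", "billing"})


@dataclass
class AuditorGrant:
    auditor: str
    frameworks: frozenset      # scope: frameworks this auditor may review
    expires_at: datetime       # mandatory; there is no open-ended grant
    bulk_export: bool = False  # raw bulk export stays off unless enabled explicitly
    revoked: bool = False

    def __post_init__(self):
        if self.expires_at.tzinfo is None:
            raise ValueError("expires_at must be timezone-aware")


@dataclass
class Decision:
    allowed: bool
    reason: str


def new_grant(auditor, frameworks, days, now=None, bulk_export=False):
    """Create a grant that always expires; `days` is clamped to an assumed 1..90 ceiling."""
    now = now or datetime.now(timezone.utc)
    days = max(1, min(days, 90))
    return AuditorGrant(auditor, frozenset(frameworks), now + timedelta(days=days), bulk_export)


def authorize(grant, action, resource, framework=None, now=None, log=None):
    """Decide one request and record the outcome in `log` (allow and deny alike)."""
    now = now or datetime.now(timezone.utc)
    log = log if log is not None else []

    def decide(allowed, reason):
        log.append({"ts": now.isoformat(), "auditor": grant.auditor, "action": action,
                    "resource": resource, "framework": framework,
                    "allowed": allowed, "reason": reason})
        return Decision(allowed, reason)

    if grant.revoked:                       # revocation wins over everything else
        return decide(False, "grant revoked")
    if now >= grant.expires_at:             # time-limited access
        return decide(False, "grant expired")
    if resource in OPERATIONAL:             # scoped: no settings, users, billing, credentials
        return decide(False, "operational resource not visible to auditors")
    if resource not in AUDITOR_READABLE:
        return decide(False, "unknown resource")
    if action == "export_bulk":             # bulk export only when explicitly enabled
        if not grant.bulk_export:
            return decide(False, "bulk export not enabled for this grant")
    elif action != "read":                  # read-only: no modify, run, or sync
        return decide(False, "auditor role is read-only")
    if framework is not None and framework not in grant.frameworks:
        return decide(False, "framework outside grant scope")
    return decide(True, "ok")


def demo():
    """Exercise each rule with constructed requests; returns (decisions, log)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    grant = new_grant("auditor@example.com", ["SOC 2"], days=30, now=t0)
    log = []
    requests = [
        ("read", "controls", "SOC 2", t0),                       # allowed
        ("write", "controls", "SOC 2", t0),                      # read-only
        ("read", "integrations", None, t0),                      # operational data
        ("read", "evidence", "ISO 27001", t0),                   # outside scope
        ("export_bulk", "evidence", "SOC 2", t0),                # export not enabled
        ("read", "evidence", "SOC 2", t0 + timedelta(days=31)),  # expired
    ]
    results = [authorize(grant, a, r, f, now=t, log=log).allowed for a, r, f, t in requests]
    grant.revoked = True                                          # revoke at any time
    results.append(authorize(grant, "read", "evidence", "SOC 2", now=t0, log=log).allowed)
    return results, log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry["allowed"], entry["reason"])
```

The order of the checks matters: revocation and expiry are evaluated before anything else, so a revoked or lapsed grant is refused even for resources it was scoped to, and the log entry states which layer refused it. Note that `new_grant` refuses to create an open-ended grant at all, which is the simplest way to honour the expiration rule above.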