Reports & Auditor Access
ForgeComply generates audit-ready reports that provide auditors with the information they need. This guide explains how reports work and what auditors can access.
What Are Reports?
Reports are immutable, point-in-time snapshots of your compliance status. When you generate reports, ForgeComply captures the current state of your controls, policies, evidence, and exceptions.
Key characteristics:
- Reports do not auto-update
- Each report has a unique ID and timestamp
- Reports cannot be edited after generation
- Generate new reports to reflect changes
This immutability is intentional. Auditors need to know that what they're reviewing hasn't changed since generation.
Report Types
ForgeComply generates four report types, each serving a specific audit purpose.
Audit Readiness Summary
An executive overview of your compliance status.
Contains:
- Overall readiness status (Pass / At Risk / Fail)
- Control status breakdown
- Policy coverage summary
- Evidence coverage summary
- Exception summary
Use for: Executive review, audit kickoff meetings, status updates.
Control Matrix
A detailed breakdown of every control with its current status.
Contains:
- Each control and its evaluation status
- Linked policies per control
- Evidence count per control
- Owner assignments
- Gaps and issues
Use for: Detailed audit review, gap analysis, remediation planning.
Evidence Index
A complete listing of all evidence for audit sampling.
Contains:
- Evidence items with metadata
- Linked controls
- Upload dates
- Review status
Use for: Auditor evidence requests, sampling, verification.
Exceptions Report
Documentation of all risk acceptances and compensating controls.
Contains:
- Exception details and justification
- Affected controls
- Compensating controls
- Expiration dates
- Approval status
Use for: Risk acknowledgment, auditor review of accepted gaps.
Generating Reports
Reports are generated on demand from the Reports page.
- Navigate to Reports in the sidebar
- Click Generate Reports
- All four report types are generated simultaneously
- Each report receives a unique ID (e.g., RPT-20250106-A1B2)
When to generate:
- Before auditor review
- After significant updates
- At milestone completions
- Before audit kickoff
Note: Generating reports does not change your working data. You can continue making changes and generate new reports at any time.
Report Immutability
Once generated, reports cannot be modified. This is a deliberate design choice for audit integrity.
Why immutability matters:
- Auditors need confidence that reports reflect a specific point in time
- Prevents accidental or intentional manipulation
- Creates a clear audit trail
- Matches auditor expectations for compliance artifacts
If you need to correct something:
- Make changes to your controls, policies, or evidence
- Generate a new set of reports
- Provide the new reports to your auditor
Previous reports remain available for reference.
What Auditors Can See
When you grant auditor access, they can view:
| Accessible | Not Accessible |
|---|---|
| ✅ Generated reports | ❌ Draft policies |
| ✅ Evidence linked to reports | ❌ Internal notes |
| ✅ Exception details | ❌ Control response history |
| ✅ Policy documents (approved) | ❌ User activity |
| ✅ Report download (PDF/CSV) | ❌ Generate or modify anything |
Auditors have read-only access to completed, reportable information.
Auditor Role
The Auditor role is specifically designed for external auditors or internal reviewers who need to verify compliance without modifying data.
Auditors can:
- View the Reports page
- View individual reports
- Download report PDFs and CSVs
- View evidence files linked to reports
- Log out
Auditors cannot:
- Access Dashboard, Controls, Policies, or Evidence pages
- Create or modify assessments
- Generate reports
- Change settings
- View draft content
This separation ensures audit integrity and prevents conflicts of interest.
Inviting an Auditor
To grant auditor access:
- Go to Settings → Team Members
- Click Invite User
- Enter the auditor's email
- Select Auditor as the role
- Send invitation
The auditor will receive an email with instructions to access your organization's reports.
Best practices:
- Invite auditors only when reports are ready
- Generate fresh reports before granting access
- Communicate which reports are final vs. preliminary
Report Downloads
Reports can be downloaded in multiple formats:
| Format | Best For |
|---|---|
| PDF | Formal documentation, archive, sharing |
| CSV | Control Matrix and Evidence Index — data analysis, spreadsheet review |
Download buttons appear on each report card and in the report detail view.
Report Versioning
Each time you generate reports, a new set is created with:
- New report IDs
- Current timestamp
- Current data snapshot
Previous reports are retained and accessible. You can view the generation history to track changes over time.
Frequently Asked Questions
Do reports update automatically?
No. Reports are point-in-time snapshots. Generate new reports to reflect changes.
Can auditors see my working drafts?
No. Auditors only see generated reports and approved policies.
Can I delete old reports?
Report retention is managed by your organization. Contact support for retention policy questions.
What if an auditor needs more detail?
Generate a new report after making updates, or provide additional evidence through the Evidence Index.
Can auditors see AI guidance?
No. AI assistance is internal only and never appears in reports.
Next Steps
- Evidence Documentation — What counts as evidence
- Controls Documentation — How controls are evaluated
- Security & Privacy — How your data is protected