What auditors can see in Audit Hub (New Experience)

A comparison guide showing what auditors can see in Audit Hub compared to what customers can see in Drata.

Overview

This article explains what auditors can see in Audit Hub and how that compares with what customers manage in Drata. Both sides work from the same underlying audit data, evidence, and audit packages, but access and actions depend on how the audit is configured.

Use the sections below to compare the auditor view and the customer view at the same stage of the audit workflow.

Choosing the client and audit

What the customer sees

The customer creates the audit in Drata, selects the framework and audit period, and adds the auditor to the engagement. Once the auditor is assigned, they can access the audit from the Audit Portal.

What the auditor sees

After signing in to the Audit Portal, the auditor can view the list of assigned clients.

After selecting a client, they can see the available audits for that client and open the audit they need to review. If Read-only access is enabled, the auditor can navigate the Drata app and view evidence, controls, and documentation beyond the assigned audit. They cannot edit, upload, or delete content. The customer controls whether Read-only access is granted. If it is not enabled, the auditor is limited to the data and evidence scoped to the assigned audit.

Screenshot displays the View in read-only button for auditors

Depending on how access is configured, some auditors may instead land on a list of audits they can access or go directly to a specific audit.

Main audit overview

What the auditor sees

After the auditor opens a specific audit, they land on the main audit page. From there, they can typically see the audit name, audit period, completion state, assigned auditors, request summary, request list, and Audit Resources.

If the auditor is assigned to more than one audit, they can use the client list and audit list to open the specific audit they want to review.

Main audit: Package downloads

The pre-audit package reflects the audit state when the audit is opened, while the control evidence package reflects the evidence snapshot taken when audit samples are set. If evidence is added later, customers may need to open a new audit for a refreshed pre-audit package or adjust samples and regenerate the control evidence package to update what the auditor can download.

What the auditor sees

From the main audit page, the auditor can open Package downloads to access audit package options. Typical options include Pre audit package, Request control evidence, and View past downloads.

When a package is ready, Drata sends the requester an email with the download link, and the package can also be downloaded from the menu or notification link.

What the customer sees

Audit packages are generated from the same underlying data for both the auditor and the customer. The pre-audit package reflects the audit state when the audit is opened, while the control evidence package reflects the evidence snapshot taken when audit samples are set.

What Package downloads includes

From the Audit Resources area on the main audit page, auditors can start common download actions such as Download pre-audit package, Download control evidence, and sometimes View past downloads. Drata prepares the ZIP in the background, then sends an email with the download link and also makes the file available in the Audit Portal.

What the pre-audit package shows

The pre-audit package shows a snapshot of the audit based on the last time the package was generated.

In the new experience:

  • While creating an audit, the pre-audit package is optional.

    • Customers can Include pre-audit package. This is turned on by default during audit creation.

    • Customers can choose which evidence categories to include.

    • The Infrastructure accounts category is also available in the pre-audit package category list.

  • Customers can update category selections later using the Edit package modal.

  • Customers do not need to open a new audit to refresh the pre-audit package.

What the control evidence package shows

The control evidence package is based on the evidence snapshot taken when audit samples are first set.

It includes:

  • control-level evidence files

  • audit metadata and mappings

  • an interactive evidence manifest

If new evidence is mapped after samples are already set, that evidence will not appear in the existing control evidence package until samples are updated and the package is regenerated.

What customers can change in Drata

Customers can change what the auditor sees by:

  • selecting the framework and audit period when the audit is created

  • making sure evidence is uploaded or generated within the audit period

  • updating mapped evidence in Drata

  • adjusting sample selections so the control evidence package can be regenerated with the updated scope

  • turning the pre-audit package off during audit creation, if needed

  • editing which evidence categories are included by using the Edit package modal

  • updating audit attributes or category selections, which automatically regenerates the pre-audit package

In Download only, the customer selects the audit samples instead of relying on the auditor to do it. Sample dates must fall within the audit period, and those sample selections can be edited after the audit is created.

Main audit: Requests and messages

What the auditor sees

The request area shows the requests associated with the audit. Auditors can review request details such as the request name or ID, status, and related activity, then open a request for more detail.

Within a request, the auditor can review request details and use the Messages panel for request-specific communication. The portal can also generate system messages when evidence is uploaded or a request status changes.

What the customer sees

Customers use the same request context to upload evidence, respond to auditor questions, and update request status when more information is needed.

What customers should keep in mind

  • Customers control the framework, audit period, and auditor assignment for the audit.

  • Auditors and customers work from the same underlying audit data and package sources.

  • Read-only access expands what the auditor can view, but it does not allow edits.

  • If a package download fails or takes longer than expected, retry it from Audit Resources. If the issue continues, contact Drata Support.
