Permission Matrix
Workpapers
| Action | Auditor | Manager | CAE | QA | Viewer |
|---|---|---|---|---|---|
| View workpapers | ✅ Own engagements | ✅ All | ✅ All | ✅ All | ✅ |
| Create workpapers | ✅ | ✅ | ✅ | ❌ | ❌ |
| Edit draft workpapers | ✅ Own | ✅ All | ✅ All | ❌ | ❌ |
| Submit for review | ✅ Preparer only | ✅ | ✅ | ❌ | ❌ |
| Review workpapers | ❌ | ✅ | ✅ | ✅ | ❌ |
| Sign off | ✅ Preparer | ✅ Reviewer | ✅ | ❌ | ❌ |
| Use AI Assistant | ✅ | ✅ | ✅ | ❌ | ❌ |
Evidence
| Action | Auditor | Manager | CAE | Client |
|---|---|---|---|---|
| Upload evidence | ✅ | ✅ | ✅ | ✅ PBC |
| View evidence | ✅ Own engagements | ✅ All | ✅ All | ❌ |
| Download evidence | ✅ | ✅ | ✅ | ❌ |
| Delete evidence | ❌ | ❌ | ❌ | ❌ |
Test Procedures
| Action | Auditor | Manager | CAE |
|---|---|---|---|
| Create test procedures | ✅ | ✅ | ✅ |
| Edit test procedures | ✅ Own | ✅ All | ✅ All |
| Record results | ✅ | ✅ | ✅ |
Segregation of Duties
- A workpaper preparer cannot also be the reviewer for the same workpaper
- The system enforces this by preventing the preparer_id and reviewer_id from being the same user
- Attempting to self-review returns a "SoD violation" error
Organization Isolation
All fieldwork data is scoped to the engagement's org_id. Cross-organization data access is prevented at the database and API levels.
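
The sketch below shows how the Segregation of Duties rule and the org_id scoping described above can be enforced together at both the API and database levels. It is an added example, not the product's own code. The table schema, the function names, the in-memory SQLite database and the choice to report a cross-organization lookup as "not found" are all assumptions.

```python
import sqlite3

REVIEW_ROLES = {"Manager", "CAE", "QA"}  # "Review workpapers" row of the matrix

class SoDViolation(Exception):
    """Preparer and reviewer would be the same user."""

def open_db():
    # Hypothetical schema. The CHECK is a database-level backstop in case a
    # code path bypasses the API-level check in assign_reviewer().
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE workpapers (
        id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL,
        preparer_id INTEGER NOT NULL, reviewer_id INTEGER,
        CHECK (reviewer_id IS NULL OR reviewer_id <> preparer_id))""")
    return db

def assign_reviewer(db, user, workpaper_id):
    """Make `user` (dict: id, org_id, role) the reviewer of a workpaper."""
    if user["role"] not in REVIEW_ROLES:
        raise PermissionError("role may not review workpapers")
    # Org isolation: every query is filtered by the caller's org_id, so a
    # workpaper in another organization looks the same as a missing one.
    row = db.execute(
        "SELECT preparer_id FROM workpapers WHERE id = ? AND org_id = ?",
        (workpaper_id, user["org_id"])).fetchone()
    if row is None:
        raise LookupError("workpaper not found")
    if row[0] == user["id"]:
        raise SoDViolation("SoD violation")
    db.execute(
        "UPDATE workpapers SET reviewer_id = ? WHERE id = ? AND org_id = ?",
        (user["id"], workpaper_id, user["org_id"]))
    return True

def demo():
    db = open_db()
    # Constructed sample data: workpaper 1 in org 10, prepared by user 1.
    db.execute("INSERT INTO workpapers (id, org_id, preparer_id) VALUES (1, 10, 1)")
    callers = {"preparer": (1, 10, "Manager"), "auditor": (2, 10, "Auditor"),
               "other_org": (3, 20, "Manager"), "peer": (4, 10, "Manager")}
    outcomes = {}
    for name, (uid, org, role) in callers.items():
        user = {"id": uid, "org_id": org, "role": role}
        try:
            outcomes[name] = assign_reviewer(db, user, 1)
        except (PermissionError, LookupError, SoDViolation) as exc:
            outcomes[name] = type(exc).__name__
    return outcomes
```

Calling `demo()` returns the outcome for each constructed caller; only the peer Manager in the same organization is accepted as reviewer.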