
TATER Audit — Auditor Workbench

For audit firms: turn a pile of a client's evidence files into a mapped, searchable, audit-ready set — with Claude doing the reading.

Last updated 2026-06-17

What it is

TATER Audit is a workspace for an audit firm to run multiple client SOC 2 engagements in one place. For each engagement you collect evidence (policies, access lists, config screenshots, sub-service SOC reports, tickets, signed attestations…), and TATER maps each piece to the SOC 2 Trust Services Criteria it supports, indexes it for search, tracks coverage and gaps, and holds your workpapers. It works with or without the client being a TATER customer — the firm just uploads its own files.

It appears in the sidebar (the TATER Audit group) only for organizations TATER has registered as an audit firm. Contact TATER to enable it for your firm org.

The key idea: Claude does the reading (MCP-first)

TATER doesn't run an AI model on your files and it doesn't store your raw documents to "process" them server-side. Instead, you connect Claude to TATER's MCP server and hand Claude the client's files. Claude reads each file natively, extracts what it shows, and records it as structured evidence mapped to the criteria it supports. TATER stores the mapping + summary and indexes it — it never re-reads the file. That means no per-file AI cost to TATER, the most capable model doing the cognition, and a clean audit trail of what was recorded and when.

The loop, in practice:

  1. Create an engagement (UI or create_audit_engagement).
  2. In Claude, point at the client's files and say "ingest these for engagement <id>". Claude reads each and calls ingest_audit_evidence with a summary + the TSC criteria it supports.
  3. Ask get_audit_coverage to see what's covered and what's still a gap.
  4. For each criterion, review the evidence and record a workpaper (create_audit_workpaper) — your procedure, the evidence relied on, the result, and your conclusion.

Engagements

An engagement is one client audit: client name, framework (SOC 2 Type II by default), audit period, scope, lead auditor, and status (planning → fieldwork → review → reporting → complete). Open one to see its evidence, coverage, and workpapers.

Evidence

Each evidence record carries the file name, an evidence type, a summary of what it demonstrates, the TSC criteria it supports, and a status (received / reviewed / accepted / exception). Evidence arrives two ways:

The evidence search (search_audit_evidence) is a ranked index across file names, summaries, and mapped criteria — use it to answer "do we have evidence for CC6.1?" before writing a workpaper.

TSC coverage

The Coverage tab shows every SOC 2 criterion (the mandatory Common Criteria CC1–CC9 plus the optional Availability / Confidentiality / Processing Integrity / Privacy categories), the evidence mapped to each, the workpaper result, and whether it's covered. The KPI strip shows overall coverage %, the mandatory Common-Criteria %, and the count of gaps — so you can see how audit-ready an engagement is at a glance and what's left before fieldwork wraps.
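A minimal model of how the three KPI figures can be derived from evidence records, added here as an example and not TATER's own code. The record field names, the in-scope criteria list, and the rule that a criterion counts as covered once one valid record maps to it are assumptions; because the mappings are recorded by a model, records with an unknown status or an out-of-scope criterion ID are rejected instead of counted.

```python
from collections import defaultdict

# Assumption: criteria in scope for a constructed engagement (Common Criteria + Availability).
IN_SCOPE = ["CC6.1", "CC6.2", "CC7.1", "CC8.1", "A1.1", "A1.2"]
# Evidence statuses as listed on this page.
STATUSES = {"received", "reviewed", "accepted", "exception"}

def validate(rec):
    """Return the problems found in one evidence record; an empty list means usable."""
    problems = []
    if rec.get("status") not in STATUSES:
        problems.append(f"unknown status {rec.get('status')!r}")
    if not str(rec.get("summary", "")).strip():
        problems.append("empty summary")
    criteria = rec.get("criteria") or []
    if not criteria:
        problems.append("no criteria mapped")
    problems += [f"criterion {c!r} not in scope" for c in criteria if c not in IN_SCOPE]
    return problems

def coverage(records):
    """Compute overall %, Common Criteria % and gaps from validated records only."""
    mapped, rejected = defaultdict(list), {}
    for rec in records:
        problems = validate(rec)
        if problems:  # one bad field rejects the whole record for human review
            rejected[rec.get("file_name")] = problems
            continue
        for c in rec["criteria"]:
            mapped[c].append(rec["file_name"])
    def pct(ids):
        return round(100 * sum(c in mapped for c in ids) / len(ids))
    common = [c for c in IN_SCOPE if c.startswith("CC")]
    return {"overall_pct": pct(IN_SCOPE), "common_pct": pct(common),
            "gaps": [c for c in IN_SCOPE if c not in mapped], "rejected": rejected}

# Constructed sample records (hypothetical field names, not TATER's schema).
SAMPLE = [
    {"file_name": "access-review-q1.xlsx", "status": "reviewed",
     "summary": "Quarterly user access review with sign-off", "criteria": ["CC6.1", "CC6.2"]},
    {"file_name": "change-tickets.csv", "status": "received",
     "summary": "Change tickets with approvals", "criteria": ["CC8.1"]},
    {"file_name": "backup-config.png", "status": "accepted",
     "summary": "Backup schedule screenshot", "criteria": ["A1.2", "CC6.9"]},  # CC6.9 not in IN_SCOPE
    {"file_name": "ids-alerts.pdf", "status": "done",  # status outside the allowed set
     "summary": "IDS alert export", "criteria": ["CC7.1"]},
]

if __name__ == "__main__":
    print(coverage(SAMPLE))
```

The rejected entries keep their reasons, so a reviewer can correct the mapping and re-ingest instead of carrying an unverified mapping into the coverage percentage.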

Workpapers

For each criterion, record a workpaper: the test procedure performed, the evidence relied on, the result (effective / exception / not-applicable), and your conclusion. The conclusion is the auditor's — TATER (and Claude) help you assemble and map the evidence, but you remain responsible for the opinion. Claude as augmentation, with auditor sign-off; never "AI concludes the control is effective."

PBC request list

The PBC Requests tab is your "Provided By Client" list — what you need the client to hand over for the engagement. Track each item with a category (policy / evidence / access / config / report / interview), an optional TSC criterion it supports, the client contact it's assigned to, a due date, and a status (open → requested → received → accepted → closed). Items past their due date while still open are flagged overdue so nothing slips. The tab header shows open and overdue counts at a glance, turning the back-and-forth of "did we get X yet?" into a tracked checklist.

Engagement reports

The 📄 Report button on an engagement assembles a branded Word (.docx) audit report from everything in the engagement: an overview, the TSC coverage summary and per-category breakdown, any exceptions noted, every tested workpaper (procedure, evidence relied on, result, your conclusion, preparer/reviewer), and the full evidence inventory. It carries your firm's name and logo. The report is generated on demand and downloaded via a short-lived link — re-run it any time as the engagement progresses.

With or without the client's TATER data — the Live Bridge

If the client isn't a TATER customer, you just upload/ingest their files — everything works. If the client is a TATER customer, set the client's TATER org ID on the engagement (Edit → Client TATER org ID) and use the Live Bridge tab to pull their live compliance posture — the latest scan plus any risk acceptances — straight in as evidence, automatically mapped to the SOC 2 criteria each signal supports. Re-pull any time to refresh; it updates the tater-live evidence in place rather than duplicating. Access requires an MSP relationship between your firm's org and the client org (set up in TATER Manage → Clients) — a firm can't read an org it has no engagement-of-record relationship with. Either way the engagement is the same workspace.

Confidentiality & independence

MCP tools

Roles

Admins can create engagements and delete evidence; Auditors can ingest evidence, search, record workpapers, and view coverage. Both require the org to be registered as an audit firm.
