The Auditor's Guide to Working with Papyrus

For external and internal auditors: how to navigate a Papyrus tenant during an engagement, what to test, and what evidence to produce.

This guide is for the auditor walking into a Papyrus-using client for the first time. Internal auditors, external auditors, regulatory examiners, and forensic accountants will find it useful.

Getting access

You should be granted the Auditor role. This is read-only:

  • Browse documents the client has scoped you to (typically a specific period and class)
  • Run audit-log queries across the full tenant
  • Export findings as audit-defensible bundles
  • View workflow history and approval chains

You cannot edit, delete, share externally, or change permissions. You will be visible to the Tenant Admin as an active session.

Best practice: the engagement letter specifies the scope. Get the Auditor role grant with that scope before the fieldwork starts.

The first 30 minutes

When you sign in:

  1. Confirm scope: Compare your access against the engagement letter. If you can see things you shouldn't, raise it immediately.
  2. Run a tenant snapshot: Total document count, by classification. Total workflow instances, by state. Active users, by role.
  3. Pull the audit log for your period: Filter by CreatedAt between your engagement dates.
  4. Identify privileged actions: Permission changes, document deletions, retention overrides, classification corrections by privileged users.

These give you the lay of the land before you start testing.

What to test

Control 1 — Segregation of duties

Look at workflows for high-risk processes (invoice approval, payments, contract execution). Verify that the initiator, the approver, and the executor are three different people. Papyrus can enforce this separation when it is configured to; verify that it is configured, then sample instances to confirm the separation actually held.

Control 2 — Privileged access review

Pull the list of users with PlatformAdmin, TenantAdmin, WorkflowDesigner, and Auditor roles. For each, check:

  • Was the assignment recent? Approved by whom?
  • Has the user used the privilege?
  • Is the assignment still needed?

Documented privilege reviews should be available in the audit log.

Control 3 — Audit-log integrity

The audit log is hash-chained. Test it: ask the client to run the built-in verification function on the chain. Successful verification produces a certificate; failure surfaces an alert.

Control 4 — Retention policy enforcement

Find documents older than their retention period. There should be none, OR all such documents should have an active litigation hold. If there are documents past retention with no hold and no disposition trail — that's a finding.
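The check above, as an added example that is not Papyrus code and does not use the Papyrus schema: the record shape, the field names (retention_years, litigation_hold, disposition_logged) and the sample documents are all assumptions constructed for illustration. It walks a document listing as of the engagement date and reports two things: documents past retention with neither a hold nor a disposition trail, and documents that never had a retention policy assigned at all (the "defined but not assigned" pattern listed under common findings). A 29 February creation date is handled so the expiry computation does not raise.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed record shape for one document in a tenant listing (not the Papyrus schema)
@dataclass
class Document:
    id: str
    classification: str
    created: date
    retention_years: Optional[int]      # None: no retention policy assigned
    litigation_hold: bool = False       # an active hold exists in the tenant
    disposition_logged: bool = False    # the audit log carries a disposition trail

def add_years(d: date, years: int) -> date:
    """Retention expiry; a 29 February anchor rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_findings(docs, as_of: date):
    """Return (document_id, finding) pairs for Control 4."""
    findings = []
    for d in docs:
        if d.retention_years is None:
            # A policy that was never assigned is itself a finding
            findings.append((d.id, "no retention policy assigned"))
            continue
        expiry = add_years(d.created, d.retention_years)
        if expiry > as_of:
            continue                    # still inside its retention period
        if d.litigation_hold:
            continue                    # past retention, legitimately held
        if d.disposition_logged:
            continue                    # past retention, disposition trail present
        findings.append(
            (d.id, f"past retention since {expiry.isoformat()}, no hold, no disposition trail"))
    return findings

# Constructed sample, not data from any real tenant
SAMPLE_DOCS = [
    Document("DOC-0101", "Confidential", date(2017, 3, 10), 7),
    Document("DOC-0102", "Internal", date(2016, 1, 15), 7, litigation_hold=True),
    Document("DOC-0103", "Internal", date(2020, 5, 1), 7),
    Document("DOC-0104", "Restricted", date(2015, 9, 30), None),
    Document("DOC-0105", "Internal", date(2016, 2, 29), 7, disposition_logged=True),
]
SAMPLE_AS_OF = date(2024, 6, 30)        # engagement date used for the sample run

def run_retention_sample():
    return retention_findings(SAMPLE_DOCS, SAMPLE_AS_OF)

if __name__ == "__main__":
    for doc_id, finding in run_retention_sample():
        print(doc_id, finding)
```

On the sample, DOC-0101 is reported as past retention with no hold and no trail, DOC-0104 as having no policy at all; the held document and the one with a disposition trail are left alone. Run the same logic against the client's listing per classification, since retention periods usually differ by class.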

Control 5 — External sharing controls

Run a query for all external shares in the period. For each, verify:

  • Time-bounded (no perpetual links)
  • Recipient identifiable (email captured)
  • Audit log shows view/download activity
  • Restricted documents not externally shared

Control 6 — Workflow conformance

Sample 15-20 high-risk workflows (e.g., invoice approvals over a threshold, contract executions). For each, verify:

  • Initiated by the right user
  • Routed through the right approvers
  • Approver actions were captured with rationale
  • SLA met (or escalation logged if not)
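The Control 1 and Control 6 checks together, as an added example that is not Papyrus code: the workflow record shape, the step kinds "approve" and "execute", the required_approvers parameter and the sample instances are assumptions constructed for illustration, not the fields of a real workflow-history export. For each sampled instance it flags any overlap between initiator, approvers and executors, a required approver missing from the route, an approval without a rationale, and an SLA breach with no escalation logged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed shape of one step in a workflow-history export (not the Papyrus schema)
@dataclass
class Step:
    kind: str                 # "approve" or "execute"
    user: str
    at: datetime
    rationale: str = ""

@dataclass
class Workflow:
    id: str
    initiator: str
    started: datetime
    sla: timedelta
    steps: list
    escalated: bool = False   # True if an SLA escalation was logged

def check_workflow(wf, required_approvers):
    """Return (workflow_id, finding) pairs for one instance."""
    findings = []
    approvers = {s.user for s in wf.steps if s.kind == "approve"}
    executors = {s.user for s in wf.steps if s.kind == "execute"}

    # Control 1: initiator, approver and executor must be different people
    if wf.initiator in approvers:
        findings.append("initiator also approved")
    if wf.initiator in executors:
        findings.append("initiator also executed")
    if approvers & executors:
        findings.append("approver also executed")

    # Control 6: routed through the expected approvers
    missing = set(required_approvers) - approvers
    if missing:
        findings.append("missing required approver(s): " + ", ".join(sorted(missing)))

    # Control 6: every approval carries a rationale
    for s in wf.steps:
        if s.kind == "approve" and not s.rationale.strip():
            findings.append(f"approval by {s.user} has no rationale")

    # Control 6: SLA met, or an escalation logged when it was not
    if wf.steps:
        finished = max(s.at for s in wf.steps)
        if finished - wf.started > wf.sla and not wf.escalated:
            findings.append("SLA breached with no escalation logged")

    return [(wf.id, f) for f in findings]

# Constructed sample of three invoice approvals, not a real tenant's data
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_WORKFLOWS = [
    Workflow("INV-1001", "alice", T0, timedelta(days=2),
             [Step("approve", "bob", T0 + timedelta(hours=5), "Matches PO 4411"),
              Step("execute", "carol", T0 + timedelta(hours=6))]),
    Workflow("INV-1002", "alice", T0, timedelta(days=2),
             [Step("approve", "alice", T0 + timedelta(hours=1), "ok"),
              Step("execute", "carol", T0 + timedelta(days=3))]),
    Workflow("INV-1003", "dave", T0, timedelta(days=2),
             [Step("approve", "bob", T0 + timedelta(hours=2)),
              Step("execute", "bob", T0 + timedelta(hours=3))]),
]

def run_workflow_sample(required_approvers=("bob",)):
    findings = []
    for wf in SAMPLE_WORKFLOWS:
        findings.extend(check_workflow(wf, required_approvers))
    return findings

if __name__ == "__main__":
    for wf_id, finding in run_workflow_sample():
        print(wf_id, finding)
```

INV-1001 passes every check. INV-1002 is self-approved, skips the required approver and overruns its SLA without an escalation; INV-1003 has the approver also executing and an approval with no rationale. Each line is a finding to raise with the Compliance Officer, with the workflow id as the reference for the working papers.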

Control 7 — Classification accuracy

For sensitive document classes (Confidential / Restricted), spot-check that classification is correct. If documents containing PII are misclassified as Internal, that's a DPA finding.

Control 8 — DSAR fulfilment

Pull the list of DSARs in the period. For each:

  • Fulfilment within 30 days?
  • Identity verification recorded?
  • Scope of search documented?
  • Privilege exclusions justified?

Producing evidence

Papyrus's audit log export produces a hash-signed PDF. The export includes:

  • Query parameters (what you searched for)
  • Result count
  • Each entry with hash chain reference
  • A verification certificate

Attach this PDF to your working papers. The chain reference lets a re-performer verify the export wasn't doctored.
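What the hash-chained audit log of Control 3 buys you, and what a re-performer checks on an export, as an added example. This is not Papyrus's verification function and the entry format, the sentinel for the first link, and the chain_ref field are assumptions constructed for illustration; the sample log entries are constructed too. Each entry's hash covers the previous hash plus the entry itself, so editing an entry or removing one from the middle breaks the next link. Cutting entries off the tail breaks nothing, which is why the check also compares the last hash against a head hash recorded independently of the log store, the role the verification certificate plays in the export.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # assumed fixed sentinel the first entry chains to

def entry_hash(prev_hash: str, entry: dict) -> str:
    """Digest of one entry bound to its predecessor. Canonical JSON so that
    field order in an export cannot change the result."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build_chain(entries):
    """Append entries to an empty chain; returns [{'entry': ..., 'hash': ...}, ...]."""
    chain, prev = [], GENESIS
    for e in entries:
        h = entry_hash(prev, e)
        chain.append({"entry": e, "hash": h})
        prev = h
    return chain

def verify_chain(chain, expected_head=None):
    """Recompute every link. Returns (True, None) or (False, reason).
    expected_head is a head hash recorded outside the log store; without it
    a chain truncated at the tail still verifies, since truncation breaks no link."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if entry_hash(prev, rec["entry"]) != rec["hash"]:
            return False, f"bad link at index {i}"
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head hash mismatch"
    return True, None

def verify_export(exported, chain, expected_head=None):
    """Re-performer's check on an evidence export: the chain must verify and
    every exported entry must match the chain entry its chain_ref points at."""
    ok, _ = verify_chain(chain, expected_head)
    if not ok:
        return False
    by_hash = {rec["hash"]: rec["entry"] for rec in chain}
    return all(by_hash.get(x["chain_ref"]) == x["entry"] for x in exported)

# Constructed sample entries, not a real tenant's log
SAMPLE_ENTRIES = [
    {"seq": 1, "actor": "tadmin", "action": "RoleAssigned", "target": "auditor@firm.example"},
    {"seq": 2, "actor": "alice", "action": "DocumentViewed", "target": "DOC-1001"},
    {"seq": 3, "actor": "tadmin", "action": "RetentionOverride", "target": "DOC-0417"},
    {"seq": 4, "actor": "bob", "action": "DocumentDeleted", "target": "DOC-0417"},
]

def demo():
    """Intact chain, then three tampering scenarios; returns the four verdicts."""
    chain = build_chain(SAMPLE_ENTRIES)
    head = chain[-1]["hash"]                       # head hash anchored out of band
    intact = verify_chain(chain, head)

    edited = copy.deepcopy(chain)                  # rewrite who deleted the document
    edited[3]["entry"]["actor"] = "alice"

    dropped = copy.deepcopy(chain)                 # remove the retention override
    del dropped[2]

    truncated = copy.deepcopy(chain)               # cut the deletion off the tail
    del truncated[3]

    return (intact, verify_chain(edited, head),
            verify_chain(dropped, head), verify_chain(truncated, head))

if __name__ == "__main__":
    for name, verdict in zip(("intact", "edited", "dropped", "truncated"), demo()):
        print(f"{name:10s} {verdict}")
```

The edited and dropped cases fail at the first link after the change; the truncated case passes every link and is caught only by the head comparison. When you ask the client to run the built-in verification, the question to ask is therefore where the head hash on the certificate comes from: a head recorded only inside the same store the chain lives in proves less than one anchored elsewhere.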

Common findings

Patterns we see in audited tenants:

  • Privileged roles assigned and never revoked (a few users have admin from when they joined two years ago)
  • External share links without expiry
  • Retention policies defined but not assigned to all relevant documents
  • Litigation holds that should have been released years ago
  • Documents under classification Internal that should be Confidential

None of these are necessarily catastrophic. All should be management points.

Working with the client

The client typically appreciates findings being raised in real-time rather than at the closing meeting. Most Papyrus tenants want to fix issues during the audit, not after. The Compliance Officer is your point of contact.

What the auditor cannot do in Papyrus

To be explicit, the Auditor role cannot:

  • Modify any document
  • Delete any document or audit log entry
  • Change permissions or workflows
  • Sign documents on behalf of the client
  • Issue invoices or approvals

If the client is asking you to do any of these via the Auditor role, that's a separate engagement (advisory, not audit).
