AttestIQA is a standalone, browser-based SOC 2 Type 2 workpaper platform built exclusively for independent CPAs. It runs entirely in your browser with no server, no cloud sync, and no third-party data transmission: all engagement data is encrypted with AES-256-GCM and stored in your browser's localStorage: never transmitted to third-party servers.

AttestIQA maps 62 controls to the AICPA Trust Services Criteria: complete coverage of all 53 criteria for a Security + Confidentiality + Privacy examination (Security CC1–CC9, Confidentiality C1, Privacy P1–P8): and the HIPAA Security and Privacy Rules (45 CFR Part 164), organized across seven evidence tabs. It includes the complete 28-step engagement wizard, five report sections (AT-C 205), a SQMS 1 pre-issuance checklist, a HIPAA Compliance workpaper tab, and an optional HITRUST CSF r2 readiness checklist.

Open AttestIQA_v1.html in the same browser. Enter your password and click Sign In. If you see the license entry screen instead of the login screen, your localStorage was cleared: see Section 32 for recovery options.

All AttestIQA license keys follow this structure:

AttestIQA automatically locks after 15 minutes of inactivity by default. The session timer resets on any click, keystroke, or mouse movement. When locked, all content is hidden and the password screen is shown. Re-enter your password to continue: no data is lost.

The timeout is configurable in Settings → Firm Preferences: 5, 10, 15, or 30 minutes. The 15-minute default is recommended for shared office environments.

The sidebar contains a Lock App button that locks immediately, regardless of inactivity. Use this whenever you step away from your workstation. There is also a Save & Lock option that confirms a save before locking.

All engagement data is encrypted with AES-256-GCM before being stored in your browser's localStorage. The encryption key is derived from your master password using PBKDF2 with 100,000 iterations: it is never stored anywhere, held only in memory while you are logged in. When you lock the app or close the browser, the key is cleared and your data remains encrypted at rest. Data never leaves your machine: no server, no cloud sync, no third-party transmission. For additional at-rest protection, enable full-disk encryption on your workstation (BitLocker on Windows, FileVault on macOS).

The top of the Dashboard shows the Practice Alerts panel. This panel automatically scans all engagements and surfaces items requiring attention. Alerts are color-coded:

Each alert has a direct navigation button (e.g., "Go to Findings →") that takes you to the exact location of the issue.

Four summary cards show at a glance: Total Clients, Active Engagements, Controls Passing (aggregate across all clients), and Exceptions Found. These update in real time as you work.

The progress board displays all clients as cards. Each card shows: client name, entity type, a visual progress ring, current wizard phase, PASS/EXCEPTION count, and a Review → button. Click Review to open the Client Dashboard Modal for a full-screen at-a-glance summary of that engagement.

The modal shows the engagement phase timeline, client-specific alerts, control summary (Pass/Exception/Pending), document status, and a "blocking step" with direct navigation. The modal has four action buttons: Open Evidence, View Findings, Documents, and Generate Report.

From an empty dashboard, click the Load Demo Client button. This loads a pre-filled engagement for Sapphire Healthcare AI, Inc., a fictional health-tech company that gives you a realistic working example of a completed engagement.

The demo client includes:

• 16 representative controls pre-populated: 15 PASS, 1 EXCEPTION on A-04 (Role-Based Access Control)
• All 5 HIPAA workpaper panels filled in (AWS BAA, training records, pen test, IR tabletop, SRA)
• 3 subprocessors registered: AWS, GitHub, Anthropic
• Change management git log and PR template samples pre-loaded
• SQMS checklist 18/24 complete
• Demo banner with a Delete Demo button to remove it when done

Click the orange Delete Demo button in the demo banner at the top of any demo-client page, or go to the dashboard and click the trash icon on the demo client card. Demo data is completely removed from localStorage.

Click + Add Client on the Dashboard. Required fields:

Each client card shows a visual progress ring. Progress is computed from two inputs: (1) the percentage of controls that have been reviewed (status set to PASS or EXCEPTION, not Pending), and (2) wizard step completion. The two scores are averaged into one ring display.

The wizard assigns each engagement to one of five phases displayed on the dashboard card:

The Evidence page contains seven tabs. The active tab is highlighted in teal. All seven tabs are available regardless of TSC scope: the CPA exercises professional judgment about which tabs are in-scope for the engagement.

Each control card contains these fields:

• Control Reference: e.g., C-04
• Control Name: Plain-English title
• HIPAA Citation: Applicable 45 CFR section (if any)
• TSC Criterion: Applicable AICPA Trust Services Criterion
• Description: What the control does in plain English
• Expected Evidence: What you should see if the control is operating effectively
• Evidence Paste Area: Paste raw AWS CLI or script output here
• CPA Notes: Freeform workpaper notes field
• Status: PASS / EXCEPTION / PENDING: CPA-settable override
• CPA Initials & Review Date: Sign-off fields

The client must provision an AuditorReadOnly IAM role before evidence collection begins (C-15). This role has read-only access to the AWS console: no write permissions are granted. The CPA logs into the client's AWS console using this role.

Evidence is pasted directly into each control's evidence area. Use the built-in Evidence Scripts guide (accessible from the Evidence page header) for the specific AWS CLI commands corresponding to each control.

A-04 is one of the most commonly excepted controls. The client must demonstrate that access to every application page is explicitly granted through role-based access control and that user access aligns with current job function across the full observation period: not just at engagement time. Cross-reference the user access listing against the HR terminated-employees list: flag any user whose access was not removed within the deprovisioning SLA. The review evidence should show reviewer name, review date, the population of users reviewed, and documented action for any access changes.

For B-02, AICPA best practice requires the client to demonstrate that backups are not just created but can be successfully restored. Request a backup restoration test performed during the examination period. If none was performed, note this as a finding and recommend management establish an annual restoration test procedure.

The Policy & Governance tab covers the AICPA Common Criteria categories plus the Confidentiality (CN-01–CN-02) and Privacy (P-01–P-08) controls when those categories are in scope. Evidence here is primarily documentary: policies, board minutes, risk registers, vendor contracts, and monitoring reports rather than technical output.

Purpose: Verifies that all corporate endpoints are enrolled in a Mobile Device Management (MDM) solution with full-disk encryption enabled, current OS patches (applied within ≤30 days), and remote wipe capability documented.

HIPAA Citation: 45 CFR 164.312(a)(2)(iv): Encryption and Decryption

TSC Criterion: CC6.8

Expected Evidence:

• MDM enrollment export showing 100% of corporate devices enrolled (e.g., Jamf, Intune, Kandji export)
• Encryption status report showing BitLocker (Windows) or FileVault (macOS) enabled on all devices
• Patch status report showing OS patches applied within the last 30 days
• Remote wipe capability confirmation (policy document or MDM console screenshot)

The Change Management tab covers AICPA CC8.1: the requirement that changes to infrastructure and applications follow an authorized, documented process with separation of duties. The tab has four sections:

1. Git Commit Log: paste git log output for the examination period
2. Population List Guidance: collapsible panel with audit-ready export rules
3. PR Samples: HIPAA-compliant PR template loader
4. Branch Protection & SoD Status: branch protection and segregation of duties documentation

Paste the output of this command into the Git Commit Log field:

Replace [engagement-start] and [engagement-end] with the engagement period dates in YYYY-MM-DD format. This produces a clean pipe-delimited population of all commits during the examination period.

The collapsible Population List Guidance panel details five rules for audit-ready population lists. All five must be satisfied for the git log or any other population list to be accepted as reliable audit evidence:

Click Use PR Template to load a HIPAA-compliant pull request template. The template includes:

• ePHI Impact Assessment checkboxes (Does this change touch ePHI storage? Does this change affect access controls?)
• Reviewer attestation field (separate from author)
• Testing checklist (unit tests, integration tests, security scan)
• Deployment rollback plan field

Copy the template into the client's GitHub/GitLab repository as .github/pull_request_template.md.

The HIPAA Compliance tab consolidates all HIPAA administrative safeguard evidence into a single structured workpaper space. It contains two reference panels and five workpaper panels. Complete the workpaper panels in order from top to bottom.

This collapsible panel displays a 23-row table mapping all 45 CFR 164.308, 164.310, and 164.312 sections to their corresponding AttestIQA control references. Column headers: HIPAA Section, Description, R/A (Required/Addressable), AttestIQA Control(s).

Legend: R = Required standard (mandatory); A = Addressable specification (must implement or document why not applicable).

Check the HITRUST CSF r2 (Optional) checkbox to activate the 30-item HITRUST readiness checklist. See Section 18 for full detail. This checkbox is the only way to activate the HITRUST checklist; it also affects Wizard Step 18 completion requirements.

HIPAA Citation: 164.308(b)(1): Business Associate Contracts. A signed BAA is required with every vendor that creates, receives, maintains, or transmits ePHI on behalf of the covered entity or business associate.

Required fields per subprocessor entry: Vendor Name, Services Provided, Data Type (ePHI / Non-ePHI), BAA Executed Date, BAA Expiry Date (if applicable), Primary Contact.

HIPAA Citation: 164.308(a)(5): Security Awareness and Training. Required annually for all workforce members with access to ePHI.

Fields: Training Platform, Training Course Name, Last Completion Date, Total Workforce Members with ePHI Access, Members Completed (count), Completion Percentage (auto-calculated), CPA Evidence Note.

HIPAA Citation: 164.308(a)(8): Evaluation; also maps to CC7.1. HIPAA requires periodic technical and non-technical evaluations of security; a third-party penetration test satisfies this requirement most effectively.

Fields: Testing Firm, Test Date, Test Scope (external / internal / web app / API), Finding Counts (Critical / High / Medium / Low / Informational), Remediation Status (All Critical Remediated? All High Remediated?).

HIPAA Citation: 164.308(a)(6)(ii): Response and Reporting; also maps to CC7.4. An annual tabletop exercise tests the workforce's ability to execute the incident response plan.

Fields: Exercise Date, Scenario Tested, Attendees (names/roles), Facilitator, Lessons Learned, Next Drill Date.

HIPAA Citation: 164.308(a)(1): Security Management Process. This is a Required standard (not addressable) and is the most scrutinized item in OCR audits. Failure to conduct an annual SRA is the single most common HIPAA enforcement action.

Fields: SRA Completion Date, Conducted By (internal / external firm), Methodology (NIST SP 800-30 or HHS SRA Tool), Open Risk Count (High / Medium / Low), Risk Treatment Summary.

The HITRUST CSF r2 Readiness Checklist is an optional 30-item checklist available in the HIPAA Compliance tab. It is intended for clients who are pursuing or considering HITRUST certification alongside their SOC 2 engagement. Activate it by checking the "HITRUST CSF r2 (Optional)" checkbox in the HIPAA Compliance tab.

When activated: a progress counter (X/30 completed) appears at the top of the checklist, and Wizard Step 18 requires at least 20/30 items checked before that step can be marked complete.

The Findings page aggregates all controls across all seven evidence tabs and displays their current status. Controls are grouped by status: PASS, EXCEPTION, and PENDING.

For each control, the Findings page shows: control reference, name, status, the evidence that drove the determination, CPA notes, and: for exceptions: the management response status.

The CPA is solely responsible for the final opinion determination. The Findings page provides guidance: it does not issue opinions automatically.

Set a control's status to EXCEPTION in the control card. The Findings page will immediately flag the exception and indicate that a management response is required. An exception without a management response will block SQMS Step 12 (see Section 29).

Management responses must be documented before the SOC 2 report can be issued. Each management response should address four elements:

1. Root Cause: Why did this control fail? What is the underlying gap?
2. Compensating Controls: What existing controls partially mitigate the risk?
3. Remediation Plan: What specific steps will management take?
4. Target Remediation Date: When will the remediation be complete?

Click Use Template on any exception card to load an AT-C 205–compliant response starting point. Edit and finalize with the client before locking.

AttestIQA can export a structured JSON file containing all exception controls, their evidence, and context. You upload this JSON to your AI assistant (Claude.ai, ChatGPT, etc.) and receive back a JSON response with draft management responses and remediation language. You then import the AI's response into AttestIQA and review it before applying.

The Letters page generates all deliverable documents for the SOC 2 engagement. Each document is auto-populated from client data entered during the engagement. Review and edit before finalizing.

The VRM (Vendor Risk Management) Questionnaire is a hospital-facing template that your client submits to prospective healthcare customers who require vendor security documentation before contracting. It is auto-populated from AttestIQA client data.

Two fields are automatically populated from HIPAA tab data:

• TRN-05 (Training Records): Pulled from HIPAA Compliance Tab → Workpaper Panel 2 (Training Records): training platform, completion date, and completion rate.
• VDR-06 (Subprocessors): Pulled from HIPAA Compliance Tab → Workpaper Panel 1 (Subprocessor/BAA Register): all vendors with ePHI access and BAA status.

All other fields are editable. Generate the VRM Questionnaire from the Letters page, edit in the browser, then print to PDF for delivery to the client.

The Board Presentation Letter is a one-to-two page executive summary designed to accompany the SOC 2 report when presented to the client's board of directors or audit committee. It translates technical findings into governance-level language.

The letter is auto-populated with: engagement dates, TSC scope, total control count, PASS/EXCEPTION counts, a plain-English summary of each exception, and the CPA's opinion. The CPA reviews and edits the narrative before delivery.

After the AI generates a response JSON, click Import AI Response on the Findings or Letters page. The preview modal shows a side-by-side comparison of current values vs. AI-proposed values for each field. Fields with changes are highlighted. Click Accept or Reject on each proposed change individually, or use Accept All / Reject All. Changes take effect only after clicking Apply Accepted Changes.

The Engagement Wizard guides the CPA through all five phases of a SOC 2 Type 2 examination in a structured, sequential workflow. Each step has a description, required actions, and a completion checkbox. Steps can be marked complete out of order, but the wizard flags any steps that are logically inconsistent (e.g., completing Step 20 before Step 15).

Step 18 requires the following before it can be marked complete:

• At least one subprocessor entry in the BAA Register (Workpaper Panel 1)
• HIPAA Training completion date entered (Workpaper Panel 2)
• SRA completion date entered (Workpaper Panel 5)
• If HITRUST opted in: at least 20 of 30 HITRUST checklist items checked

Most wizard steps are advisory: they guide but do not block. A small number of steps are blocking: the wizard will show a warning and the step cannot be marked complete without meeting the requirement. Blocking steps are: Step 3 (independence), Step 18 (HIPAA), Step 21 (SQMS), and Step 23 (opinion determination).

The Documents page tracks the signature and receipt status of all engagement documents. Each document has a status indicator: Signed, Received: Unsigned, Not Yet Sent, Overdue.

Update document status manually as documents are sent, received, and signed. The Dashboard's Practice Alerts panel will flag any overdue or missing documents that are required before report issuance.

• Signed Engagement Letter
• Signed Management Assertion (Section II)
• Signed Representation Letter
• Signed System Description (Section III)
• Management Responses to all exceptions (if any)

The SQMS 1 Pre-Issuance Checklist implements the quality control requirements of AICPA SQMS 1 §70 for an attestation engagement. It contains 24 items that must be verified by the engagement partner before the SOC 2 report is issued. The checklist is accessible from the Documents page or from the Wizard at Step 21.

The 24 items cover: independence confirmation, engagement acceptance criteria, scope completeness, exception documentation, management response adequacy, representation letter completeness, opinion appropriateness, report formatting per AT-C 205, workpaper retention readiness, and engagement partner sign-off.

Go to Settings → Firm Profile. These fields auto-populate all generated letters and reports:

Session timeout: 5 / 10 / 15 / 30 minutes (default: 15). Auto-save confirmation toast: on/off. Dark mode: not available in v1.1 (planned for v1.2).

Go to Settings → Export Data. Click Download Backup. A JSON file is downloaded containing all client data, control reviews, findings, HIPAA workpapers, document statuses, and firm settings. The file is named AttestIQA_Backup_YYYYMMDD.json.

To migrate to a new browser or computer: export on the old browser, open AttestIQA on the new browser, complete first-time setup, then go to Settings → Import Data and select your backup JSON. Note: your password is set per browser: you set a new password on the new machine during first-time setup. The import restores all client data but not the old password.

On the login screen, click Forgot password?. Enter your recovery key exactly as saved. You will be prompted to create a new password. All engagement data is preserved.

If your browser's localStorage is cleared (e.g., by a browser reset, privacy extension, or OS reinstall), AttestIQA will show the first-time setup screen. Your data is not in the browser anymore. Restore from your most recent JSON backup export (Settings → Import Data) and set a new password.

When a new version of AttestIQA is available, a banner appears after login. Download the new AttestIQA_v1.html file. Open it in the same browser. Your data in localStorage carries over automatically. The old file can be deleted. If prompted, re-accept the SLA for the new version.