Frequently asked questions

Everything you need to know about AssurAI. Can't find what you're looking for? Email us directly.

Getting started
What is AssurAI and who is it for?
AssurAI is an AI-native GRC (Governance, Risk and Compliance) platform built specifically for internal audit teams, SOX compliance professionals, risk managers, and Chief Audit Executives. It replaces manual workpaper preparation, control testing, and board reporting with AI-assisted workflows — cutting audit effort by up to 70%. It is designed by former Big 4 professionals with 25+ years of real-world audit experience.
How do I get started?
Click Start free trial on any page. No credit card is required. You'll be up and running in under 5 minutes. The platform comes pre-loaded with demo data so you can explore all features immediately without entering your own data. When you're ready to go live, simply create a project and start working.
Do I need to install anything?
No. AssurAI is entirely browser-based. There is nothing to install, no servers to manage, and no updates to apply. It works on any modern browser (Chrome, Firefox, Safari, Edge) on Mac, Windows, or iPad. We recommend Chrome for the best experience.
How long does onboarding take?
Most teams are fully operational within one week:
  • Day 1: Account setup, team invitations, SSO configuration
  • Days 2–3: Create your first project, import your control library, set up your risk universe
  • Days 4–5: First AI-generated workpapers, testing templates configured
  • Week 2+: Full audit cycle running in AssurAI
Professional and Enterprise plans include onboarding support from our team.
Can I migrate data from my current tools?
Yes. AssurAI supports data import from Excel/CSV for controls, risks, findings, and audit plans. We also have built-in migration tools for teams coming from TeamMate+, AuditBoard, SAI360, and Navex. For Enterprise plans, we provide a dedicated data migration service at no additional cost.
Do you offer training and support?
Yes. All plans include access to our help centre and documentation. Starter plans include email support with a 48-hour response time. Professional plans include priority email and live chat support. Enterprise plans include a dedicated customer success manager, unlimited video calls, and custom training sessions for your team.
Pricing & plans
How much does AssurAI cost?
AssurAI is available on three plans:
  • Starter — $499/month: Up to 3 users, all 6 GRC modules, 285+ AI tools. Ideal for small audit teams and internal audit departments.
  • Professional — $1,499/month: Up to 10 users, unlimited projects, SSO, API access, priority support. Ideal for mid-size organisations.
  • Enterprise — $4,999/month: Unlimited users, dedicated database, custom SLA, dedicated CSM, custom integrations. Ideal for large enterprises and multi-entity groups.
All plans are billed monthly with no long-term commitment. Annual billing is available with 2 months free. See full details on our pricing page.
Is there a free trial?
Yes — every new account starts with a free trial. No credit card is required to sign up. You get full access to all features during the trial so you can make a fully informed decision. Trial length is 14 days. At the end of the trial you can subscribe or your account moves to a read-only state (your data is preserved).
Can I change plans at any time?
Yes. You can upgrade or downgrade at any time. Upgrades take effect immediately. Downgrades take effect at the end of your current billing period. There are no penalties or fees for changing plans.
Do you offer discounts for non-profits or academic institutions?
Yes. We offer a 40% discount for registered non-profit organisations and academic institutions. Contact hello@getassurai.com with proof of status to apply.
What payment methods do you accept?
We accept all major credit and debit cards (Visa, Mastercard, American Express) via Stripe. Enterprise customers can also pay by bank transfer (ACH or wire) with a purchase order. All payments are processed securely by Stripe — we never store your card details.
What happens to my data if I cancel?
If you cancel your subscription, your account moves to read-only mode. You have 60 days to export all your data in standard formats (PDF, Excel, CSV). After 60 days, data is permanently deleted from our servers. We will send you reminders at 30 days and 7 days before deletion.
Security & data
Is my data secure?
Yes. AssurAI uses enterprise-grade security throughout:
  • Encryption: AES-256 at rest, TLS 1.3 in transit — always on, no exceptions
  • Infrastructure: AWS (via Supabase) — SOC 2 Type II, ISO 27001 certified
  • Access: Row-level security ensures no customer can access another's data
  • Network: Cloudflare WAF and DDoS protection on all traffic
  • Auth: Short-lived JWT tokens, MFA support, SSO/SAML 2.0
For full details, see our Security & Trust Centre.
Is each customer's data kept separate from other customers?
Yes, completely. Every record in AssurAI is tagged with your organisation ID, and PostgreSQL Row Level Security (RLS) ensures that every database query — at the database engine level — is automatically scoped to your organisation only. It is architecturally impossible for one customer to access another customer's data. Enterprise customers also have the option of a fully dedicated database instance for physical data separation.
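The tenant-scoping pattern described in this answer, as an added PostgreSQL example that is not AssurAI's own schema or code. The table, column, role and setting names (`workpapers`, `organisation_id`, `app_user`, `app.current_org_id`) and the sample rows are assumptions made for illustration; run it as a superuser in a scratch database.

```sql
-- Hypothetical tenant table: every row carries the owning organisation's ID.
CREATE TABLE workpapers (
    id              bigserial PRIMARY KEY,
    organisation_id uuid NOT NULL,
    title           text NOT NULL
);

-- ENABLE turns row security on; FORCE also applies it to the table owner,
-- who would otherwise bypass every policy on the table.
ALTER TABLE workpapers ENABLE ROW LEVEL SECURITY;
ALTER TABLE workpapers FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can see or modify; WITH CHECK rejects
-- rows written with another tenant's organisation_id. If the session setting
-- is missing or empty, current_setting()/the uuid cast raises an error, so
-- the query fails closed instead of returning unscoped rows.
CREATE POLICY tenant_isolation ON workpapers
    USING      (organisation_id = current_setting('app.current_org_id')::uuid)
    WITH CHECK (organisation_id = current_setting('app.current_org_id')::uuid);

-- The application connects as a role that is neither superuser nor BYPASSRLS;
-- both attributes skip row security entirely.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON workpapers TO app_user;
GRANT USAGE ON SEQUENCE workpapers_id_seq TO app_user;

-- Constructed session for tenant A. set_config(..., true) scopes the value to
-- this transaction, so it cannot leak to the next user of a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO workpapers (organisation_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Tenant A walkthrough');
COMMIT;

-- Constructed session for tenant B: the SELECT has no WHERE clause, yet the
-- policy is appended to it by the database engine.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO workpapers (organisation_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'Tenant B walkthrough');
SELECT organisation_id, title FROM workpapers;
COMMIT;

-- Review check: roles that are exempt from every RLS policy.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

When reviewing a deployment built on this pattern, confirm that every tenant table has both `relrowsecurity` and `relforcerowsecurity` set in `pg_class`, and that the role the application connects as does not appear in the final query's result.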
Can AssurAI staff access my data?
Only with your explicit written consent, and only for the specific purpose you authorise (for example, to diagnose a support issue). Any such access is logged, time-limited, and immediately revoked when the issue is resolved. We will never access your data for commercial purposes, benchmarking, or AI training. This is documented in our Data Processing Agreement which is available on request.
Is my data used to train AI models?
No. Your data is never used to train AI models — by AssurAI or by Anthropic (our AI provider). When you use an AI feature, your data is sent to Anthropic's API for inference only. Anthropic does not retain or train on API request data. Each AI query is stateless and independent.
Where is my data stored?
By default, all data is stored in AWS us-east-1 (Northern Virginia, United States). European customers can request storage in AWS eu-central-1 (Frankfurt, Germany) to meet GDPR data residency requirements — contact us to arrange this. UK and Asia Pacific regions are planned for Q3 and Q4 2026 respectively.
Is AssurAI GDPR compliant?
Yes. AssurAI is designed to comply with GDPR requirements:
  • We sign a Data Processing Agreement (DPA) with all customers who require it
  • EU data residency is available (Frankfurt, Germany) — data never leaves the EU
  • We maintain a sub-processor list and notify customers of changes 30 days in advance
  • Data deletion requests are processed within 30 days
  • In the event of a breach, we notify affected customers within 72 hours (Article 33)
Request our DPA at privacy@getassurai.com.
Do you have a sandbox/test environment?
Yes. Every account includes both a Production environment and a Sandbox environment. Sandbox and production data are completely separate — you can test new workflows, AI features, and configurations in sandbox without any risk to your live audit data. Switch between environments using the environment toggle in the platform header. Sandbox access is included on all plans at no extra cost.
What are your backup and recovery policies?
Your data is automatically backed up every 24 hours. Backups are encrypted and retained for 7 days, allowing point-in-time recovery. Enterprise customers receive 30-day backup retention and a guaranteed Recovery Time Objective (RTO) of 4 hours. In practice, our average recovery time is under 30 minutes.
Features & AI
What does the AI actually do?
AssurAI's AI (powered by Claude by Anthropic) performs real audit work:
  • Workpaper drafting: Generate complete Big 4-quality workpapers from control descriptions
  • Risk assessment: Score and rank risks, suggest mitigating controls, identify gaps
  • Evidence analysis: Analyse uploaded evidence and flag exceptions automatically
  • Report writing: Draft board reports, audit committee papers, and management letters
  • SOD analysis: Identify segregation of duties conflicts from access data
  • Testing programs: Generate test procedures for any control area
All AI output is reviewed by you before finalisation — the AI is your assistant, not your replacement.
How accurate is the AI?
AssurAI's AI is built on Claude by Anthropic — one of the most capable and reliable AI models available. The platform has been designed by practitioners with 25+ years of Big 4 experience, so the AI prompts and templates encode real audit methodology. Like any AI, it can make mistakes — which is why every output is editable, reviewable, and subject to your professional judgement. Think of it as an exceptionally well-trained junior auditor whose work you always review.
What GRC modules are included?
All plans include all 6 modules:
  • SOX & ICFR: Full SOX compliance — scoping, walkthroughs, testing, deficiency assessment, reporting
  • Internal Audit: Audit universe, annual plan, engagement management, workpapers, findings, reports
  • Risk Management: Risk register, heat maps, KRIs, risk appetite, treatment plans
  • Compliance: Multi-framework compliance — SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS and 20+ more
  • Business Continuity: BIA, BCP, DR plans, exercise management, incident tracking
  • Financial Controls: Period-end close, revenue recognition, AP/AR, payroll controls
Can multiple team members work simultaneously?
Yes. AssurAI supports real-time collaboration. Multiple team members can work on the same project simultaneously. Workpapers have a built-in review and approval workflow — preparer submits, reviewer reviews and approves or sends back, with full audit trail throughout. Role-based permissions control who can view, edit, approve, or export each area.
Does AssurAI support the full SOX audit cycle?
Yes — AssurAI covers the entire SOX ICFR cycle:
  • Scoping and materiality calculation
  • Entity-level controls assessment
  • Risk and control matrix (RCM) preparation
  • Process walkthroughs and documentation
  • Design and operating effectiveness testing
  • IPE testing
  • Deficiency evaluation (significant deficiency vs. material weakness)
  • Management's assessment report drafting
  • Audit committee reporting
Can I customise the AI outputs to match my firm's style?
Yes. AssurAI allows you to set organisation-level templates for workpapers, reports, and findings. You can define your standard terminology, format preferences, and house style. AI outputs automatically follow your templates. Enterprise customers can also provide proprietary methodology documents that the AI references when generating content.
Integrations
What systems does AssurAI integrate with?
AssurAI integrates with:
  • Identity providers: Okta, Azure AD, Google Workspace, Ping Identity (via SAML 2.0)
  • ERP systems: SAP S/4HANA, Oracle, Microsoft Dynamics (evidence import)
  • Ticketing: Jira, ServiceNow (finding and remediation tracking)
  • Document storage: SharePoint, Google Drive, Box, Dropbox (evidence upload)
  • Communication: Slack, Microsoft Teams (notifications and alerts)
  • HRIS: Workday, BambooHR (user access review population)
All integrations are available on Professional and Enterprise plans. API access for custom integrations is available on all plans above Starter.
Does AssurAI have an API?
Yes. AssurAI provides a RESTful API for Professional and Enterprise customers. The API allows you to push/pull projects, workpapers, findings, controls, and risks programmatically. This enables integration with your existing GRC ecosystem, data warehouse, or reporting tools. Full API documentation is available at getassurai.com/api-docs.
Can I use AssurAI with my existing workpaper tool?
Yes — AssurAI is designed to work alongside or replace existing tools. You can export all workpapers, reports, and evidence packages as PDF or Excel, which are accepted by external auditors regardless of what tool produced them. If you are transitioning from TeamMate+, AuditBoard, or similar tools, we provide migration support to move your existing workpapers and control libraries into AssurAI.
Can external auditors access AssurAI?
Yes. You can invite external auditors (your Big 4 or other external firm) to the Auditor Portal — a read-only view tailored for external auditors. They can review workpapers, testing evidence, and control documentation without being able to edit anything. Access is permission-based and can be revoked instantly. This replaces the need to email large evidence packages and gives auditors a professional, structured view of your control environment.
Compliance
Does using AssurAI satisfy SOX requirements?
AssurAI is a tool that supports your SOX compliance programme — it does not itself confer compliance. SOX Section 404 requires management and the external auditor to assess the effectiveness of ICFR. AssurAI helps you perform, document, and evidence that assessment to PCAOB and SEC standards. The workpapers, test results, and reports produced in AssurAI are designed to meet Big 4 quality standards and withstand external audit scrutiny.
Can I use AssurAI output as evidence for SOC 2 audits?
Yes. AssurAI's Compliance module maps controls to SOC 2 Trust Service Criteria (TSC). You can document and evidence controls, generate test reports, and produce an evidence package that your SOC 2 auditor can rely upon. The Cross Assurance Engine also maps a single control test to multiple frameworks simultaneously — so if a control satisfies SOC 2, it can also be tagged as satisfying ISO 27001, HIPAA, and GDPR simultaneously.
Which compliance frameworks does AssurAI support?
AssurAI's Framework Library includes 50+ frameworks including:
  • SOX / COSO 2013 / COSO ERM 2017
  • SOC 2 (all 5 TSCs) / SOC 1
  • ISO 27001:2022 / ISO 27002 / ISO 22301
  • NIST CSF 2.0 / NIST SP 800-53
  • GDPR / UK GDPR / CCPA
  • HIPAA / HITECH
  • PCI DSS 4.0
  • COBIT 2019
  • ITIL 4
  • FCA / PRA (UK financial services)
  • Basel III / IV operational risk
  • And 40+ more
Will my external auditors accept AssurAI workpapers?
Yes. External auditors (Big 4, GT, BDO, RSM etc.) accept workpapers regardless of the tool used to create them — what matters is content quality and completeness, not the platform. AssurAI workpapers are structured to PCAOB AS 2201 and IIA Standards, with complete objectives, scope, procedures, results, and conclusions sections. In practice, external auditors are often impressed by the consistency and completeness of AssurAI-generated workpapers compared to manually produced equivalents.
Can I get a Data Processing Agreement (DPA)?
Yes. A Data Processing Agreement is available for all paying customers. It covers our roles as data processor, your rights as data controller, sub-processor obligations, security measures, data retention, and breach notification. Email privacy@getassurai.com to request the DPA. Enterprise customers can also negotiate custom DPA terms.

Still have questions?

Our team is made up of former Big 4 professionals who've lived the audit world. We're happy to answer anything.