🚀 New User? Start Here
Welcome to the Internal Audit team. Your organisation is already set up — your engagements, team and workpapers are waiting for you. Follow these seven steps on your first day.
Log in with your company Google account. Go to
getassurai.com/login.html and click
Continue with Google. Use your
@bloomenergy.com address — no separate password to remember.
Land on your Dashboard. You'll see your organisation's engagements, open findings and key metrics. Everything here is private to your organisation.
Open an engagement. Click any engagement to open its Engagement File — the home base for that audit.
Browse the Workpapers. Open the Workpapers view to see what's already been prepared, submitted or approved.
Try Evidence Intelligence. Upload an invoice or a control document and let the AI classify it and assess its adequacy.
Run an AI Agent. Open Fraud Risk Assessment and run an assessment for a process such as Procure-to-Pay.
Save the result to your engagement. Click Save as Workpaper on the AI output and file it into the right engagement — then find it under Workpapers.
💡 Pro tip for auditors
Do the full loop once on a low-stakes control before your real fieldwork. Running one agent end-to-end — from prompt to a saved draft workpaper — is the fastest way to understand how the whole platform fits together.
🔑 Logging In
AssurAI uses Google Single Sign-On (SSO). You sign in with your company Google Workspace account — there is no separate AssurAI password.
Go to getassurai.com/login.html → Continue with Google → choose your @bloomenergy.com account
How to use it
Click Continue with Google and pick your company account.
On first login you're automatically placed in your organisation (matched by your email domain) and taken to the Dashboard.
💡 Pro tip
Bookmark
getassurai.com/dashboard.html once you're in. After your first SSO sign-in, that link takes you straight to your work.
⚠️ Common confusion
If you don't see your engagements after logging in, you may have signed in with a personal Google account instead of your
@bloomenergy.com account. Sign out and sign back in with your company account.
📁 Projects & Engagements
An engagement (also called a project) is a single audit — for example "FY2026 Internal Audit — Procurement Process". It holds the engagement's workpapers, findings, controls, evidence and team. The Engagement File is its home page.
Sidebar → Dashboard → click an engagement → Engagement File
Understanding phases
Each engagement moves through phases. The current phase is shown on the engagement card and at the top of the Engagement File:
Planning
Fieldwork
Review
Reporting
Closed
How to use it
From the Dashboard, click an engagement to open its Engagement File.
Use the tabs/sections to move between Workpapers, Findings, Controls and Evidence for that engagement.
For SOX engagements, switch between By Phase and By Process (O2C, P2P, R2R, H2R, ITGC) to view work the way you plan it.
Use the Export button to produce a PDF of the engagement file.
💡 Pro tip for auditors
Keep one engagement per audit per year (e.g.
FY2026 SOX — ITGC Review). It keeps your workpapers, findings and evidence cleanly separated for the file and for rollforward next year.
📄 Workpapers
A workpaper documents a piece of audit work — a walkthrough, a test of a control, or an analysis. Workpapers move through a sign-off lifecycle and are locked once approved.
Sidebar → Workpapers (or open an engagement → Workpapers)
The workpaper lifecycle
Draft →
Submitted for review →
Reviewed →
Approved & locked
How to use it
Create a workpaper directly, or save one from any AI agent (see
Save to Engagement). It starts as a
Draft.
Edit the draft — add the procedure performed, the population, results and your conclusion.
Submit for review when ready. The reviewer is notified.
The reviewer approves (which locks the workpaper) or returns it with review comments for you to clear.
⚠️ Important
Approving a workpaper
locks it. To make further changes, the reviewer must re-open it — this preserves the integrity of the signed-off audit file.
💡 Pro tip for auditors
Clear every review note before re-submitting. A clean review trail (note raised → cleared → approved) is exactly what a quality reviewer or external inspector expects to see.
⚠️ Findings
A finding is an issue or control deficiency you've identified. AssurAI captures findings using the standard condition / criteria / cause / effect / recommendation structure and tracks them through to closure.
Sidebar → Findings (or open an engagement → Findings)
Severity levels
Critical
Significant
Moderate
Observation
Finding lifecycle
Identified / Open →
In Progress →
Remediated →
Verified / Closed
How to use it
Log a finding — give it a title, severity, owner and the affected module/process.
Add the condition, criteria, cause, effect and your recommendation.
Capture management's response and a remediation owner and due date (see Management Action Plans).
When remediation is complete, verify the evidence and move the finding to Closed.
💡 Pro tip for auditors
Link the finding back to the workpaper that supports it. When the audit committee asks "what's the evidence for this issue?", you can answer in one click.
📥 Evidence & PBC Requests
"PBC" (Prepared By Client) requests let you ask control owners and process owners for evidence. AssurAI sends a secure link — the recipient uploads files without needing an AssurAI login.
Sidebar → Evidence Manager / PBC Portal
How to use it
Create a request — describe the evidence you need and choose the recipient (the control or process owner).
AssurAI emails the owner a secure upload link. They open it, upload their documents and submit — no login required.
Outstanding requests send automatic escalating reminders and can escalate to the owner's manager if overdue.
💡 Pro tip for auditors
Be specific in the request ("Q3 user access listing for SAP S/4HANA, exported on the review date") — precise asks get the right evidence first time and cut down on back-and-forth.
🛡️ Controls
The control library holds the controls in scope for an engagement — their description, owner, frequency, whether they're a key control, and their current test status.
Sidebar → Controls (or open an engagement → Controls)
How to use it
Review the controls in scope and confirm which are key controls (the ones that must be tested).
Track each control's test status — Not Started, In Progress, Passed, or Exception.
Link controls to the workpapers that test them and to any findings raised.
💡 Pro tip for auditors
Filter to
key controls first. For SOX, that's where your testing effort and the external auditor's reliance are concentrated.
🧪 Testing & Sampling
AssurAI supports the full testing workflow — design the test, select a sample (or test the whole population), perform the test against evidence, and record a PCAOB-style conclusion.
Open a control / workpaper → Run Test · or Sidebar → Sampling Engine / Population Testing AI
How to use it
Design the test — define the control objective, attribute(s) and the procedure.
Select a sample using the Sampling Engine (MUS or attribute sampling) — or test the entire population with Population Testing AI (up to 50,000 rows).
Perform the test — the AI evaluates each item against the attributes and flags exceptions with a decision log.
Record your conclusion — the AI proposes a PCAOB-style conclusion; you, the auditor, make the final judgement.
⚠️ The auditor concludes — not the AI
The AI proposes conclusions and highlights exceptions.
You make the professional judgement and own the final conclusion in the workpaper.
💡 Pro tip for auditors
For high-volume, low-judgement controls (e.g. three-way match), run full
Population Testing instead of a sample — you get 100% coverage and a defensible decision log for every exception.
⚡ Evidence Intelligence
Upload any document, spreadsheet, screenshot or image and the AI reads it, classifies it, and assesses whether it's adequate audit evidence — automatically detecting the type of testing required.
Sidebar → AI Tools → Evidence Intelligence
Three testing modes — detected automatically
🔬MRC testing
Detects Management Review Controls and evaluates 5 attributes. See the
MRC section.
📊IPE testing
Tests the completeness and accuracy of Information Produced by the Entity (reports, listings, queries).
📄Standard evidence
Evaluates relevance, reliability and sufficiency against the control objective.
🧾Decision log
Every AI judgement is traced to specific data points for a fully auditable trail.
How to use it
Upload or paste your evidence — PDF, Excel, Word, CSV, image or screenshot.
Click Classify Evidence with AI. The AI detects whether this is an MRC, IPE or standard evidence situation and runs the right test.
Review the adequacy rating, attribute-by-attribute analysis, any missing-attribute warnings and the suggested test procedures.
💡 Pro tip for auditors
When you upload a report or query result, tell the AI what the report
should contain. It sharpens the IPE completeness-and-accuracy assessment.
🔬 MRC Testing (Management Review Controls)
Management Review Controls are some of the hardest controls to test — and AssurAI tests them automatically. This section explains what an MRC is, how the AI evaluates it, and why it matters.
What is an MRC — and why is it hard?
A Management Review Control is a control where a person reviews something and acts on it — for example a CFO reviewing a monthly variance analysis, or a controller reviewing a reconciliation. They're hard to test because a signature alone proves nothing: you have to evidence that the review had the right precision, rigour and follow-up, not just that someone signed off.
How Evidence AI detects an MRC
When you upload review evidence (a variance analysis, a reconciliation review, a board pack with annotations), AssurAI recognises the MRC pattern and switches into MRC mode — then evaluates the review against five attributes.
The 5-attribute evaluation framework
1 · Performance
Was the review actually performed — with evidence of the reviewer engaging with the data (not just a signature)?
2 · Competence
Did the reviewer have the authority and expertise to perform the review effectively?
3 · Timeliness
Was the review performed on time — within the period and before the related reporting deadline?
4 · Effectiveness
Was the review at the right level of precision — did it identify and challenge the items it should have (e.g. variances over threshold)?
5 · Documentation
Is there sufficient documentation of the review, the questions raised and how they were resolved?
Worked example — a CFO variance analysis
You upload the monthly P&L variance analysis the CFO reviewed. The AI evaluates: did the CFO investigate variances above the threshold (effectiveness/precision)? Are there review notes, questions or annotations showing engagement (performance)? Was it reviewed before the close deadline (timeliness)? Is the CFO the appropriate reviewer (competence)? Is the review documented well enough to re-perform (documentation)? You get a rating per attribute plus the gaps to follow up.
⚠️ Why this matters — PCAOB AS 2201
For MRCs, regulators (PCAOB AS 2201) expect evidence of the
precision of the review — that it operates at a level that would catch a material misstatement. A sign-off without evidence of investigation is the classic MRC deficiency. AssurAI's 5-attribute test is built around exactly this expectation.
💡 Pro tip for auditors
Upload the
actual review document — the marked-up variance analysis with the reviewer's notes and questions —
not just the sign-off sheet. The sign-off proves someone approved it; the marked-up document proves the review had precision. The AI can only assess what you give it.
🤖 AI Agents
AI Agents are specialist tools — each one is an expert at a single audit task. There are 20+ agents; pick the one that matches your work, give it data, and it runs the analysis with Big-4-grade prompts built in.
Sidebar → AI Agents
The specialist agents
How to use any agent
Open the agent from the AI Agents page.
Provide its input — upload a file, paste data, or describe the process/scope.
Run the agent and review its structured output, exceptions and decision log.
💡 Pro tip for auditors
Every agent output is a
starting point, not a conclusion. Read the decision log, sanity-check a few items yourself, then add your own judgement before you submit the workpaper for review.
🔗 Agent Pipeline
The Agent Pipeline chains several agents into one autonomous workflow — so the output of one agent feeds the next. Use it for multi-step audit procedures you'd otherwise run by hand.
Sidebar → AI Agents → Agent Pipeline
How to use it
Choose the agents to chain (e.g. extract data → detect anomalies → draft the finding).
Provide the starting input and run the pipeline — it executes each step in turn.
Review the combined output and save the result to your engagement.
💡 Pro tip for auditors
Start with a two-agent chain before building longer pipelines. It's easier to review the hand-off between two steps and confirm the logic holds.
🔀 Flowchart Builder
Describe a process in plain English and the Flowchart Builder generates a visual swimlane diagram — plus a process narrative and a risk-and-control matrix — in one click.
Sidebar → Flowchart Builder
How to use it
Pick a template (Procure-to-Pay, Payroll, Order-to-Cash…) or describe your process.
Generate the swimlane diagram, narrative and risk/control matrix.
Refine the description and regenerate; then save it to your engagement as a walkthrough workpaper.
💡 Pro tip for auditors
Use it at the start of a walkthrough to draft the process map, then confirm and correct it live with the process owner. It turns a blank page into a 5-minute review.
💾 Save to Engagement
Every AI agent output can be filed directly into an engagement as a workpaper. This is what keeps your AI analysis organised inside the audit file instead of scattered across downloads — and it's available on all 20+ agents.
Why it matters
An AI result is only useful in an audit if it lands in the right place in the file, with the right context, ready to review and sign off. Save to Engagement does exactly that — one click turns an agent output into a draft workpaper in the correct engagement.
How to use it — the 5-level hierarchy
Click Save as Workpaper on any AI result and choose, top to bottom:
1 · Module
SOX & ICFR, Internal Audit, Risk & ERM, or Compliance.
2 · Engagement
The specific audit/project this belongs to.
3 · Business Process
O2C, P2P, R2R, H2R, ITGC… (especially important for SOX).
4 · Section
Where in the engagement file the workpaper sits.
5 · Workpaper Type
Walkthrough, Test of Operating Effectiveness, Analysis, etc.
On any AI agent result, click Save as Workpaper.
Work down the five levels — Module → Engagement → Business Process → Section → Workpaper Type.
Choose Save as Draft (or Save & Submit for Review). The output is filed as a workpaper in the chosen engagement.
Go to Workpapers to find it — then edit, submit for review, and approve it like any other workpaper.
💡 Pro tip for auditors
For SOX work, always pick the correct
Business Process (O2C / P2P / R2R / H2R / ITGC). It's what lets the engagement file group everything
By Process and gives the external auditor a clean, navigable file.
Where does the saved workpaper go?
Straight into the
Workpapers list for the engagement you selected, as a
Draft. Nothing is auto-approved — you review and sign it off.
🗂️ Engagement Modules
AssurAI organises work into modules. Your engagements live inside the module that matches the type of work.
💡 Pro tip for the Internal Audit team
Your day-to-day home is the
Internal Audit module, but you'll dip into
SOX & ICFR whenever you test ITGCs or controls relied on for financial reporting.
📊 Reporting & Monitoring
Stay on top of risk and tell the story to leadership — these tools turn your audit work into monitoring signals and board-ready reporting.
How to use them
Check the KRI Monitor for any amber/red breaches before status meetings.
Scan the Regulatory Monitor weekly for standards changes that affect your controls.
Use the Audit Universe to prioritise next year's plan by risk.
Generate the Audit Committee Report when you need a board pack — then review and tailor it.
💡 Pro tip for auditors
Generate the Audit Committee Report a few days
before the meeting and edit the narrative. The AI gives you a strong 90% draft; your judgement makes the last 10% land with the committee.
❓ Frequently Asked Questions
Can multiple team members work on the same engagement?
Yes — all team members in your organisation see the same engagements and workpapers, and can collaborate in real time with comments and presence.
Is my data secure?
Yes — your data is isolated to your organisation. Other organisations cannot see your data. Access is enforced at the database level by row-level security.
Can I export workpapers?
Yes — use the Export button on the Engagement File page to export to PDF. AI tools can also export to Big 4, PCAOB or standard Excel templates.
How do I add a new team member?
What file types can Evidence Intelligence analyse?
PDF, Excel (.xlsx), Word (.docx), CSV, images (PNG, JPG) and screenshots.
Does the AI make the audit conclusion for me?
No — the AI provides analysis and observations. The auditor makes all professional judgements and conclusions. AssurAI is there to do the heavy lifting, not to sign your name.
What standards does AssurAI align to?
PCAOB AS 2201, IIA Standards (2024 edition), ISA 240, ISA 500, and SOX Sections 302 and 906.