External auditors need evidence packages tied to specific controls, with a clear chain of custody. The bottleneck is rarely the testing. It is the collection and back-and-forth. Dock solves the collection layer: an agent gathers evidence per control from AuditBoard and Vanta, writes a packaged row to a Dock table, and the external auditor signs off as a named principal on that row. Evidence stays in the GRC platforms. The package and the signature live in Dock.
The architecture
AuditBoard and Vanta stay the system of record for the raw evidence: control definitions, test results, integration logs, policy attestations, ticket exports. Dock is the system of record for what the agent interprets from that data. Each Dock row carries a pointer back to the source record (auditboard_control_id, vanta_test_id), the agent identity that built the package, the reviewer who approved internally, the external auditor who signed off, and the timestamp on each step. The agent re-fetches platform data via fresh API reads when it needs current state, so a stale snapshot never becomes the basis for a signature. This is the agent-identity discipline applied to GRC.
The Dock surface
A single table, audit_evidence_packages, with rows like:
| control_id | framework | auditboard_control_id | vanta_test_id | agent | package_status | internal_reviewer | external_auditor | signed_at |
|---|---|---|---|---|---|---|---|---|
| AC-2 | SOC 2 | AB-4471 | VT-9921 | compliance-bot v3.1 | packaged | rachel.kim@dock | priya@bdo.com | 2026-05-21 14:02 |
| CC-6.1 | SOC 2 | AB-4488 | VT-9947 | compliance-bot v3.1 | awaiting auditor | rachel.kim@dock | priya@bdo.com | null |
| CM-3 | ISO 27001 | AB-5102 | VT-10044 | compliance-bot v3.1 | signed | marcus.r@dock | priya@bdo.com | 2026-05-22 09:18 |
The row is the package. The platforms hold the evidence. The signature is structured data, not an email.
The worked workflow
For control CC-6.1, the agent reads the AuditBoard control definition and pulls the matching Vanta test results from the prior quarter. It cross-references access reviews, change tickets, and policy attestations, then writes a packaged Dock row with links back to each source artifact. Rachel, the internal compliance reviewer, opens the row, confirms scope, and marks internal_reviewer approved. The row moves to awaiting auditor. Priya, the BDO auditor, receives a scoped Dock link, inspects the package, and signs the row as external_auditor. The signature is a two-key handshake: the agent built the package, a named human signed it off. Both identities persist.
Why it matters
Audit trails are only useful when they are queryable and attributable. A folder of PDFs is not an audit trail. A Dock row with agent, internal_reviewer, external_auditor, and signed_at is. When next year's auditor asks how CC-6.1 was evidenced, the answer is a row.
Agent participation in regulated workflows requires the dangerous-ops contract: the agent can package, but it cannot sign as the auditor. PCAOB AS 2201 ties evidence requirements to control risk, and AICPA SAS 145 requires inherent and control risk to be assessed separately. Both standards assume someone can show their work. Dock rows are how the work gets shown.
This is the pattern that powers Dock for accounting audit packets, generalized to GRC. The agent-audit-and-compliance discipline scales when the audit object is a row, not a thread.
Get started
See the full pillar at Dock for compliance for the table templates, the reviewer routing rules, and the auditor sign-off schema.
FAQ
Does the auditor need a Dock account? Yes, as a scoped external principal. Sign-off must come from a named identity. The row records the auditor's email, firm, and timestamp.
Where does evidence actually live? In AuditBoard and Vanta. Dock holds package metadata, pointers, and signatures. Re-running a query fetches fresh state from the source.
Can the agent sign off on its own packages?
No. The agent can move a row to awaiting reviewer or awaiting auditor, but the signature columns are write-protected against the agent identity.
What if a control fails between packaging and sign-off? The agent re-fetches Vanta test state on auditor open. If a previously passing test now fails, the package is flagged and sign-off blocks.
