wiredepth
Run a check

Free tool · Audit evidence

Internal audit workpaper templates

Five PDF workpapers, audit-binder-ready, pre-populated with live evidence from public sources. Cover the domain-health controls that show up in SOC 2 / PCI / HIPAA / OSFI B-13 / NIS2 / DORA. Paste a domain, pick which workpaper to generate. Free, no signup, IP rate-limited.

What this tool checks

Audit workpapers are the evidence artifacts that survive in the binder long after a control test is complete. Internal audit (or external audit, or your friendly local assessor) needs each workpaper to do three things: state the control being tested, attach the evidence observed at the test date, and carry the sign-off chain (preparer, reviewer, conclusion).

Auditors do this work today by hand: open a checker, screenshot the result, paste into a Word doc, fill in the sign-off block. This tool collapses the first half to a one-click download - the captured evidence is already wired into a workpaper-format PDF with the sign-off rows ready for the auditor's pen.

Five templates ship today: Email authentication posture (DMARC / SPF / DKIM / MTA-STS / BIMI), TLS / certificate inventory (chain, expiry, protocols, HSTS), Third-party sender inventory (vendor blast-radius classification), DNS + domain governance (NS topology, DNSSEC, CAA, registrar, blocklists), Incident-response readiness (DMARC reporting, TLS-RPT, abuse@ probe).

How to read the results

What each workpaper contains:

  • Title block: workpaper reference (e.g. WP-EML-01), entity name, audit phase, period covered, evidence capture timestamp.
  • Control objective: framework-language statement of what the control is supposed to do.
  • Observed evidence: tables of the actual values resolved from public sources at the capture date. Monospaced so they're trivially comparable across runs.
  • Auditor observations: automated findings the auditor confirms or rejects.
  • Sign-off block: preparer, reviewer, conclusion / exception narrative.

Customise the title block via query parameters on the generator URL: ?entity=My%20Co, ?period=Q3%20FY26, ?phase=Interim, ?preparer=Alex%20Smith, ?reviewer=Sam%20Jones. The form on the result page wires these for you.

Frequently asked questions

How do I prove this PDF wasn’t modified after Wiredepth generated it?

Every Prove-tier workpaper carries a chain-of-custody footer with the artifact hash plus a third-party RFC 3161 timestamp token. Your auditor downloads the free public verifier (CLI or browser, no Wiredepth account required), points it at the PDF, and gets back a pass / fail plus the original generation timestamp signed by an external Time Stamping Authority. The auditor never has to trust Wiredepth - the verification works against published anchors and the TSA chain.

Are these workpapers framework-specific?

No - the same five workpapers are pitched at the union of SOC 2, PCI DSS, HIPAA Security Rule, OSFI B-13, NIS2, and DORA controls in the domain-health space. Each workpaper names the specific control references it covers in its control-objective section, so the auditor can cross-reference into the binder taxonomy directly.

Does Wiredepth store the workpaper data?

No. Generation is server-side and ephemeral - the PDF is rendered, returned to your browser, and not persisted. Re-running the same domain six months later produces a fresh capture; previous PDFs you downloaded retain their original "as-of" timestamp so staleness is obvious.

Can I customise the sign-off rows?

Yes. The "Prepared by" and "Reviewed by" lines accept query parameters (?preparer=…&reviewer=…) so the workpaper arrives with those rows pre-filled. The "Date prepared", "Date reviewed", and "Conclusion / exception narrative" rows are intentionally blank for the auditor to fill in by hand or in Acrobat.

How are these different from the email-auth scorecard PDF?

The scorecard is a 1-page marketing-grade artifact for sharing in Slack / Teams; the workpaper is an audit-binder-format document for filing in attestation packs. Different audience, different layout, different level of detail. Both are free.

Can I generate all five workpapers at once?

Not from the free tier today - each workpaper is downloaded separately because the underlying probes run at different speeds and you may only need one or two for a given control test. Wiredepth Prove batches all five plus the compliance crosswalk into a single Evidence Pack zip.

Related free tools

Email-auth scorecard (PDF)

1-page shareable posture summary - different from a workpaper, designed to travel in Slack.

Compliance crosswalks

How email-auth / TLS / DNS controls map to OSFI B-13, PCI DSS, HIPAA, SOC 2, NIS2, DORA, SEC.

Vendor consolidation audit

Live vendor inventory the third-party sender workpaper builds on.

Full domain check

Run all underlying probes once before generating the workpaper set.