Product

One agent that runs the whole audit.

Tessero isn't a checklist or a GRC spreadsheet. It's an agent, an evidence vault, and a reviewable workpaper trail — the full engagement, from scoping to sign-off, in one place.

The agentEvidence vaultControl testingFindingsReviewer sign-offReports
01 · The agent

Tess runs the engagement

You don't operate a tool — you hand off an audit. Tess scopes the work in plain language, builds the in-scope control set, and tests each control on its own. You stay in review, not in the weeds.

  • Plain-language scoping — describe your environment, Tess builds the control set
  • Works control by control, autonomously
  • Shows its work as it goes — every step on the record
Tess · running engagement SOX ITGC

› scoping engagement — 6 domains, 258 controls in scope

› scanning 41 evidence files…

AM-03 testing “MFA enforced for remote & admin access”

› 21 pass · 27 exception · queued for review

Connected sources

Amazon Web Services Microsoft Azure Oracle Cloud 3 accounts · read-only
📎 Access_Control_Policy.pdf policy
📎 Change_Tickets_Q1.xlsx export
📎 Backup_Log.xlsx log
📎 Onboarding_Runbook.pdf policy

41 files · originals retained

02 · Evidence

Every document and account, in one vault

Connect your cloud accounts and drop in your policies, tickets, and logs. Tess reads all of it. The vault keeps every original, so any finding can point back to the exact source you gave it.

  • Connect AWS, Azure, and OCI read-only
  • Upload policies, exports, screenshots, tickets
  • Originals retained and re-openable
03 · Testing

Every control, tested against your evidence

No sampling spreadsheets, no two reviewers reaching two answers. Tess tests each in-scope control against the evidence you connected — for every framework — and returns pass or exception with the reason.

  • One agent, every framework
  • A read-only command behind every cloud test
  • Consistent testing, run after run
ITGC
Cloud Security
SOC 2
ISO 27001
PCI DSS
NIST CSF
OR-11 backups · restore tested pass
AM-03 MFA enforcement exception
AM-03.1 Exception · review

Multi-factor authentication (MFA)

Access Management · operating effectiveness

Tess concluded

The access policy states multi-factor authentication is optional and left to user discretion — it does not enforce MFA for remote or administrative access.

📎 Access_Control_Policy.pdf cited
04 · Findings

Results you can defend, line by line

Every verdict is a workpaper: the conclusion, the evidence, and the exact passage it rests on. Open the original document from any finding — pass or exception, it's all cited.

  • File and exact excerpt on every verdict
  • Pass and exception, both backed by proof
  • Filter, sort, and export the full set
05 · Review

A senior pass before anything ships

Tess flags anything not yet defensible and routes the rest for sign-off. Your reviewers approve, comment, or send a finding back — and the trail records who decided what, and when.

  • Auto-flags weak or unsupported conclusions
  • Approve, comment, or reopen per finding
  • Every decision attributed and timestamped
Review queue 258 controls
AM-03.1 MFA enforcement Needs review
OR-11.2 Backup restore test Approved
CM-07.4 Change approval Sent back

21 approved · 27 in review · 210 queued

📄 SOX ITGC — FY26 Engagement Final

258

controls

231

pass

27

exception

Evidence index · every conclusion linked to source

06 · Reports

Export the whole trail

Turn the engagement into a deliverable your reviewers and regulators can follow — every finding, its evidence, and its citation, in one export. The audit trail leaves with you.

  • Complete control results with citations
  • Evidence index linked to every conclusion
  • Share read-only or export the full set

See the whole engagement run.

From scoping to a cited, reviewed report — watch Tess take an audit end to end.

Book a demo Browse the frameworks