CommunityPay provides CPA firms with direct, read-only access to HOA financial data through a token-gated audit portal. No login is required. The CPA receives a secure link, clicks it, and navigates the same ledger data that governs day-to-day financial operations.
This page describes how the portal works, what the CPA can see, and how access is controlled.
Why a CPA Portal
The standard audit workflow for HOAs involves weeks of back-and-forth: the CPA requests a trial balance, the board emails a PDF, the CPA asks for the journal register, the board emails another PDF, the CPA needs AR aging, and so on. Each exchange introduces delay, version confusion, and the risk of stale data.
The CPA Audit Portal eliminates this cycle. The HOA grants time-limited access to the system of record. The CPA pulls what they need, when they need it, from the same ledger that produces enforcement decisions, integrity scans, and institutional packets. There is no secondary reporting layer.
Creating an Engagement
An HOA administrator creates an engagement from the Vault.
Steps
- Navigate to Vault in the accounting navigation
- Click the Audit Portal tab
- Click Create Engagement (top-right)
- Fill in the engagement details:
| Field | Description |
|---|---|
| Firm Name | The CPA firm's name |
| Contact Name | Primary contact at the firm |
| Contact Email | Where the access link will be sent |
| Engagement Type | Review, Financial Audit, Compilation, Tax Preparation, or Agreed-Upon Procedures |
| Period Start | Start of the financial data window |
| Period End | End of the financial data window |
| Access Duration | How long the access link remains valid (30, 60, 90, 180, or 365 days). Default: 90 days. |
| Notes | Internal notes (e.g., board resolution reference). Not visible to the CPA. Optional. |
- Click Create Engagement
The system generates a unique access token, emails the secure link to the CPA, and displays a confirmation. The raw token is shown once and never stored — only its SHA-256 hash is persisted.
Token Security
The access token follows the same security pattern as CARI API keys:
| Property | Detail |
|---|---|
| Format | cpa_ prefix + 48 bytes of URL-safe random data |
| Storage | SHA-256 hash only — raw token is never persisted |
| Lookup | 12-character prefix for fast database lookup, then hash verification |
| Shown once | The raw token appears in the creation confirmation and invitation email. It cannot be retrieved later. |
If the token is lost, the engagement must be revoked and a new one created. There is no token recovery mechanism. This is deliberate — a recoverable token is a weaker token.
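The pattern in the table above, as an added Python sketch rather than CommunityPay's code: the function names and the in-memory `STORE` are hypothetical, and taking the 12-character prefix from the start of the full token (including `cpa_`) is an assumption. It shows that the prefix only selects candidate rows and that the constant-time hash comparison is what authenticates.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 12   # lookup prefix length given on the page
STORE = {}        # constructed stand-in for the database: prefix -> [sha256 hex]


def issue_token():
    """Create a token, persist only its prefix and hash, return the raw value once."""
    raw = "cpa_" + secrets.token_urlsafe(48)   # 48 random bytes -> 64 URL-safe chars
    digest = hashlib.sha256(raw.encode("ascii")).hexdigest()
    # Assumption: the 12-character prefix is the first 12 characters of the
    # full token, "cpa_" included. It is an index, not a credential.
    STORE.setdefault(raw[:PREFIX_LEN], []).append(digest)
    return raw


def verify_token(presented):
    """Prefix narrows the candidate rows; only the hash comparison authenticates."""
    if not isinstance(presented, str) or not presented.startswith("cpa_"):
        return False
    try:
        digest = hashlib.sha256(presented.encode("ascii")).hexdigest()
    except UnicodeEncodeError:
        return False
    matched = False
    for stored in STORE.get(presented[:PREFIX_LEN], []):
        # Constant-time comparison; every candidate sharing the prefix is checked.
        matched |= hmac.compare_digest(stored, digest)
    return matched


def same_prefix_forgery(raw):
    """Constructed negative case: correct lookup prefix, wrong remainder."""
    return raw[:PREFIX_LEN] + "A" * (len(raw) - PREFIX_LEN)
```
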
What the CPA Sees
The portal presents a professional, read-only interface with a sticky header bar showing the HOA name, firm name, engagement type, period, and days remaining. A gold "Read-only access" banner is always visible.
The left sidebar provides navigation to 12 sections:
Portal Sections
| Section | What It Contains | CSV Export |
|---|---|---|
| Overview | Engagement details, journal entry count, active account count, artifact count | No |
| Trial Balance | Account balances as of period end, filterable by fund | Yes |
| Fund Reconciliation | Beginning balance, net income, transfers, ending balance per fund | Yes |
| Integrity Scans | Latest integrity scan snapshots with status badges (GREEN/YELLOW/RED), drill-down to findings by severity | No |
| Journal Register | All posted entries in period, filterable by account, date range, and transaction type. Paginated at 50 entries. | Yes |
| Chart of Accounts | Active accounts with per-account balances as of period end | Yes |
| Artifacts | Institutional packets (RC, RSR, CEP, VECR, etc.) generated during the engagement period | No |
| AR Aging | Receivables aging by unit: current, 1–30, 31–60, 61–90, over 90 days | Yes |
| AP Aging | Payables aging by vendor: current, 1–30, 31–60, 61–90, over 90 days, with bill-level detail | Yes |
| Fund Statements | Fund-comparative balance sheet and income statement for the engagement period | No |
| Enforcement | Enforcement decision history with outcome filters (ALLOW/BLOCK/OVERRIDE), block rate, drill-down to individual decisions with full guard chain results | No |
| Close Packages | Close evidence packs (CEP) with risk flag summaries: total flags, critical count, high count | No |
Every section is scoped to the engagement's HOA and period window. The CPA cannot see data outside the granted time range.
CSV Exports
Six sections support CSV export. The CPA clicks the export link and receives a file named with the HOA name and period end date. Every export is logged as a separate event with resource_type set to export_trial_balance, export_journal_register, etc.
Export formats follow standard accounting conventions:
| Export | Columns |
|---|---|
| Trial Balance | Account Number, Account Name, Account Type, Debit, Credit, Net Balance |
| Journal Register | Entry #, Date, Description, Transaction Type, Fund, Line Account #, Line Account, Line Description, Debit, Credit |
| Chart of Accounts | Account Number, Account Name, Account Type, Account Role, Balance |
| AR Aging | Unit, Owner, Current, 1-30 Days, 31-60 Days, 61-90 Days, Over 90, Total |
| AP Aging | Vendor, Bill #, Bill Date, Due Date, Balance, Days Past Due, Bucket |
| Fund Reconciliation | Fund, Beginning Balance, Net Income, Transfers In, Transfers Out, Ending Balance, Balanced |
Scope Manifest
Engagements can be restricted to specific portal sections using the scope manifest — a JSON list of allowed section keys stored on the engagement record.
If the scope manifest is empty (the default), all 12 sections plus integrity detail and enforcement detail are accessible. If populated, only the listed sections are permitted. A CPA attempting to access a restricted section sees a clear error message.
Available section keys:
overview, trial_balance, fund_reconciliation, integrity, integrity_detail, journal_register, chart_of_accounts, artifacts, ar_aging, ap_aging, enforcement, close_packages, fund_statements
This allows an HOA to grant a tax preparer access to only the trial balance and journal register, while a full audit engagement gets all sections.
Engagement Types
The engagement type is informational — it appears in the portal header and event log but does not affect which sections are accessible. Scope restriction is controlled separately via the scope manifest.
| Type | Typical Use |
|---|---|
| Review | Annual review engagement (most common for small HOAs) |
| Financial Audit | Full financial statement audit |
| Compilation | Financial statement compilation |
| Tax Preparation | Form 1120-H or state tax return preparation |
| Agreed-Upon Procedures | Specific procedures defined by engagement letter |
Access Logging
Every portal interaction creates an immutable AuditEngagementEvent record. Events cannot be modified or deleted after creation — the save() method rejects updates via the _state.adding check.
Each event records:
| Field | Description |
|---|---|
| Event Type | CREATED, ACCESSED, DOWNLOADED, EXPIRED, or REVOKED |
| Resource Type | Which section was viewed (e.g., trial_balance, ar_aging, export_journal_register) |
| IP Address | The CPA's IP address at the time of access |
| User Agent | The browser identification string |
| Timestamp | When the access occurred |
The HOA can see aggregated access data on the Vault engagement list: total access count, first accessed date, and last accessed date. The full event log is available through the admin interface.
Managing Engagements
The Vault's Audit Portal tab shows all engagements for the HOA with status badges:
| Status | Badge | Meaning |
|---|---|---|
| ACTIVE | Green | Currently accessible, not expired |
| EXPIRED | Yellow | Past expiration date, auto-expired |
| REVOKED | Red | Manually revoked by an HOA administrator |
Auto-Expiry
When a CPA accesses the portal after the expiration date, the system automatically transitions the engagement to EXPIRED status and logs an expiration event. No manual intervention is required.
Revocation
An HOA administrator can revoke an active engagement at any time from the Vault. Revocation is immediate — the CPA's next request will see an error message. The revocation is logged with the revoking user's identity.
Creating a New Engagement
If an engagement expires or is revoked and the CPA still needs access, create a new engagement. Each engagement has its own token, expiration, and event log. There is no mechanism to extend or reactivate an expired engagement. This is deliberate — each engagement is a discrete, auditable grant of access.
Data Mode
Engagements support two data modes:
| Mode | Behavior |
|---|---|
| LIVE | Portal queries run against the current ledger, scoped to the engagement period. Data reflects the latest posted state. |
| SNAPSHOT | Reserved for future use. Will freeze data at a point in time for reproducible audit evidence. |
The default is LIVE mode. All queries are scoped by the engagement's period start and end dates, ensuring the CPA sees only data within the granted window while still reflecting the most current posted state of that data.
How CommunityPay Enforces This
- Access token stored as SHA-256 hash with 12-char prefix lookup — raw token shown once and never persisted
- Every portal page view creates an immutable AuditEngagementEvent with IP, user agent, and resource_type
- Scope manifest restricts which of the 12 portal sections are accessible per engagement
- All queries scoped to engagement HOA and period window — no data outside the granted time range
- CSV exports logged as separate audit events with granular resource_type tracking
- Auto-expiry on first access after expiration date — no manual intervention required
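The revocation, auto-expiry, scope manifest and logging rules above, combined into one request gate as an added Python sketch that is not CommunityPay's code. The class and function names, the order of the checks, logging exports with the DOWNLOADED event type, and requiring the section's own key for its export are all assumptions; the frozen dataclass stands in for the immutable event record.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Event:
    """Stand-in for AuditEngagementEvent: fields cannot be changed after creation."""
    event_type: str
    resource_type: str
    ip: str
    user_agent: str
    at: datetime


@dataclass
class Engagement:
    status: str                                          # ACTIVE, EXPIRED or REVOKED
    expires_at: datetime
    scope_manifest: list = field(default_factory=list)   # empty = all sections
    events: list = field(default_factory=list)


def authorize(eng, section, ip, user_agent, now, export=False):
    """Decide one portal request; return (allowed, reason) and log what happened."""
    def log(event_type, resource_type):
        eng.events.append(Event(event_type, resource_type, ip, user_agent, now))

    if eng.status == "REVOKED":
        return False, "revoked"
    if eng.status == "ACTIVE" and now > eng.expires_at:
        eng.status = "EXPIRED"          # auto-expiry on first access after the date
        log("EXPIRED", section)
    if eng.status != "ACTIVE":
        return False, "expired"
    # Empty manifest (the default) permits every section; a populated one is an allow-list.
    if eng.scope_manifest and section not in eng.scope_manifest:
        return False, "out_of_scope"
    if export:
        log("DOWNLOADED", "export_" + section)   # assumption: exports use DOWNLOADED
    else:
        log("ACCESSED", section)
    return True, "ok"
```

Because an empty manifest grants every section, a restricted engagement depends on the manifest actually being populated at creation time.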