Compliance Hub

Track software vendors, run recurring access and security review attestation cycles, log required changes, and produce auditor-ready evidence packages for SOX and SOC 2 compliance.

MangoApps

Category: Operations & Safety
Version: 1.0.0
Installs: 0
Published: Jun 2026
Type: App

Overview

Compliance Hub gives compliance owners a single place to run a SOX or SOC 2 program without leaving MangoApps. It adds a control register (the list of controls an auditor walks), recurring review campaigns that fan out attestations to reviewers (review user access, review access roles, review security certifications), an evidence registry that links each control to the records that prove it — vendor SOC 2 certifications, change requests, form submissions, or uploaded files — and one-click auditor exports that snapshot controls, sign-off trails, and evidence as a point-in-time package. It composes with the apps you already use (Asset Pro / Supplier Hub for the software-vendor inventory, Contracts for vendor certifications and obligations, and Service Desk Change Management for the change log) rather than re-modeling them. Built for first-time compliance programs that need structure inside their everyday platform, not a separate GRC tool.

Highlights

Maintain a control register — the list of SOX or SOC 2 controls an auditor walks.
Run recurring review cycles that fan out attestations to reviewers and track completion.
Capture sign-off with decision notes and evidence, then lock the campaign for audit integrity.
Link each control to the records that prove it — vendor certifications, change requests, or files.
Generate auditor-ready export packages with controls, evidence, and the full sign-off trail.
Composes with Asset Pro, Contracts, and Service Desk instead of re-modeling your data.

Capabilities

Control Register
  • Define controls with reference code, framework, category, and owner
  • Frameworks (SOX, SOC 2, ISO 27001, HIPAA, custom tag)
  • Per-control review frequency (monthly/quarterly/semiannual/annual)
  • Due-soon and overdue control tracking on the dashboard
  • Prebuilt framework control libraries (SOX, SOC 2, ISO 27001, HIPAA)
  • One-click framework import + import-the-gaps
  • Cross-framework crosswalks ("satisfy once, cover many")
  • Coverage matrix (frameworks × category)
  • Console-authored, curated control catalog (super-admin)
Review Campaigns & Attestations
  • Recurring review cycles (Annual Access Review, Quarterly Cert Review)
  • Campaign types: access review, certification review, change review, general
  • Fan-out review items to assignees with attest / flag / N/A decisions
  • Decision notes and per-item evidence upload
  • Completion gate — all items resolved before a campaign can complete
  • Campaign locks on completion for audit integrity (admin-only unlock)
Evidence Registry
  • Link evidence to a control, campaign, or item
  • Use existing records as proof (vendor SOC 2 cert, change request, form submission)
  • Attach uploaded files as evidence
  • Evidence rollup per control
Auditor Export
  • Point-in-time export of controls, sign-off trail, and evidence
  • Export history (who exported what, when) — never deleted
  • CSV / XLSX workbook package
  • Live external auditor portal (read-only login): Tier 2 (Tier 1 ships an exported package)
Composes With
  • Asset Pro / Supplier Hub — software-vendor inventory
  • Contracts — vendor certifications and recurring obligations
  • Service Desk — change-management change log

Use cases

Annual user access review
Launch an access-review campaign that fans out one attestation per user or role-holder; reviewers confirm access is appropriate, flag exceptions, and the campaign locks when complete.
Vendor security certification review
Run a certification-review campaign over active vendor SOC 2 / COI certifications, attaching each certificate as evidence and surfacing expiring ones.
Documented change review
Review the change requests logged in Service Desk for a period, attesting each was authorized and documented per SOX requirements.
Auditor evidence package
Export a point-in-time package of controls, their state, sign-off trails, and linked evidence to hand to an external auditor.

FAQ

No. Compliance Hub is a focused compliance layer inside MangoApps — control register, review campaigns, evidence, and auditor export. It deliberately omits prebuilt framework libraries, risk registers, and continuous monitoring, and composes with apps you already use.

From Asset Pro and Supplier Hub, which share one Vendor record. Compliance Hub reads them rather than maintaining a separate vendor list.

A completed campaign is locked and its items become read-only for audit integrity. An admin can explicitly unlock it to allow re-attestation; the unlock itself is recorded.

Tier 1 produces a CSV / XLSX workbook of controls, sign-off trails, and evidence. A live read-only auditor portal is a future enhancement.
