Skip to main content
GrantPipe logo

External Review Session

Published: Last updated: Reviewed:

TLDR

An External Review Session is the building block behind every Auditor & Funder Portal invitation: a secure, scoped, time-limited access link that proves what was shared, with whom, and for how long.

An External Review Session is the mechanism that makes an Auditor & Funder Portal work without giving external reviewers a full account. Rather than creating a user in the system, the organization creates a secure, scoped, time-limited access link for a named reviewer.

How access stays scoped

The organization chooses the reviewer, the grant and fund scope, the included documents, and the access end date before sending the invitation. When the reviewer opens the link, GrantPipe performs server-side verification and displays only the records included in that session.

If the scope is wrong, the organization should revoke the session and create a new one with the correct records. If the review ends early, revocation stops access before the scheduled end date. Both automatic expiration and manual revocation are captured in the audit trail.

What the session log captures

The audit trail records every interaction during the session:

  • The reviewer name and email from the invitation
  • The specific record accessed (grant, document, fund summary)
  • The action type (view, download)
  • The UTC timestamp

The log is append-only. Neither the reviewer nor the organization can remove entries.

See Also

Free resource

Get the Auditor Evidence Checklist

What auditors need from nonprofit grantees - organized by section. Build your evidence bundle without missing the documents that typically produce findings. Delivered by email.

Looking for something else?

We'll email the resource and a short follow-up sequence. Unsubscribe any time.

Email is required because the download link is delivered by email, not on-page.

Q&A

Why use an External Review Session instead of creating a full user account?

A full user account usually creates broader and longer-lived access than an auditor or funder needs. An External Review Session is narrow by design: it is scoped to selected records, ends on a date the organization controls, and can be revoked when the review is finished.

Q&A

Can an external reviewer forward their session link to someone else?

Forwarding a link may be possible depending on the organization's access controls. This is why the organization should set a short access window, scope the session narrowly, and revoke access immediately if the link may have reached an unauthorized party.

Q&A

What happens when a session expires?

When the access window ends, the reviewer can no longer open the portal view. No further action is required from the organization unless it wants to create a new session with a later end date.

Frequently asked

Frequently Asked Questions

No. A guest login typically creates a persistent credential for an ongoing relationship. An External Review Session is single-purpose, scoped to a specific set of records, and expires automatically. There is no persistent credential to manage or revoke over time.
Every action in the session, including opening a document, downloading a file, or viewing a fund summary, is recorded in the organization's audit trail with the reviewer name from the invitation, the UTC timestamp, and the specific record accessed.
The safer workflow is to create a new session with a later end date and send a fresh access link. That keeps each review window explicit in the audit trail.

Keep reading

Go deeper

Next step

Check the workflow against GrantPipe.

Start a 1-month free trial and test donor, grant, restricted-fund, and compliance work in one place.

Start your 1-month free trial See pricing and fit