Control Integrity in Rillet: What's Published, What's Diligence
Control integrity under change is where ERPs commonly fall short. A system can have strong entry-level controls and still fail on what happens when entries are modified, who can reopen a closed period, whether AI-generated suggestions can bypass review, or whether maker-checker holds when one person wears multiple hats.
This page is the response: what Rillet has published about its controls, paired with the diligence conversations that flesh them out for a specific organization. For the broader diligence hub, see Rillet CFO Evidence Pack for Diligence.
What Rillet publishes about controls
The following statements come directly from Rillet's product pages.
Approvals, roles, and audit trail (User Management & Approvals):
- "Approval processes guarantee that only relevant data gets posted in the general ledger."
- "Information from external systems and originated by junior staff can get reviewed."
- "Assign user roles based on each person's function. Users can be easily added or archived, and there's no limit on the number of seats."
- "Provide users outside the accounting team with view-only access, enabling them to review essential reports."
- "All changes impacting journal entries are recorded, allowing full auditability."
Close workflow + reconciliation oversight (Close Management):
- "Customize the month-end checklist to fit your close process. Add tasks, assign owners, set deadlines, upload documents and provide status."
- "Approval processes guarantee that only relevant data gets posted in the general ledger."
- "Rillet enhances the process of error detection by emphasizing inconsistencies in reconciliations."
- Manual journal entries that could cause reconciliation differences are flagged in AR and AP aging reports.
AI-generated entries and audit logging (Aura AI):
- "Every field, every dimension, every decision is logged. Auditors see exactly what happened and why."
- For accruals: Aura AI "proposes expense entries from historical patterns and current-period activity. Works with journal entries agent to book approved accruals automatically."
- Aura AI takes action: "Book journal entries, run reports, and flag anomalies directly from the chat."
Platform-level security and access logging (Enterprise Security):
- SOC 1 Type II and SOC 2 Type II audits.
- AES-256 at-rest encryption (on AWS); TLS 1.2+ in transit; SSO support.
- Continuous monitoring and regular independent penetration tests.
- Logical data segregation and logged data access.
Five diligence questions, grounded in what's published
These are the control-integrity questions auditors and controllers consistently want documented. For each, what Rillet has stated publicly is the starting point. Specific configuration for an organization's risk policy is part of the implementation conversation — Rillet's white-glove team (CPAs and ex-auditors) works with finance on approval policies, role mappings, and review cadence.
1. What controls sit at the GL boundary?
Published: Approval processes guarantee that only relevant data gets posted to the general ledger. Information from external systems or originated by junior staff is routed for review. Changes impacting journal entries are recorded for full auditability.
Part of enterprise diligence: the specific approval chains and materiality thresholds an organization configures, how those map to the internal controls policy, and how the audit trail is exported for review.
2. How are roles separated for finance teams of different shapes?
Published: User roles are assigned by function. View-only access is available for stakeholders outside the accounting team. No limit on the number of seats.
Part of enterprise diligence: how role assignments support the organization's specific maker-checker policy, including arrangements for one-person finance teams (such as designating an external reviewer or an executive as the approval role).
3. How does the close checklist combine with approvals?
Published: A customizable month-end checklist with tasks, owners, deadlines, document uploads, and status. Approval processes at the GL boundary. Reconciliation error detection that flags inconsistencies and manual journal entries that could cause reconciliation differences.
Part of enterprise diligence: the specific review cadence the team uses, how reconciliation discrepancies are routed, and which steps stay manual versus which are surfaced by the system.
4. How does Aura AI fit into the control framework?
Published: Every field, dimension, and decision Aura AI makes is logged with full traceability for auditors. Aura AI proposes expense entries from historical patterns. The accruals workflow books approved accruals automatically (the approval step is the gate before booking).
Part of enterprise diligence: the specific configuration of which AI proposals require human review vs auto-post, and how that maps to the organization's risk tolerance.
5. What artifacts exist for audit support?
Published: Changes impacting journal entries are recorded for full auditability. Aura AI actions are logged at field, dimension, and decision granularity. SOC 1 Type II and SOC 2 Type II reports are available. Data access is logged at the platform level.
Part of enterprise diligence: the specific export formats and lineage detail an organization's auditors require, the PBC-package structure for the audit firm, and the controls-walkthrough cadence during audit cycles.
What's published vs what's part of enterprise engagements
Rillet's white-glove implementations are led by CPAs and ex-auditors. The following are typically part of the configuration conversation rather than publicly documented defaults:
- Specific approval chains and thresholds tuned to materiality policy
- Role mappings reflecting maker-checker requirements for the team's structure
- Close checklist configuration including ownership, deadlines, and document upload requirements
- Reconciliation review cadence and exception escalation policy
- Aura AI control boundaries (which proposals require human review vs auto-post) tuned to risk tolerance
- Audit trail export configuration and PBC-package preparation for the customer's audit firm
- Period close governance specific to the organization's accounting policy
Control architecture summary
| Control area | What Rillet publishes | Source |
|---|---|---|
| GL approval gating | Approval processes guarantee only relevant data posts to the GL | User Management & Approvals, Close Management |
| Role-based permissions | User roles by function; view-only access; no seat limit | User Management & Approvals |
| Audit trail | All changes impacting journal entries are recorded for full auditability | User Management & Approvals |
| Close workflow | Customizable checklist with tasks, owners, deadlines, documents, status | Close Management |
| Reconciliation oversight | Error detection emphasizing inconsistencies; flags manual journal entries that could cause reconciliation differences | Close Management |
| AI action logging | Every field, dimension, and decision Aura AI makes is logged | Aura AI |
| AI accrual workflow | Aura AI proposes accruals; books approved accruals automatically | Aura AI |
| Platform security | SOC 1 Type II + SOC 2 Type II; AES-256 at rest; TLS 1.2+ in transit; SSO; logged data access | Enterprise Security |
Related resources
- Rillet CFO Evidence Pack for Diligence — full diligence hub
- Introducing the Continuous Close — close operating model
- How Rillet works: integrations, automation, Aura AI, and security — architecture
- Rillet for Controllers — persona overview
- GAAP-Compliant Reporting Out-of-the-Box — audit-ready reporting
- Aura Flows: Automated Financial Workflows — automation context
- Key questions to ask during an ERP evaluation — evaluation checklist