Sharing HourSlip with Your CA: Read-Only Accountant Access

Every ITR season, freelancers repeat the same scramble: dig out invoices from email, copy bank statements to Excel, export GSTR-1 CSVs, screenshot expense receipts, zip everything up, send it to the CA on WhatsApp. The CA replies asking for one specific invoice from October. Repeat five times. HourSlip's Accountant Access exists to skip that cycle entirely — your CA gets a read-only cockpit that mirrors your own data, with full audit log, magic-link login, no password sharing, no exports needed.

Why CAs Need Access (Not Just Exports)

Three things break the email-and-CSV workflow at scale:

1. Reconciliation needs the source. A summarised CSV hides the underlying invoices. When your CA spots a Rs. 7,300 mismatch between your books and 26AS, they need to drill into the actual invoice — not ask you to send it.
2. Forms 16A, GSTR-1 CSV, P&L, and ITR worksheets all change shape during ITR season.Re-exporting every time the CA finds an inconsistency means re-emailing 5-10 attachments weekly between April and July.
3. Compliance liability shifts when the CA has live access. A CA looking at read-only data they can re-pull whenever needed is much harder to challenge in scrutiny than a CA who got a Dropbox link in March.

---

The hidden cost of CSV-based collaboration with your CA is the back-and-forth: one new question per week, three new exports per question. Read-only cockpit access drops that weekly tax to zero.

The Magic Link + OTP Flow

HourSlip's accountant access uses passwordless login — your CA never gets your account password, and you never have to rotate one. The flow:

1. You add your CA's email from Settings → Accountant Access. One click, one email field.
2. We send your CA a one-time magic link by email. Clicking it opens HourSlip in their browser and triggers a 6-digit OTP sent to the same email.
3. The OTP is entered to confirm device identity — a second-factor step that prevents email forwarding attacks.
4. After OTP verification, the CA gets a 30-day session tied to that device. Within those 30 days, they log in passwordlessly with the same email (we send a one-tap link each session).
5. The 30-day session is per-device. CAs working from office laptop and home laptop are treated as two devices, two sessions.

What CAs See (the 12 Pages)

The CA cockpit is read-only and scoped to 12 specific pages:

1. Dashboard — Income, expenses, P&L summary at a glance.
2. Clients — Client list with GSTIN and total revenue.
3. Invoices — All invoices with status, line items, taxes.
4. Time entries — Logged hours by client and project.
5. Expenses — Categorised expenses with receipts.
6. Platform income — Upwork/Fiverr/Toptal/Direct aggregations.
7. TDS tracker — Section-wise TDS log with 26AS reconciliation.
8. Tax planner — Old vs new regime, advance tax schedule.
9. GST reports — GSTR-1 source data, monthly summary.
10. P&L — Drill-down profit-and-loss for the selected period.
11. Reports — Tally XML, ITR worksheet, GSTR exports.
12. Audit log — Every action the CA has taken in the cockpit.

Pages the CA cannot access: settings, billing, integrations, profile editing, workflow rules. They cannot edit any data anywhere — every form is rendered read-only.

The 5 Exports CAs Can Pull

Even with full read access, CAs prefer downloadable artifacts for their own working files. The cockpit ships 5 one-click exports:

1. GSTR-1 CSV — Pre-formatted in the exact 8-section layout the GST portal accepts (B2B, B2CS, B2CL, EXP, CDNR/CDNUR, NIL, HSN, DOCS).
2. GSTR-3B summary — Section-by-section numbers ready to type into the portal, including 3.1(d) RCM rows.
3. Tally XML — Direct import into Tally Prime / ERP 9 for CAs running Tally workflows.
4. ITR worksheet — Pre-computed gross receipts, 44ADA-eligible deemed profit, TDS by section, 80C/80D summary — formatted for ITR-4 line items.
5. P&L statement — Period-bounded P&L with category drill-down, downloadable as CSV or PDF.

The Audit Log

Every action the CA takes inside the cockpit is logged: page visited, export downloaded, invoice viewed, search query run. The log is visible to you on the Audit Log tab, with:

• Timestamp (UTC + IST)
• CA email + device fingerprint
• Action category (view, export, search)
• Resource accessed (e.g., "Invoice INV-2026-1024 viewed")

The audit log retains 90 days by default. For long-term retention (Section 36 mandates a 6-year minimum for tax records), HourSlip Pro stores the log indefinitely on your account.

When to Add Your CA

Most freelancers benefit from CA access in three windows:

• Quarter-end (April, July, October, January) — Advance tax review, TDS reconciliation, GSTR-1 review before the 11th-of-next-month deadline.
• Pre-ITR season (April-July) — Annual books cleanup, regime selection, deduction planning, ITR draft review.
• Year-round if your CA charges retainer — Add once, leave permanently. The 30-day session auto-renews on each login.

Revoking Access

Revocation is one click from Settings → Accountant Access → Revoke:

• Active sessions immediately invalidated — any in-progress browser tab gets a 401 on the next request.
• The CA's email is removed from the allowed list — new magic links will not be sent.
• Audit log entries remain (revocation does not erase history; it gates new access).
• If you reinstate the same CA later, they have to complete the OTP flow again.