Adding & Managing Auditors

Written by Shannon DeLange
Updated today

Before you assign an auditor to an audit engagement, you need to add the audit firm to your Vanta domain so they can log in to the auditor portal. What auditors can see in their Vanta portal depends on the audit engagement they’re assigned to, the framework and scope of your audit, and the permissions you’ve enabled.


Managing audit firms

Adding an audit firm to your domain allows you to assign specific audit engagements to individual auditors. Those engagements appear in the auditor portal the auditors log in to. Adding the firm does not grant them access to your Vanta account.

Adding an audit firm to your domain

To add an audit firm:

  1. In your account header, click the ⚙ settings icon.

  2. Open the User permissions page and select the Auditors tab.

  3. Click the + Add auditor button.

  4. Use the drop-down menu to search for the audit firm. Or if you don’t see your auditor in the list, click the link to invite them to Vanta.

  5. Click the Grant access button.

After you grant an audit firm access to your Vanta domain, we’ll email the point of contact you added to confirm access and direct them to their auditor dashboard in Vanta. The audit firm can log in to Vanta, but auditors can only see data if they’re assigned to an audit engagement.

Removing an audit firm from your domain

Removing access revokes the audit firm’s ability to be assigned to any audit engagements. It does not delete or modify any existing audits, but auditors from that firm will no longer be able to view or open those audits until access is granted again.


Assigning auditors

After an audit firm is added to your domain, you can assign individual auditors to specific audit engagements. Auditors won’t be able to access the audit engagement until the observation window opens (unless you choose to grant early access).

If the audit firm hasn’t been granted access to your domain, an auditor you add to an audit engagement may not be able to see it in the auditor portal.

Assigning an auditor to a new audit engagement

To add an auditor to a new audit:

  1. On the Audits page, click the Add audit button.

  2. In the Audit name field, use the drop-down menu to search for the audit firm.

  3. Once you complete setting up your audit, click Add audit. Vanta will send an email notification that a new audit engagement was created (sent to admins on your side and admins at the audit firm).

If you don’t see your auditor in the list, click the link to invite them to Vanta—this will allow you to add the audit firm to your domain so they can access audit engagements you assign to them.

Assigning an auditor to an existing audit engagement

  • You may have created an audit without assigning an auditor—this is helpful if you want to prepare your audit and see how ready you are and view what the auditor will see before assigning them.

  • To add an auditor to an existing audit, click the ••• more menu and select Assign to audit firm.

  • If you don’t see your auditor in the list, first you need to add the audit firm to your domain.

Editing auditors on an existing audit engagement

  • To see which auditors have access, click the ••• more menu and select Edit auditors. Updates to engagement assignments don’t trigger an email notification. If you need the auditor to take action, message them directly and confirm they can see the engagement in their dashboard.

  • You can add multiple auditors from the same audit firm. However, if you want to assign an audit to multiple audit firms, you will need to make a separate audit for each audit firm.


Auditor portal access

Auditors can only access an audit engagement in the auditor portal once they’re added to your domain, assigned to the engagement, and the observation window begins (unless you choose to grant early access).

Auditors have access to:

  • A dedicated audit portal: They do not have access to your full Vanta instance. The audit appears in their portal once assigned, but they can’t open it until the observation window starts. If needed, they can request early access to perform a readiness review.

  • The selected frameworks: Auditors can view controls and supporting evidence (including tests, documents, and policies) related to the frameworks being audited. They can also request access to additional evidence if needed.

  • Time-bound access: Auditor visibility is limited to the audit observation window. When an audit is marked completed, access is automatically removed and the engagement can no longer be opened in their portal.

You can preview what your auditor will be able to see by opening the audit from the Audits page. This shows you the same controls and supporting evidence your auditor will be able to access for that engagement. Learn more: How to view Vanta as an auditor


Managing auditor permissions

Auditors may also have permission to add additional auditors, start new audits, or modify evidence mappings. You can control these permissions by navigating to Compliance, opening the Settings page, and scrolling to the Auditor actions section.

Auditors can modify control mappings

When enabled, auditors can modify control mappings directly from the evidence drawer by clicking the + Add control button. When disabled, auditors can only view the related controls.

[Screenshot: example auditor view when the setting is enabled]

Auditors can add new audits

When enabled, audit firms added to your domain can create new audits on behalf of your company. From their auditor dashboard, an auditor can create a new audit and select your company from the drop-down menu. When disabled, auditors won’t be able to select your company from the drop-down menu.

[Screenshot: example auditor view when the setting is enabled]

Auditors can add others to existing engagements

When enabled, auditors can add additional auditors from the audit firm to existing audit engagements. When disabled, this information is view only for the auditor.

[Screenshot: example auditor view when the setting is enabled]