✅ Feature availability: Vanta’s default request list is available on all plans. The Information Request List (IRL) feature is available as an upgrade or add-on. Refer to Vanta Plans and Pricing for details.
The Audits page is where you create and manage your organization's audits in Vanta, from setting up the audit and granting auditor access to tracking evidence readiness and uploading your final report.
⚙️ User permissions: Admins and Editors can add audits and manage audit settings from the Audits page. Learn more: User Permissions by Product Area
Getting started
Vanta supports two audit experiences. The experience you're in depends on whether your account has Information Request List (IRL) enabled and the type of information request list you’re using:
Using Vanta’s default request list: Vanta automatically generates a request list based on your framework and syncs evidence from across your compliance program. This is the audit experience for accounts without IRL enabled.
Importing your own request list: You import your auditor's request list and manage evidence request by request. Only available when IRL is enabled on your plan. When IRL is enabled, this is the default selection when creating an audit—though you can choose the default request list instead.
Identifying your experience
Identifying your experience
You can identify which experience you have in two ways: when creating an audit or on an existing audit.
When creating an audit
If you see an Advanced options section in the audit creation flow, IRL is enabled on your account. You can choose between Vanta's default request list or importing your own request list. If you don't see that setting, your audit will use the default request list.
On an existing audit
On the Audits page, your audit will display Evidence tracker if you're using the default request list or Request tracker if you're importing your own request list.
Using the Audits page
Using the Audits page
The Audits page is your central hub for managing the audits across your organization.
The Active and Completed tabs organize audits by status.
Audit status can be Upcoming, In audit, or Awaiting report, or Completed.
Search by audit name, or filter by audit firm, framework, status, or audit type. If your organization has business units configured, you'll also see a filter for business units.
Click the ••• menu at the top of the page to access Compliance settings related to audit management.
Click the ••• menu next to an individual audit to delete it as needed.
Adding a new audit
From the Audits page, click + Add audit to get started. You'll configure core settings like your framework, audit type, auditor, and request list, then set your audit dates and review your selections before confirming.
The two key decisions that shape the audit experience are your framework and your request list selections. The framework determines which controls, tests, and evidence are in scope. The request list determines how evidence is collected and shared with your auditor, and which features are available to you during the audit.
💡 Tip: After you create an audit, you can edit the following settings: audit name, auditor, owner permissions, audit window or audit date, and early access to data. Other settings can't be changed after the audit is created, so it's worth discussing these with your auditor before you begin. If you're not ready to involve your auditor yet, just leave the audit firm blank—this lets you explore the setup and assign a firm later when you're ready, or delete the audit and start fresh.
Framework or segment
Framework or segment
The framework you select determines which controls, tests, and evidence are scoped to your audit. This setting can't be changed after the audit is created.
How you select a framework depends on how your organization is set up:
Framework: Select one of the frameworks you've purchased—for example, SOC 2, ISO 27001, or HIPAA.
Segment: If your organization has business units configured, you'll select the segment instead. Segments combine a framework with a business unit—for example, SOC 2 for your EMEA division.
Audit name
Audit name
The audit name auto-populates based on your framework or segment selection.
You can edit the audit name during audit creation or after the audit is created.
The audit name can be up to 100 characters.
Audit type
Audit type
The audit type setting determines how the audit is labeled and who can be assigned as the auditor. This setting can't be changed after the audit is created.
External: The audit is being conducted by an independent third-party auditor for certification, attestation, or regulatory purposes.
Internal: The audit is being performed by your organization or a representative acting on your behalf to evaluate controls and identify improvement opportunities.
Audit firm
Audit firm
If you're working with an audit firm on either an external or internal audit, use this field to add them.
You need to add the audit firm to your Vanta domain before they'll appear in this list.
This field is optional when creating the audit, so you can leave it blank to add an audit firm later.
Once assigned, the audit firm can't be changed.
Auditor
Auditor
Select the auditor who will be conducting the audit. How the auditor field works depends on your audit type and whether you select an audit firm.
Assign to an auditor
Available for both external and internal audits.
The auditor dropdown activates after you select an audit firm. The available auditors are pulled from the firm you chose.
If the auditor isn't in the list, the audit firm will need to add the auditor for you.
If you select an audit firm, you must also select an auditor before you can finish creating your audit. Remove the audit firm selection to add an auditor later.
After audit creation, you can add or remove auditors as needed, as long as they’ve been added to the same audit firm assigned to the audit.
Assign to an internal user
Only available for internal audits.
Be sure to select the internal audit type.
Leave the audit firm blank—the auditor dropdown will switch to show eligible users in your organization.
Internal users must be assigned a Collaborator role or higher (any non-Employee user role) to be assigned to the audit.
Once assigned, the user has auditor permissions for that audit, allowing them to complete auditor workflows. These permissions override other permissions they may have within the audit they’re assigned to, such as managing request owners or sharing evidence.
ℹ️ Note: You can only assign an internal audit to an internal user if your organization has the IRL experience enabled and you’re importing your own request list.
Request list
Request list
The request list setting determines how evidence is collected and shared with your auditor. This setting can't be changed after the audit is created.
Use Vanta's default request list: Vanta automatically syncs evidence from your compliance program to your auditor based on your framework. This is the right fit if you want a guided, automated workflow and your audit aligns well with Vanta's standard framework tests.
Import your own request list: With the IRL experience, you control exactly which evidence gets collected and shared with your auditor, working from a custom request list your auditor provides. This is the right fit if your auditor has a specific list they want you to work from, or if you need to control what evidence is shared and when. This is the default selection when the IRL experience is enabled on your account.
ℹ️ Note: This setting appears in the Advanced options section, which is only visible if your organization has the IRL experience enabled. If you don't see Advanced options, your audit will use Vanta's default request list and full auditor view.
Auditor view
Auditor view
The auditor view setting controls how much of your compliance data your auditor can see. This setting can't be changed after the audit is created.
Full: Auditors have full visibility into population data and can explore records and attributes across your environment. Can only be selected when using Vanta's default request list.
Controlled: Auditor access to population data is limited to a subset of attributes, allowing you to restrict sensitive information while still enabling auditors to review and select samples. Available for both Vanta's default request list and when importing your own request list. The controlled auditor view is required when importing your own request list.
ℹ️ Note: This setting appears in the Advanced options section, which is only visible if your organization has the IRL experience enabled. If you don't see Advanced options, your audit will use Vanta's default request list and full auditor view.
Owner permissions
Owner permissions
The owner permissions setting determines whether Information Request Owners can perform auditor-facing actions. You can edit this setting after the audit is created.
Enabled: Information Request Owners can share evidence for internal review and post internal comments, as well as share evidence with the auditor and post auditor-facing comments.
Disabled: Information Request Owners can share evidence for internal review and post internal comments, as well as view auditor-facing comments. Only Admins and Editors can share evidence with the auditor and post auditor-facing comments.
ℹ️ Note: This setting appears in the Advanced options section, which is only visible if your organization has the IRL experience enabled and when importing your own request list. If you're using Vanta's default request list, this setting isn't available.
Audit window or audit date
Audit window or audit date
Set the dates for your audit. You and your assigned auditor can edit dates after the audit is created.
The date picker that appears depends on your framework:
Audit window: Select a start and end date for the audit observation period. Used for time-bound frameworks like SOC 2 Type II and ISO 27001.
Audit as of date: Select the single date the audit is conducted as of. Used for point-in-time frameworks like SOC 2 Type I.
💡Tip: Auditors can only access an audit engagement in the auditor portal once they're added to your domain, assigned to the engagement, and the observation window begins—unless you choose to grant early access to data. Learn more: Adding and Managing Auditors
Early access to data
Early access to data
Optionally grant your auditor access to your Vanta data before the audit window starts. This is useful for readiness checks and pre-audit preparation.
The early access date must be no earlier than the present date and no later than the audit start date.
This field is disabled until you've set an audit start date.
You can edit the early access date before the audit start date. Your auditor can request an earlier date, which you'll need to approve before it takes effect.
If you don't set an early access date, your auditor's access begins when the audit window opens.
Test evidence
Test evidence
Controls whether your auditor can view test evidence. This setting can't be changed after the audit is created.
Enabled: Your auditor can view test evidence to independently verify your test results. This setting is enabled by default.
Disabled: Your auditor can see test results but not the underlying records behind them.
ℹ️ Note: This setting only appears when using Vanta's default request list, where Vanta automatically syncs test evidence into your audit. If your organization has the IRL experience enabled and you’re importing your own request list, you manually attach test results to individual requests rather than having them sync automatically.
Managing an active audit
Once you create an audit, it’s added to the Active tab.
Each audit card shows a timeline with key dates at a glance.
Click ••• on the audit to edit available audit settings.
Click Open audit on any audit card to view audit details, manage evidence, and take action.
Default request list
Default request list
If your audit shows an Evidence tracker it means you're using Vanta's default request list:
Review evidence that Vanta has automatically synced to your audit from across your compliance program.
Work through any evidence flagged by your auditor and resubmit for review.
Monitor overall evidence readiness using the evidence tracker.
Custom request list
Custom request list
If your audit shows a Request tracker it means you're using an imported request list (IRL):
Work through your auditor's requests one by one—assign owners, attach evidence, and track progress.
Move requests through internal review as needed before sharing them with your auditor.
Monitor overall request readiness using the request tracker.
📖 Learn more: Managing an Information Request List (IRL)
Managing completed audits
An audit moves to the Completed tab when the audit report is uploaded. If no report has been uploaded, the audit remains in the Active tab with an Awaiting report status, even if the observation window is past.
Uploading an audit report
Uploading an audit report
If you managed your audit in Vanta, upload the final report to move it to the Completed tab.
To upload an audit report:
Click the ••• menu next to the audit.
Select Upload report & complete.
Upload a PDF file (up to 50 MB).
Select the Completion date.
Click Upload and complete, which moves the audit to the Completed tab.
Uploading audits completed outside of Vanta
Uploading audits completed outside of Vanta
If your audit was conducted outside of Vanta, you can upload the final report to store it in the Completed tab without first creating an audit in Vanta.
To upload an audit report:
Click ••• at the top of the Audits page.
Select Upload audit report.
Check This audit is completed outside of Vanta.
Select the Standard (aka the framework) and enter the name of the Audit firm.
Select the Date audit was completed.
Upload a PDF or DOCX file.
Click Upload and complete.
ℹ️ Note: For audits conducted outside of Vanta, the ••• menu only includes Download report and Delete audit and there’s no Open audit option.
Downloading or replacing reports
Downloading or replacing reports
From the Completed tab, click ••• on a completed audit to view the actions available for that audit. The options shown depend on the audit type, how the report was uploaded, and your user permissions:
Download report: Download the audit report. If multiple reports are attached, you'll first choose which report to download.
Replace audit report: Upload a new version of the report. This option appears for completed audits with a report and is only enabled if the report was uploaded by your team. If the report was uploaded by your auditor, this option is disabled
💡 Tip: To add an audit report to your Trust Center, add it as a resource in your knowledge base. Learn more: Managing Your Knowledge Base
Duplicating an audit
With the IRL experience, you can duplicate an existing audit to start your next audit cycle without rebuilding your request list, control mappings, and settings from scratch.
📖 Learn more: Duplicating an Audit





