How will your Auditor use Vanta?

Written by Shannon DeLange
Updated this week

Auditors are integral to helping customers achieve compliance certifications and build trust with their clients, thereby scaling their compliance efforts. Vanta automates evidence collection and cross-maps controls across over 35 frameworks, streamlining the compliance process. However, an independent auditor must provide the official attestation for most security frameworks, including SOC 2 and ISO 27001. The customer and auditor collaborate closely to ensure every compliance control is backed by the required evidence and tests.

Audits occur during a specific period agreed between the auditor and the customer. The customer sets this audit period in Vanta; during it, auditors have access to evidence and are expected to complete their assessment. Auditors have limited access to the Vanta instance, scoped to what the customer has decided to share.

Evidence

The Evidence page is a repository for evidence that supports and is mapped to a customer's controls. Auditors will use this page to review ready-for-audit evidence and assess and approve evidence. If an auditor wants to add custom audit requests, they can do so from this page.

Auditors can directly communicate with customers by adding comments to individual pieces of evidence. This communication is centralized within the Vanta platform, and customers can receive notifications via email, Slack, or Microsoft Teams when comments are added. This allows for easy tracking of evidence that may require attention.

Typically, auditors need to retain and download information to support their testing. From the Evidence tab, auditors can export the evidence list, a policy packet, and security awareness training records. Information can also be exported from any individual piece of evidence. For pages that don't have an export option, an auditor can take a screenshot.

Controls

  • The Controls page offers a holistic view of your controls and their current status. From this page, the auditor will see automated tests and documents assigned to each control for testing purposes.

  • Auditors can map/re-map evidence to controls. However, the auditor cannot add or delete controls.

Frameworks

  • The Frameworks page organizes your controls based on the specific framework criteria to which they are mapped. Like the Controls Page, you'll find automated tests and documents assigned to each control for testing.

  • In this view, auditors review evidence for a particular control and can accept, flag, or mark it as not required.

  • Evidence in the auditor's instance can be a document, policy, or test. Auditors can also change the control status and comment on any evidence they review.

Risks

  • Risk management is essential to ensuring an organization proactively identifies and assesses risk scenarios that could impact it.

  • What the auditor can access in their environment is contingent on the settings you establish on the Risk register page.

  • Based on your settings, your auditor will be able to view either the snapshots of your risk program you have chosen to share, or your full risk register and the tasks managed in the action tracker.

Vendors

  • The vendor section contains your managed vendors and security reviews.

  • Here, auditors can understand the inherent risk, the residual risk score, and the security reviews associated with each vendor in your account.

Assets

  • Auditors have visibility into infrastructure through the Assets section, which surfaces third-party vulnerabilities, code changes, and network and subnet configurations.

  • Auditors can also view monitoring alarms that customers have established.

Please note: The Alarms and Code changes pages are unavailable in your Vanta instance.

Personnel

  • This section allows auditors to see personnel, computers, and access reviews.

Integrations

  • Integrations are a key part of the audit. This is where auditors can identify what integrations the customer has linked to Vanta, what resources are in scope for the audit, and a high-level overview of a particular integration.

  • For any integration, auditors can see what has been marked in and out of scope. If an auditor has questions about why a resource is marked out of scope, they can inquire directly with the customer. Auditors cannot change what is in scope; the customer manages this.

Complete an Audit Engagement

Customers use Vanta to automate compliance by automating the collection of evidence needed to demonstrate adherence to standards like SOC 2 or ISO 27001. Once Vanta has helped a company establish its security posture, an independent auditor steps in. Auditors use the customer's Vanta instance to conduct an unbiased evaluation of the organization's security controls, verifying that the implemented controls are properly designed and operating effectively. Auditors then generate a report summarizing their findings and grant accreditation upon a successful review. This accreditation allows customers to demonstrate their credibility and trustworthiness to prospective customers.

Most frameworks require yearly attestation, but with Vanta, security controls are continuously monitored with automated tests. When it is time for your next audit, Vanta will remind you to update and review evidence as needed, streamlining the audit process and ensuring you are always prepared.

FAQ

If someone is already working towards an audit, can they move what they have into Vanta to complete the audit?

Yes. To use Vanta for an audit, customers must deploy their Vanta instance. Existing company policies and documents can be imported into Vanta to take advantage of previous work.

Is evidence collection completely automated for compliance?

Vanta automates numerous tests required for audits, streamlining evidence collection and ensuring continuous compliance through always-on automated testing. Some controls, however, will still necessitate manual document updates to provide auditors with sufficient evidence.

If a customer is already using a GRC platform, is Vanta an easy lift and shift?

Vanta has historically moved several customers from competing platforms to Vanta. Vanta's customer success team and MSPs are available to assist customers with migrating from competing platforms to Vanta within a predetermined timeframe. The migration process for each tool will vary and require different levels of effort.