Vanta provides flexible control over the population data that auditors can access during an audit. This feature is particularly useful for security and compliance administrators who want to maintain transparency and control throughout their audit cycle.

Population data refers to the data points collected from your integrations (such as User ID or Database name) that help auditors assess compliance. It provides them with the visibility they need to select accurate and representative samples. Without access to this data, auditors can’t effectively confirm whether your controls are functioning as intended.

You can choose between two auditor views, Full View and Controlled View, based on your preferences for automation, transparency, and control.

Full Auditor View (Default)

The Full View offers auditors access to the entire population dataset and all related attributes. This allows them to self-serve and select samples directly in Vanta without assistance. It’s the fastest and most automated way to complete audits.

Plan Availability: Core, Plus, Growth, and Scale

Controlled Audit View

If you need to limit what auditors can see due to data sensitivity or internal policies, the Controlled View allows you to display only a subset of population attributes. Auditors can still select samples, but you’ll need to fulfill their requests manually, as they’ll not have access to all attributes.

Plan Availability: Growth and Scale only

When to Use Each View

Full View: Ideal for speed, efficiency, and automation.
Controlled View: Best when you want to limit exposure due to sensitive or restricted data.

Audit View Comparison by Section

Each section below includes a brief description and a table comparing the features auditors can view in Controlled View versus Full View.

Risk

Risk data helps auditors understand how your company identifies and manages security or operational threats. This information comes from your risk register and includes detailed scenarios and statuses.

If you're using the Controlled View, auditors only see the fields that you've explicitly marked as visible. In the Full View, they see everything, including custom and extended risk data.

Controlled Audit View	Full Audit View
Risk snapshot fields: Risk ID Risk scenario Inherent risk Treatment Residual risk Approval status Owner Categories CIA categories Identified Custom fields marked as visible Information is not clickable	All fields, including: Financial impact Business function Information is fully accessible

Vendors

Vendor data allows auditors to assess the third parties your organization works with, including review schedules and security posture.

The Controlled View limits visibility to active vendors and standard fields. In the Full View, auditors can view a comprehensive history and explore more detailed information.

Controlled Audit View	Full Audit View
Active vendor fields: Vendor name Vendor category Inherent risk Findings Last review completed Next review scheduled Custom fields marked as visible Information is not clickable	Vendors (active + archived) and security reviews are shown on separate pages. Information is clickable, including: Security review findings

Assets

Asset data encompasses a wide range of items, including computers, databases, alarms, vulnerabilities, and more. It helps auditors verify how you monitor and protect your technical infrastructure.

The Controlled View shows only selected inventory and code change attributes. The Full View displays all asset types and fields.

Controlled Audit View	Full Audit View
Inventory fields: Vendor name Vendor category Inherent risk Findings Code changes fields: Vendor name Vendor category Inherent risk Findings Last review completed Next review scheduled Custom fields marked as visible Information is not clickable	Full visibility into: Inventory Vulnerabilities Alarms Code changes Databases Network configurations Subnets Related settings Examples like: Vulnerability remediation SLAs

Personnel

Auditor access to personnel data lets them verify onboarding, offboarding, group membership, and system access for employees and contractors.

The Controlled View offers a summarized version with static tables. In the Full View, auditors can drill down into tasks, group membership, and access accounts.

Controlled Audit View	Full Audit View
People: Name Employment status Start date End date Groups Groups: Name Members (#) Source Tasks Last updated Point of contact Drawer opens task data: Policies Trainings Background checks Onboarding Offboarding Account access: Account name Owner Role Status MFA Date created Date deactivated Custom fields Tables are not clickable	Full access, including clickable rows in People and Groups tables that reveal: People task status Detailed access settings

Integrations

Integrations demonstrate how you collect evidence and monitor infrastructure using automated tools.

The Controlled View offers basic metadata. The Full View provides complete insight into integration configuration and status.

Controlled Audit View	Full Audit View
Connective integration fields: Name Tags Categories Drawer opens: Overview Categories Permissions	Full access to: All integrations Scope configuration Permissions Errors Connected integrations Shown on separate pages

Organizations

This section shows your company’s general information and audit notification preferences.

This is the only section that is identical in both Controlled and Full Views.

Controlled Audit View	Full Audit View
Company info fields: Display name Legal name Incorporation URL Mailing address Telephone Logo Notifications: Notification schedule Personnel reminders External notifications	Same as Controlled View

Adding and Managing Auditors in Vanta

How will your Auditor use Vanta?

How to view Vanta as an auditor

Vanta GRC Implementation Guide

Restrict Auditor Permissions in Vanta

Managing Auditor Views (Beta)