
Managing Auditor Views (Beta)

Written by Jaquez Hodo
Updated over 3 weeks ago

Vanta provides flexible control over the population data that auditors can access during an audit. This feature is particularly useful for security and compliance administrators who want to maintain transparency and control throughout their audit cycle.

Population data refers to the data points collected from your integrations (such as User ID or Database name) that help auditors assess compliance. It provides them with the visibility they need to select accurate and representative samples. Without access to this data, auditors can’t effectively confirm whether your controls are functioning as intended.

You can choose between two auditor views, Full View and Controlled View, based on your preferences for automation, transparency, and control.

Full Auditor View (Default)

The Full View offers auditors access to the entire population dataset and all related attributes. This allows them to self-serve and select samples directly in Vanta without assistance. It’s the fastest and most automated way to complete audits.

  • Plan Availability: Core, Plus, Growth, and Scale

Controlled Audit View

If you need to limit what auditors can see because of data sensitivity or internal policies, the Controlled View lets you display only a subset of population attributes. Auditors can still select samples, but because they don't have access to every attribute, you'll need to fulfill their sample requests manually.

  • Plan Availability: Growth and Scale only

When to Use Each View

  • Full View: Ideal for speed, efficiency, and automation.

  • Controlled View: Best when you want to limit exposure due to sensitive or restricted data.

Audit View Comparison by Section

Each section below includes a brief description and a table comparing the features auditors can view in Controlled View versus Full View.

Risk

Risk data helps auditors understand how your company identifies and manages security or operational threats. This information comes from your risk register and includes detailed scenarios and statuses.

If you're using the Controlled View, auditors only see the fields that you've explicitly marked as visible. In the Full View, they see everything, including custom and extended risk data.

Controlled Audit View

Risk snapshot fields:

  • Risk ID

  • Risk scenario

  • Inherent risk

  • Treatment

  • Residual risk

  • Approval status

  • Owner

  • Categories

  • CIA categories

  • Identified

  • Custom fields marked as visible

Information is not clickable.

Full Audit View

All fields, including:

  • Financial impact

  • Business function

Information is fully accessible.

Vendors

Vendor data allows auditors to assess the third parties your organization works with, including review schedules and security posture.

The Controlled View limits visibility to active vendors and standard fields. In the Full View, auditors can view a comprehensive history and explore more detailed information.

Controlled Audit View

Active vendor fields:

  • Vendor name

  • Vendor category

  • Inherent risk

  • Findings

  • Last review completed

  • Next review scheduled

  • Custom fields marked as visible

Information is not clickable.

Full Audit View

Vendors (active and archived) and security reviews are shown on separate pages. Information is clickable, including:

  • Security review findings

Assets

Asset data encompasses a wide range of items, including computers, databases, alarms, vulnerabilities, and more. It helps auditors verify how you monitor and protect your technical infrastructure.

The Controlled View shows only selected inventory and code change attributes. The Full View displays all asset types and fields.

Controlled Audit View

Inventory fields:

  • Vendor name

  • Vendor category

  • Inherent risk

  • Findings

Code changes fields:

  • Vendor name

  • Vendor category

  • Inherent risk

  • Findings

  • Last review completed

  • Next review scheduled

  • Custom fields marked as visible

Information is not clickable.

Full Audit View

Full visibility into:

  • Inventory

  • Vulnerabilities

  • Alarms

  • Code changes

  • Databases

  • Network configurations

  • Subnets

  • Related settings (for example, vulnerability remediation SLAs)

Personnel

Auditor access to personnel data lets them verify onboarding, offboarding, group membership, and system access for employees and contractors.

The Controlled View offers a summarized version with static tables. In the Full View, auditors can drill down into tasks, group membership, and access accounts.

Controlled Audit View

People:

  • Name

  • Employment status

  • Start date

  • End date

  • Groups

Groups:

  • Name

  • Members (#)

  • Source

  • Tasks

  • Last updated

  • Point of contact

  • Drawer opens task data:

    • Policies

    • Trainings

    • Background checks

    • Onboarding

    • Offboarding

Account access:

  • Account name

  • Owner

  • Role

  • Status

  • MFA

  • Date created

  • Date deactivated

  • Custom fields

Tables are not clickable.

Full Audit View

Full access, including clickable rows in the People and Groups tables that reveal:

  • People task status

  • Detailed access settings

Integrations

Integrations demonstrate how you collect evidence and monitor infrastructure using automated tools.

The Controlled View offers basic metadata. The Full View provides complete insight into integration configuration and status.

Controlled Audit View

Connected integration fields:

  • Name

  • Tags

  • Categories

  • Drawer opens:

    • Overview

    • Categories

    • Permissions

Full Audit View

Full access to:

  • All integrations

  • Scope configuration

  • Permissions

  • Errors

  • Connected integrations

These are shown on separate pages.

Organizations

This section shows your company’s general information and audit notification preferences.

This is the only section that is identical in both Controlled and Full Views.

Controlled Audit View

Company info fields:

  • Display name

  • Legal name

  • Incorporation

  • URL

  • Mailing address

  • Telephone

  • Logo

Notifications:

  • Notification schedule

  • Personnel reminders

  • External notifications

Full Audit View

Same as the Controlled View.