✅ Feature availability: The Information Request List (IRL) feature is available as an upgrade or add-on. Refer to Vanta Plans and Pricing for details.
Vanta’s Information Request List (IRL) experience helps you manage and respond to auditor requests directly within Vanta. The IRL experience lets you or your auditor upload the request list into Vanta so you can manage evidence, track progress, and collaborate with your team all in one place. You decide who owns each request, what evidence to attach, and can tailor what your auditor can see.
⚙️ User permissions: Admins, Editors, and Audit Limited Editors can manage the request list, control mapping, and population data access, as well as manage evidence across all requests. Collaborators can be assigned as Information Request Owners to manage evidence on assigned requests. Learn more: User Permissions by Product Area
Getting started
After you create an audit, you’ll use different tabs to manage requests, controls, and population data. Which tabs you can access depends on your user role and assignments in the audit. Auditor access is outlined in the Auditor workflow section.
Tab | Description | User access |
Requests | Contains a list of all the information requests in scope for the audit. | Admins, Editors, Audit Limited Editors, Information Request Owners |
Controls | Shows an overview of all the controls mapped to the audit across information requests. | Admins, Editors, Audit Limited Editors, Control Owners |
Data & populations | Lets you manage which population data sections your auditor will be able to see. | Admins, Editors, and Audit Limited Editors |
Video tutorial: Product overview
Video tutorial: Product overview
A video overview from a Vanta product manager highlighting Vanta's end-to-end audit experience, including how to upload and manage an auditor's information request list, map requests to controls, collect and share evidence, and collaborate with auditors, so teams can streamline audits and stay continuously audit-ready.
Video tutorial: Setup guide
Video tutorial: Setup guide
A video overview from a Vanta product manager showing how to upload and map an auditor's information request list (IRL)—including preparing required fields, handling different IRL formats, mapping framework codes to controls, resolving upload errors, and refining mappings post-import.
Request list management
Once your audit is created, the Requests tab will be empty until a request list is uploaded. You can upload your auditor's request list yourself, or your auditor can upload it directly once they have access to the audit—either after the observation window starts or once an early access period begins.
Uploading a request list
Uploading a request list
You can upload a request list when the audit has no requests yet. After requests already exist in the audit, only your auditor can add more.
To upload a request list:
Open your audit and go to the Requests tab.
Click Download to get resources to help you prepare your spreadsheet outside of Vanta.
Select Example IRL to download a sample CSV template showing the supported fields and example rows.
Select Framework codes to download a CSV of the valid framework codes and descriptions for your audit's framework to use as a reference when preparing your spreadsheet.
Return to the Requests tab.
Click Upload IRL.
Upload your file by dragging and dropping it or browsing from your computer.
Select the header row.
Map your columns to the corresponding fields in Vanta.
Review any warnings. You can proceed with warnings—only blocking errors must be resolved before importing.
Click Import. Once imported, your requests appear in the Requests tab with a status of Needs evidence.
ℹ️ Note: You can currently bulk import up to 500 requests via XLS or CSV. Please reach out to your Customer Success Manager if you need to import more.
Supported fields (request metadata)
Supported fields (request metadata)
Each request allows you to capture metadata using the following fields. Some fields can be added with your spreadsheet import, others you need to manage in Vanta after import.
Field | Description |
Unique ID | Any value that uniquely identifies each request. Used to prevent duplicates. |
Request name | The name of the request. |
Type | Point in time, Sample, or Population. |
Description | Additional context about the request. |
Framework codes | Framework criteria codes used to map requests to controls. |
Due date | The date by which evidence should be ready. |
Capture date | The earliest date evidence can be added to a request. |
Cadence | Monthly, Quarterly, Biannually, or Annually. |
Control ID | A specific control you want to map a control to |
Owner | The user or team assigned as information request owner. |
Status | The workflow status for the request. |
💡 Tip: Column names in your spreadsheet don't need to match exactly—you'll map them to the right fields during upload.
Assigning request owners
Assigning request owners
Assign an owner to each request so your team knows who’s responsible for gathering and submitting evidence. You can assign either a user or a team as the owner. If you assign a team, members of that team can upload evidence for the request.
To assign an owner to a request, click the Owner field in the request list or in the request header.
To assign owners in bulk, select multiple requests in the request list and click Assign Owner from the toolbar.
Editing request metadata
Editing request metadata
In the Evidence tab of a request, you can edit the following metadata from the request header:
Due date
Capture date
Type
Cadence
Owner
Framework codes
Status (can mark as Not ready, Internal review, or Audit ready)
From the Requests tab, you can select multiple requests to apply bulk changes to:
Due date
Capture date
Type
Cadence
Owner
ℹ️ Note: Only the auditor can add new requests, edit the request name or description, or delete requests.
Control mapping
The Controls tab gives you a view of all Vanta controls mapped to your audit across requests. Use it to confirm your requests are mapped to the right controls and to track evidence progress per control. If no framework codes or controls were included during import, the Controls tab may be empty until you map framework codes or controls to requests.
Mapping framework codes to requests
Mapping framework codes to requests
When you add a valid framework code to a request, Vanta maps that request to the matching controls automatically. If you included framework codes in your spreadsheet, this mapping happened during import. If not, you can add them after import.
To add or edit framework codes on a request:
Open your audit and go to the Requests tab.
Open a request.
Click the framework codes chip in the request header—this shows as Unmapped, Manually mapped, or the existing framework code depending on the current mapping state.
Select the relevant framework codes.
Click Save. Vanta automatically links controls that match the selected framework codes.
ℹ️ Note: Framework code edits are disabled once a request has been marked as Accepted by your auditor.
Mapping requests to controls
Mapping requests to controls
You can map a request to a specific control directly, without using framework codes. If you included a Control ID in your spreadsheet, this mapping happened during import. If not, you can add controls manually after import.
To manually add a control to a request:
Open the request.
Go to the Controls tab.
Click the + button.
Search for and select the control you want to add.
Assigning control owners
Assigning control owners
Control owners pipe in automatically from the control owner assigned on the Controls page—edit the owner there rather than from within the audit.
Reviewing control assessments
Reviewing control assessments
Control assessments let an auditor evaluate a control as a whole, based on how well the linked evidence demonstrates that the control is met. Only auditors can edit the Auditor assessment status and Justification for each control.
Exporting controls
Exporting controls
From the Controls tab of the audit, click Export to download the controls table as a CSV.
The export includes all controls and columns in the table—filters and hidden columns don't apply.
The export includes the auditor assessments and justifications, but excludes auditor comments.
Population data access
IRL audits use the Controlled auditor view, which means all sections in the Data & populations tab are hidden from your auditor by default—you decide which sections your auditor can see.
When you enable a section, it becomes available to your auditor once the observation window starts or once an active early access period begins. When you disable a section, access is removed immediately.
While you can manage which sections are shared before the audit starts, the pages themselves are only viewable once the audit period starts, at which time you can click View next to any section to preview what your auditor will see.
📖 Learn more: Managing Auditor Views
Request owner workflow
Requests represent evidence-level evaluation, where an auditor reviews the specific evidence attached to a request. If you’re assigned as an Information Request Owner, your job is to gather evidence and get it ready for your auditor. Each request moves through the following statuses as you work through it.
Request status | Description |
Not ready | No evidence has been attached yet, or the request needs more work before it can move to internal review or be shared with your auditor. |
Internal review | Evidence is attached and ready for your team to review before sharing with your auditor. Your auditor can't see evidence at this stage. |
Audit ready | Evidence was marked ready for audit and is visible to your auditor for evaluation. |
Flagged | Your auditor reviewed the request and needs an update, clarification, or additional evidence. Address the feedback and mark it audit ready again. |
Accepted | Your auditor reviewed and accepted the request. |
ℹ️ Note: Your team moves requests through Not ready, Internal review, and Audit ready. Only the auditor can move a request to Flagged or Accepted.
Uploading evidence
Uploading evidence
You can attach multiple types of evidence to a single request.
To upload evidence to a request:
Open your audit and go to the Requests tab.
Click a request from the table and go to the Evidence tab.
Click the + Evidence button and select the upload method you want to use:
Vanta evidence: Evidence from automated tests, policies, and documents already stored in Vanta. Use the Related toggle to filter to evidence Vanta recommends for the request. Turn it off to browse a broader list of available Vanta evidence in scope for the audit.
Upload document: Upload a file from your computer. Supported file types (up to 50 MB each): .ai, .csv, .docx, .jpg, .json, .pdf, .png, .txt, .webp, .xlsx, .zip.
Add URL: Add a link to an external resource. Requires a URL and title.
Observation notes: Add plain text in a text box.
If you add evidence to a request that's already been marked as Audit ready, it's visible to them immediately—except for automated test evidence, which moves the request back to Internal review.
Evidence can't be added to requests that have already been marked as Accepted by your auditor. If you need to add evidence after it’s been accepted, ask your auditor to move the request back to Flagged.
AI evidence evaluation
AI evidence evaluation
For evidence uploaded from outside of Vanta: Vanta AI evaluates it against the auditor's specific request, flags gaps, and provides remediation guidance before you submit it to your auditor.
For evidence already in Vanta: Tests, policies, and documents go through their own compliance workflows. When you attach existing Vanta evidence, you're linking evidence that you’re already assessing elsewhere, so Vanta AI does not need to re-evaluate it.
Evidence capture dates
Evidence capture dates
Some requests may have a capture date, meaning evidence can't be added until that date arrives.
The evidence upload controls are hidden until the capture date is current—you'll see a note on the request indicating when the evidence window opens.
When the capture date arrives, you'll receive a notification and can begin uploading evidence.
Sharing evidence (marking as audit ready)
Sharing evidence (marking as audit ready)
Once evidence is uploaded, you can move the request status to Internal review or Audit ready.
To share evidence:
Open your audit and go to the Requests tab.
Click a request from the table and go to the Evidence tab.
Click the Share evidence button and select one of the following options:
Share with internal team: Moves the request to Internal review. Your auditor can’t see evidence at this stage.
Share with auditor: Moves the request to Audit ready. Your auditor can see the evidence shared on the request.
Evidence not ready: Returns the request to Not ready.
ℹ️ Note: The audit's owner permissions setting determines if Information Request Owners can share evidence directly with the auditor or if they can only move the request to internal review.
Auditor workflow
Once you assign an auditor, they can only access the audit once the observation window starts or an early access period begins. Once they have access, here's what they can do on each tab:
Requests: Review evidence marked ready for audit, accept or flag requests, manage the request list, and view or respond to auditor comments.
Controls: View the controls mapped to the audit, conduct control assessments, export controls, and view or respond to auditor comments.
Data & populations: View only the sections enabled for the audit.
Uploading a request list
Uploading a request list
An auditor can upload the initial request list once they have access to the audit, if you haven't already done so.
An auditor can add more requests by uploading another spreadsheet. This adds new requests—it doesn't update existing ones. Each request in the upload needs a unique ID that hasn't already been used in that audit.
See request list management for more information on preparing a spreadsheet.
Adding or deleting individual requests
Adding or deleting individual requests
An auditor can add individual requests to the audit or delete requests from the audit.
Only auditors can add or delete individual requests in the audit.
Editing request metadata
Editing request metadata
In the Evidence tab of a request, an auditor can edit the following metadata from the request header:
Request name
Description
Framework codes
Due date
Capture date
Type
Cadence
Status (can mark as Accepted or Flagged)
ℹ️ Note: Auditors can’t edit the Owner field or use other Status fields.
Accepting or flagging requests
Accepting or flagging requests
While an auditor can view and edit requests during the audit window, they can only review the request’s evidence once it’s been marked Audit ready. That’s when the evidence becomes visible to them, and they can then accept or flag the request.
Accepted: Your auditor reviewed and accepted the evidence.
Flagged: Your auditor needs an update, clarification, or additional evidence.
Conducting control assessments
Conducting control assessments
An auditor can change the status for each control and can add a justification to explain why.
To conduct a control assessment:
Open the audit and go to the Controls tab.
Edit the Auditor assessment status:
Select a status directly from the table.
Open the control details to select a status.
Add a Justification in the confirmation modal.
To edit a justification without changing the status, open the control and edit the Justification field directly.
Assessment status options depend on the framework in scope for the audit. Frameworks not listed below use the default status options.
Framework | Status options |
ISO frameworks | Not assessed, Major non-conformity, Minor non-conformity, Conforming |
FedRAMP or NIST 800-53 | Not assessed, Not satisfied, Other than satisfied, Satisfied |
FedRAMP 20x | Not assessed, False, Partial, True |
Custom frameworks | Not assessed, Not satisfied, Other than satisfied, Satisfied |
All other frameworks (default) | Not assessed, Not in place, Partial, In place |
Audit commenting
Use audit commenting to collaborate internally on requests or communicate with your auditor on requests or controls. Auditors can view and respond to auditor-facing comments when they have access to the audit engagement. Internal users can comment at any time, whether the audit is active or complete.
Comment type | How to comment |
Request-level commenting | Open your audit and go to the Requests tab. Click a request from the table and go to the Auditor comments or Internal comments tab. |
Control-level commenting | Open your audit and go to the Controls tab. Click a control from the table and go to the Auditor comments tab. |
ℹ️ Note: Information Request Owners can post internal comments and view auditor comments. If the audit’s owner permissions setting is enabled, they can also post auditor-facing comments.
Request-level commenting
Request-level commenting
Each request has two comment threads: one for internal-only comments and one for auditor-facing comments.
Auditor comments are visible to both you and your auditor.
Internal comments are only visible to your team. To loop in a specific teammate, you can use an @ mention.
Control-level commenting
Control-level commenting
Each control has one shared comment thread for auditor-facing comments.
Control comments are visible to both you and your auditor. There is no internal-only control comment thread, but you can loop in a specific teammate with an @ mention.
Comment notifications
Comment notifications
Comment notifications follow your notification preferences and can be sent via email, supported integrations, and your in-app notifications menu.
While comments are visible as soon as they're posted, comment notifications are batched over a 30-minute window. If multiple comments are posted during that time, they'll be grouped into a single notification.
Audit notifications
You’ll receive notifications when key events occur on your information requests during the audit. Each user manages the notifications they receive from their account notification settings.
To manage audit notifications:
Go to Settings.
In the page menu, scroll to My account and select Notifications.
Scroll to the IRL / Audit Requests section.
ℹ️ Note: Auditors are not notified when a request is marked ready for audit or when evidence is shared. To alert your auditor that requests are ready for their review, leave an auditor comment.
