Audit Readiness Checklist

Shannon DeLange

Your Audit Readiness Checklist 

The Vanta team has supported companies through thousands of audits to achieve SOC 2, ISO 27001, HIPAA, PCI, and GDPR compliance. We will apply our expertise and know-how to quickly guide you through a successful audit.

 

Company Settings | Audits 

The Company Settings page enables you to add information about your company, add users, and set up API integrations. Additionally, you can confirm your audit has been entered into Vanta correctly. 

 

[ ] Verify your auditor has successfully added your audit to the Vanta platform.

[ ] Confirm the details of your audit: type, start date, and auditor.

[ ] If any information is missing, contact your Customer Success Manager or auditor to correct it.

 

Policies

Policies are the foundation of your security program. This section confirms that every policy has been created and approved within the last 12 months, which auditors expect regardless of the framework you are being audited against.

 

[ ] Review your policies using the eye icon on the right side of the screen.

[ ] The created date for all policy PDFs should be within the previous 12 months.

[ ] The approved date for all policy PDFs should be within the last 12 months.

[ ] Confirm you have read all policies before your audit begins.

 

Vulnerabilities

Vulnerability scanning is a crucial control for any audit. This section guides you through the data needed to provide sufficient evidence to your auditor.

 

[ ] If you use a third-party vulnerability scanner that is not integrated with Vanta, upload screenshots of the scan results for the auditor. Any open High or Medium vulnerabilities need a clear, documented remediation plan that you can show during the audit.

[ ] All High/Medium severity vulnerabilities must be resolved or have a remediation plan.

[ ] Review the SLA violations tab and confirm that each violation has been acknowledged.

[ ] If you are not using an integrated vulnerability scanning service, see the Documents tab for how to upload:

       [ ] Vulnerabilities Remediated Sample

       [ ] Vulnerability Scan
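As an added example (not Vanta's code and not an export from the platform), the following Python script takes a scanner export and checks each finding against a per-severity remediation SLA, producing the three lists the items above ask for: SLA violations to acknowledge, open High/Medium findings that still lack a remediation plan, and findings closed within SLA that can serve as the "Vulnerabilities Remediated Sample". The SLA windows, the plan requirement for Critical, the findings and the export format are assumptions made for illustration; substitute the values from your own SLAs page and your scanner's real export. Note the edge case on the deadline day itself: a finding is still inside its SLA on the deadline and becomes a violation the day after.

```python
"""Classify scanner findings against a remediation SLA (added example, not Vanta code).

Assumptions, labelled: the SLA windows in SLA_DAYS, the severities in PLAN_REQUIRED,
and the FINDINGS export format are all illustrative.
"""
from datetime import date, timedelta

# Assumed remediation windows in days per severity; replace with your own SLA values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Severities for which an open finding must carry a documented remediation plan.
# The checklist requires this for High and Medium; Critical is added here as an assumption.
PLAN_REQUIRED = {"critical", "high", "medium"}

# Constructed sample export (not real findings). "resolved" is None while a finding is open.
FINDINGS = [
    {"id": "F-1", "severity": "high", "first_seen": "2024-01-02", "resolved": "2024-01-20", "plan": ""},
    {"id": "F-2", "severity": "high", "first_seen": "2024-02-01", "resolved": None, "plan": ""},
    {"id": "F-3", "severity": "medium", "first_seen": "2024-01-10", "resolved": None,
     "plan": "Patch scheduled 2024-05-01, ticket OPS-12"},
    {"id": "F-4", "severity": "low", "first_seen": "2023-06-01", "resolved": None, "plan": ""},
    {"id": "F-5", "severity": "critical", "first_seen": "2024-03-25", "resolved": None, "plan": ""},
]


def _as_date(value):
    """Accept either an ISO date string or a date object."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def sla_status(finding, today):
    """Return one of: met, resolved_late, violation, open_within_sla."""
    today = _as_date(today)
    first_seen = date.fromisoformat(finding["first_seen"])
    deadline = first_seen + timedelta(days=SLA_DAYS[finding["severity"].lower()])
    if finding.get("resolved"):
        closed = date.fromisoformat(finding["resolved"])
        return "met" if closed <= deadline else "resolved_late"
    # The deadline day itself is still inside the SLA; the violation starts the day after.
    return "violation" if today > deadline else "open_within_sla"


def audit_report(findings, today):
    """Bucket findings into the lists the audit checklist asks for."""
    report = {
        "violation": [],          # open and past the deadline: acknowledge on the SLA violations tab
        "needs_plan": [],         # open High/Medium (and Critical) with no written remediation plan
        "remediated_sample": [],  # closed within SLA: evidence for "Vulnerabilities Remediated Sample"
        "resolved_late": [],      # closed after the deadline: expect the auditor to ask about these
        "open_within_sla": [],
    }
    for f in findings:
        status = sla_status(f, today)
        bucket = "remediated_sample" if status == "met" else status
        report[bucket].append(f["id"])
        still_open = status in ("violation", "open_within_sla")
        has_plan = bool((f.get("plan") or "").strip())
        if still_open and f["severity"].lower() in PLAN_REQUIRED and not has_plan:
            report["needs_plan"].append(f["id"])
    return report


if __name__ == "__main__":
    for bucket, ids in audit_report(FINDINGS, "2024-04-01").items():
        print(f"{bucket:18s} {', '.join(ids) or '-'}")
```

Run it against your real export shortly before the observation window: the "violation" list is what must already be acknowledged, the "needs_plan" list is what must have a written plan before the auditor asks, and the "resolved_late" list is worth preparing an explanation for even though those findings are closed.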

 

Documents Tab

If you are not self-attesting, your auditor may request documents that show your organization's policies in practice. Auditors ask three questions of each control: "Is there a policy?", "Is it effective?", and "Is it operating properly?". Make sure every requested document is accurate, up to date, and uploaded.

 

[ ] Upload the documents specified by your auditor to Vanta.

 

Access

Access control is a fundamental component of data security that limits who can access and use company information and resources. 

 

[ ] Link all user accounts to employees in Vanta to pass this control.

[ ] Verify that every user account is linked to an individual employee and not to a shared account.

[ ] Check this for every integration listed in the drop-down menu:

       [ ] Cloud Infrastructure

       [ ] Identity Providers

       [ ] Version Control
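As an added example (not Vanta's code; the roster, the per-system account exports and the naming patterns for shared and service accounts are all constructed for illustration), the following Python script reconciles the accounts exported from each integration category against the employee roster and lists everything that is not a one-to-one link to an active employee. Shared logins are flagged even when someone's email is attached to them, departed employees' accounts are surfaced so they can be removed, and automation identities are separated out so they can be given a named owner rather than being mistaken for people.

```python
"""Reconcile accounts in each integrated system against the employee roster (added example, not Vanta code).

Assumptions, labelled: EMPLOYEES, ACCOUNTS and the SHARED_LOGIN / SERVICE_LOGIN
naming conventions are constructed for illustration.
"""
import re

# Constructed roster: work email -> employment status.
EMPLOYEES = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "departed",
}

# Constructed account exports, one list per integration category from the Access drop-down.
ACCOUNTS = {
    "Cloud Infrastructure": [
        {"user": "alice", "email": "alice@example.com"},
        {"user": "deploy-bot", "email": ""},
        {"user": "admin", "email": "ops@example.com"},
    ],
    "Identity Providers": [
        {"user": "alice@example.com", "email": "alice@example.com"},
        {"user": "bob@example.com", "email": "bob@example.com"},
        {"user": "carol@example.com", "email": "carol@example.com"},
    ],
    "Version Control": [
        {"user": "bob", "email": "bob@example.com"},
        {"user": "carol", "email": "carol@example.com"},
        {"user": "dave", "email": "dave@example.com"},
        {"user": "ci-runner", "email": "ci@example.com"},
    ],
}

# Assumed naming conventions: generic logins several people could share, and automation identities.
SHARED_LOGIN = re.compile(r"^(admin|root|shared|team|ops|support)$", re.IGNORECASE)
SERVICE_LOGIN = re.compile(r"(bot|runner|svc|service|ci)$", re.IGNORECASE)

CATEGORIES = ("linked", "departed", "shared", "service", "unlinked")


def classify(account, employees):
    """Classify one account. A shared login is flagged even if a person's email is attached to it."""
    user = account["user"]
    email = (account.get("email") or "").lower()
    if SHARED_LOGIN.search(user):
        return "shared"
    if email in employees:
        return "linked" if employees[email] == "active" else "departed"
    if SERVICE_LOGIN.search(user):
        return "service"
    return "unlinked"


def reconcile(accounts, employees):
    """Per system, bucket every account into one of CATEGORIES (empty lists where nothing matched)."""
    return {
        system: {cat: [a["user"] for a in entries if classify(a, employees) == cat] for cat in CATEGORIES}
        for system, entries in accounts.items()
    }


def needs_action(report):
    """Everything that is not a one-to-one link to an active employee: the cleanup list."""
    return [(system, user, cat)
            for system, buckets in report.items()
            for cat, users in buckets.items() if cat != "linked"
            for user in users]


if __name__ == "__main__":
    for system, user, cat in needs_action(reconcile(ACCOUNTS, EMPLOYEES)):
        print(f"{system:22s} {user:20s} {cat}")
```

Each line the script prints is one account to resolve before the observation window starts: link it to a person, remove it, or document it as an owned service account, since scoping it out later is one of the actions the "Once the Observation Window Begins" section tells you not to take.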

 

Risk Assessment

Completing the risk assessment thoroughly is required for any audit run through Vanta. It is also how you build a clear picture of your assets and the risks to them, which is the basis for prioritizing your security work.

 

[ ] If you are a SOC 2, HIPAA, GDPR, or PCI customer, ensure all risk assessment modules, including the standard-specific module, are complete.

       Note: You do not need to fill out the Physical Security module if:

              [ ] you have a fully remote team without a physical office, and

              [ ] you will not have a physical office within the next year.

[ ] For every identified risk, create at least one task to mitigate the risk described in your scenario.

       Note: You can create these tasks during your observation window.

[ ] Review all scenarios created for every identified risk.

 

Vendors 

Assessing the security controls for vendors who have access to your sensitive data is vital to any audit.

 

[ ] Add a SOC 2 report, SOC 3 report, or ISO 27001 certificate for each of your vendors. Confirm all security questionnaires are complete for any vendor without one of these documents uploaded.

       Note: Best practice is to review the SOC 2 report or ISO 27001 certificate; use a SOC 3 report for a vendor review only when a SOC 2 report is not available.

[ ] Complete the Comments field on each vendor's security controls to show that you have read and understood the vendor's security documentation and concluded that the vendor meets your required security control standards.

       Example: "AWS SOC 2 report meets expectations and requirements. All services in scope." or "Exception in AWS SOC 2 report noted, does not affect the use of service."

[ ] Add the vendor review date.

 

Standards Page / Control Language

The Standards page shows you the connection between the broader compliance framework and the evidence (both automated and manual) that has been uploaded into the Vanta platform. Your auditor will refer to the information listed here and use this language throughout the audit, as these are your stated controls. The auditor will look for ownership of these controls as they are the basis for the audit framework you are implementing. 

 

[ ] Carefully review the control language with the control owners (e.g., HR teams, engineers) so they understand their roles and responsibilities.

       Example: An auditor may ask a team member to explain the onboarding process. The auditor will compare that explanation with your stated control to determine whether the control is effective and operating properly, that is, whether you have an effective onboarding policy and whether the procedures you follow when you hire someone actually implement it.

 

Before the Observation Window Begins

Before your Observation Window begins, you need to ensure that only production environment systems are marked as in-scope on the integrations page.

 

[ ] Confirm Vanta is linked to all in-scope systems.

[ ] Confirm that all resources in the production environment of integrated systems are marked as in scope.

[ ] Confirm that all resources in the Development and Test environments of integrated systems are marked as out of scope.

 

Once the Observation Window Begins

As soon as your Observation Window starts, you need to understand what you can and cannot do within Vanta to comply with your audit.

[ ] DO NOT disable any tests on the Tests page. If this is needed, contact your auditor first.

[ ] DO NOT scope any users or systems out on the Connections page.

[ ] DO NOT enable any Development or Test environment resources on the Connections page.

[ ] DO NOT disable any Production environment resources on the Connections page.

[ ] DO NOT change the SLAs on the SLAs page.

[ ] DO NOT alter any uploaded documents, including, but not limited to, policies, organization charts, and job descriptions.