Auditors have their own view of the data that you provide during an audit, but it only shows them data relevant to the observation window in question. It is not the same information you see when looking at a test page as the auditor view is restricted to the date range of the observation window.
Prior to explaining what auditors can and cannot see, it's essential to understand the terminology used in the definitions:
-
Test Items: This refers to any instance of a resource that a test runs against. For example, in this test "MFA on Snowflake", the user "Nikhil" is the failing item for the test as they don't have MFA set up in Snowflake:
- While the "item" is a Snowflake user in this case, it could be many other things for different tests (AWS RDS instance, Vanta user, Vulnerability, etc.)
- Observation Window: This is the date range from the start of the audit to the end of the audit. This can be found on the audits page:
- SLA: This is the time allowed to remediate an item once it is discovered by Vanta. Some tests may not have an SLA. These are set on the SLA settings page here and are defined uniquely for different groups of tests:
What auditors will see
- Items that were remediated within the observation window and after the SLA
- Items that were not remediated within the SLA and the SLA fell within the observation window
- Items that don't have an SLA were discovered during the observation window and have not been remediated
-
Test items that were deactivated from monitoring. The auditor is shown the resources that were deactivated from monitoring for specific tests, as well as the reason and/or document provided to show why the resource was excluded from the test
What auditors will not see
- Items that were remediated before the SLA
- Items that were remediated before the beginning of the observation window
- Items where the SLA falls after the observation window
Remember that you can always use the "Preview an audit" option on the audits page to view what the auditor sees.