
# Create a comment for a control within an audit

> Creates a new comment on a control within an IRL audit. The comment author
> must be an auditor in the audit firm making the request. The comment will be
> associated with the control and visible to all authorized users.

Returns 404 when the control is not part of the audit.

Rate limit: 50 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples post /audits/{auditId}/controls/{controlId}/comments
# OpenAPI 3.0 description of Vanta's Auditor API, as published for this
# endpoint page.
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  # NOTE(review): the text below refers to an "OAuth token URL shown below",
  # but the only security scheme declared in this document is plain HTTP
  # bearer (components.securitySchemes.bearerAuth) and no token URL appears.
  # Vanta Gov (FedRAMP) integrators should take the token URL from this
  # description and keep token requests and API calls on the same
  # environment's host.
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
# Two separate environments, both HTTPS. The first entry is the commercial
# host and is what tooling selects by default.
servers:
  - url: https://api.vanta.com/v1
    description: US Region API
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
# Document-wide default: an empty list means no security requirement applies
# unless an operation declares its own. The POST operation in this document
# overrides it with bearerAuth; an operation that omitted `security` would be
# described as callable without credentials.
security: []
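paths:
  # Creates a comment on one control of one audit. Requires a bearer token
  # (see `security` at the end of the operation).
  /audits/{auditId}/controls/{controlId}/comments:
    post:
      tags:
        - Audits
      summary: Create a comment for a control within an audit
      description: >-
        Creates a new comment on a control within an IRL audit. The comment
        author

        must be an auditor in the audit firm making the request. The comment
        will be

        associated with the control and visible to all authorized users.


        Returns 404 when the control is not part of the audit.


        Rate limit: 50 requests / minute.
      operationId: CreateCommentForControl
      # Both identifiers are declared as plain strings with no format, pattern
      # or length constraint. NOTE(review): clients that build this path from
      # stored or user-provided values should validate and URL-encode them
      # before substitution.
      parameters:
        - in: path
          name: auditId
          required: true
          schema:
            type: string
        - in: path
          name: controlId
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AddAuditControlCommentInput'
      # NOTE(review): only the success case and the documented 404 are
      # described. The responses for a missing or invalid bearer token, for an
      # author email outside the requesting audit firm, and for exceeding the
      # 50 requests / minute limit are not declared; confirm their status
      # codes and add them so clients can handle each case explicitly.
      responses:
        '200':
          description: Ok
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuditControlComment'
              # NOTE(review): this example shows modificationDate and
              # deletionDate populated. The AuditControlComment schema says
              # both are null for a comment that was never edited or deleted,
              # which is presumably what a newly created comment returns.
              # Confirm and adjust, since a non-null deletionDate reads as a
              # soft-deleted comment.
              examples:
                Example 1:
                  value:
                    id: 65fc81a3359c8508c9af880f
                    text: Some comment
                    creationDate: '2024-03-07T21:25:56.000Z'
                    modificationDate: '2024-03-07T21:25:56.000Z'
                    deletionDate: '2024-03-07T21:25:56.000Z'
                    email: vlad@vantaroo.com
                    authorName: Vlad Vantaroo
        # Stated in the operation description but previously missing from the
        # declared responses.
        '404':
          description: The control is not part of the audit.
      # Overrides the document-level `security: []`: this operation requires
      # the bearerAuth scheme.
      security:
        - bearerAuth: []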
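      # SDK usage samples shown next to the operation. Both read the bearer
      # token from the environment and now stop when it is unset instead of
      # falling back to an empty string, which would send a request with an
      # empty credential. The two samples read different variable names
      # (VANTA_BEARER_AUTH and BEARER_AUTH), and the sample email is a
      # generated value: per the request schema it must be replaced with the
      # address of an auditor in the requesting audit firm.
      x-codeSamples:
        - lang: typescript
          label: CreateCommentForControl
          source: |-
            import { Vanta } from "vanta-auditor-api-sdk";

            // Fail fast instead of calling the API with an empty bearer token.
            const bearerAuth = process.env["VANTA_BEARER_AUTH"];
            if (!bearerAuth) {
              throw new Error("VANTA_BEARER_AUTH is not set");
            }

            const vanta = new Vanta({
              bearerAuth,
            });

            async function run() {
              const result = await vanta.audits.createCommentForControl({
                auditId: "<id>",
                controlId: "<id>",
                addAuditControlCommentInput: {
                  text: "<value>",
                  email: "Justice.Konopelski@hotmail.com",
                  creationDate: new Date("2024-04-23T18:18:35.232Z"),
                },
              });

              console.log(result);
            }

            run();
        - lang: java
          label: CreateCommentForControl
          source: |-
            package hello.world;

            import com.vanta.vanta_auditor_api.Vanta;
            import com.vanta.vanta_auditor_api.models.components.AddAuditControlCommentInput;
            import com.vanta.vanta_auditor_api.models.operations.CreateCommentForControlResponse;
            import java.lang.Exception;
            import java.time.OffsetDateTime;

            public class Application {

                public static void main(String[] args) throws Exception {

                    // Fail fast instead of calling the API with an empty bearer token.
                    String token = System.getenv("BEARER_AUTH");
                    if (token == null || token.isEmpty()) {
                        throw new IllegalStateException("BEARER_AUTH is not set");
                    }

                    Vanta sdk = Vanta.builder()
                            .bearerAuth(token)
                        .build();

                    CreateCommentForControlResponse res = sdk.audits().createCommentForControl()
                            .auditId("<id>")
                            .controlId("<id>")
                            .addAuditControlCommentInput(AddAuditControlCommentInput.builder()
                                .text("<value>")
                                .email("Justice.Konopelski@hotmail.com")
                                .creationDate(OffsetDateTime.parse("2024-04-23T18:18:35.232Z"))
                                .build())
                            .call();

                    if (res.auditControlComment().isPresent()) {
                        System.out.println(res.auditControlComment().get());
                    }
                }
            }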
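components:
  schemas:
    # Request body for creating a comment on a control. All three fields are
    # required and unknown fields are rejected (additionalProperties: false).
    AddAuditControlCommentInput:
      description: >-
        Comments enable auditors and customers to collaborate on a control
        within an

        audit. All comments are immediately visible to authorized parties once
        created.
      properties:
        text:
          type: string
          # Encodes the "at least 1 character" rule from the description so
          # validators and generated clients reject empty comments.
          # NOTE(review): no maxLength is declared; confirm the server-side
          # limit and document it.
          minLength: 1
          description: |-
            The text content of the comment.
            Must be at least 1 character. Can include questions, clarifications,
            or explanations related to the control.
        email:
          type: string
          format: email
          # The author is named by the caller in the body rather than derived
          # from the bearer token. Per the description the address must belong
          # to a Vanta user of the requesting audit firm. Integrations should
          # set it from their own authenticated user and record which
          # credential submitted the comment, so attribution can be traced.
          description: >-
            Email address of the comment author.

            Must match an existing Vanta user who belongs to the audit firm
            making the API request.

            This email uniquely identifies the author across systems.
        creationDate:
          type: string
          format: date-time
          # Caller-supplied timestamp copied from the external system.
          # NOTE(review): nothing here says it is checked against server time,
          # so consumers should presumably not treat it as a server-attested
          # creation time. Confirm.
          description: >-
            Timestamp when the comment was created in the external audit
            management system.

            This allows synchronizing comment timestamps from external systems.

            Format: ISO 8601 UTC timestamp.
      required:
        - text
        - email
        - creationDate
      type: object
      additionalProperties: false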
    # Comment object returned in the 200 response of the create-comment
    # operation. Every property is required, so the nullable ones are always
    # present and carry null rather than being omitted.
    AuditControlComment:
      description: >-
        A comment on a control within an audit. These threaded discussions let

        auditors and customers collaborate on a specific control — asking
        questions,

        documenting reasoning, or recording follow-ups — directly against the
        control

        being assessed.


        Audit control comments are scoped to a single audit engagement and are

        distinct from any organization-internal control comments.
      properties:
        id:
          type: string
          description: |-
            The unique identifier for the comment within Vanta's system.
            Format: ObjectId as a string (e.g., "6890e473dce1da5d8406f5e7").
        # Free-form text written by a commenter.
        # NOTE(review): integrations that display it in their own UI should
        # treat it as untrusted content and encode it on output.
        text:
          type: string
          description: >-
            The comment message content.

            Can include explanations, questions, or clarifications about the
            control.
        creationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the comment was created.
            Format: ISO 8601 UTC timestamp.
        modificationDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            Timestamp when the comment was last edited.
            Null if the comment has never been modified.
            Format: ISO 8601 UTC timestamp.
        # A non-null value marks a soft-deleted comment. Per the description
        # such comments are retained for audit history but hidden from normal
        # operations, so a consumer syncing comments should check this field
        # before showing one.
        deletionDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            Timestamp when the comment was soft-deleted.

            Null if the comment has not been deleted.

            Soft deletes retain the comment for audit history while hiding it
            from normal operations.

            Format: ISO 8601 UTC timestamp.
        # Nullable: the author may not map to a Vanta user, so the email cannot
        # be the only key used to attribute a comment.
        email:
          type: string
          nullable: true
          description: >-
            Email address of the comment author.

            This email uniquely identifies users between Vanta and external
            audit systems.

            Null when the comment author can't be matched to a Vanta user.
        # Display name only. It is also nullable (e.g. the user was deleted).
        authorName:
          type: string
          nullable: true
          description: >-
            Human-readable display name of the comment author.

            Null if the author's name is not available (e.g., user was deleted).

            This enables correct author attribution in integrations where users
            cannot

            be reliably matched across systems by email alone.
      required:
        - id
        - text
        - creationDate
        - modificationDate
        - deletionDate
        - email
        - authorName
      type: object
      # Properties outside this list are not part of the documented shape.
      additionalProperties: false
  # Credential schemes that operations reference from their `security` lists.
  securitySchemes:
    # HTTP bearer authentication. No bearerFormat, OAuth flow or token URL is
    # declared here, although info.description mentions an OAuth token URL.
    # NOTE(review): confirm how tokens are issued and scoped, and document it.
    bearerAuth:
      type: http
      scheme: bearer

````