> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create a new information request

> Creates a new information request for an audit during audit setup or as requirements evolve.

After creating all information requests, use POST /audits/{auditId}/share-information-request-list
to make them visible to the customer organization. Until shared, requests remain in draft state
visible only to auditors.

New requests are created in an initial state indicating evidence is needed. The status
progresses through the workflow: initial state → awaiting review → approved or flagged.

Rate limit: 600 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples post /audits/{auditId}/information-requests
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: Vanta (Commercial)
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/information-requests:
    post:
      tags:
        - Audits
      summary: Create a new information request
      description: >-
        Creates a new information request for an audit during audit setup or as
        requirements evolve.


        After creating all information requests, use POST
        /audits/{auditId}/share-information-request-list

        to make them visible to the customer organization. Until shared,
        requests remain in draft state

        visible only to auditors.


        New requests are created in an initial state indicating evidence is
        needed. The status

        progresses through the workflow: initial state → awaiting review →
        approved or flagged.


        Rate limit: 600 requests / minute.
      operationId: CreateInformationRequest
      parameters:
        - in: path
          name: auditId
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateInformationRequestInput'
      responses:
        '201':
          description: Information request created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InformationRequest'
              examples:
                Example 1:
                  value:
                    id: 6890e473dce1da5d8406f5e7
                    uniqueId: '1466132'
                    additionalControlIds: []
                    approvalStatus: NEEDS_EVIDENCE
                    cadence: ANNUALLY
                    frameworkCodes:
                      - SOC2_CC6.1
                    description: >-
                      Provide the data deletion evidence for a sample of
                      terminated customers
                    dueDate: '2025-10-28T00:00:00.000Z'
                    evidenceCaptureDate: '2025-10-28T00:00:00.000Z'
                    requestId: null
                    requestType: SAMPLE
                    title: Terminated Customer Deletion Evidence
                    creationDate: '2025-08-01T12:34:56.000Z'
                    modificationDate: '2025-08-02T08:00:00.000Z'
                    deletionDate: null
                    ownerAssignment:
                      type: user
                      id: 507f1f77bcf86cd799439011
                      displayName: John Doe
      security:
        - bearerAuth: []
      x-codeSamples:
        - lang: typescript
          label: CreateInformationRequest
          source: |-
            import { Vanta } from "vanta-auditor-api-sdk";

            const vanta = new Vanta({
              bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
            });

            async function run() {
              const result = await vanta.audits.createInformationRequest({
                auditId: "<id>",
                createInformationRequestInput: {
                  uniqueId: "<id>",
                  title: "<value>",
                  requestType: "SAMPLE",
                  frameworkCodes: [],
                },
              });

              console.log(result);
            }

            run();
        - lang: java
          label: CreateInformationRequest
          source: >-
            package hello.world;


            import com.vanta.vanta_auditor_api.Vanta;

            import
            com.vanta.vanta_auditor_api.models.components.CreateInformationRequestInput;

            import
            com.vanta.vanta_auditor_api.models.components.InformationRequestType;

            import
            com.vanta.vanta_auditor_api.models.operations.CreateInformationRequestResponse;

            import java.lang.Exception;

            import java.util.List;


            public class Application {

                public static void main(String[] args) throws Exception {

                    Vanta sdk = Vanta.builder()
                            .bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
                        .build();

                    CreateInformationRequestResponse res = sdk.audits().createInformationRequest()
                            .auditId("<id>")
                            .createInformationRequestInput(CreateInformationRequestInput.builder()
                                .uniqueId("<id>")
                                .title("<value>")
                                .requestType(InformationRequestType.SAMPLE)
                                .frameworkCodes(List.of())
                                .build())
                            .call();

                    if (res.informationRequest().isPresent()) {
                        System.out.println(res.informationRequest().get());
                    }
                }
            }
components:
  schemas:
    CreateInformationRequestInput:
      description: |-
        Input for creating a new information request.
        New requests are created in an initial state by default.
      properties:
        uniqueId:
          type: string
          description: >-
            External unique ID to prevent duplicate requests across audit
            systems.

            Must be unique within the audit. Used for idempotency.
        title:
          type: string
          description: |-
            Short, descriptive title summarizing what is being requested.
            Must be at least 1 character.
        requestType:
          $ref: '#/components/schemas/InformationRequestType'
          description: Scope of evidence required.
        description:
          type: string
          nullable: true
          description: |-
            Detailed description explaining what evidence is needed.
            Helps the customer understand what to submit. Optional.
        frameworkCodes:
          items:
            type: string
          type: array
          description: |-
            Framework codes this request addresses.
            An empty array if no framework codes are associated.
        cadence:
          allOf:
            - $ref: '#/components/schemas/InformationRequestCadence'
          nullable: true
          description: >-
            How frequently this request recurs. Null or omitted for one-time
            requests.
        dueDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            Deadline for fulfilling this request. Null or omitted if no
            deadline.

            Format: ISO 8601 UTC timestamp.
        evidenceCaptureDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            Start date of the audit period. Evidence before this date may not be
            accepted.

            Null or omitted if not restricted.

            Format: ISO 8601 UTC timestamp.
        additionalControlIds:
          items:
            type: string
          type: array
          description: >-
            Control IDs to link directly to this request, beyond those
            automatically

            mapped from framework codes. Each must be the `id` of an existing
            control in

            the customer's organization (the identifier returned by the controls
            endpoints).

            The request is rejected if any ID does not match a control.

            Omit or pass an empty array for no direct control links.
      required:
        - uniqueId
        - title
        - requestType
        - frameworkCodes
      type: object
      additionalProperties: false
    InformationRequest:
      description: >-
        Information Request resource representing a single request for audit
        evidence from a customer.


        An information request is created by an auditor and shared with the
        customer organization.

        The customer then uploads evidence, which the auditor reviews and either
        approves or flags

        for issues.
      properties:
        id:
          type: string
          description: >-
            The unique identifier for the information request within Vanta's
            system.

            This is the primary identifier used in all API endpoints.

            Format: ObjectId as a string (e.g., "6890e473dce1da5d8406f5e7")
        uniqueId:
          type: string
          description: >-
            External unique ID to prevent duplicates across different audit
            systems.

            Used for idempotency when syncing data between external audit
            management

            systems and Vanta. Unlike `id`, this value is provided by the
            external system.
        additionalControlIds:
          items:
            type: string
          type: array
          description: >-
            Additional control IDs beyond those automatically mapped from
            framework codes.

            Allows manual association with specific controls when automatic
            mapping

            is insufficient. Each ID should reference a valid control in your
            audit framework.
        approvalStatus:
          $ref: '#/components/schemas/InformationRequestApprovalStatus'
          description: >-
            Current approval status tracking the request's lifecycle through
            evidence

            submission and auditor review.
        cadence:
          allOf:
            - $ref: '#/components/schemas/InformationRequestCadence'
          nullable: true
          description: >-
            How frequently this information request recurs (e.g., annual
            password

            policy reviews). Null for one-time requests.
        frameworkCodes:
          items:
            type: string
          type: array
          description: >-
            The framework codes this request addresses.

            Links the request to specific compliance requirements. Can be an
            empty array

            if no framework codes are associated. These codes correspond to
            standards like SOC 2, ISO 27001, etc.
        description:
          type: string
          nullable: true
          description: >-
            Detailed description explaining what evidence is needed and why.

            Should provide clear instructions to help the customer understand
            what

            to submit.
        dueDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            The deadline by which the customer must fulfill this request.
            Null if no specific deadline is set. Format: ISO 8601 UTC timestamp.
        evidenceCaptureDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            The earliest date for which evidence should be captured.
            Evidence dated before this date may not be accepted.
            Null if not restricted. Format: ISO 8601 UTC timestamp.
        requestId:
          type: string
          nullable: true
          description: >-
            Non-unique external reference ID for this request.

            Unlike `uniqueId` which must be unique, `requestId` is for
            display/reference

            purposes only (e.g., "REQ-123"). Null if not provided.
        requestType:
          $ref: '#/components/schemas/InformationRequestType'
          description: Defines the scope of evidence required.
        title:
          type: string
          description: Short, descriptive title summarizing what is being requested.
        creationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the request was created in the system.
            Format: ISO 8601 UTC timestamp.
        modificationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the request was last modified.
            Format: ISO 8601 UTC timestamp.
        deletionDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            Timestamp when the request was soft-deleted. Null if the request has
            not

            been deleted. Soft deletes allow retaining history while hiding the
            request

            from normal operations.

            Format: ISO 8601 UTC timestamp.
        ownerAssignment:
          allOf:
            - $ref: '#/components/schemas/ResourceOwner'
          nullable: true
          description: |-
            Resource owner (user or team) assigned to this information request.
            Returns null if no resource owner is assigned.
      required:
        - id
        - uniqueId
        - additionalControlIds
        - approvalStatus
        - cadence
        - frameworkCodes
        - description
        - dueDate
        - evidenceCaptureDate
        - requestId
        - requestType
        - title
        - creationDate
        - modificationDate
        - deletionDate
        - ownerAssignment
      type: object
      additionalProperties: false
    InformationRequestType:
      type: string
      enum:
        - POINT_IN_TIME
        - POPULATION
        - SAMPLE
      description: >-
        Type of information request, defining what scope of evidence is needed.


        - POINT_IN_TIME: Evidence for a specific moment (e.g., current state of
        a policy)

        - POPULATION: Evidence covering all items in a category (e.g., all
        employees)

        - SAMPLE: Evidence for a representative sample (e.g., 10 random customer
        records)
    InformationRequestCadence:
      type: string
      enum:
        - ANNUALLY
        - BIANNUALLY
        - MONTHLY
        - QUARTERLY
      description: >-
        Frequency cadence for the information request, indicating how often it
        recurs.
    InformationRequestApprovalStatus:
      type: string
      enum:
        - NEEDS_EVIDENCE
        - READY_FOR_AUDIT
        - AUDITOR_APPROVED
        - AUDITOR_FLAGGED
      description: >-
        Current approval status of the information request, tracking its
        lifecycle through the audit process.


        The status progresses through the workflow: initial state → awaiting
        review → approved or flagged.

        Status can move between awaiting review and flagged states as evidence
        is reviewed and resubmitted.
    ResourceOwner:
      anyOf:
        - properties:
            displayName:
              type: string
            id:
              type: string
            type:
              type: string
              enum:
                - user
              nullable: false
          required:
            - displayName
            - id
            - type
          type: object
        - properties:
            displayName:
              type: string
            id:
              type: string
            type:
              type: string
              enum:
                - team
              nullable: false
          required:
            - displayName
            - id
            - type
          type: object
      description: Represents either a user or a team owning a resource.
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````