Audits

List information requests for an audit

Retrieves a paginated list of all information requests for an audit, enabling external audit management systems to display and track evidence requests.

This endpoint always includes soft-deleted records (where deletionDate !== null). Clients should check the deletionDate field to identify and handle deleted records appropriately in their systems.

This endpoint supports delta synchronization via the changedSinceDate parameter, allowing efficient polling for changes without retrieving the entire dataset.

Pagination usage:

Make initial request with desired pageSize
Check results.pageInfo.hasNextPage to see if more data exists
If true, use results.pageInfo.endCursor as pageCursor in next request
Repeat until hasNextPage is false

Delta sync usage:

Store the timestamp of your last sync
Pass that timestamp as changedSinceDate
Only requests created, modified, or deleted since that timestamp are returned
Process updates and soft-deletes by checking the deletionDate field
Update your last sync timestamp to the current time

GET

audits

{auditId}

information-requests

TypeScript

import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.listInformationRequests({
    auditId: "<id>",
  });

  console.log(result);
}

run();

{
  "results": {
    "data": [
      {
        "id": "6890e473dce1da5d8406f5e7",
        "uniqueId": "1466132",
        "additionalControlIds": [],
        "approvalStatus": "NEEDS_EVIDENCE",
        "cadence": "ANNUALLY",
        "frameworkCodes": [
          "SOC2_CC6.1"
        ],
        "description": "Provide the data deletion evidence for a sample of terminated customers",
        "dueDate": "2025-10-28T00:00:00.000Z",
        "evidenceCaptureDate": "2025-10-28T00:00:00.000Z",
        "requestId": null,
        "requestType": "SAMPLE",
        "title": "Terminated Customer Deletion Evidence",
        "creationDate": "2025-08-01T12:34:56.000Z",
        "modificationDate": "2025-08-02T08:00:00.000Z",
        "deletionDate": null,
        "ownerAssignment": {
          "type": "user",
          "id": "507f1f77bcf86cd799439011",
          "displayName": "John Doe"
        }
      }
    ],
    "pageInfo": {
      "hasNextPage": false,
      "hasPreviousPage": false,
      "startCursor": "Njg5MGU0NzNkY2UxZGE1Z",
      "endCursor": "Njg5MGU0NzNkY2UxZGE1Z"
    }
  }
}

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

auditId

string

required

Query Parameters

pageSize

integer<int32>

default:10

Maximum number of information requests to return per page. Controls the maximum number of items returned in one response from the API.

Required range: 1 <= x <= 100

pageCursor

string

Pagination cursor from a previous response. Provide to fetch the next page of results. A marker or pointer, telling the API where to start fetching items for the subsequent page in a paginated dataset. Note that the requested page will not include the item that corresponds to this cursor but will start from the one immediately after this cursor.

changedSinceDate

string<date-time>

Includes all information requests that have changed since changedSinceDate. Considers creationDate, modificationDate, and deletionDate timestamps when determining changes.

Response

200 - application/json

results

object

required

Show child attributes

Create a new information requestCreates a new information request for an audit during audit setup or as requirements evolve. After creating all information requests, use POST /audits/{auditId}/share-information-request-list to make them visible to the customer organization. Until shared, requests remain in draft state visible only to auditors. New requests are created in an initial state indicating evidence is needed. The status progresses through the workflow: initial state → awaiting review → approved or flagged.

⌘I

TypeScript

import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.listInformationRequests({
    auditId: "<id>",
  });

  console.log(result);
}

run();

{
  "results": {
    "data": [
      {
        "id": "6890e473dce1da5d8406f5e7",
        "uniqueId": "1466132",
        "additionalControlIds": [],
        "approvalStatus": "NEEDS_EVIDENCE",
        "cadence": "ANNUALLY",
        "frameworkCodes": [
          "SOC2_CC6.1"
        ],
        "description": "Provide the data deletion evidence for a sample of terminated customers",
        "dueDate": "2025-10-28T00:00:00.000Z",
        "evidenceCaptureDate": "2025-10-28T00:00:00.000Z",
        "requestId": null,
        "requestType": "SAMPLE",
        "title": "Terminated Customer Deletion Evidence",
        "creationDate": "2025-08-01T12:34:56.000Z",
        "modificationDate": "2025-08-02T08:00:00.000Z",
        "deletionDate": null,
        "ownerAssignment": {
          "type": "user",
          "id": "507f1f77bcf86cd799439011",
          "displayName": "John Doe"
        }
      }
    ],
    "pageInfo": {
      "hasNextPage": false,
      "hasPreviousPage": false,
      "startCursor": "Njg5MGU0NzNkY2UxZGE1Z",
      "endCursor": "Njg5MGU0NzNkY2UxZGE1Z"
    }
  }
}