> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List information requests linked to a control within an audit

> Returns a paginated list of active information requests linked to a specific
control within an IRL audit. An information request is linked to a control
either via its framework codes (`criteriaIds`) or via a direct association
(`additionalControlIds`).

Soft-deleted information requests are not included in the response. To
synchronize deletions, use `GET /audits/{auditId}/information-requests`,
which supports `changedSinceDate` and includes soft-deleted records.

Returns 404 when the control is not part of the audit. Returns an empty page
when the control is part of the audit but has no active IRLs linked to it.

Pagination usage:
1. Make initial request with desired `pageSize`
2. Check `results.pageInfo.hasNextPage` to see if more data exists
3. If true, use `results.pageInfo.endCursor` as `pageCursor` in next request
4. Repeat until `hasNextPage` is false

Rate limit: 50 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples get /audits/{auditId}/controls/{controlId}/information-requests
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: Vanta (Commercial)
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/controls/{controlId}/information-requests:
    get:
      tags:
        - Audits
      summary: List information requests linked to a control within an audit
      description: >-
        Returns a paginated list of active information requests linked to a
        specific

        control within an IRL audit. An information request is linked to a
        control

        either via its framework codes (`criteriaIds`) or via a direct
        association

        (`additionalControlIds`).


        Soft-deleted information requests are not included in the response. To

        synchronize deletions, use `GET /audits/{auditId}/information-requests`,

        which supports `changedSinceDate` and includes soft-deleted records.


        Returns 404 when the control is not part of the audit. Returns an empty
        page

        when the control is part of the audit but has no active IRLs linked to
        it.


        Pagination usage:

        1. Make initial request with desired `pageSize`

        2. Check `results.pageInfo.hasNextPage` to see if more data exists

        3. If true, use `results.pageInfo.endCursor` as `pageCursor` in next
        request

        4. Repeat until `hasNextPage` is false


        Rate limit: 50 requests / minute.
      operationId: ListInformationRequestsForControl
      parameters:
        - in: path
          name: auditId
          required: true
          schema:
            type: string
        - in: path
          name: controlId
          required: true
          schema:
            type: string
        - description: Maximum number of information requests to return per page.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/PageSize'
        - description: >-
            Pagination cursor from a previous response. Provide to fetch the
            next page of results.
          in: query
          name: pageCursor
          required: false
          schema:
            $ref: '#/components/schemas/PageCursor'
      responses:
        '200':
          description: Ok
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PaginatedResponse_InformationRequest_'
              examples:
                Example 1:
                  value:
                    results:
                      data:
                        - id: 6890e473dce1da5d8406f5e7
                          uniqueId: '1466132'
                          additionalControlIds: []
                          approvalStatus: NEEDS_EVIDENCE
                          cadence: ANNUALLY
                          frameworkCodes:
                            - SOC2_CC6.1
                          description: >-
                            Provide the data deletion evidence for a sample of
                            terminated customers
                          dueDate: '2025-10-28T00:00:00.000Z'
                          evidenceCaptureDate: '2025-10-28T00:00:00.000Z'
                          requestId: null
                          requestType: SAMPLE
                          title: Terminated Customer Deletion Evidence
                          creationDate: '2025-08-01T12:34:56.000Z'
                          modificationDate: '2025-08-02T08:00:00.000Z'
                          deletionDate: null
                          ownerAssignment:
                            type: user
                            id: 507f1f77bcf86cd799439011
                            displayName: John Doe
                      pageInfo:
                        hasNextPage: false
                        hasPreviousPage: false
                        startCursor: Njg5MGU0NzNkY2UxZGE1Z
                        endCursor: Njg5MGU0NzNkY2UxZGE1Z
      security:
        - bearerAuth: []
      x-codeSamples:
        - lang: typescript
          label: ListInformationRequestsForControl
          source: |-
            import { Vanta } from "vanta-auditor-api-sdk";

            const vanta = new Vanta({
              bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
            });

            async function run() {
              const result = await vanta.audits.listInformationRequestsForControl({
                auditId: "<id>",
                controlId: "<id>",
              });

              console.log(result);
            }

            run();
        - lang: java
          label: ListInformationRequestsForControl
          source: >-
            package hello.world;


            import com.vanta.vanta_auditor_api.Vanta;

            import
            com.vanta.vanta_auditor_api.models.operations.ListInformationRequestsForControlResponse;

            import java.lang.Exception;


            public class Application {

                public static void main(String[] args) throws Exception {

                    Vanta sdk = Vanta.builder()
                            .bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
                        .build();

                    ListInformationRequestsForControlResponse res = sdk.audits().listInformationRequestsForControl()
                            .auditId("<id>")
                            .controlId("<id>")
                            .pageSize(10)
                            .call();

                    if (res.paginatedResponseInformationRequest().isPresent()) {
                        System.out.println(res.paginatedResponseInformationRequest().get());
                    }
                }
            }
components:
  schemas:
    PageSize:
      type: integer
      format: int32
      default: 10
      description: >-
        Controls the maximum number of items returned in one response from the
        API.
      minimum: 1
      maximum: 100
    PageCursor:
      type: string
      description: >-
        A marker or pointer, telling the API where to start fetching items for
        the subsequent page in a paginated dataset.

        Note that the requested page will not include the item that corresponds
        to this cursor but will start from the one immediately

        after this cursor.
    PaginatedResponse_InformationRequest_:
      properties:
        results:
          properties:
            data:
              items:
                $ref: '#/components/schemas/InformationRequest'
              type: array
            pageInfo:
              $ref: '#/components/schemas/PageInfo'
          required:
            - data
            - pageInfo
          type: object
      required:
        - results
      type: object
      additionalProperties: false
    InformationRequest:
      description: >-
        Information Request resource representing a single request for audit
        evidence from a customer.


        An information request is created by an auditor and shared with the
        customer organization.

        The customer then uploads evidence, which the auditor reviews and either
        approves or flags

        for issues.
      properties:
        id:
          type: string
          description: >-
            The unique identifier for the information request within Vanta's
            system.

            This is the primary identifier used in all API endpoints.

            Format: ObjectId as a string (e.g., "6890e473dce1da5d8406f5e7")
        uniqueId:
          type: string
          description: >-
            External unique ID to prevent duplicates across different audit
            systems.

            Used for idempotency when syncing data between external audit
            management

            systems and Vanta. Unlike `id`, this value is provided by the
            external system.
        additionalControlIds:
          items:
            type: string
          type: array
          description: >-
            Additional control IDs beyond those automatically mapped from
            framework codes.

            Allows manual association with specific controls when automatic
            mapping

            is insufficient. Each ID should reference a valid control in your
            audit framework.
        approvalStatus:
          $ref: '#/components/schemas/InformationRequestApprovalStatus'
          description: >-
            Current approval status tracking the request's lifecycle through
            evidence

            submission and auditor review.
        cadence:
          allOf:
            - $ref: '#/components/schemas/InformationRequestCadence'
          nullable: true
          description: >-
            How frequently this information request recurs (e.g., annual
            password

            policy reviews). Null for one-time requests.
        frameworkCodes:
          items:
            type: string
          type: array
          description: >-
            The framework codes this request addresses.

            Links the request to specific compliance requirements. Can be an
            empty array

            if no framework codes are associated. These codes correspond to
            standards like SOC 2, ISO 27001, etc.
        description:
          type: string
          nullable: true
          description: >-
            Detailed description explaining what evidence is needed and why.

            Should provide clear instructions to help the customer understand
            what

            to submit.
        dueDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            The deadline by which the customer must fulfill this request.
            Null if no specific deadline is set. Format: ISO 8601 UTC timestamp.
        evidenceCaptureDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            The earliest date for which evidence should be captured.
            Evidence dated before this date may not be accepted.
            Null if not restricted. Format: ISO 8601 UTC timestamp.
        requestId:
          type: string
          nullable: true
          description: >-
            Non-unique external reference ID for this request.

            Unlike `uniqueId` which must be unique, `requestId` is for
            display/reference

            purposes only (e.g., "REQ-123"). Null if not provided.
        requestType:
          $ref: '#/components/schemas/InformationRequestType'
          description: Defines the scope of evidence required.
        title:
          type: string
          description: Short, descriptive title summarizing what is being requested.
        creationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the request was created in the system.
            Format: ISO 8601 UTC timestamp.
        modificationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the request was last modified.
            Format: ISO 8601 UTC timestamp.
        deletionDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            Timestamp when the request was soft-deleted. Null if the request has
            not

            been deleted. Soft deletes allow retaining history while hiding the
            request

            from normal operations.

            Format: ISO 8601 UTC timestamp.
        ownerAssignment:
          allOf:
            - $ref: '#/components/schemas/ResourceOwner'
          nullable: true
          description: |-
            Resource owner (user or team) assigned to this information request.
            Returns null if no resource owner is assigned.
      required:
        - id
        - uniqueId
        - additionalControlIds
        - approvalStatus
        - cadence
        - frameworkCodes
        - description
        - dueDate
        - evidenceCaptureDate
        - requestId
        - requestType
        - title
        - creationDate
        - modificationDate
        - deletionDate
        - ownerAssignment
      type: object
      additionalProperties: false
    PageInfo:
      description: Provides information about the pagination of a dataset.
      properties:
        endCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the end of the current page, or null if
            there is no such cursor.
        hasNextPage:
          type: boolean
          description: Indicates if there is another page after the current page.
        hasPreviousPage:
          type: boolean
          description: Indicates if there is a page before the current page.
        startCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the start of the current page, or null if
            there is no such cursor.
      required:
        - endCursor
        - hasNextPage
        - hasPreviousPage
        - startCursor
      type: object
      additionalProperties: false
    InformationRequestApprovalStatus:
      type: string
      enum:
        - NEEDS_EVIDENCE
        - READY_FOR_AUDIT
        - AUDITOR_APPROVED
        - AUDITOR_FLAGGED
      description: >-
        Current approval status of the information request, tracking its
        lifecycle through the audit process.


        The status progresses through the workflow: initial state → awaiting
        review → approved or flagged.

        Status can move between awaiting review and flagged states as evidence
        is reviewed and resubmitted.
    InformationRequestCadence:
      type: string
      enum:
        - ANNUALLY
        - BIANNUALLY
        - MONTHLY
        - QUARTERLY
      description: >-
        Frequency cadence for the information request, indicating how often it
        recurs.
    InformationRequestType:
      type: string
      enum:
        - POINT_IN_TIME
        - POPULATION
        - SAMPLE
      description: >-
        Type of information request, defining what scope of evidence is needed.


        - POINT_IN_TIME: Evidence for a specific moment (e.g., current state of
        a policy)

        - POPULATION: Evidence covering all items in a category (e.g., all
        employees)

        - SAMPLE: Evidence for a representative sample (e.g., 10 random customer
        records)
    ResourceOwner:
      anyOf:
        - properties:
            displayName:
              type: string
            id:
              type: string
            type:
              type: string
              enum:
                - user
              nullable: false
          required:
            - displayName
            - id
            - type
          type: object
        - properties:
            displayName:
              type: string
            id:
              type: string
            type:
              type: string
              enum:
                - team
              nullable: false
          required:
            - displayName
            - id
            - type
          type: object
      description: Represents either a user or a team owning a resource.
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````