# List risks for an audit

> Retrieves risk population data for an audit.

This endpoint provides access to the risk records visible to auditors
during an audit engagement. Risk data is scoped to a specific risk
assessment snapshot identified by the `snapshotId` parameter.

Only Controlled Audit View (CAV) audits are supported. Full Audit
View audits are rejected with 403.

Supports filtering by:
- `search`: Searches risk scenario descriptions (case-insensitive)

Results are sorted by identified date (newest first) by default.
Use `orderBy` and `orderDirection` to customize sorting.
Sort parameters must remain consistent across paginated requests.

Uses cursor-based pagination. To paginate:
1. Make initial request with desired `pageSize`
2. Check `results.pageInfo.hasNextPage`
3. Use `results.pageInfo.endCursor` as `pageCursor` for next request

Rate limit: 10 requests / minute.
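The pagination walk described above, as an added example in Python (not the page's code and not Vanta's SDK). The HTTP transport is injected so the client logic runs offline against a constructed in-memory stand-in that mirrors the documented rules: 403 for anything other than a CAV audit, case-insensitive `search` on the scenario text, default sort by `identified` descending, and a cursor that the next page starts immediately after. The sample rows, the `cav-` audit-ID prefix and the name `fake_list_audit_risks` are assumptions of the example.

```python
from typing import Callable, Iterator
# Constructed sample risk population; field names follow the AuditRisk schema.
SAMPLE_RISKS = [
    {"id": "r1", "riskId": "RISK-001", "identified": "2023-01-15T10:00:00.000Z",
     "riskScenario": "Unauthorized access to production database"},
    {"id": "r2", "riskId": "RISK-002", "identified": "2023-02-01T09:00:00.000Z",
     "riskScenario": "Loss of backup media"},
    {"id": "r3", "riskId": "RISK-003", "identified": "2023-03-10T12:00:00.000Z",
     "riskScenario": "Stale database credentials"},
]

class ApiError(Exception):
    """args[0] is the HTTP status the stand-in endpoint would return."""
def fake_list_audit_risks(audit_id: str, snapshot_id: str, params: dict) -> dict:
    """In-memory stand-in for the endpoint: 403 for non-CAV audits, case-insensitive
    `search` on riskScenario, default sort by `identified` descending, and a cursor
    naming the last item of the previous page so the next page starts right after it."""
    if not audit_id.startswith("cav-"):  # assumed convention of this fake only
        raise ApiError(403, "Full Audit View audits are not supported")
    page_size = params.get("pageSize", 10)
    if not 1 <= page_size <= 100:
        raise ApiError(400, "pageSize must be within 1-100")
    rows = sorted(SAMPLE_RISKS, key=lambda r: r[params.get("orderBy", "identified")],
                  reverse=params.get("orderDirection", "desc") == "desc")
    needle = params.get("search", "").lower()
    rows = [r for r in rows if needle in r["riskScenario"].lower()]
    start = 0
    if params.get("pageCursor") is not None:
        start = next(i for i, r in enumerate(rows) if r["id"] == params["pageCursor"]) + 1
    page = rows[start:start + page_size]
    return {"results": {"data": page, "pageInfo": {
        "hasNextPage": start + page_size < len(rows), "hasPreviousPage": start > 0,
        "startCursor": page[0]["id"] if page else None,
        "endCursor": page[-1]["id"] if page else None}}}

def iter_all_risks(call: Callable[[str, str, dict], dict], audit_id: str,
                   snapshot_id: str, **params) -> Iterator[dict]:
    """Follow endCursor until hasNextPage is false; orderBy/orderDirection stay fixed
    in `params` for the whole walk, as the endpoint requires (each page is one
    request against the 10 requests/minute limit)."""
    cursor = None
    while True:
        query = {**params, **({"pageCursor": cursor} if cursor else {})}
        body = call(audit_id, snapshot_id, query)
        yield from body["results"]["data"]
        info = body["results"]["pageInfo"]
        if not info["hasNextPage"]:
            return
        cursor = info["endCursor"]
```

Against the real service, `call` would issue the authenticated GET and return the decoded JSON body; the walk itself does not change.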
## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples get /audits/{auditId}/risks/{snapshotId}
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: US Region API
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/risks/{snapshotId}:
    get:
      tags:
        - Audits
      summary: List risks for an audit
      description: |-
        Retrieves risk population data for an audit.

        This endpoint provides access to the risk records visible to auditors
        during an audit engagement. Risk data is scoped to a specific risk
        assessment snapshot identified by the `snapshotId` parameter.

        Only Controlled Audit View (CAV) audits are supported. Full Audit
        View audits are rejected with 403.

        Supports filtering by:
        - `search`: Searches risk scenario descriptions (case-insensitive)

        Results are sorted by identified date (newest first) by default.
        Use `orderBy` and `orderDirection` to customize sorting.
        Sort parameters must remain consistent across paginated requests.

        Uses cursor-based pagination. To paginate:
        1. Make initial request with desired `pageSize`
        2. Check `results.pageInfo.hasNextPage`
        3. Use `results.pageInfo.endCursor` as `pageCursor` for next request

        Rate limit: 10 requests / minute.
      operationId: ListAuditRisks
      parameters:
        - description: The audit ID
          in: path
          name: auditId
          required: true
          schema:
            type: string
        - description: The risk assessment snapshot ID
          in: path
          name: snapshotId
          required: true
          schema:
            type: string
        - description: Maximum number of results per page (1-100, default 10)
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/PageSize'
        - description: Pagination cursor from previous response
          in: query
          name: pageCursor
          required: false
          schema:
            $ref: '#/components/schemas/PageCursor'
        - description: Search term for filtering by risk scenario description
          in: query
          name: search
          required: false
          schema:
            type: string
        - description: >-
            Field to sort results by. Allowed: "riskId", "riskScenario",
            "inherentRisk", "treatment", "residualRisk", "reviewStatus",
            "owner", "categories", "ciaCategories", "identified". Default:
            "identified"
          in: query
          name: orderBy
          required: false
          schema:
            $ref: '#/components/schemas/RiskOrderBy'
        - description: 'Sort direction: "asc" or "desc". Default: "desc"'
          in: query
          name: orderDirection
          required: false
          schema:
            $ref: '#/components/schemas/OrderDirection'
      responses:
        '200':
          description: Paginated list of risks with pagination metadata
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PaginatedResponse_AuditRisk_'
              examples:
                Example 1:
                  value:
                    results:
                      pageInfo:
                        hasNextPage: true
                        hasPreviousPage: false
                        startCursor: 5f2c939a52855e725c8d5824
                        endCursor: 5f2c939a52855e725c8d5824
                      data:
                        - id: 5f2c939a52855e725c8d5824
                          riskId: RISK-001
                          riskScenario: Unauthorized access to production database
                          likelihood: 4
                          impact: 5
                          inherentRisk: 20
                          treatment: MITIGATE
                          treatmentStatus: IN_PROGRESS
                          residualRisk: 6
                          reviewStatus: APPROVED
                          owner:
                            displayName: Jane Doe
                          categories:
                            - Cryptography
                            - Privacy
                          ciaCategories:
                            - CONFIDENTIALITY
                            - INTEGRITY
                          linkedControlIds:
                            - control-1
                            - control-2
                          identified: '2023-01-15T10:00:00.000Z'
      security:
        - bearerAuth: []
      x-codeSamples:
        - lang: typescript
          label: ListAuditRisks
          source: |-
            import { Vanta } from "vanta-auditor-api-sdk";

            const vanta = new Vanta({
              bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
            });

            async function run() {
              const result = await vanta.audits.listAuditRisks({
                auditId: "<id>",
                snapshotId: "<id>",
              });

              console.log(result);
            }

            run();
        - lang: java
          label: ListAuditRisks
          source: >-
            package hello.world;


            import com.vanta.vanta_auditor_api.Vanta;

            import
            com.vanta.vanta_auditor_api.models.operations.ListAuditRisksRequest;

            import
            com.vanta.vanta_auditor_api.models.operations.ListAuditRisksResponse;

            import java.lang.Exception;


            public class Application {

                public static void main(String[] args) throws Exception {

                    Vanta sdk = Vanta.builder()
                            .bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
                        .build();

                    ListAuditRisksRequest req = ListAuditRisksRequest.builder()
                            .auditId("<id>")
                            .snapshotId("<id>")
                            .build();

                    ListAuditRisksResponse res = sdk.audits().listAuditRisks()
                            .request(req)
                            .call();

                    if (res.paginatedResponseAuditRisk().isPresent()) {
                        System.out.println(res.paginatedResponseAuditRisk().get());
                    }
                }
            }
components:
  schemas:
    PageSize:
      type: integer
      format: int32
      default: 10
      description: >-
        Controls the maximum number of items returned in one response from the
        API.
      minimum: 1
      maximum: 100
    PageCursor:
      type: string
      description: >-
        A marker or pointer, telling the API where to start fetching items for
        the subsequent page in a paginated dataset.

        Note that the requested page will not include the item that corresponds
        to this cursor but will start from the one immediately after this
        cursor.
    RiskOrderBy:
      type: string
      enum:
        - inherentRisk
        - riskId
        - riskScenario
        - treatment
        - residualRisk
        - reviewStatus
        - owner
        - categories
        - ciaCategories
        - identified
    OrderDirection:
      type: string
      enum:
        - asc
        - desc
      description: >-
        Sort direction shared across the external REST API surface.


        `"asc"` for ascending, `"desc"` for descending. Endpoints expose this as
        the `orderDirection` / `sortDirection` query parameter and map it onto
        whatever internal direction representation the underlying service
        expects.
    PaginatedResponse_AuditRisk_:
      properties:
        results:
          properties:
            data:
              items:
                $ref: '#/components/schemas/AuditRisk'
              type: array
            pageInfo:
              $ref: '#/components/schemas/PageInfo'
          required:
            - data
            - pageInfo
          type: object
      required:
        - results
      type: object
      additionalProperties: false
    AuditRisk:
      description: >-
        A risk record from the risk population.


        `id` and `riskId` are required. All other fields are optional to support
        customizable field visibility.


        Omitted keys mean the column is not in the response; `null` means the
        column is present but empty.
      properties:
        id:
          type: string
          description: Unique identifier for the risk scenario version.
          example: 5f2c939a52855e725c8d5824
        riskId:
          type: string
          nullable: true
          description: Custom risk ID (e.g., "RISK-001"), or null if not available.
          example: RISK-001
        riskScenario:
          type: string
          nullable: true
          description: Description of the risk scenario, or null if not available.
          example: Unauthorized access to production database
        likelihood:
          type: number
          format: double
          nullable: true
          description: |-
            Likelihood score of the risk, or null if not scored.
            Full Audit View only - omitted in Controlled Audit View.
          example: 4
        impact:
          type: number
          format: double
          nullable: true
          description: |-
            Impact score of the risk, or null if not scored.
            Full Audit View only - omitted in Controlled Audit View.
          example: 5
        inherentRisk:
          type: number
          format: double
          nullable: true
          description: >-
            Inherent risk score (likelihood * impact), or null if not
            calculable.
          example: 20
        treatment:
          allOf:
            - $ref: '#/components/schemas/AuditRiskTreatment'
          nullable: true
          description: Risk treatment strategy, or null if not set.
          example: MITIGATE
        treatmentStatus:
          allOf:
            - $ref: '#/components/schemas/AuditRiskTreatmentStatus'
          nullable: true
          description: Treatment implementation status, or null if not set.
          example: IN_PROGRESS
        residualRisk:
          type: number
          format: double
          nullable: true
          description: Residual risk score after treatment, or null if not calculable.
          example: 6
        reviewStatus:
          allOf:
            - $ref: '#/components/schemas/AuditRiskReviewStatus'
          nullable: true
          description: Review status of the risk scenario, or null if not set.
          example: APPROVED
        owner:
          allOf:
            - $ref: '#/components/schemas/AuditRiskOwner'
          nullable: true
          description: Risk owner information, or null if no owner assigned.
          example:
            displayName: Jane Doe
            imageUrl: https://app.vanta.com/avatar.png
        categories:
          items:
            type: string
          type: array
          description: Risk category names, or empty array if not categorized.
          example:
            - Cryptography
            - Privacy
        ciaCategories:
          items:
            $ref: '#/components/schemas/AuditRiskCia'
          type: array
          description: CIA triad categories, or empty array if not categorized.
          example:
            - CONFIDENTIALITY
            - INTEGRITY
        linkedControlIds:
          items:
            type: string
          type: array
          description: >-
            IDs of controls linked to this risk scenario, or empty array if
            none.

            Full Audit View only - omitted in Controlled Audit View.
          example:
            - control-1
            - control-2
        identified:
          type: string
          nullable: true
          description: |-
            When the risk was identified, or null if not recorded.
            ISO 8601 format.
          example: '2023-01-15T10:00:00.000Z'
      required:
        - id
        - riskId
      type: object
      additionalProperties: false
    PageInfo:
      description: Provides information about the pagination of a dataset.
      properties:
        endCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the end of the current page, or null if
            there is no such cursor.
        hasNextPage:
          type: boolean
          description: Indicates if there is another page after the current page.
        hasPreviousPage:
          type: boolean
          description: Indicates if there is a page before the current page.
        startCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the start of the current page, or null if
            there is no such cursor.
      required:
        - endCursor
        - hasNextPage
        - hasPreviousPage
        - startCursor
      type: object
      additionalProperties: false
    AuditRiskTreatment:
      type: string
      enum:
        - ACCEPT
        - AVOID
        - MITIGATE
        - TRANSFER
      description: Risk treatment strategy returned by the auditor API.
    AuditRiskTreatmentStatus:
      type: string
      enum:
        - IN_PROGRESS
        - DONE
      description: Treatment implementation status returned by the auditor API.
    AuditRiskReviewStatus:
      type: string
      enum:
        - APPROVED
        - DRAFT
        - NOT_REVIEWED
        - AWAITING_SUBMISSION
        - PENDING_APPROVAL
        - REQUESTED_CHANGES
      description: Risk scenario review status returned by the auditor API.
    AuditRiskOwner:
      description: Owner information for a risk.
      properties:
        displayName:
          type: string
          description: Display name of the risk owner.
          example: Jane Doe
        imageUrl:
          type: string
          nullable: true
          description: URL of the owner's profile image, or null if not available.
          example: https://app.vanta.com/avatar.png
      required:
        - displayName
        - imageUrl
      type: object
      additionalProperties: false
    AuditRiskCia:
      type: string
      enum:
        - AVAILABILITY
        - CONFIDENTIALITY
        - INTEGRITY
      description: CIA triad category returned by the auditor API.
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````