> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Update an information request for an audit

> Updates an existing information request for an audit, allowing modification of request
details as audit requirements evolve. Supports partial updates where only specified
fields are changed; omitted fields remain unchanged.

Common use cases:
- Updating due dates as audit timelines shift
- Refining descriptions to clarify requirements
- Adjusting request type

Note: The `modificationDate` is automatically updated to the current timestamp
when any field is changed.

Rate limit: 50 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples patch /audits/{auditId}/information-requests/{requestId}
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: Vanta (Commercial)
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/information-requests/{requestId}:
    patch:
      tags:
        - Audits
      summary: Update an information request for an audit
      description: >-
        Updates an existing information request for an audit, allowing
        modification of request

        details as audit requirements evolve. Supports partial updates where
        only specified

        fields are changed; omitted fields remain unchanged.


        Common use cases:

        - Updating due dates as audit timelines shift

        - Refining descriptions to clarify requirements

        - Adjusting request type


        Note: The `modificationDate` is automatically updated to the current
        timestamp

        when any field is changed.


        Rate limit: 50 requests / minute.
      operationId: UpdateInformationRequest
      parameters:
        - in: path
          name: auditId
          required: true
          schema:
            type: string
        - in: path
          name: requestId
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PartialUpdateInformationRequest'
      responses:
        '200':
          description: Ok
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InformationRequest'
              examples:
                Example 1:
                  value:
                    id: 6890e473dce1da5d8406f5e7
                    uniqueId: '1466132'
                    additionalControlIds: []
                    approvalStatus: NEEDS_EVIDENCE
                    cadence: ANNUALLY
                    frameworkCodes:
                      - SOC2_CC6.1
                    description: >-
                      Provide the data deletion evidence for a sample of
                      terminated customers
                    dueDate: '2025-10-28T00:00:00.000Z'
                    evidenceCaptureDate: '2025-10-28T00:00:00.000Z'
                    requestId: null
                    requestType: SAMPLE
                    title: Terminated Customer Deletion Evidence
                    creationDate: '2025-08-01T12:34:56.000Z'
                    modificationDate: '2025-08-02T08:00:00.000Z'
                    deletionDate: null
                    ownerAssignment:
                      type: user
                      id: 507f1f77bcf86cd799439011
                      displayName: John Doe
      security:
        - bearerAuth: []
      x-codeSamples:
        - lang: typescript
          label: UpdateInformationRequest
          source: |-
            import { Vanta } from "vanta-auditor-api-sdk";

            const vanta = new Vanta({
              bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
            });

            async function run() {
              const result = await vanta.audits.updateInformationRequest({
                auditId: "<id>",
                requestId: "<id>",
                partialUpdateInformationRequest: {},
              });

              console.log(result);
            }

            run();
        - lang: java
          label: UpdateInformationRequest
          source: >-
            package hello.world;


            import com.vanta.vanta_auditor_api.Vanta;

            import
            com.vanta.vanta_auditor_api.models.components.PartialUpdateInformationRequest;

            import
            com.vanta.vanta_auditor_api.models.operations.UpdateInformationRequestResponse;

            import java.lang.Exception;


            public class Application {

                public static void main(String[] args) throws Exception {

                    Vanta sdk = Vanta.builder()
                            .bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
                        .build();

                    UpdateInformationRequestResponse res = sdk.audits().updateInformationRequest()
                            .auditId("<id>")
                            .requestId("<id>")
                            .partialUpdateInformationRequest(PartialUpdateInformationRequest.builder()
                                .build())
                            .call();

                    if (res.informationRequest().isPresent()) {
                        System.out.println(res.informationRequest().get());
                    }
                }
            }
components:
  schemas:
    PartialUpdateInformationRequest:
      description: >-
        Input for partially updating an information request. Only provided
        fields

        will be updated; omitted fields remain unchanged. At least one field
        must

        be provided.
      properties:
        frameworkCodes:
          items:
            type: string
          type: array
          description: |-
            The framework codes this request addresses.
            An empty array if no framework codes are associated.
        description:
          type: string
          nullable: true
          description: Detailed description of what evidence is needed.
        dueDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            Deadline for fulfilling this request. Null if no deadline.
            Format: ISO 8601 UTC timestamp.
        evidenceCaptureDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            Start date of the audit period. Evidence before this date may not be
            accepted.

            Null if not restricted. Format: ISO 8601 UTC timestamp.
        requestType:
          $ref: '#/components/schemas/InformationRequestType'
          description: Scope of evidence required.
        title:
          type: string
          description: Short, descriptive title.
        cadence:
          $ref: '#/components/schemas/InformationRequestCadence'
          description: How frequently this request recurs.
        additionalControlIds:
          items:
            type: string
          type: array
          description: >-
            Control IDs to link directly to this request, beyond those
            automatically

            mapped from framework codes. Replaces the existing set: pass the
            complete

            desired list, an empty array to clear all direct control links, or
            omit to

            leave them unchanged. Each must be the `id` of an existing control
            in the

            customer's organization (the identifier returned by the controls
            endpoints).

            The request is rejected if any ID does not match a control.
      type: object
      additionalProperties: false
    InformationRequest:
      description: >-
        Information Request resource representing a single request for audit
        evidence from a customer.


        An information request is created by an auditor and shared with the
        customer organization.

        The customer then uploads evidence, which the auditor reviews and either
        approves or flags

        for issues.
      properties:
        id:
          type: string
          description: >-
            The unique identifier for the information request within Vanta's
            system.

            This is the primary identifier used in all API endpoints.

            Format: ObjectId as a string (e.g., "6890e473dce1da5d8406f5e7")
        uniqueId:
          type: string
          description: >-
            External unique ID to prevent duplicates across different audit
            systems.

            Used for idempotency when syncing data between external audit
            management

            systems and Vanta. Unlike `id`, this value is provided by the
            external system.
        additionalControlIds:
          items:
            type: string
          type: array
          description: >-
            Additional control IDs beyond those automatically mapped from
            framework codes.

            Allows manual association with specific controls when automatic
            mapping

            is insufficient. Each ID should reference a valid control in your
            audit framework.
        approvalStatus:
          $ref: '#/components/schemas/InformationRequestApprovalStatus'
          description: >-
            Current approval status tracking the request's lifecycle through
            evidence

            submission and auditor review.
        cadence:
          allOf:
            - $ref: '#/components/schemas/InformationRequestCadence'
          nullable: true
          description: >-
            How frequently this information request recurs (e.g., annual
            password

            policy reviews). Null for one-time requests.
        frameworkCodes:
          items:
            type: string
          type: array
          description: >-
            The framework codes this request addresses.

            Links the request to specific compliance requirements. Can be an
            empty array

            if no framework codes are associated. These codes correspond to
            standards like SOC 2, ISO 27001, etc.
        description:
          type: string
          nullable: true
          description: >-
            Detailed description explaining what evidence is needed and why.

            Should provide clear instructions to help the customer understand
            what

            to submit.
        dueDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            The deadline by which the customer must fulfill this request.
            Null if no specific deadline is set. Format: ISO 8601 UTC timestamp.
        evidenceCaptureDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            The earliest date for which evidence should be captured.
            Evidence dated before this date may not be accepted.
            Null if not restricted. Format: ISO 8601 UTC timestamp.
        requestId:
          type: string
          nullable: true
          description: >-
            Non-unique external reference ID for this request.

            Unlike `uniqueId` which must be unique, `requestId` is for
            display/reference

            purposes only (e.g., "REQ-123"). Null if not provided.
        requestType:
          $ref: '#/components/schemas/InformationRequestType'
          description: Defines the scope of evidence required.
        title:
          type: string
          description: Short, descriptive title summarizing what is being requested.
        creationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the request was created in the system.
            Format: ISO 8601 UTC timestamp.
        modificationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the request was last modified.
            Format: ISO 8601 UTC timestamp.
        deletionDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            Timestamp when the request was soft-deleted. Null if the request has
            not

            been deleted. Soft deletes allow retaining history while hiding the
            request

            from normal operations.

            Format: ISO 8601 UTC timestamp.
        ownerAssignment:
          allOf:
            - $ref: '#/components/schemas/ResourceOwner'
          nullable: true
          description: |-
            Resource owner (user or team) assigned to this information request.
            Returns null if no resource owner is assigned.
      required:
        - id
        - uniqueId
        - additionalControlIds
        - approvalStatus
        - cadence
        - frameworkCodes
        - description
        - dueDate
        - evidenceCaptureDate
        - requestId
        - requestType
        - title
        - creationDate
        - modificationDate
        - deletionDate
        - ownerAssignment
      type: object
      additionalProperties: false
    InformationRequestType:
      type: string
      enum:
        - POINT_IN_TIME
        - POPULATION
        - SAMPLE
      description: >-
        Type of information request, defining what scope of evidence is needed.


        - POINT_IN_TIME: Evidence for a specific moment (e.g., current state of
        a policy)

        - POPULATION: Evidence covering all items in a category (e.g., all
        employees)

        - SAMPLE: Evidence for a representative sample (e.g., 10 random customer
        records)
    InformationRequestCadence:
      type: string
      enum:
        - ANNUALLY
        - BIANNUALLY
        - MONTHLY
        - QUARTERLY
      description: >-
        Frequency cadence for the information request, indicating how often it
        recurs.
    InformationRequestApprovalStatus:
      type: string
      enum:
        - NEEDS_EVIDENCE
        - READY_FOR_AUDIT
        - AUDITOR_APPROVED
        - AUDITOR_FLAGGED
      description: >-
        Current approval status of the information request, tracking its
        lifecycle through the audit process.


        The status progresses through the workflow: initial state → awaiting
        review → approved or flagged.

        Status can move between awaiting review and flagged states as evidence
        is reviewed and resubmitted.
    ResourceOwner:
      anyOf:
        - properties:
            displayName:
              type: string
            id:
              type: string
            type:
              type: string
              enum:
                - user
              nullable: false
          required:
            - displayName
            - id
            - type
          type: object
        - properties:
            displayName:
              type: string
            id:
              type: string
            type:
              type: string
              enum:
                - team
              nullable: false
          required:
            - displayName
            - id
            - type
          type: object
      description: Represents either a user or a team owning a resource.
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````