Vanta FAQs
Frequently asked questions about our audit approach in Vanta
Preparing for Your Audit
Who can assist me with preparing for my first audit?
Our dedicated Customer Success Team is here to guide you through the process. Once onboarded with our team, you will be introduced to your personal customer success manager. You can reach the team at csplatform@sensiba.com.
How do I provide Sensiba access to my Vanta domain?
Check out step 3 of our Quick Start guide for instructions.
If you would prefer to watch a step-by-step video, follow this link to a Loom video.
Involving your auditor early in your compliance journey:
- Helps the process go more smoothly
- Avoids extra work for your team
- Allows you to leverage our expertise
When will I be ready for the audit?
As you progress through setup in Vanta, you'll see an audit "completion percentage" that reflects how much of Vanta’s framework you've prepared for your audit.
For SOC 2 clients, at a minimum we expect you to have completed the steps on the Quick Start Guide prior to starting your audit.
The customer success team is here to help you get onboarded and to guide your effort to fast-track your readiness.
What should I put as my audit period?
For Type 2 engagements, you can choose an audit period between 3 and 12 months. We recommend starting from:
- A date you're confident you meet the criteria (for first-time reports)
- The end of your last Type 2 period (for subsequent reports)
This ensures continuous coverage and aligns with industry expectations. Annual Type 2 reports typically become the standard after your first. If you are unsure, please seek advice from our team.
Which policies should I prioritize?
Commonly expected policies:
- Code of Conduct
- Access Control Policy
- Asset Management Policy
- Operations Security Policy
- Incident Response Plan
- Information Security Policy (AUP)
- Human Resource Security Policy
- Risk Assessment Policy
- Third-Party Management Policy
- Data Management Policy
- Business Continuity & Disaster Recovery Plan
- Secure Development Policy
Check out our complimentary policy tree tool. Alternatively, Vanta offers a policy builder tool within the platform.
Mid-Audit Questions
Why does Vanta show 90% completion, but Sensiba says I'm 60% passing?
Vanta is a compliance platform that helps you maintain compliance and prepare for your audit. Its completion percentage reflects how much of the framework you've prepared.
Once our team begins your audit, we assess your evidence in Vanta, and provide a "passing percentage" based on what's currently verified. This is part of the queries stage, where controls marked "incomplete" simply need more evidence to pass.
SOC 2 Type 1 vs Type 2 audits:
- SOC 2 Type 1: Focuses on control design. You can update controls during the audit based on feedback.
- SOC 2 Type 2: Assesses both design and operating effectiveness over time. We prefer starting the audit within your audit period to allow time to ensure all controls are operating effectively before the audit period ends.
Audit Logistics
How long does the audit take?
Our AI audit offering helps fast-track results and clarify queries. If you're working to a deadline or need a report for a client, on request we can provide a status letter confirming you're mid-audit period.
What if some controls don't apply to you?
Our control descriptions are flexible. If something doesn't apply or doesn't reflect your operations, please let your audit team know. This helps reduce back-and-forth.
Examples of control variations:
- Startups may not have a Board of Directors. Oversight may be handled by senior management or founders.
- Incident definitions, vendor scopes, and risk management approaches may vary. As long as the control's purpose is met, variations are acceptable.
Do I need to perform all controls before a Type 1 report?
Not necessarily. For Type 1, you can show plans for controls like DR/BCP testing or penetration testing. Examples:
- Scheduled disaster recovery test
- Signed statement of work for a penetration test
- Templates for onboarding/offboarding or incident management tracking
You have received my AI Audit results - what does an "Incomplete" control mean?
It means more evidence is needed before the control can be marked as passed. A control found to be incomplete is not a failure or disqualification.
When are samples tested for Type 2 audits?
Sample testing is done 2 weeks before the end of the audit period. For example, we may select security incidents from the audit period and request evidence to confirm control effectiveness.
What happens when the audit reaches 100%?
We conduct a secondary QA review (a "triple check") to verify all findings and evidence. Once complete, we'll notify you that the audit is officially finalized - yay!
What is an "exception noted"?
In a Type 2 audit, if a control is found not operating effectively, it results in an exception in the report. You can provide a rationale and remediation plan. This is not a failure or disqualification.
Framework FAQs
How does third-party infrastructure impact the audit?
We only audit controls you manage. If you use third-party infrastructure (e.g., DBaaS), we reference them as sub-service organizations. No extra evidence is needed unless you manage those controls directly.
I've added Privacy trust services criteria to my scope. How do I understand some of the terms used in Privacy?
The Privacy trust services criteria use specific terms that can be confusing the first time around. Here are some helpful definitions. When in doubt, reach out to your audit team for additional support.
- Data controller: An entity that (alone or jointly with others) determines the purposes for and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.
- Data processor: An entity that processes personal data at the direction of a data controller. In many cases, a service organization may process personal data for its business-to-business (B2B) customers (user entities), which in turn may function as data controllers. In other cases, a service organization may function as a data controller, depending on the facts and circumstances.
- Data subject: The individual about whom personal information is collected.
Example: A private company provides software to process healthcare data for patient assessments. Using the software, the company provides tracking and reporting to their healthcare provider customers.
The company’s sole purpose in processing healthcare data is to provide this service to the healthcare providers. The providers set the purpose – to process data for assessments and reporting. The company does not determine the purposes of the processing, it merely provides the processing service. This company is likely to be a processor. The healthcare provider is the data controller. The healthcare provider's patients are the data subjects.
Continuous Audit Model & AI Audits
As of 2024, our continuous audit model has evolved with the introduction of AI audits, now the preferred method for ongoing audit practices. These audits enhance speed, clarity, and insight throughout the audit lifecycle.
Vanta support contacts
- Contact your assigned Vanta CS for general support
- For technical issues, email support@vanta.com