Get Audit Ready on Vanta in 5 Steps with Sensiba
Configuring your Systems & Scope
Your audit scope defines what systems, users, and resources will be included in the audit. Getting this right at the start avoids wasted effort and delays later.
Systems to connect:
- Cloud Providers
- Identity Providers (IDP)
- Version Control (GitHub, GitLab, Bitbucket, etc.)
- HRIS (Human Resource Information Systems)
- Databases
- Mobile Device Management (MDM)
👉 In-scope = production systems, sensitive information, or user data
👉 Out-of-scope = test, sandbox, or non-production systems
💡 Tip: Always confirm that your in-scope inventory covers all production systems and sensitive data — and nothing unnecessary.
📖 For further step-by-step instructions, view more about configuring your scope in Vanta here.
Get Your Vanta Instance Audit-Ready
Beyond your initial connections and system description, there are a few key areas in Vanta that help ensure you’re truly audit ready. Taking the time to configure these properly now will save time later.
Focus areas to review in Vanta:
- Personnel in scope: Confirm all employees who should be part of the audit are added — and that only relevant people are included. (For example, contractors are generally excluded unless they have access to critical systems.)
- Policy management: Upload your required policies, assign them to the right staff, and track acknowledgements and approvals.
  - Policy acknowledgement is not enabled in Vanta by default; you will need to enable it, as this is key to tracking personnel policy acknowledgements.
  - We also offer a Policy Generator (PolicyTree) that creates robust, tailor-fit policies aligned with your controls. This is optional — you can use Vanta’s policies instead — but if you choose PolicyTree, you’ll need to upload those policies into Vanta. You can create them here.
- Risk management: Document your risks, define mitigation plans, and assign ownership — especially for critical or high risks.
  - You will need to enable auditor view for your risk register in Vanta so that our Audit team can see it. Alternatively, you can upload a manual risk register.
- Vendor management: Add your critical vendors, assign risk ratings, and complete reviews for those rated high or critical.
- Monitoring tests: Configure key monitoring checks so controls are continuously validated within Vanta.
  - Vanta Agent: Leverage the Vanta Agent to monitor personnel device compliance, such as hard-disk encryption and anti-virus software installation.
📖 For a detailed step-by-step walkthrough, check out Vanta’s SOC 2 Checklist.
💡 Tip: Think of these areas as the “readiness foundation” — the stronger they are, the smoother your audit will go.
Scoping your Controls
Vanta comes with a broad set of default controls and generous evidence coverage, but you don’t need all of them for your audit.
- Your audit with us only requires a subset of controls.
- The Vanta Velocity Framework includes 65 controls, each with guidance, tips, and examples.
- You can safely descope/exclude any controls that aren’t relevant to your audit, as per our control listing provided below.
📖 Download and view the full list here. (Please note this is just for Security, Availability and Confidentiality. Further changes are currently being made, and your Customer Success Manager will be able to ensure you have the most up-to-date listing.)
💡 Tip: Focus on quality over quantity — only keep controls that truly apply to your environment.
Create the Audit
Set up your audit so we can join you in Drata.
- Go to the Compliance tab → select Audits
- From here, select:
  - Framework
  - Audit type
📖 Read more about creating your Audit in Vanta here
Provide Sensiba Auditor Access
Once your audit is created, please add us as the Audit Firm and give our audit team access:
- Audit Firm: AssuranceLab (we will be changing this to Sensiba shortly)
- Audit Email Address: ops@assurancelab.cpa
This ensures we can start supporting you right away.
💡 Note: Your dedicated audit team member will be assigned after your Kick-Off call. They’ll let you know when to add their individual account.
Complete your System Description
This is a key step for your audit:
- It forms the basis of your final SOC 2 report
- It tells your auditor exactly which systems are in scope
You can complete it by following the instructions linked here.
💡 Note: While Vanta also has a system description, ours is different and required for the audit. The good news is you can re-use much of the information you’ve already entered into Vanta.
Need Help?
We’re here for you! If you have questions or something feels unclear, reach out anytime at csplatform@sensiba.com.