Vanta Quick Start Guide

We know that an upcoming audit can be daunting, so we’ve pulled together a short guide to explain how to set up your SOC 2 audit on Vanta.

Have a read, and if you have any other questions drop us a line!

hello@tempoaudits.com

What is the Purpose of this Guide?

This guide is designed to help you get audit-ready quickly and confidently. Our goal at Tempo Audits is to keep things moving, and make the audit process as smooth (and stress-free) as possible. Our partners, Sensiba, have created the below guide for you to help you set up your SOC 2 Audit on Vanta.

How do we configure our systems and define our scope?

Your audit scope sets the foundation for everything that follows. Defining it clearly upfront helps avoid unnecessary work and prevents delays later in the audit.

Production systems and any system that stores or processes sensitive information or user data are generally IN scope; test, sandbox and other non-production environments are generally OUT of scope. Note that the second rule follows from the first: a staging or test environment that has been seeded with production data, or that shares credentials and infrastructure with production, handles sensitive data and should be treated as in scope.

A tip from your Tempo/ Sensiba team: make sure your scope includes every production system and every system holding sensitive data, but nothing extra. A clean scope means a faster audit. For step-by-step instructions, you can review Vanta’s guidance on configuring scope here.

Systems to connect in Vanta (where applicable):

  • Cloud providers

  • Databases

  • Version control systems (GitHub, GitLab, Bitbucket, etc.)

  • Identity providers (IdP)

  • Mobile Device Management (MDM)
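As an added example (not Vanta’s or Tempo’s own code) of turning the in/out rule above into a repeatable check, the following Python applies it to a constructed inventory and, rather than silently excluding anything ambiguous, sends untagged or oddly tagged systems to a review bucket. The system names and environment tags are hypothetical.

```python
"""Scope triage over a system inventory.

Added example (not Vanta's or Tempo's code): applies the in/out rule from
the guide to a constructed inventory and flags anything that needs a
human decision instead of silently excluding it.
"""
from dataclasses import dataclass

NON_PROD_ENVS = {"test", "staging", "sandbox", "dev", "development", "qa"}


@dataclass(frozen=True)
class System:
    name: str
    environment: str                  # e.g. "production", "staging"; "" if untagged
    handles_sensitive_data: bool      # stores or processes customer/user data
    shares_prod_access: bool = False  # same credentials, IAM roles or network as production


def classify(system: System) -> tuple[str, str]:
    """Return ("in" | "out" | "review", reason) for one system."""
    env = system.environment.strip().lower()
    if not env:
        # An untagged system is never quietly dropped from scope.
        return "review", "no environment tag; confirm before excluding"
    if env in ("prod", "production"):
        return "in", "production system"
    if system.handles_sensitive_data:
        # A staging box seeded with a production database dump is in scope.
        return "in", f"{env} environment but handles sensitive or user data"
    if system.shares_prod_access:
        return "in", f"{env} environment but shares production credentials or access"
    if env in NON_PROD_ENVS:
        return "out", f"{env} environment with no sensitive data"
    return "review", f"unrecognised environment tag {env!r}"


def triage(systems: list[System]) -> dict[str, list[tuple[str, str]]]:
    """Group an inventory into in-scope, out-of-scope and needs-review buckets."""
    buckets: dict[str, list[tuple[str, str]]] = {"in": [], "out": [], "review": []}
    for s in systems:
        decision, reason = classify(s)
        buckets[decision].append((s.name, reason))
    return buckets


# Constructed inventory for illustration; names and tags are hypothetical.
INVENTORY = [
    System("api-prod", "production", True),
    System("postgres-prod", "production", True),
    System("staging-db-with-prod-dump", "staging", True),
    System("ci-runner", "staging", False, shares_prod_access=True),
    System("load-test-sandbox", "sandbox", False),
    System("legacy-vm", "", False),
]

if __name__ == "__main__":
    for bucket, items in triage(INVENTORY).items():
        print(f"{bucket.upper()} scope:")
        for name, reason in items:
            print(f"  {name}: {reason}")
```

The review bucket is the point of the exercise: the systems that end up there are exactly the ones an auditor will ask about, so resolving them before connecting integrations keeps the scope clean in both directions.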

How do we scope the right controls?

Vanta includes a wide range of default controls, but you do not need to complete all of them for your audit with us. For a standard SOC 2 audit we focus on a subset of roughly 50 controls, typically covering the Trust Services Criteria below:

  • Security

  • Availability

  • Confidentiality

The remaining Trust Services Criteria, Processing Integrity and Privacy, are optional and are scoped separately. Security (the Common Criteria) is mandatory for every SOC 2 report; the other criteria are added when they match the commitments you make to your customers.

To Note: Vanta is evidence-driven and automatically maps evidence to controls based on your integrations. Depending on your systems and setup, we may occasionally request alternative or additional evidence to ensure proper coverage. This is completely normal and helps us keep the audit both accurate and efficient.

How do we add Tempo as our auditor?

Granting auditor access early allows us to provide targeted guidance, streamline your preparation, and accelerate your audit readiness.

To add Tempo as your auditor, navigate to “Settings” and then “User Permissions” in Vanta. From there, open the “Compliance” tab, select “Audits” and then “Add Audit”. You will then create your audit package with the information below:

  • Framework: Your engaged framework (e.g. SOC 2 Type 1, SOC 2 Type 2, HIPAA, GDPR). If you’re unsure, refer to your Tempo/ Sensiba SOC 2 contract.

  • Audit firm: Tempo Audits

  • Auditors: (we’ll confirm the correct email with you)

  • Audit date / period:

    • Type 1: Select the as-of date for the report (today’s date is fine as a starting point; a Type 1 report describes your controls at a single point in time)

    • Type 2: Select your observation period (this can be updated later if needed)

What is a System Description and how do we complete it?

Creating a System Description is a key step for your audit: it forms the basis of your final report, clearly defines what is in scope, and helps us understand how your systems and processes work together.

You can complete it by following the instructions linked here.

What are some key focus areas to make your Vanta audit-ready?

To keep your audit smooth and efficient, we recommend reviewing the following areas in Vanta.

  1. Personnel in Scope: Ensure all in-scope personnel are listed and manually mark out-of-scope users (e.g. contractors with no access to in-scope or sensitive systems). Anyone who does have access to production or sensitive data is in scope, whatever their employment status.

  2. Policy Management: Upload or create policies and track approvals and acknowledgements. For this, you can use either Vanta’s built-in policy resources or PolicyTree. PolicyTree is optional and has a Policy Generator that you can use to create tailored, audit-ready policies. You can find out more about PolicyTree here.

  3. Risk Management: Document risks, mitigation plans and owners; as well as grant auditor access to your risk register (or upload a manual one).

  4. Vendor Management: Add critical vendors, assign risk ratings, and complete annual reviews for high or critical vendors.

  5. Monitoring Tests: Configure monitoring checks so controls are continuously validated.

  6. Device Compliance: Integrate your MDM or use the Vanta Agent to monitor personnel devices that are in-scope.

A tip from your Tempo/ Sensiba team: Think of these as your “audit readiness foundations.” The stronger they are, the faster and smoother your audit will be.

What are some Frequently Asked Questions?

Below are answers to the most common questions we get about preparing for and completing your audit in Vanta. If anything’s unclear or feels overcomplicated — just shout. That’s what we’re here for.

Who can help me prepare for my first audit?

You’re not on your own. Once you’re onboarded with Tempo Audits, you’ll be introduced to your dedicated Auditor/ Audit team, who will guide you through setup and readiness.

We’re friendly, responsive, and easy to reach — you can contact us any time via email (we’ll share the correct address during onboarding).

Why should I involve my auditor early?

Bringing us in early keeps the audit running smoothly and reduces rework for your team: issues surface sooner, when they are easier to fix, and you can lean on our experience from day one.

Early collaboration = faster, calmer audits.

When am I “ready” to start the audit?

In Vanta, you’ll see a completion percentage that shows how much of the framework you’ve prepared.

For SOC 2 audits, we expect you to have completed the steps outlined above before formally starting the audit.

Your Vanta team is there to help fast-track readiness and make sure you’re focusing on the right things — not just ticking boxes.

What should I select as my audit period?

For SOC 2 Type 2 audits, your audit period can be between 3 and 12 months.

We usually recommend starting from:

  • A date you’re confident your controls were operating effectively (especially for first-time reports), or

  • The end date of your previous Type 2 period

This ensures continuous coverage and aligns with industry best practice. After your first report, annual Type 2 audits typically become the norm.

If you’re unsure, just ask — we’ll help you choose the right dates.

Which policies should I prioritise?

These policies are commonly expected for SOC 2 audits:

  • Code of Conduct

  • Access Control Policy

  • Asset Management Policy

  • Operations Security Policy

  • Incident Response Plan

  • Information Security / Acceptable Use Policy

  • Human Resources Security Policy

  • Risk Assessment Policy

  • Third-Party / Vendor Management Policy

  • Data Management Policy

  • Business Continuity & Disaster Recovery Plan

  • Secure Development Policy

Why are there different completion percentages showing?

  • Vanta’s completion % shows how much of the framework you’ve prepared

  • Our passing % reflects how much evidence has been verified during the audit

During the queries stage, controls marked as “incomplete” usually just need more or clearer evidence. This isn’t a failure — it’s part of the normal audit flow.

How long does the audit take?

Our AI-enabled audit approach helps speed things up and reduce back-and-forth during the queries phase.

If you’re working towards a deadline or need something to share with a client, we can provide a Letter of Engagement confirming you’re actively mid-audit.

What if a control doesn’t apply to us?

That’s totally fine. Controls are designed to be flexible.

If something doesn’t reflect how your business operates, let your audit team know. We’ll work with you to document an appropriate alternative — as long as the intent of the control is met.

Do I need to perform every control for a Type 1 audit?

Not necessarily.

For Type 1 reports, it’s acceptable to show planned controls, such as:

  • A scheduled disaster recovery test

  • A signed statement of work for a penetration test

  • Draft templates for on-boarding/ off-boarding or incident tracking

The focus is on design and readiness.

I’ve received my AI audit results - what does “Incomplete” mean?

“Incomplete” simply means we need more evidence before the control can be marked as passed.

It is not a failure and does not disqualify you from completing the audit.

When are samples tested for Type 2 audits?

Sample testing typically happens around two weeks before the end of the audit period.

For example, we may select incidents, access changes or tickets from within the audit period and request evidence that the control operated effectively for each one. Because samples are drawn from the period, keep that evidence (tickets, approvals, access reviews) dated and retrievable throughout the period rather than reconstructing it afterwards.

What happens once the audit hits 100%?

Once all controls are complete:

  1. We perform a secondary quality assurance review (our “triple check”)

  2. We confirm all evidence and findings

  3. We let you know the audit is officially finalised!

How does third-party infrastructure affect the audit?

We only audit controls you manage.

If you rely on third-party infrastructure (e.g. cloud databases or hosted platforms), these are referenced as sub-service organisations. No additional evidence is required unless you manage those controls directly. The split follows the usual shared-responsibility line: the provider’s physical security and underlying platform are theirs, but the configuration of your own accounts (who has access, encryption settings, backups, logging) remains yours and is in scope.

I’ve added Privacy to my scope - what do the key terms mean?

Privacy terminology can be confusing at first. Here are the basics:

  • Data Controller: Decides why and how personal data is processed.

  • Data Processor: Processes personal data on behalf of a data controller.

  • Data Subject: The individual whose personal data is collected.

If you’re ever unsure, your Tempo audit team is happy to help clarify.

We have also put together some Pre-Audit FAQs for your SOC 2 audit that you can check out here.

We hope this short guide helps you when setting-up your SOC 2 audit on Vanta, but if you have any more questions - just shout!