The story behind continuous audit: Why we're doing it

 

Continuous audit has been talked about for over 10 years. From the start of my career, I remember it being talked about as a concept that made a lot of sense in theory but wasn’t practically viable.

 

It’s still yet to be a reality; continuous audit is either done by large companies with huge audit teams (and budgets) to address an outrageous scale of compliance obligations, or as a very narrow part of a compliance program covering only a subset of automated controls. 

It was early 2023, and Nick and I were at a bar in San Diego. I can’t remember whose idea it was that sparked it, or how many ridiculous ideas came before it. But we were two beers deep when we conceived how to turn the theory of continuous audit into a practical reality at scale for any company.

I asked the barmaid for paper and a pen and we sat there frantically “whiteboarding” on an A5 sheet 😅. Scribble, sip, scribble, sip, ‘another round please’, scribble, sip. We had to run to dinner an hour later with a few sheets stuffed into my pocket, going off to meet the co-founders of Drata for the first time.

They say necessity breeds innovation. I guess going to meet the co-founders of Drata may have been that necessity. Imagine Nick and me with our little audit firm from Australia going to chat about the market opportunities with the founders of a company that reached a $2bn valuation, grew a 350-person team and thousands of business customers, in less than 2 years! These guys were serious operators achieving some incredible things for the compliance industry.

But like all innovation, the ideas didn’t come out of thin air. There were important reasons for moving into continuous audit. 

An evolution of our agile audits 

Our 200+ clients have praised the way our agile audits just make a lot of sense. They provide faster feedback, reduced business disruption, and give our clients and their stakeholders greater confidence. The theory of continuous audit was a natural evolution of that. Instead of audits playing out at the client’s pace over weeks or months, we could turn it into something that happens year-round following the same principles and internal systems and processes we had developed for years.

We entered a live Type 2 period ourselves

In late 2022 we issued our own SOC 2 Type 1 report, which meant we had entered a live Type 2 period. That was really daunting. Even as audit and compliance experts, how could we be sure our approach and our auditors’ expectations are aligned? How do we know for sure our compliance is on track? And how do we plan for the time and disruption the Type 2 will cause at the end of the audit period, when the audit is conducted?

Perhaps most important was the psychology of it all. It’s really hard to stay motivated maintaining compliance when there’s no positive reinforcement, and the business outcome seems so far away! It naturally falls behind lots of other priorities that have a higher urgency in a fast-growth company.

The unsolved market problems

We had spent the last few months working closely with Drata and sharing insights on the state of the market, and clients’ key pain points. A few really stood out: 

Waiting periods: Enterprise users of compliance reports were impatiently waiting up to 12 months for the next report and pushing for “bridging letters”, status updates, and even delaying renewals or expanded licensing terms until they had those in hand. 


Compliance lapses: Clients were achieving their first compliance reports but then letting it lapse and scrambling to pick it back up 12 months later. That would then be under the pressure of failures that were too late to fix, limited time to complete the audits, and potentially lost revenue if the outcome fell short of customer expectations.

 

Learning lessons when it’s too late: Clients were under-utilising platform features designed to enhance security, and streamline their compliance and audits. In some cases not going far enough to be compliant, in others going too far when it doesn’t align to their goals. When auditors would give that feedback at period end, it had already caused major additional work, and angst amongst the client’s team. It can be hard to salvage team sentiment and rebuild motivation to engage with the compliance program.

Audit efficiency is the key to unlocking value  

The reality of audits done well is that our clients actually like them. Why wouldn’t you want insightful feedback on your company? To benchmark to industry standards to help you operate effectively and securely? Why wouldn’t you want to achieve something that’s broadly recognised, well-regarded, and helps you win revenue?

But those benefits are overshadowed by the high costs and disruption of audits. So audit efficiency is the key to unlocking the true potential of audits.

As an audit firm, we found scaling to hundreds of clients had two specific efficiency challenges: 

1. Team training is so important to efficient audits, but it’s hard to align the topical training to what was most relevant in a field with hundreds of topical areas. That alignment is important to maximise knowledge retention and the impact of the training. 

2. Audit services are naturally reactive. They respond to what documentation the client provides and when it’s provided. Managing things reactively is always harder and comes with inherent inefficiencies. 

Continuous audit flips both points so we can optimise our team training, proactively manage capacity and workload, and then ultimately conduct efficient audits that allow for lower costs to the client and less business disruption. Hooray!
