The audit conversation has changed shape. Five years ago, when an auditor opened fieldwork, the standard pattern was a six-week scramble: the customer's compliance team booked the audit window, alerted the engineering teams, and started the rolling exercise of pulling screenshots, exporting access lists, drafting policy attestations, and collecting signed approvals. The control was designed once, in some long-ago project. The evidence was assembled now, under deadline pressure, by humans copy-pasting state into PDFs.

That model is breaking. Not because the controls are wrong. Because the evidence is wrong. When the auditor asks for proof that a control operated continuously across a twelve-month period, and the proof is a folder of artefacts dated within the last three weeks, the design of the control is no longer the question. The integrity of the evidence is. And across every major framework now in force, that integrity expectation has moved from "the evidence should look reasonable" to "the evidence should be a real-time output of the system the control runs in."

This article walks through why every major framework has pushed toward continuous evidence, why the dominant audit failure mode in 2025 and 2026 is evidence quality rather than control design, and what an architecture that emits its own evidence looks like.

The shift from periodic audit to continuous evidence

For most of the last two decades, audit and compliance frameworks were structured around a periodic rhythm: annual recertification, quarterly access reviews, monthly vulnerability scans, weekly log spot-checks. Each cadence produced an artefact, and the artefacts were filed against the control they evidenced. The framework expected the artefacts to exist. The auditor checked that they did. Whether the artefact was generated by a system that watched the control day after day, or stitched together by a human two days before the audit, was largely irrelevant to the framework's literal requirements.

The relevance changed because regulators noticed two things. The first is that point-in-time evidence does not survive correlation. Auditors started asking follow-up questions across artefacts (does the access review match the actual user state at the date stamped on it, does the log spot-check correspond to the SIEM data for the same window, does the approval signature line up with the change ticket), and the answer kept coming back inconsistent. Manually assembled evidence has a measurable defect rate, and the defects are visible the moment the auditor compares two artefacts that should agree.

The second is that the threat environment moved faster than the audit cadence. Once breach-notification windows compressed to seventy-two hours under GDPR and twenty-four hours under NIS2, the framework expectation became operational: the organisation must be able to detect, classify, and report on incidents in time windows shorter than the periodic monitoring cycle. That is not solvable with a quarterly review. It is solvable only with a system that produces evidence continuously and reads it the same way the auditor will.

Both shifts pushed in the same architectural direction. The audit posture moved from "do you have the artefact" to "does your system continuously produce the artefact". The frameworks followed.

What the major frameworks now expect

The pattern is consistent across geographies. The vocabulary differs. The direction does not.

SOC 2 Type II (United States, AICPA). The Type II report is, by definition, a test of operating effectiveness "throughout a specified period" (typically six to twelve months). The AICPA's 2022 revised points of focus tightened the language in the CC4 Monitoring Activities and CC7 System Operations criteria. CC4.1 expects the entity to perform "ongoing and/or separate evaluations" of internal control, with the emphasis in 2022 sliding toward ongoing. CC4.2 requires deficiencies to be communicated to those responsible "in a timely manner", not by the next audit. CC7.1 expects "ongoing monitoring for all new vulnerabilities". A service auditor running Type II fieldwork in 2026 will sample dates inside the period and expect a coherent evidence chain on each one. Screenshots dated within the fieldwork window are increasingly read as an evidence-quality finding rather than a control-operating finding.

ISO 27001:2022 (international). Clause 9 Performance Evaluation is unusually explicit about cadence. Clause 9.1 requires the organisation to determine what is monitored and measured, the method, the timing, the responsible roles, when results are analysed, and by whom; documented information must be retained as evidence. Clause 9.2 requires a planned internal audit programme, and Clause 9.3 a management review at planned intervals with explicit inputs covering monitoring results, audit results, nonconformities, and trends. Trends, by definition, require continuous data. The 2022 revision added Control A.5.36 on compliance with policies and standards, which expects regular review of compliance status. The 2022 reordering of Clause 10 placed continual improvement (10.1) before nonconformity and corrective action (10.2), signalling that improvement should be proactive rather than only reactive. Surveillance auditors in the 2025 and 2026 cycles are increasingly drawing operational data from running systems rather than reviewing freshly assembled folders.

PCI DSS 4.0.1 (international, payments). The 31 March 2025 effective date for the previously future-dated PCI 4.0 requirements moved the framework decisively toward continuous evidence. Requirement 10.4.1.1 makes automated log-review mechanisms mandatory for the cardholder data environment, security functions, and critical systems. Requirements 10.7.2 and 10.7.3 require detection of and prompt response to failures of critical security control systems. Requirement 11.6.1 mandates change-and-tamper detection on payment pages with at least weekly checks, designed to catch e-skimmer injection in near-real-time. The Customized Approach introduced a Targeted Risk Analysis (TRA) requirement: where the entity defines the frequency of a periodic activity, it must document the TRA, review it annually, and produce evidence that the TRA is actually driving the cadence. The expected QSA failure mode from 2025 onward is exactly this: the entity has TRA documents but no operational evidence that the TRA is driving testing frequency.

NIST CSF 2.0 (United States, February 2024). The first major revision since 2018 added a sixth function, GOVERN, and reorganised improvement into a dedicated category (ID.IM) under IDENTIFY. ID.IM-01 expects improvements to be identified from evaluations, with implementation examples including "constantly evaluating compliance with selected cybersecurity requirements through automated means". The DE.CM (Continuous Monitoring) subcategories use the word "monitored" throughout, not "reviewed". The Implementation Tiers are explicit on what continuous looks like at maturity: Tier 3 Repeatable expects practices to be "regularly updated based on the application of risk management processes to changes in business and threats"; Tier 4 Adaptive expects the organisation to adapt cybersecurity practices "based on previous and current cybersecurity activities, including lessons learned and predictive indicators". NIST SP 800-137 has long provided the canonical federal definition of Information Security Continuous Monitoring; SP 800-137A added the meta-level assessment of whether the ISCM programme itself is operating as designed.

NIS2 directive (European Union). Article 21(2) lists "policies and procedures to assess the effectiveness of cybersecurity risk-management measures" as a mandatory minimum measure for essential and important entities. Member State supervisors and ENISA implementation guidance read this as ongoing assessment of operational effectiveness, not an annual gap analysis. The Article 23 reporting timeline (early warning within 24 hours, full notification within 72 hours, intermediate report on request, final report within one month with root cause and mitigation) mechanically requires continuous logging and detection capable of producing forensically sound evidence within hours. Member State competent authorities in the 2025 enforcement cycle have been explicit: static annual risk registers, checklist-driven gap analyses, and evidence assembled only before audits do not satisfy Article 21.

FINMA (Switzerland). Circular 2023/1 on Operational Risks and Resilience, in force from 1 January 2024, requires every supervised institution to identify its critical functions, define a board-approved tolerance for disruption per function, map the supporting resources (people, processes, technology, data, third parties), and test the ability to continue critical functions under "severe but plausible scenarios" on a regular basis. FINMA Guidance 05/2025, published 10 November 2025 and effective 1 January 2026, restated and tightened those expectations after surveying 267 institutions: most firms have policy artefacts for critical functions and tolerances but lack the operational telemetry to evidence they are within tolerance day to day. Inspections from 2026 onward will look for continuous monitoring of resources supporting critical functions, not just the document that says monitoring exists.

ADHICS V2 (United Arab Emirates). The Abu Dhabi healthcare standard is one of the few regimes that bakes a quarterly cadence into the standard itself: a mandatory annual compliance audit plus quarterly self-assessments, plus mandatory breach reporting in 24 to 72 hours. The Innovation pillar explicitly requires SIEM and EDR for 24/7 monitoring, plus network segmentation and real-time monitoring of protected health information access. The only way to file a quarterly attestation without burning a quarter on each cycle is to have the underlying evidence emitted continuously by the platform.

SAMA Cyber Security Framework (Saudi Arabia). Saudi Central Bank's framework mandates 24/7 Security Operations Centre operations with SIEM, continuous vulnerability management, and regular structured penetration testing as evidence that technical controls are functioning. The Compliance domain expects evidence of compliance to be producible on demand for supervisory inspections, including unannounced onsite reviews and data requests at any time. An institution cannot prepare for a SAMA request the way it prepares for a SOC 2 audit, because it may have only hours; the practical pressure is on the institution to keep the evidence continuously in a state ready for inspection.

Eight frameworks, six jurisdictions. The expectation has converged: continuous monitoring with evidence on demand, not periodic monitoring with evidence on request.

Why evidence-quality is the new failure mode

A useful pattern emerged in the 2024 and 2025 SOC 2 reporting cycles. The CBIZ 2024 SOC Benchmark Study found that fifteen percent of SOC 2 reports took more than 100 days to issue, and the leading causes were incomplete evidence and user access issues. Audit firms reported that the most common findings in Type II engagements were not about control design but about evidence quality: screenshots without timestamps, logs covering only part of the audit period, policies missing approval or review dates, access reviews recorded sporadically rather than on the defined cadence. The controls were in place. The evidence that the controls operated continuously was not.

The same pattern is visible across the other frameworks. NIS2 supervisory enforcement has explicitly disqualified static annual risk registers as evidence under Article 21's "assess the effectiveness" language. PCI 4.0 QSAs from 31 March 2025 onward have flagged TRA documents with no operational backing as a Customized Approach failure. FINMA's Guidance 05/2025 survey found policy artefacts in place across most institutions but operational telemetry missing. ISO 27001 surveillance auditors in 2025 increasingly opened nonconformities on Clause 9.1 monitoring data quality rather than on the absence of monitoring procedures.

The shift matters because it changes what audit preparation actually has to produce. Designing a strong control once and writing it down is necessary but no longer sufficient. The artefact the auditor will read is the continuous operational record. The institution either has that record because the system produced it, or does not have it because no human assembled it with sufficient discipline. The latter is becoming the routine finding.

Why the scramble-for-the-auditor model is structurally broken

The traditional pre-audit scramble has a known reliability problem. Every control that depends on a human remembering to export a report, screenshot an approval, or save the result of an access review will have gaps in the resulting evidence. Across a twelve-month Type II window, the gaps compound. A control that operates ninety-eight percent of the time has, in expectation, a week or two of missing evidence over the period. A control that depends on quarterly artefacts has, in practice, three artefacts when there should be four, with the fourth reconstructed from current state in week six of fieldwork.

Ponemon Institute and Globalscape's True Cost of Compliance research put the average annual compliance spend at $5.47M for the studied organisations, with audit preparation absorbing a significant share. The figure is unevenly distributed: tier-one banks with twenty thousand or more employees commonly spend $200M annually on compliance activities. The non-compliance figure was $14M, roughly 2.7 times the cost of compliance. The ratio tells a clear story: compliance is expensive, and the dominant cost driver is human evidence assembly.

Continuous Controls Monitoring case studies report routine reductions in audit preparation time when evidence is emitted by the system rather than assembled by people. Documented cases include: a sixty percent reduction in audit-prep time across general CCM deployments; a healthcare organisation moving from three weeks of HIPAA evidence collection to under a day, a ninety-five percent reduction; a financial services firm reporting a forty-five percent documentation-time reduction from control-mapping automation alone. The economics of the shift are not subtle. The regulators have moved to expect continuous evidence anyway. The institutions that build the architecture to produce it pay it back in audit-cycle compression.

The questions that distinguish continuous evidence from quarterly theatre

A short, uncomfortable checklist for any team looking at their current evidence posture or evaluating a new platform.

  1. Can the platform produce, on demand, the audit trail for a single record across a year-long period? Not "we have logs". Not "we ship to SIEM". A specific record's complete history (who touched it, when, what changed, under whose authority, with what approval), exportable in the time it takes to write the query. If the answer involves any human assembly, the platform fails the continuous-evidence test.
  2. Is the evidence tamper-evident, not just tamper-resistant? Auditors are increasingly explicit on this distinction. Tamper-resistant means modification is hard. Tamper-evident means any modification is detectable. Hash-chained audit logs (each entry containing the hash of the previous entry, optionally anchored externally) produce tamper-evidence; flat append-only logs do not.
  3. Does the platform emit the evidence at the moment the control operates, or at audit time? If access reviews, change approvals, or key rotations produce their evidence only when an admin remembers to export, the evidence stream has structural gaps.
  4. Can the auditor read the same data the operator reads? The cleanest continuous-evidence architecture has no separate "audit view"; the auditor queries the same operational record the platform itself uses to enforce the control. Bespoke audit dashboards are a smell, because they imply the production telemetry was not trustworthy enough to use directly.
  5. What evidence does the platform produce for controls that did not need to engage during the period? A control that did not block any event over twelve months should still produce evidence that it was in place and watching. The absence of an incident is itself an artefact, and one that auditors are increasingly asking for.

A platform that answers each of these with an artefact rather than a paragraph is producing continuous evidence. A platform that needs to "investigate the specifics" is not.

The architectural answer

Continuous evidence is the design property that becomes load-bearing when every major framework simultaneously expects it. Novantra was built around this property, and the architectural commitments behind it are the same handful any platform serious about audit-grade evidence has to make.

Append-only event streams as the substrate for evidence. Every control-relevant action, from access grants to policy approvals to key rotations to data writes, lands in Novantra's append-only event store. Deletion is restricted, audited where permitted at all, and recoverable. The event store is the evidence; there is no separate "evidence repository" to keep in sync.

Hash-chained audit with tamper-evidence. Each entry in Novantra's audit stream contains the cryptographic hash of the previous entry, forming an unbroken chain. Modification of any record breaks the hash for every subsequent record, making tampering detectable on read. Optional external anchoring of the chain root to a third-party timestamping service or signed log defeats insider tampering on the storage layer itself. This is the architectural answer to the auditor's question "how do I know this log was not edited last night".
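To make the tamper-evidence distinction from point 2 of the checklist and the hash-chained stream described here concrete, the following is an added example, not Novantra's code or any real product's: a minimal hash-chained, append-only audit stream with read-time verification, a per-record history query (point 1 of the checklist), and a heartbeat entry for a control that blocked nothing (point 5). The class and function names, the sample events, and the record and change-ticket identifiers are all constructed for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    """Hash of one entry: previous entry's hash plus canonical JSON of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit stream (hypothetical class built for this example)."""
    def __init__(self):
        self.entries = []  # each: {"prev": str, "event": dict, "hash": str}

    def append(self, event: dict) -> str:
        """Record an event at the moment the control engages; returns the new chain head."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": h})
        return h

    def head(self) -> str:
        """Chain head: the value to anchor externally (timestamping service, signed log)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Walk the chain on read: (True, -1) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["event"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1

    def history(self, record_id: str) -> list:
        """Complete trail for one record: who touched it, when, what changed, under what approval."""
        return [e["event"] for e in self.entries if e["event"].get("record") == record_id]


def build_sample_log() -> AuditLog:
    """Constructed sample events, including a heartbeat for a control that blocked nothing."""
    log = AuditLog()
    log.append({"ts": "2025-03-01T09:00:00Z", "actor": "alice", "action": "create", "record": "doc-42"})
    log.append({"ts": "2025-03-02T14:30:00Z", "actor": "bob", "action": "update", "record": "doc-42",
                "approval": "CHG-1107"})
    log.append({"ts": "2025-03-02T23:59:00Z", "actor": "system", "action": "heartbeat",
                "control": "egress-dlp", "blocked": 0})
    log.append({"ts": "2025-03-03T08:15:00Z", "actor": "auditor", "action": "read", "record": "doc-42"})
    return log


def tamper_detected_at(log: AuditLog, index: int, anchored_head: str) -> int:
    """Simulate an in-place edit of one stored entry, with that entry's own hash recomputed.
    Returns the index where verify() breaks, len(entries) if only the anchored head reveals it, or -1."""
    e = log.entries[index]
    e["event"]["actor"] = "mallory"
    e["hash"] = entry_hash(e["prev"], e["event"])
    ok, bad = log.verify()
    if not ok:
        return bad
    return len(log.entries) if log.head() != anchored_head else -1
```

Editing any entry but the last is caught by the next entry's stored previous-hash; editing the last entry and recomputing its hash is caught only by comparing the head against an externally anchored value, which is why the anchoring step matters.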

Real-time emission from the production system. Evidence is generated at the moment the control engages, not at the moment the audit is announced. The control and the evidence are the same write. Latency between control action and evidence record is bounded by the storage round-trip, not by a human's calendar.

One store, queried by both operations and audit. The compliance team reads the same data Novantra itself uses to enforce the control. There is no derived audit warehouse, no eventual-consistency window between operations and evidence, and no opportunity for the two views to diverge.

Per-organisation isolation of the evidence stream. Each organisation's audit history lives in its own boundary, in its own region, under its own keys. Exporting evidence for a regulator does not depend on the vendor's cooperation, and the regulator's view of one customer's evidence cannot accidentally surface another customer's. On Novantra's Sovereign deployment, the whole evidence stream runs inside the customer's own infrastructure.

None of these is a feature. Each is the architectural answer to a question every major framework is now asking out loud: not whether the control was designed, but whether the evidence that it operated is a continuous output of the system the control ran in. A platform built to produce that evidence by default makes audit a query against a continuously produced data product, rather than a six-week project carried out under deadline pressure once a year. The frameworks have already moved in that direction. The architecture has to follow.

The same continuous-evidence substrate is what makes the right-to-audit clause exercisable without contract negotiation and what collapses the breach-notification scoping bottleneck from weeks into a structured query.