A discipline shift is happening inside regulated organisations, and it is bigger than any framework cadence or evidence architecture on its own. The compliance function is reorganising. The internal-audit profession is reorganising. The external auditor's testing methodology is reorganising. The compliance-officer role is reorganising. The vendor category called "Continuous Controls Monitoring" exists now where it did not five years ago. The Institute of Internal Auditors retired its 1999 Three Lines of Defense framework in 2020, replaced it with the Three Lines Model, and published a complete rewrite of its Global Internal Audit Standards in January 2024 (effective January 2025). The PCAOB amended its evidence sufficiency standard (AS 1105) in 2024 to address audit procedures involving technology-assisted analysis of information. None of this is incidental. The collective signal is that continuous assurance has replaced project-based compliance as the discipline, and the organisations that have not restructured around it are working harder for less.
The companion articles on continuous evidence as architecture and operating audit-ready every day cover the engineering substrate and the operating rhythm. This article sits above both: how the compliance discipline itself is reorganising, what the IIA's Three Lines Model evolution means in practice, why CCM platforms exist as a vendor category, how the compliance-officer role has changed, and what happens to organisations that buy "compliance automation" tools without restructuring the function underneath. The structural argument: continuous assurance is the professional analogue of DevOps' emergence from sysadmin. The job did not get harder; the operating model changed.
The discipline shift
For most of the history of regulated industries, compliance was a project-based, audit-driven function. The organisation built controls, the auditor came once a year, the controls were sampled, the report was issued, the binder was filed. The compliance team's calendar was structured around the audit calendar. Internal audit, in IIA's original 1999 Three Lines of Defense framing, was the third line, sequenced after operations (first line) and risk-and-compliance functions (second line). The model was linear, defensive, terminal. Audit at the end.
That model is being supplanted by continuous assurance, in which all three lines collaborate continuously and the audit becomes a verification of an already-current operational record. The companion articles on continuous evidence and operating audit-ready every day cover why the evidence and the rhythm have to be continuous. This article is about why the discipline itself has to be.
The drivers are converging. PwC's 2025 Global Compliance Survey of 1,802 executives across 63 territories reports that 85 percent of respondents say compliance complexity has materially increased in the last three years; only 7 percent consider themselves "leading" in compliance, while 38 percent aim to be within three years. Fortune 500 organisations now track hundreds of regulations and frameworks across jurisdictions. The companion article on framework convergence covers why the same three controls (MFA, encryption, audit) became table stakes simultaneously across nine major frameworks in an eighteen-month window. The compliance function cannot scale linearly with regulatory growth. Continuous assurance is the only scaling pattern available, and the organisations adopting it earliest are restructuring before they have to.
The Three Lines Model and IIA's 2024 Global Standards
The Institute of Internal Auditors retired the 1999 Three Lines of Defense framework in July 2020, replacing it with the Three Lines Model. The changes are substantive. The new model reframes governance from defence to alignment; emphasises collaboration, shared accountability, and integrated governance; and explicitly positions internal audit as a continuous-improvement partner rather than a terminal assurance provider. Third-line auditors are now expected to provide "continuous assurance rather than point-in-time assessments". This was the early signal of where the discipline was going.
The bigger event is the January 2024 Global Internal Audit Standards, effective from January 2025. The IIA replaced its 1978-era International Professional Practices Framework with a single set of standards organised around fifteen guiding principles. The new standards add explicit emphasis on continuous monitoring as part of internal audit's mandate, introduce Quality Assurance and Improvement Programmes, and define Topical Requirements series (Cybersecurity in February 2025, then Third-Party Risk, Culture, and Business Resiliency) that provide standardised baselines for assurance in specific risk areas. Internal audit reports are expected to include data insights and consultative recommendations, not just findings.
The operational implication is direct: third-line teams are now expected to provide ongoing, data-driven assurance rather than annual sampled engagements. Audit is becoming a continuous service. Deloitte's 2024 Global Chief Audit Executive Survey of more than 200 chief audit executives across thirty-five countries reports that eighty-two percent of internal audit functions increased their impact in the last three years but only fourteen percent feel they have reached full potential. Sixty-seven percent of chief audit executives are concerned about the digital capabilities of their teams. The 2025 follow-up survey reports that ninety percent of internal audit functions now have digital and analytics plans integrated with strategic objectives, but only thirty-eight percent have a formal digital strategy. The capability gap is real, and it is wider than the function's leadership ambition.
The external audit profession is moving at the same time. Deloitte uses machine-learning bots to verify one hundred percent of vendor invoices against ledgers, replacing sample-based testing. PwC's reported $1.5 billion AI investment underpins the Aura platform, which automates prepared-by-client lists, flags delays in real time, and tests journal-entry populations for fraud anomalies. EY's Helix platform serves the same function. KPMG's Clara platform uses AI to assess audit risk against documents, past audits, and real-time data. The Big Four are moving en masse from sampling to population testing, and the PCAOB's 2024 amendments to AS 1105 specifically address audit procedures involving technology-assisted analysis. Paragraph .B2 amendments are effective for fiscal years ending on or after 15 December 2024; the new paragraph .10A on technology-assisted analysis is effective for fiscal years ending on or after 15 December 2025. The standard raises the evidence-sufficiency bar in line with AI-based population testing. The discipline shift is now codified in audit standards, not just industry practice.
What the major frameworks now require
The pattern is consistent across jurisdictions. The vocabulary differs. The direction does not.
SOC 2 (United States, AICPA). Trust Services Criteria 2017 with 2022 revised points of focus push toward continuous monitoring of controls across the audit period, not just snapshot testing at the end. Type II reports still cover a three-to-twelve-month observation period. The 2024 and 2025 evolution is in the description criteria: continuous monitoring across the audit window is now the expected design, and the Type II report is increasingly viewed as a stale artefact compared to the real-time Trust Center customers actually want to read. The marketplace gap is unambiguous: the formal framework is annual; the operational expectation, from customers, third parties, and boards, is real-time.
ISO 27001:2022 (international). Clause 9 Performance Evaluation is the "Check" phase of Plan-Do-Check-Act. The 2022 revision strengthened the evaluation requirement: organisations must evaluate both the performance of information security and the effectiveness of the ISMS itself. Clause 10 Continual Improvement requires non-static practices. Under the 2022 revision combined with market practice, monitoring data feeds a real-time improvement loop and surveillance audits become checkpoints rather than calendar events.
PCI DSS 4.0.1 (international, payments). Two fundamental moves toward continuous posture. The Activity Frequency Targeted Risk Analysis lets entities decide how often to run a control based on environment risk profile, replacing prescriptive "once per quarter" language. The Customized Approach Targeted Risk Analysis lets organisations meet requirements with controls of their own design as long as they document equivalent risk reduction. Requirement 12.3.2 mandates a Targeted Risk Analysis for each customised requirement, reviewed at least every twelve months. PCI DSS has moved from prescriptive checklist to continuous risk-based posture. The compliance team must continuously justify its design decisions in writing.
NIST CSF 2.0 and SP 800-53 (United States). CSF 2.0 Implementation Tier 3 (Repeatable) requires consistent, documented, traceable processes; Tier 4 (Adaptive) expects the organisation to use real-time or near-real-time information to manage cyber risk and continuously adjust. NIST SP 800-137 Information Security Continuous Monitoring is the canonical federal definition. NIST SP 800-53 Rev 5 CA-7 Continuous Monitoring sets the control. The FedRAMP Moderate baseline operationalises this with monthly vulnerability scans, monthly POA&M updates, annual penetration tests, and continuous CSO monitoring.
NIS2 directive (European Union). Article 21(2)(f) requires "policies and procedures to assess the effectiveness of cybersecurity risk-management measures", the legal hook for continuous self-assessment. Article 23's twenty-four-hour early-warning, seventy-two-hour incident notification, and one-month final report timelines require operational posture data to be live, not assembled. Commission Implementing Regulation 2024/2690 translates Article 21 into roughly 150 specific cybersecurity controls. Member State enforcement through 2025 has flagged static annual risk registers as insufficient under 21(2)(f).
DORA (European Union, financial services). Effective from 17 January 2025. Article 5 requires an ICT risk-management framework with board accountability. Article 6(5) requires the framework to be documented and reviewed at least annually and after every major ICT-related incident. Article 16 mandates ongoing monitoring of ICT systems. Article 19 sets incident-reporting timelines that mirror NIS2. Articles 24 and 25 introduce threat-led penetration testing for critical entities. DORA's structural shift is that it puts personal accountability on the management body: boards must define risk appetite, approve the framework, ensure resources. Compliance is no longer a function the board reviews annually; the board owns it continuously.
HIPAA Security Rule (United States, healthcare). The December 2024 NPRM published in the Federal Register on 6 January 2025 restructures the Security Rule. Annual written technology asset inventory; annual network map showing ePHI flows, reviewed after material changes; vulnerability scans at least every six months; penetration testing at least annually; audit programmes every twelve months with annual reviews; removal of the addressable carve-out across the board. The 2026 enforcement implication is that OCR is shifting toward documented continuous monitoring as the baseline. The point-in-time risk assessment is no longer defensible.
FINMA Circular 2023/1 (Switzerland). Effective from 1 January 2024. Each critical function must have a tolerance for disruption approved by the board. The inventory of critical functions, supporting resources including third parties, and tolerances must be maintained continuously. Chapter V on operational resilience requires holistic monitoring. FINMA Guidance 05/2025, effective 1 January 2026, tightened these expectations after a 267-institution survey found most firms had policy artefacts but lacked the operational telemetry to evidence they were within tolerance day to day.
ADHICS V2 (United Arab Emirates). Effective from August 2024. Mandatory annual independent compliance audit plus quarterly self-assessment by the entity against the ADHICS controls, plus breach notification within twenty-four to seventy-two hours. The quarterly self-assessment is the clearest single example of a regulator codifying the four-times-per-year continuous-assurance cadence as a baseline expectation. Most other frameworks imply it; ADHICS writes it.
SAMA Cyber Security Framework (Saudi Arabia). Domain 6 Compliance requires continuous monitoring of compliance status against the framework. The framework uses a six-level maturity model (0 through 5); Level 3 and above require continuous monitoring with Key Performance Indicators. For domestically systemically important banks, the practical expectation has shifted to real-time dashboards on cybersecurity compliance status with both KPIs and Key Risk Indicators reported up to the board.
Ten frameworks, six jurisdictions. The expectation has converged: continuous assurance is the new compliance, codified.
The compliance-officer transformation
The role has changed in the same shape as the discipline. PwC's 2025 Global Compliance Survey reports that eighty-two percent of organisations are planning to invest more in compliance automation technology; forty-nine percent already use technology for eleven or more compliance activities. The top barriers to transformation are organisational complexity (thirty-four percent), culture (twenty-nine percent), resource capacity (twenty-eight percent), employee awareness (twenty-five percent), technology (twenty-five percent), and leadership (twenty-two percent). The barriers are organisational, not technological.
The Chief Compliance Officer of 2026 sits in the C-suite alongside the Chief Financial Officer, Chief Risk Officer, and Chief Information Security Officer. The role is no longer to gatekeep; it is to enable the business at the speed regulators now expect. Board reporting has moved from quarterly project updates to live dashboards with five to seven stable outcome KPIs that do not change quarter to quarter and eight to twelve broader board metrics. Reporting has moved from "what tools did we deploy" to "can you prove this control is working right now". The CISO no longer reports tools deployed; the CISO reports control effectiveness with live evidence.
Internal audit teams are restructuring around the same shift. Generative AI tools (Microsoft Copilot, custom audit agents) are now standard in 2025. Internal audit functions are explicitly expected to implement continuous assurance models, especially for cloud risk. The capability gap, where seventy percent of audit teams describe themselves as not yet digitally capable, is the bottleneck. Continuous assurance does not run itself; it runs on people who can interpret the live data the platform produces.
The compliance-automation failure pattern
The most consistent failure mode in 2024 and 2025 compliance-automation deployments is the gap between buying a tool and restructuring the function. The pattern is recognisable across industry analysis: control owners run manual processes in parallel with the automation because they do not trust it; auditors request "real" evidence behind automated outputs, exposing thin traceability; leadership cannot prove the tool actually reduces risk; the tool produces massive evidence volume that the team has no structured workflow to triage. The "trust gap" between automated outputs and human action stalls the programme.
The deeper point is that buying a CCM tool without restructuring the compliance function produces an evidence firehose nobody can act on. The organisational redesign (workflows, ownership, escalation paths, decision rights) has to accompany the tool. Vanta's continuous monitoring runs tests every hour. Drata acquired SafeBase for $250 million in February 2025 and rebranded around agentic trust management. OneTrust, Hyperproof, MetricStream, RegScale, CyberSaint, and Panaseer all sit in adjacent positions. The tools work; the function around them often does not.
The continuous-trust marketplace makes the gap public. Verizon's 2025 Data Breach Investigations Report records third-party involvement in breaches doubling to thirty percent. Customers no longer accept an annual SOC 2 PDF. They want real-time third-party assurance readings via Trust Centers and API-based attestations. The organisations that have rebuilt their compliance function around continuous-assurance discipline can publish a Trust Center with live posture; the organisations that have not are still emailing PDFs and dropping behind in procurement evaluations.
The architectural answer
Continuous assurance is a discipline shift more than a tooling shift. The discipline requires an architecture that produces continuous evidence (covered in the companion article) and an operating rhythm to consume it (covered in operating audit-ready every day). On top of both, the function itself has to be reorganised. The platform's job is to make the reorganisation possible rather than forcing the customer to fight against the tool.
Novantra's first-line operating surface gives control owners the work they own, on the cadence they own it, with the evidence they produce captured at the point of operation. Daily log-review attestations, weekly tamper-detection reviews, monthly privileged-access reconciliations, quarterly access recertifications: each is a first-class operational object with a named owner, a defined cadence, and an audit trail of every execution. The first line operates in the platform; the evidence is the by-product.
Novantra's second-line oversight surface gives compliance and risk teams the live dashboards and exception registers they need to oversee without becoming a blocker. Exception registers capture every gap (a postponed review, a deferred quarterly activity) with a justification and a documented exit condition. The compliance team manages exceptions as work, not as findings. The shift from gatekeeper to enabler is structural.
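As an added illustration (not Novantra's code), the first-line cadenced control objects and the second-line exception register described above can be modelled as a small posture evaluator that answers "is this control current right now, and if not, is the gap covered by an exception that has not lapsed"; the control names, owners, dates and cadence windows are constructed assumptions:

```python
# Cadence-based control posture: current / excepted / overdue as of a date, reconstructed
# from an execution audit trail plus an exception register. Constructed example data.
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Longest acceptable gap between executions for each cadence named in the text (assumed values).
CADENCE_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "quarterly": 92}

@dataclass(frozen=True)
class Control:
    control_id: str
    owner: str         # named first-line owner
    cadence: str       # key into CADENCE_DAYS
    executions: tuple  # dates of every recorded execution (the audit trail)

@dataclass(frozen=True)
class ExceptionEntry:
    """Second-line register entry: each gap carries a justification and an exit condition."""
    control_id: str
    justification: str
    exit_by: date      # exit condition, expressed as the date by which the gap must close

def control_status(control, register, as_of):
    """Return 'current', 'excepted' or 'overdue' for one control on the as_of date.

    Executions dated after as_of are ignored, so the posture on a past date (the
    question an auditor asks) is reconstructed from the record, not from today's view.
    """
    window = timedelta(days=CADENCE_DAYS[control.cadence])
    past = [d for d in control.executions if d <= as_of]
    if past and as_of - max(past) <= window:
        return "current"
    # A gap in the cadence is acceptable only under an exception that has not lapsed.
    if any(e.control_id == control.control_id and e.exit_by >= as_of for e in register):
        return "excepted"
    return "overdue"

def posture(controls, register, as_of):
    """Per-control status plus the roll-up counts a board dashboard would show."""
    by_control = {c.control_id: control_status(c, register, as_of) for c in controls}
    return {"as_of": as_of.isoformat(), "controls": by_control,
            "summary": dict(Counter(by_control.values()))}

# Constructed sample record: four cadenced controls and one open exception.
CONTROLS = [
    Control("LOG-REVIEW", "soc-analyst", "daily",
            (date(2025, 3, 29), date(2025, 3, 30), date(2025, 4, 1))),
    Control("TAMPER-REVIEW", "platform-lead", "weekly", (date(2025, 3, 17),)),
    Control("PAM-RECON", "iam-lead", "monthly", (date(2025, 3, 5),)),
    Control("ACCESS-RECERT", "app-owner", "quarterly", (date(2024, 12, 20),)),
]
REGISTER = [ExceptionEntry("ACCESS-RECERT", "Q1 recertification deferred until the IdP "
                           "migration completes", exit_by=date(2025, 4, 15))]

if __name__ == "__main__":
    print(posture(CONTROLS, REGISTER, date(2025, 3, 31)))
```

Re-running the evaluation with a later `as_of` shows the exception lapsing into an overdue finding once its exit date passes, which is the difference between managing a gap as work and discovering it as a finding.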
Novantra's third-line interface gives internal audit a query surface, not a request queue. The audit function reads the same operational record the platform itself uses to enforce control. Sample-based testing becomes population testing; the IIA's 2024 Global Standards expectation of data-driven continuous assurance becomes a configuration rather than a multi-year capability build.
Novantra's external-trust surface (the Trust Center pattern) gives customers and third parties a real-time view of the relevant posture they have permission to see. Procurement-cycle frictions collapse. The "send me your latest SOC 2 PDF" thread becomes a link.
Novantra's board-and-committee report templates feed directly from the operational data, so quarterly risk-committee, audit-committee, and board reports do not require a separate evidence-collection project. The board reads the same numbers the operations team manages day to day. DORA's board-accountability requirement (Article 5) and FINMA's tolerance-for-disruption board approval (Circular 2023/1) become a function of how the data flows, not an additional reporting burden.
For customers whose threat model or jurisdiction requires it, Novantra's Sovereign deployment runs the entire continuous-assurance stack inside the customer's own infrastructure.
None of this is a feature. Each is the architectural answer to a question the discipline itself is now asking: not whether the controls were designed, and not whether the evidence was produced, and not whether the cadence was met, but whether the compliance function has been restructured so all of those land naturally as the output of how the organisation actually runs. The IIA has moved. The PCAOB has moved. The Big Four have moved. The regulators have moved. The vendor category has moved. The frameworks have moved. The compliance function either follows, or the next three years get progressively harder for it.
The compliance officer of 2026 is to the compliance officer of 2010 what the SRE is to the sysadmin. The job did not get harder. The operating model changed.