What Lies Beyond the “40-Hour Audit Cycle Reduction”
News reports highlighted that cloud services company Planview reduced man-hours by over 40 hours per audit cycle by implementing “Kiro CLI,” a tool that automates SOC 2 (Service Organization Control) compliance audit preparation. For many SME owners and managers, this figure is enviable. “If only we could save that much time…”
But let’s pause and think. What exactly was this “40 hours” reduced from? And what was that time originally being used for?
Delving into the answer to this question goes beyond mere “operational efficiency” and exposes a fundamental “design flaw” in SME governance, particularly in compliance activities. In many organizations, compliance has become an “end goal” in itself, turning into a self-perpetuating machine that generates vast amounts of “work man-hours.”
The True Nature of Compliance Man-Hours: A Cycle of “Translation” and “Search”
Analyzing the breakdown of the immense time spent on audit responses and internal control setup at the SMEs I’ve supported reveals a surprisingly common pattern. The vast majority of time is consumed by the following three types of “non-productive work.”
1. The Work of “Interpreting” and “Translating” Requirements
This is the work of “translating” audit standard or regulatory requirements—like “establish a security policy” or “conduct periodic access rights reviews”—into the company’s specific operational processes. Often, this translation is ambiguous, leading to constant queries from staff asking, “Is this okay?” Each time, the management department must reinterpret the requirements.
2. The Work of “Searching For” and “Gathering” Evidence
This is the work of finding and compiling “evidence” from various internal systems, file servers, and mailboxes to prove that the translated requirements are being met. This constitutes the bulk of so-called “audit material preparation.” If systems are not integrated or rules are not documented, this task becomes a hellishly time-consuming endeavor.
3. The Work of “Coordinating” and “Confirming” Between Stakeholders
This involves emails and meetings to confirm whether the gathered materials meet the requirements, have obtained approval from relevant departments, and are consistent with past responses. The more ambiguous the lines of responsibility, the more this chain of “confirmation for confirmation’s sake” grows, bloating the man-hours.
The “40 hours” that Planview’s tool reduced likely stem from automating this second task, “evidence collection/generation,” and its accompanying third task. The tool automatically collects and formats system logs and settings, generating reports for the audit.
The Root Problem: Compliance is “Disconnected” from Business Operations
However, implementing automation tools is merely a symptomatic treatment. The fundamental issue lies in the fact that compliance activities themselves are designed in complete “disconnection” from daily business operations.
A classic example of this disconnect is the pattern of “scrambling to create materials as the audit period approaches.” This means that producing compliance evidence is not a natural daily output of business but is positioned as a separate “special task.” No matter how much you streamline with tools, man-hours will continue to be generated this way.
I interpret the core of the “reconstruction of compliance” pointed out in PwC’s “Global Compliance Survey 2025” to be precisely this. It demands a shift in design philosophy—not automation through tools, but a transition to “embedding compliance into the business processes themselves.”
Three “Embedding” Practices SMEs Should Start Today
Even without large-scale system investments, changing your thinking and process design can start embedding compliance into business.
Practice 1: Define Rules by Their “Output”
Instead of “comply with the password policy,” define it as: “When logging into System A, multi-factor authentication is mandatory, and the log is automatically saved to the ‘Security Log Folder’.” The key here is to focus not on the “action” to be complied with, but on the “output” (in this case, the authentication log) that is naturally generated as a result of compliance. Design the business process from the start so that this output is saved in a form usable as evidence.
Practice 2: Integrate Approval Processes with “Evidence Generation Processes”
Are expense approvals or purchase orders handled via email or verbally? That scatters the evidence. Utilize cloud-based approval workflow tools (often included with accounting software for SMEs) to design it so that “the approval itself becomes the audit evidence.” Who approved what and when is automatically recorded and accumulated in a searchable state. This brings the “searching for evidence” man-hours close to zero.
Practice 3: Design Regular Reports as “Audit Material Drafts”
Are monthly reports from department heads or project progress reports just free-form text? Embed the items required for audits (e.g., presence of information security incidents, status of major system changes, contract renewal status) into the report format itself. Then, collecting regular reports directly prepares the groundwork for audit materials. It’s a design where the “output” of business activities becomes the “input” for management activities.
The Governance Design Philosophy Beyond “Automation”
JSOL is partnering with US-based WitnessAI to offer AI governance solutions, listed companies are disclosing governance reports as covered by Nikkei, and the University of Tokyo’s governance is under discussion. All of these indicate that we are in a transitional period where governance is transforming from “an arcane ritual for specialists” into “a practical design technique for advancing business.”
Automating audit man-hours is merely one important “result” in this trend. What we should truly aim for is to bring the special man-hours for audits close to zero. That is, to design a state where “running the daily business correctly inherently strengthens governance.”
In organizations that achieve this state, the compliance officer’s role evolves from “material creator” to “designer who embeds a governance perspective into business processes.” What is reduced is not merely 40 hours of work, but the entire wasteful cycle of “translation and search” that exists between “business” and “management.”
Your State After Reading (After)
You are likely beginning to realize that much of the time you previously recognized as “compliance man-hours” was actually “glue to forcibly connect disconnected processes.” The next time you feel that audit response or internal control setup is taking too many man-hours, you will first ask yourself:
“Why isn’t this task emerging as a natural output of daily operations?”
“How should we ‘redesign’ the core business process itself to gather this evidence?”
While implementing automation tools is one excellent “answer” to this question, what truly distinguishes an SME’s governance design capability is whether it can pose the right “question” in the first place. Take the first step beyond mere man-hour reduction towards building more robust governance that is integrated with your business.

