The audit-ready engineering org
Cristina Buenahora

VP, Strategic Initiatives

May 27, 2026

Two weeks before the audit, the Slack messages start.

"Get me a screenshot of this." "Can you screenshot the CI/CD logs?" "Can you add the artifact names that were deployed to production and when, and when the incident happened?"

Senior engineers stop shipping. A spreadsheet appears. The product roadmap goes on hold while four people chase down ownership data and evidence that should have existed all along.

This fire drill is the symptom of an operating model problem. Compliance got bolted onto the side of engineering instead of built into it, and the bill comes due every twelve months.

On our recent Braintrust podcast, Matt Bailey of Merge Ready put it plainly:

"Just start treating your compliance as controls as code. Evidence everything. Try and be continuous with your compliance so you're always audit ready, because you never know. If you're always audit ready, when that day comes, you're already there."

Being audit-ready by default is structural. It comes from three things working together: a real catalog, real ownership, and standards that run continuously instead of quarterly.

Why the fire drill exists

The pre-audit scramble is the predictable output of how most engineering orgs are wired. Standards live in wikis, and wikis aren't enforced. Ownership data lives in five places that don't agree. Evidence collection is a manual process owned by someone "on top of" their real job. Compliance posture is a snapshot taken once a year, not a signal you can read on a Tuesday.

On the pod, Matt describes a healthcare client where the IdAM process (the chain of approvals, ticketing systems, and Active Directory steps required to spin up a dev server) took more than 30 days to complete. The diagram of that process, he said, was beyond spaghetti.

That latency compounds when an audit hits:

"The cost of that to an organization is in the tens, if not hundreds of millions, especially in these large regulated organizations." — Matt Bailey

A sharper diagnostic from the same conversation: if your process has become that difficult to document, it's probably too complex to keep.

Matt calls the root cause "decision latency." The six-week audit prep is decision latency in a different costume. If you can't answer which of your services meet a given requirement right now without convening a meeting, you've got a data architecture problem.

What audit-ready by default actually means

Three things should be true on any random Tuesday, with no prep:

  1. You can name every service, who owns it, and what it depends on.

  2. Your standards (security, reliability, compliance controls) are codified somewhere a machine can evaluate them, not somewhere a human has to remember to check them.

  3. Evidence of compliance is collected continuously from the systems of record, not assembled by hand the week before the audit.

The shift is from cyclical to continuous. When the auditor asks for evidence, you filter a view instead of mobilizing a team.

The three pillars of audit-ready engineering

A real service catalog

The catalog is the foundation. Every service, every owner, every dependency, every infrastructure resource, in one place that updates itself from your existing tools. It replaces the spreadsheet someone maintains by hand and the org-chart slide that has been wrong for nine months.

Shaun McCormick, Principal Engineer at BigCommerce, put it this way: "With Cortex, we know exactly who owns what, how it's performing, and what it's connected to. That alone has saved us countless hours every week."

Ownership accuracy is the unsexy precondition for everything else. Without it, no scorecard is trustworthy and no evidence report is defensible.

Standards codified once, evaluated continuously

For standards to be enforceable, they have to be codified. In Cortex, that mechanism is a Scorecard: a set of rules that evaluates every in-scope service against your requirements (vulnerability SLAs, documentation standards, security configurations, ownership coverage, encryption settings). Scorecards run on a schedule you control, with on-demand evaluation available when you need an answer right now.

This works at scale. Matt described a recent engagement at a 15,000-engineer organization where his team built a standard change workflow in GitLab CI/CD that referenced prior approved changes to auto-approve ServiceNow tickets. Same principle as a Scorecard, different layer of the stack: codify the standard once, let the pipeline run it forever. The result, by his account, was countless days and dollars saved.

Remember, surfacing a gap is only half the work; the other half is closing it. Continuous evaluation only adds up to audit-ready if the gaps close as continuously as they're surfaced.

An audit-ready report, on demand

The third pillar is the layer that turns continuous compliance state into the report an auditor can read: scoped to the audit period, exportable, with the underlying rule definitions and pass/fail history attached to every service.

Without it, you've built an excellent internal dashboard that doesn't translate to an audit response. With Cortex Engineering Intelligence, audit prep collapses into the part auditors actually ask for: "show me your compliance posture for production services during the audit period." You filter the report, you export, you send.
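The Scorecard and report mechanism described in the last two pillars, as an added example rather than Cortex's own code: a constructed three-service catalog, three controls written as code, a weekly evaluation kept as history, and a report scoped to the audit period and the production tier, with the exceptions pulled out for review. The rule names, the 30-day SLA and the catalog fields are assumptions.

```python
from datetime import date, timedelta
# Constructed catalog: stand-in for what a real catalog syncs from Git, CI and the CMDB.
CATALOG = {
    "payments-api": {"tier": "production", "owner": "team-payments",
                     "vulns_opened": [date(2026, 2, 1)], "encrypted_at_rest": True},
    "reporting-job": {"tier": "production", "owner": "",
                      "vulns_opened": [], "encrypted_at_rest": False},
    "dev-sandbox": {"tier": "development", "owner": "team-platform",
                    "vulns_opened": [], "encrypted_at_rest": False},
}
VULN_SLA_DAYS = 30  # assumed policy value, not a product default
# A rule is (name, human-readable definition, predicate(service_attrs, evaluation_day)).
RULES = [
    ("ownership", "service has a named owning team", lambda s, day: bool(s["owner"])),
    ("vuln-sla", f"no critical vulnerability open for more than {VULN_SLA_DAYS} days",
     lambda s, day: all((day - o).days <= VULN_SLA_DAYS for o in s["vulns_opened"])),
    ("encryption", "data stores encrypted at rest", lambda s, day: s["encrypted_at_rest"]),
]

def evaluate(catalog, day):
    """One scheduled run: {service: {rule: passed}} as of `day`."""
    return {svc: {name: bool(check(attrs, day)) for name, _, check in RULES}
            for svc, attrs in catalog.items()}

def run_schedule(catalog, start, end, every_days=7):
    """Continuous evaluation: keep every run, so history exists before anyone asks for it."""
    history, day = [], start
    while day <= end:
        history.append((day, evaluate(catalog, day)))
        day += timedelta(days=every_days)
    return history

def audit_report(history, catalog, period_start, period_end, tier="production"):
    """On-demand report: scope to period and tier, attach rule definitions and run history."""
    runs = [(d, r) for d, r in history if period_start <= d <= period_end]
    return {
        "rules": {name: definition for name, definition, _ in RULES},
        "services": {svc: {name: [(d.isoformat(), r[svc][name]) for d, r in runs]
                           for name, _, _ in RULES}
                     for svc, attrs in catalog.items() if attrs["tier"] == tier},
    }

def exceptions(report):
    """What a compliance lead reviews: every (service, rule) with at least one failed run."""
    return sorted((svc, rule) for svc, rules in report["services"].items()
                  for rule, runs in rules.items() if not all(ok for _, ok in runs))

def demo_report():
    """Weekly runs Feb-Apr 2026 (constructed data), reported for the March audit period."""
    history = run_schedule(CATALOG, date(2026, 2, 1), date(2026, 4, 30))
    return audit_report(history, CATALOG, date(2026, 3, 1), date(2026, 3, 31))
```

In the constructed data the payments service's critical vulnerability crosses the 30-day SLA mid-March, so the report shows it passing on the first run of the period and failing on the rest, which is exactly the history an auditor asks for and a hand-built spreadsheet cannot reconstruct.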

That changes the cost equation. Engineers stay on the roadmap. Compliance leads spend their time on the exceptions instead of the inventory. The auditor gets answers in the room, not in a spreadsheet two weeks later.

What this looks like at scale: LetsGetChecked

LetsGetChecked is a global healthcare company operating under HIPAA and HITRUST. They scaled from 15 services to over 100 in under a year: exactly the kind of growth that breaks manual compliance.

"In healthcare, with regulations like HIPAA and HITRUST, you can't sacrifice compliance for speed," says Chief Software Engineer Javier de Vega Ruiz.

Their move: embed compliance and quality requirements into Cortex Scorecards so every new service is evaluated against minimum standards from day one, before it reaches production.

The same scaffolding that made them audit-ready also made them faster:

  • 67% reduction in MTTR

  • Deployment frequency doubled, from 17 per week to 32

  • Kubernetes migration completed eight months ahead of schedule

That's the punchline regulated buyers don't usually expect. Continuous compliance and engineering velocity share the same foundation.

Where to start

You're not going to roll this out across 100 services in a quarter, and you shouldn't try. Matt's advice on the pod is to start small.

  1. Pick a pilot team based on risk. The team shipping into your most regulated surface area is usually the right call. They have the most to gain, and the most evidence already lying around to codify.

  2. Codify one control as a Scorecard. Ownership accuracy, vulnerability SLA compliance, or change-management coverage are good first targets. One rule. One owner. One dashboard.

  3. Evidence everything. Controls as code. Policies, guardrails, templates. Everything that lives in a wiki today belongs somewhere a machine can read it.

  4. Run it for one quarter, then expand. Use the data to make the case to the next team, and to the stakeholders who control the budget.

One note on stakeholders: start with the change-management and compliance teams as collaborators, not gatekeepers. They want this to work as much as you do. They're the ones writing the policy you're going to encode.

The shift, and what's coming next

DevOps is an outcome, not a toolchain. The audit-ready engineering org is the same kind of idea. It comes from catalog, ownership, and standards working as a system instead of three separate spreadsheets.

Matt's AI prediction is worth taking seriously: AI changes how you get to audit-ready, not what audit-ready means. The next few years will see auditors asking platforms questions in plain English and getting evidence back the same way. The organizations that get the most value from that shift are the ones whose data is already structured, owned, and continuously evaluated.

The work to be audit-ready by default is the same work that makes the next wave of AI agents useful. Start small. Codify one thing. Then the next.


Listen to the full Braintrust episode with Matt Bailey on why DevOps transformations fail in regulated industries.
