SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Most firms failing audit standards due to poor workflows

Thu, 17th Apr 2025

Research from Swimlane has shown that only 29% of organisations say their compliance programmes consistently meet both internal and external standards.

The report, entitled "GRC Chaos: The High Price of Audits and Non-Compliance," highlights issues such as fragmented workflows, manual evidence gathering and poor collaboration between security and governance, risk and compliance (GRC) teams. The study suggests these issues are contributing to increased vulnerability to audit failures, regulatory penalties and gaps in security.

Swimlane conducted the research by surveying 500 IT and security decision-makers from both the United Kingdom and the United States. Respondents were selected for their oversight of compliance audit processes at enterprise organisations, each employing at least 1,000 people.

The survey found that 96% of organisations are struggling to keep up with the rising number of industry regulations. Only 29% reported that their compliance programmes are consistently meeting internal and external standards, indicating a significant gap for the majority of companies.

An additional finding was that 92% of respondents depend on at least three tools to collect audit evidence. This reliance on multiple systems often leads to duplicated efforts and workflows that are not coordinated, with just 39% of the audit evidence process currently being automated on average.

Manual processes remain a persistent issue, with 54% of organisations spending more than five hours weekly on compliance tasks done by hand. Furthermore, 62% noted that their approach to gathering audit evidence is at least occasionally error-prone, raising concerns about accuracy and efficiency.

The report also explored the relationship between GRC and security teams, revealing that 90% of organisations are concerned poor collaboration between these groups undermines audit preparedness. Differing priorities, ambiguity in roles and communication issues were all cited as major obstacles to effective alignment.

Respondents also described the risks of failing to meet regulatory standards, identifying financial penalties (39%), security breaches (36%) and reputational damage (36%) as the top consequences of inadequate compliance management.

Michael Lyborg, Chief Information Security Officer at Swimlane, said: "The burden of compliance weighs heavy on security and GRC teams, and the pain is growing faster than teams can adapt. Regulations are shifting, expectations are rising, and yet most organisations still rely on processes that were never designed for this level of complexity. Until now, everything has been massive spreadsheets. Without better coordination and smarter workflows, even well-intentioned programmes will fall short."

Jack Rumsey, Head of GRC at Swimlane, commented: "Audit readiness is harder than it should be. Teams are wasting time chasing evidence, interpreting requirements in isolation and stitching together data across disconnected systems. This report highlights just how unsustainable that model has become — and why it's time to rethink how to manage compliance from the ground up."

The findings underline a need for improved workflows, greater alignment between teams and the application of automation technologies. The report suggests these measures would help restore management and board confidence in organisational compliance readiness.
