Skip to content
GRC ComplexitiesField guide

The Context Is the Work: Why Compliance Effort Isn't Writing

The hidden compliance cost isn't writing, it's re-stitching context by hand each cycle. A connected-record model changes what rework means. Here's how.

TT
Truvara Team
July 11, 2026
7 min read

The most expensive part of compliance isn't the drafting. It's the re-stitching. Every new questionnaire, audit cycle, or risk assessment starts from a blank page rather than the last good iteration — and the hours lost to context recovery never appear on a timesheet.

The compliance hours nobody accounts for

When a compliance manager says a report takes 45 minutes, the composition is the smallest slice. Most of that time goes to context switching: which control narrative held up last cycle, where the evidence lives now, what rating the risk carried in the last review. The next questionnaire does not start from the last answer — it starts from scratch.

Teams field roughly 300 or more vendor assessments a year and track approximately 60 standards, according to practitioner estimates. That means re-entering the same access-control narrative, the same encryption description, the same incident-response timeline — in different formats, at different word counts, for different audiences. The source data is the same. The presentation layer is the effort.

The work that counts — whether a control actually meets its objective — competes for time with the work that repeats: locating, rephrasing, reformatting, reconciling.

Three places the invisible work hides

The re-stitching tax shows up predictably in three places.

Questionnaires. Every new vendor assessment asks about access control. You describe MFA enforcement, privileged access, session management — the same controls in a different format. SOC 2 uses a different table structure than ISO 27001, which differs again from the customer's custom SIG. The evidence supporting the answer is identical across all three. The effort lives in reformatting it to fit each frame. This is compliance rework that no tooling budget has ever eliminated.

Risk assessments. One risk — a third-party data breach affecting customer PII — appears in your risk register, the vendor's risk assessment, the board's risk report, and the auditor's risk narrative. Each audience needs a slightly different framing: the register wants a residual-risk score, the board wants business impact, the auditor wants control linkage. Each gets entered by hand. Spreadsheet formulas break when columns shift. The risk stays the same; the context around it has to be rebuilt every time it surfaces.

Audit prep. Evidence that proved a control five months ago sits where the previous auditor left it. Next cycle starts fresh: re-collect screenshots of the same access logs, re-label the same policy documents, re-organise into the auditor's preferred folder structure. The open gap from last time has not closed, but it must be re-established before it can be addressed.

Why "AI that writes faster" misses the point

A general AI chatbot can draft a policy in ten seconds. That is genuinely useful — for the first draft. But if it does not know what evidence you collected last cycle, what control narrative your auditor already accepted, or which risk treatment your leadership rejected, it starts from the same blank page you do.

Worse: it will confidently fill in the gaps. A fluent chatbot presented with a questionnaire it cannot fully answer does not leave the hard questions blank — it invents control IDs, fabricates evidence artifacts, and produces output that looks complete. Checking and correcting fabricated output often costs more than writing it from scratch. Speed without grounding does not reduce rework — it changes the kind of rework required.

Here is what fast writing actually solves, and what it doesn't:

Pain pointFaster writingWhat actually helps
Re-explaining the same control for each new questionnaireNoA reusable answer library tied to controls
Re-collecting the same evidence each audit cycleNoA persistent evidence base with freshness tracking
Reconciling one risk across four spreadsheetsNoOne connected record linking risk → control → evidence
Drafting the initial version of a policy or reportYesWriting speed reduces first-cycle time
Rephrasing a finding for different audiencesPartiallyTemplates with context carry-forward

The difference between faster output and less rework is structural. Speed helps the first cycle. Reuse helps every cycle after that. For teams facing questionnaire context reuse as a recurring burden, the second matters more.

Reuse over regeneration — a better operating model

What changes the game is a connected record: one workspace where each control links to the policy that defines it, the risk it mitigates, the evidence that proves it, the vendor it touches, and every framework that asks for it. Change one element and the rest follow. Every phase of the PDCA loop — Plan, Do, Check, Act — draws on the same base. Nothing gets re-entered or re-explained.

This model does not eliminate the judgment work. It eliminates the context-recovery work that crowds out judgment. When the next questionnaire arrives, the answer to "what did we say about access control last time" is not a memory — it is a cited proposal from your connected record, ready for review.

Compass by Truvara is built for this model. It reads the workspace you already keep, assembles the context once, and reuses it across the loop. Reuse still passes through human review each time — the agent never auto-commits — but you are not rebuilding context from a blank page every cycle.

Context that carries forward

When the next questionnaire arrives, it should not ask you to re-explain the same control. In Compass by Truvara, the context you assemble once — controls in your register, evidence you have collected, answers you have written — carries across the loop: Plan, Do, Check, Act. The agent reads your workspace and reuses what you have already built, proposing cited answers and flagging gaps for attention. It does not auto-commit: every reuse passes through human review, because the owner decides what is ready for the next cycle. Join the waitlist to try it in the preview.


FAQ

Doesn't reuse mean I'm propagating old mistakes?

Reuse proposes what you did last time and flags it for review. If the control narrative needs updating or the evidence is stale, you revise before it ships. The alternative — re-entering from scratch — creates more opportunities for inconsistency, not fewer.

What if evidence changes between cycles?

The connected record surfaces what was used before. Compass tracks evidence freshness and flags items that have aged beyond your threshold. Directional changes — a new tool, a reorg, a regulatory update — are surfaced as gaps to address, not assumptions to repeat.

Can this work across different frameworks?

Yes — that is the point. The same access-control evidence supports SOC 2 CC6, ISO 27001 A.9, and NIST CSF PR.AC. A cross-framework mapping links them so you do not re-argue access control per framework. The evidence stays the same; the citation target changes.

Is this just a template library with better labels?

A template library saves formatting. It does not track which evidence proved which control last cycle, or which risk treatment changed between reviews. A connected record preserves the relationships — control ⟷ evidence ⟷ risk ⟷ framework — so each cycle inherits context, not just layout.


TT

Truvara Team

Truvara