Every compliance cycle follows the same pattern: plan what you need, do the work, check it holds up, act on what you find. Most teams run these phases in separate tools, re-entering the same evidence each time. One workspace that keeps the context across all four changes the math.
The PDCA Loop in Trust Work
Plan-do-check-act (PDCA) is the oldest continuous-improvement framework still in daily use — Shewhart and Deming in the 1930s, adopted by ISO 27001 for continual improvement, built into every audit cycle a compliance team runs. The loop repeats every quarter, every assessment, every regulatory change: set the objective, execute, verify, correct.
The problem most teams face is not the loop itself. It is that each phase runs in a different tool — the risk register in one spreadsheet, the questionnaire in a portal, evidence in a shared drive, the board memo in a slide deck. Every phase requires re-stitching the same web of controls, policies, risks, and evidence from scratch.
One connected record across all four phases eliminates that re-stitching tax.
Plan: Objectives and Scoping
Real trigger: "We are targeting SOC 2 Type II next quarter."
A Plan phase starts with a scope. Which systems are in scope? Which controls apply? What evidence already exists from the last cycle?
When the agent reads the workspace you already keep, it can draft a scope memo that links each control to evidence on file — not a blank-page exercise. The scope, the control list, and the system boundary are proposed as pending changes. The owner reviews, adjusts, and accepts.
The alternative: a fresh spreadsheet, a copy from last year's audit folder, manual reconciliation of what changed.
Do: Implementation and Events
Real trigger: "A new vendor introduced a risk we have not rated."
The Do phase is where controls are implemented, incidents are triaged, and third-party risks are assessed. This phase generates the evidence the next phase will check.
If a new vendor assessment lands, the agent can read the existing risk register, the vendor intake questionnaire, and the relevant control definitions — all from the same workspace the Plan phase just used. The draft assessment carries citations to the evidence it draws on. Nothing is re-entered.
Check: Monitor and Evaluate
Real trigger: "A customer sent a 200-question security questionnaire."
The Check phase is where most teams feel the re-stitching tax most acutely. A questionnaire arrives, and every answer needs to be traced back to evidence — a control narrative, a policy clause, a test result. Without a connected record, each answer is a hunt.
With a workspace that kept the context from Plan and Do, the agent reads the questionnaire, maps each question to the evidence already in scope, and proposes answers with citations. Where evidence is missing, it marks the gap as "Not Provided / no source found" instead of fabricating. Every answer is a pending change; none ships unapproved.
| Phase | Without connected record | With one workspace across the loop |
|---|---|---|
| Plan | Manual scoping, start from last audit folder | Agent drafts scope from existing evidence; owner reviews |
| Do | Risk register in one tool, controls in another | Agent reads shared workspace; no re-entry |
| Check | Questionnaire answers from memory and search | Agent answers from evidence; marks gaps honestly |
| Act | Board memo drafted from scattered sources | Agent assembles from the same connected record |
Act: Improve and Report
Real trigger: "The board update is due Friday."
The Act phase closes the loop. Findings from Check become recommendations. Risks need treatment proposals. The board wants a read on where the programme stands.
From the same workspace — the same risk register, evidence tracker, and control map that fed Plan, Do, and Check — the agent assembles a board-ready proposal. Each risk cites its source evidence, each recommendation traces to a finding. The owner reviews the packet, adds context only they know, and accepts or rejects before it reaches leadership.
The output is not a clean but orphaned slide deck. It is a decision packet whose every claim can be traced back to the evidence in the workspace.
One Agent Across All Four — What Changes
The shift from four tools to one agent across the loop is not a convenience improvement. It changes the fundamental economics of each cycle:
- No re-entering. The evidence gathered in Plan is the same evidence Check draws on. Nothing gets re-entered, re-stitched, or re-explained.
- Every phase sees the whole picture. A risk flagged in Do is visible when Check evaluates controls. An evidence gap found in Check informs the next Plan.
- The human checkpoint at every step. The agent proposes; the owner decides. The loop never closes on an unapproved artifact.
The agent does not replace the human at any phase. It absorbs the reading, drafting, mapping, and summarizing — the re-stitching work — so the human spends their cycles on judgment.
FAQ
Does Compass support all four phases, or is it only for questionnaires?
It is designed for the full PDCA loop. The same workspace — documents on a canvas, schema-driven grids for risk registers and evidence trackers — supports scoping (Plan), assessment (Do), evidence review (Check), and reporting (Act). The pre-loaded framework knowledge covers SOC 2, ISO 27001, NIST CSF, PCI, and HIPAA regardless of phase.
What happens when a control changes mid-cycle?
A control is linked to everything that references it — the policy, the risk, the evidence, every framework that asks for it. Update the control in the workspace, and the cross-framework crosswalk surfaces the downstream impact as pending changes. Each one still requires human acceptance.
How does the "Not Provided" behavior fit into a PDCA workflow?
It lives in the Check phase most naturally — the questionnaire or evidence review — but applies anywhere the agent cannot support a claim with workspace evidence. Instead of inventing a plausible answer, it marks the gap visibly. That gap becomes an action item in the next Plan or Act phase, closing the loop.
Is the agent ever autonomous enough to skip the human?
No. The trust stance is explicit: the agent proposes, the human decides. Every artifact, answer, or treatment plan lands as a pending change. Acceptance commits it to the record; rejection either revises it or surfaces the reason. The loop never closes without human approval.
Compass by Truvara is the local-first workspace where evidence, policies, questionnaires, and risks become reviewable trust work. The same evidence base feeds every PDCA phase — Plan, Do, Check, Act — so each cycle draws on the connected record instead of starting from a fresh blank page. Each phase still ends in a human accept or reject; the agent proposes, the owner decides. Compass by Truvara — Watch Compass work.