SECTION 3
Audit fatigue
The true compliance cost for CISOs
Compliance is a blocker to proactive security
With visibility of control performance data so hard to come by, it’s little wonder teams are spending a significant amount of their time getting ready for audits or answering compliance requests. 25% of teams spend at least ten working days preparing for every audit.
The average organization now faces 28 internal and external audits a year – each one stretching for a week or longer.
Reporting burnout and audit fatigue are no longer rare. They’re the new normal for cyber teams, regardless of industry or organizational size.
[Chart: Number of internal and external audit requests per year]
The biggest challenges when demonstrating compliance
Despite the deluge of new and updated regulations, the challenge for teams isn’t necessarily keeping up with these updates (89% of cybersecurity leaders claim they’re on top of all recent regulatory changes), but the constant chase to prove compliance. Half (50%) of those surveyed said demonstrating controls’ effectiveness is a major or disruptive challenge, and 42% of leaders agree that gathering evidence for audits is difficult and time-consuming.
The legacy way of doing things, such as static point-in-time audits, has now fallen behind. 66% of CISOs say traditional audits don’t cut it for today’s fast-changing threats, and nearly half (47%) report challenges in translating the organization’s actual exposure into the terms of the relevant regulations. Every audit is now a huge effort.
Preparing for external auditing is a challenge. The complexity lies in meeting and demonstrating strict compliance standards. It creates pressure on resources, as even small gaps can result in heavy penalties and reputational damage.
Striking the balance between risk reduction and reporting
[Chart: Time spent preparing for audits by team size – working days spent collectively preparing for audits]
Given the struggle teams already face with overwhelming volumes of data, it’s no surprise the same issues are plaguing them when they respond to audits. Gathering evidence, proving controls, and answering audit requests have all become a core part of the cybersecurity function.
44% of cybersecurity teams are responding to internal audit requests every month – and for enterprises, over half (53%) are spinning up audit reports at least monthly. The pace might be slightly slower for external audits, but half (49%) of enterprise cybersecurity leaders still claim external audits are a monthly routine.
Every audit (internal or external) takes time. It’s no small task either; on average, eight working days go into prepping for each audit request. Multiply that by dozens of audits a year, and the hours stack up quickly.
Only 9% of teams can turn around audit data in two days or less. One-third (34%) take between three and five days, and 11% say it takes two to three weeks.
[Chart: Working days spent responding to each audit request – it takes 8 working days to respond to each audit request]
Coordinating across teams and making sure we’re fully compliant in time has been stressful, especially with limited resources and tight deadlines.
The financial risks of audit overload
For many teams, the pain of constant audit prep isn’t just about time lost – it’s also about money out the door. This year, more than seven in ten (71%) organizations said they have incurred fines because they couldn’t respond to an audit request quickly enough.
For some, the price tag is eye-watering. Based on the data shared, the average enterprise organization spent almost a quarter of a million dollars ($247,331) in 2025 on audit delay fines. It means Fortune 500 and FTSE 100 companies spent a staggering $111 million last year in audit delay fines alone.
Overlapping and ever-shifting regulations, paired with too many tools fighting for attention, make compliance and “the frequent request for internal data a significant challenge.” As one CISO described, “The general complexity of ensuring compliance can often be overwhelming”. The result is a compliance cycle where already-stretched teams not only burn out but also risk blowing the budget on compliance slip-ups instead of spending on better security.
[Chart: Average audit delay fines in 2025 by turnover]
MAIN TAKEAWAY
Audit and compliance demands are burning out teams
Limited data access and the difficulty of demonstrating control effectiveness without automation are draining precious resources, especially in the wake of new and more stringent regulations, and exposing organizations to fines and unnecessary risk: a huge concern for CISOs already operating under limited budgets.
How CISOs are responding in 2026
Automating the collection of audit-ready evidence and moving towards a continuous assurance approach can reduce the weeks and months spent every year prepping for audits to just hours, enabling teams to spend more time on proactive risk reduction rather than reporting.