Continuous Audit in Pillar

How continuous audit works in Pillar


Continuous audit progressively completes your audits over a 12 month reporting cycle. In contrast to traditional audits that are conducted at the end of the period, with continuous audit you get:

  • Faster feedback, when it's relevant;
  • Increased confidence your compliance is on track year-round; and
  • It proves your compliance has been maintained with clear audit progress for your customers peace of mind.

It also reduces the business disruption of audits, speeds up reporting when period end rolls around, and has inherent efficiencies from breaking down the audit tasks into monthly focus areas.



Initial setup: Let us know when you're ready to start and we'll create your audit board.

Monthly topical focus: about ~40% of your controls are based on periodic reviews and event-driven sample testing. We've aligned a calendar of topical focus areas below to complete these areas.

Remaining controls: The remaining control areas not covered below can be covered anytime during your 12 month audit period. If you use a compliance platform like Drata, we can progressively test and sign off those controls throughout the period.

Audit queries: We will raise any audit queries when we conduct the testing of any items that require clarification. These will be logged in the Audit Queries column of Pillar. The earlier these are addressed, the better, to close off those areas and if there any any issues it helps us get on top of them early, and ensure they're resolved to mitigate the impact.

Wrap up: We may have some top up testing in the final month of your audit period. The calendar view below is designed to minimise this, but we also need to ensure our audit can demonstrate reasonable coverage of the full audit period. We'll let you know where this applies and give you a clear view of what's remaining in that final month. 


Month Controls
January: Risk and Controls 

Risk Assessments:

  • Risk Assessment Policy
  • Annual/Quarterly Risk Assessments
  • Risk Mitigation/Remediation Plans

Controls Assessments:

  • Conducting Control Self-Assessments
  • Control Remediation Plans (as applicable)

February: Employees

New Joiners and Current Employees

New joiners:

  • Background Checks
  • Sign-Off on the Acceptable Use Policy
  • Sign-Off on the Code of Conduct
  • Approval of System Access
  • Employee Contracts (NDA)

Current employees:

  • Annual Performance Evaluations
  • Job Descriptions
  • Security Awareness Training
March: Vulnerabilities and Vendors


  • Vulnerability Management Policy
  • Annual Penetration Tests
  • Vulnerability Scans (eg. quarterly)
  • Resolution of Identified Vulnerabilities


  • Vendor Management Policy
  • Vendor Register
  • Vendor Agreements or Terms of Service 
  • Review of Vendor Attestation Reports
April: Access and Assets

Access Control:

  • Quarterly Access Control Review
  • Termination/Offboarding Checklist

Asset Management: 

  • Asset Inventory
  • Disposal of Sensitive Data on Hardware
May: Incidents and Changes


  • Incident Management Policy
  • Tracking and Resolution of Incidents
  • Lessons Learned/Root Cause Analysis
  • Annual Incident Response Tests (if applicable)
  • Incident Response Plans


  • Change Management Policy
  • Testing of Code Changes
  • Approval of Code Changes
  • Change Release Management and Communications
June: Governance & BCDR Tests


  • Board Meetings 
  • Senior Management Meetings (if applicable)
  • All Hands Meetings (if applicable)

Business Continuity and Disaster Recovery:

  • Disaster Recovery Plans
  • Business Continuity Plan
  • BCP/DR Tests Conducted Annually
  • Restoration Tests
July: Risk and Controls As above in January.
August: Employees As above in February.
September: Vulnerabilities and Vendors As above in March.
October: Access and Assets As above in April.
November: Incidents and Changes As above in May.
December: Board & BCDR Tests As above in June.