Skip to main content
Komply

Comparison · Four ways to run compliance

Continuous compliance vs the annual audit (and the spreadsheet).

South African businesses run compliance four ways: an annual audit, a consultant on retainer, a spreadsheet someone owns, or continuous monitoring software. These are not interchangeable — they catch different failures at different costs. Here is the comparison, honestly drawn, including where software loses.

§01

Side by side

Comparison of four compliance approaches across cadence, coverage, evidence, cost, and failure modes
DimensionAnnual audit / verificationConsultant retainerDIY spreadsheetContinuous monitoring software
CadenceOnce a year, scheduledMonthly or quarterly check-insWhenever someone remembersContinuous, reported monthly
What it catchesThe state of things on audit day, examined properlyWhat you bring to the meeting, plus experienced judgmentWhatever the person maintaining it knows to look forEverything scannable and scoreable, the moment it drifts
Evidence trailA certificate or report, dated to that dayMeeting notes and memos, quality variesA file, last modified: unknownA timestamped trail, exportable
Cost shapeA significant once-a-year feeRecurring professional fees, scales with hoursFree, plus the owner's hours, plus the missesA fixed monthly subscription
Where it failsThe other ~50 weeks. A finding in March surfaces in next year's audit.Between engagements — and monitoring by the hour is expensive monitoring.Silently. Nobody audits the spreadsheet, and it leaves with the person who built it.At the judgment layer — no software interprets law or signs off a tax position.
§02

The honest read

The audit is not the enemy. A proper audit or verification examines things software cannot — it applies professional scepticism to your claims, not just your configuration. Its weakness is arithmetic: it happens on one day, and regulatory risk accrues on the other 364. A finding that appears in March waits a year to be found.

The consultant is not the enemy either. Judgment is exactly what you should pay a professional for. The mismatch is using professional hours for vigilance work — paying advisory rates for someone to check whether a deadline moved or a register is current. That is monitoring, and monitoring is what software does at a frequency and price a retainer cannot match.

The spreadsheet is the honest default, and the most dangerous of the four — not because it is wrong, but because nothing tells you when it becomes wrong. It fails silently, and it fails completely the day its owner resigns.

The pattern that works: continuous monitoring as the base layer, professionals for judgment, and the annual audit as the external check it was always meant to be — a confirmation of what you already knew, not a discovery of what you missed.

§03

Questions

Does continuous monitoring replace the annual B-BBEE verification?

No. If you are a QSE or Generic entity, a certificate still comes from a SANAS-accredited verification agency, once a year. What monitoring changes is what happens in between: you know your score before verification day, you can see the gap analysis before committing spend, and the evidence pack is assembled before the agency asks for it.

Is a spreadsheet enough for a small business?

Sometimes, honestly. A sub-R10M business with simple taxes, no procurement exposure and one person who genuinely maintains the file can get by. The failure mode is that spreadsheets fail silently: the deadline column nobody updated, the rule that changed in a gazette nobody read, the file that left with an employee. The question is not whether a spreadsheet can work — it is whether anyone would notice when it stops working.

Should I cancel my compliance consultant if I use software?

No — and Komply says so on every module page. Consultants and Compliance Officers are excellent at judgment: regulatory opinions, complex remediation, sign-off that carries professional responsibility. Software is better at vigilance: watching every deadline, register and scannable surface at a frequency no human retainer can match. Most businesses that take compliance seriously end up running both — the software for monitoring, the professional for the heavy lifts.

For the map of what each regulator actually requires, read POPIA vs B-BBEE vs SARS vs FSCA: the SA compliance stack explained, or start from the four-module overview.

See what continuous looks like.

The four modules are live. Komply is onboarding the first 25 pilot tenants free — join the waitlist and we'll invite you in order.