Comparison · Four ways to run compliance
Continuous compliance vs the annual audit (and the spreadsheet).
South African businesses run compliance four ways: an annual audit, a consultant on retainer, a spreadsheet someone owns, or continuous monitoring software. These are not interchangeable — they catch different failures at different costs. Here is the comparison, honestly drawn, including where software loses.
Side by side
| Dimension | Annual audit / verification | Consultant retainer | DIY spreadsheet | Continuous monitoring software |
|---|---|---|---|---|
| Cadence | Once a year, scheduled | Monthly or quarterly check-ins | Whenever someone remembers | Continuous, reported monthly |
| What it catches | The state of things on audit day, examined properly | What you bring to the meeting, plus experienced judgment | Whatever the person maintaining it knows to look for | Everything scannable and scoreable, the moment it drifts |
| Evidence trail | A certificate or report, dated to that day | Meeting notes and memos, quality varies | A file, last modified: unknown | A timestamped trail, exportable |
| Cost shape | A significant once-a-year fee | Recurring professional fees, scales with hours | Free, plus the owner's hours, plus the misses | A fixed monthly subscription |
| Where it fails | The other ~50 weeks. A finding in March surfaces in next year's audit. | Between engagements — and monitoring by the hour is expensive monitoring. | Silently. Nobody audits the spreadsheet, and it leaves with the person who built it. | At the judgment layer — no software interprets law or signs off a tax position. |
The honest read
The audit is not the enemy. A proper audit or verification examines things software cannot — it applies professional scepticism to your claims, not just your configuration. Its weakness is arithmetic: it happens on one day, and regulatory risk accrues on the other 364. A finding that appears in March waits a year to be found.
The consultant is not the enemy either. Judgment is exactly what you should pay a professional for. The mismatch is using professional hours for vigilance work — paying advisory rates for someone to check whether a deadline moved or a register is current. That is monitoring, and monitoring is what software does at a frequency and price a retainer cannot match.
The spreadsheet is the honest default, and the most dangerous of the four — not because it is wrong, but because nothing tells you when it becomes wrong. It fails silently, and it fails completely the day its owner resigns.
The pattern that works: continuous monitoring as the base layer, professionals for judgment, and the annual audit as the external check it was always meant to be — a confirmation of what you already knew, not a discovery of what you missed.
Questions
Does continuous monitoring replace the annual B-BBEE verification?
No. If you are a QSE or Generic entity, a certificate still comes from a SANAS-accredited verification agency, once a year. What monitoring changes is what happens in between: you know your score before verification day, you can see the gap analysis before committing spend, and the evidence pack is assembled before the agency asks for it.
Is a spreadsheet enough for a small business?
Sometimes, honestly. A sub-R10M business with simple taxes, no procurement exposure and one person who genuinely maintains the file can get by. The failure mode is that spreadsheets fail silently: the deadline column nobody updated, the rule that changed in a gazette nobody read, the file that left with an employee. The question is not whether a spreadsheet can work — it is whether anyone would notice when it stops working.
Should I cancel my compliance consultant if I use software?
No — and Komply says so on every module page. Consultants and Compliance Officers are excellent at judgment: regulatory opinions, complex remediation, sign-off that carries professional responsibility. Software is better at vigilance: watching every deadline, register and scannable surface at a frequency no human retainer can match. Most businesses that take compliance seriously end up running both — the software for monitoring, the professional for the heavy lifts.
For the map of what each regulator actually requires, read POPIA vs B-BBEE vs SARS vs FSCA: the SA compliance stack explained, or start from the four-module overview.
See what continuous looks like.
The four modules are live. Komply is onboarding the first 25 pilot tenants free — join the waitlist and we'll invite you in order.