An audit is a measurement, and like any measurement it has a timestamp. By the time the report lands, it describes a system that has already moved on through hundreds of merges. It is the most rigorous lagging indicator you own, and a lagging indicator is a strange thing to be the only thing you watch.
Lagging tells you where you were
Lagging indicators are not useless; they are how you confirm an outcome. Revenue is lagging. The audit opinion is lagging. They are real and they matter. But you cannot steer with them, because by the time they move, the decisions that moved them are long behind you.
Steering needs leading indicators: signals that move at the moment of the decision, while you can still change it. For compliance, that moment is the pull request, and almost nobody is measuring it.
What a leading indicator looks like for compliance
A leading indicator is concrete and fast: how many control-relevant changes were flagged this week, on which frameworks, and how many were resolved before merge. That number moves every day, and it tells you about drift while you can still do something about it, not after the window has closed.
It also changes the conversation. Instead of an annual verdict, you get a continuous read on whether your system is holding the line, in the same stream where the work happens.
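One way to compute the weekly leading indicator described above from pull-request flag records, as an added example that is not heygrc's code or data model; the record fields, framework names and clause identifiers are constructed for illustration:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample records: one row per control-relevant flag raised on a PR.
# These fields are an assumption for this example, not heygrc's schema.
@dataclass(frozen=True)
class ControlFlag:
    pr: int
    framework: str                 # framework the clause belongs to
    clause: str                    # control clause the change touches
    flagged_on: date               # when the change was flagged (at PR time)
    resolved_on: Optional[date]    # when the finding was addressed, if ever
    merged_on: Optional[date]      # when the PR merged, if it has

FLAGS = [
    ControlFlag(101, "SOC2", "CC6.1", date(2024, 3, 4), date(2024, 3, 5), date(2024, 3, 5)),
    ControlFlag(102, "SOC2", "CC7.2", date(2024, 3, 5), None, date(2024, 3, 6)),             # merged unresolved
    ControlFlag(103, "ISO27001", "A.8.24", date(2024, 3, 6), date(2024, 3, 6), None),         # PR still open
    ControlFlag(104, "ISO27001", "A.5.15", date(2024, 3, 7), date(2024, 3, 9), date(2024, 3, 8)),  # fixed after merge
    ControlFlag(105, "SOC2", "CC6.1", date(2024, 2, 26), date(2024, 2, 27), date(2024, 2, 27)),    # previous week
]

def week_start(d: date) -> date:
    """Monday of the ISO week containing d."""
    return d - timedelta(days=d.weekday())

def weekly_indicator(flags, week_of: date) -> dict:
    """Per framework, for flags raised in the week containing `week_of`:
    how many were flagged, resolved before merge, merged unresolved (drift
    that reached main), or still open on an unmerged PR."""
    start = week_start(week_of)
    end = start + timedelta(days=7)
    out = defaultdict(lambda: {"flagged": 0, "resolved_before_merge": 0,
                               "merged_unresolved": 0, "open": 0})
    for f in flags:
        if not (start <= f.flagged_on < end):
            continue                      # outside the reporting week
        row = out[f.framework]
        row["flagged"] += 1
        if f.merged_on is None:
            row["open"] += 1              # decision not yet made; still steerable
        elif f.resolved_on is not None and f.resolved_on <= f.merged_on:
            row["resolved_before_merge"] += 1
        else:
            row["merged_unresolved"] += 1  # resolved late or never: drift landed
    return dict(out)
```

The "merged_unresolved" bucket is the number an annual audit would eventually surface; seeing it move week by week is what makes the signal leading rather than lagging.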
You cannot manage what you measure once a year
If the only time you measure compliance is the audit, then between audits you are flying blind and hoping. The drift is happening either way; you just are not looking at it.
heygrc is built to turn the pull request into a leading indicator: every change read against your frameworks, every control-relevant one named with its clause, as it happens. The audit still comes, and it should have less to find. heygrc is in early access.