Why Smart CISOs Consolidate Their Audits 

Rick Orloff is a Fortune 1000 CISO and Strategic Advisor at A-LIGN, with over 20 years of experience at companies including Apple and eBay. 

In the compliance world, we talk a lot about audit harmonization, the practice of consolidating multiple frameworks under one roof to reduce redundancy, save time, and drive efficiency. It’s a concept A-LIGN has championed for good reason: the operational and financial benefits are significant. 

But when I talk about this with security leaders, the framing that actually moves people is rationalization. We’re rationalizing our audit portfolio, aligning our compliance programs, and driving a measurable ROI. Same outcome — sharper language for a technical audience. 

So, let’s talk about what that looks like in practice. 

The real cost of unsynchronized audits 

If your organization is juggling SOC 2, ISO 27001, PCI DSS, and other frameworks individually, each with its own evidence requests, interview schedules, and internal stakeholders getting pulled in different directions, you already know the hidden tax this places on your business, but have you actually quantified it? 

At my previous company, when we consolidated and rationalized our audit portfolio with A-LIGN, we saved approximately $180,000 per year in hard costs. That alone got attention. But the number that got a lot of appreciation from engineering? We saved 12 weeks of evidence gathering. 

Think about that for a moment. Twelve weeks of your engineers’ time not spent answering the same questions, pulling the same screenshots, attending the same interviews — just for a different auditor on a different framework. When I quantified that for the engineering organization and communicated what we were doing and why, the response was a genuine, heartfelt thank you. That kind of goodwill with your internal stakeholders doesn’t show up in a spreadsheet, but it’s real. 

The trade-off you have to be honest about 

Here’s what I told engineering when we made this change, and I want to be direct about it because it matters: there is a trade-off. 

When we consolidate, we are compressing our audit window. That’s the point. But a compressed window means less runway to reschedule meetings, push back on requests, or let things slide. I was explicit with stakeholders that if we were going to do this — if I was going to go to bat and give them 12 weeks of their lives back — the ask was they must be responsive, and executives had to be accountable at the VP level. 

If subject matter experts or directors went dark or started rescheduling, I didn’t chase them. I went straight to their VP. That’s not about being difficult. That’s about protecting the window we all agreed to. 

The phrase “audit season” always strikes me as borrowed from the accounting world, and it doesn’t quite fit how tech organizations operate. The concept that resonates in my experience is the audit window: it opens, it runs for a certain number of weeks, and then it closes. That framing drives urgency and accountability in a way that a vague “season” simply doesn’t.  

Making the case to the business 

When I’ve taken audit harmonization, or rationalization, to executive teams or boards, I haven’t asked for permission. I’ve explained the decision, quantified the value, and gotten written alignment from stakeholders on their end of the bargain. Money and time savings close the conversation at the leadership level. What takes more effort is getting the organizational commitments in place before the window opens — not after. 

One thing I’d encourage every security leader to consider: don’t think about compliance certifications in isolation. The right conversation to have with your Chief Revenue Officer is: “If we got that certification, would it help you close more deals? Can you put a number on it?” If sales tells you a new certification is worth $10M in ARR, the budget conversation with your CFO becomes straightforward. And if you’ve already consolidated your audit portfolio, there’s a good chance you’ve freed up the budget to pursue it without a new budget ask at all. In the past, that’s exactly what we did — we self-funded new certifications through consolidation savings. 

The piece nobody tells you about 

The most common questions I get when people are planning to consolidate are: “Where does this go wrong? What risks am I exposing the organization to?” 

My answer, which might surprise you, is that it usually doesn’t go badly if you set the ground rules up front. The deals that go sideways are the ones where expectations weren’t set clearly before the window opened, and suddenly you’re chasing people for two weeks to get a piece of evidence. I don’t allow my team to operate that way, and I’d recommend other security leaders adopt the same posture. 

What I would focus on instead is looking for opportunities to automate evidence collection. Most organizations are still gathering evidence manually. If you have a SIEM in your environment, there’s likely a configuration discussion to be had about generating audit-ready evidence artifacts automatically. That moves you from manual collection to a proactive, pre-audit posture — and it’s a conversation worth having with your audit partner before the window opens. 

How to choose what comes next 

Once you’ve rationalized your existing portfolio, the natural next question is: “Should we add additional certifications?” My recommendation is to use a common controls framework to run a gap analysis across certifications you don’t yet have. You may discover you’re already 80% of the way to a new certification based on controls you’re operating today. That changes the calculus entirely. 

The best audit partners will surface that analysis for you proactively, and that gets at something more fundamental about what to look for in an auditor. When I’m evaluating a firm, the question I’m really asking is: “Are they a transaction company or a relationship company?” 

A transactional auditor will take your existing scope, execute the work, and look for the next contract. A true partner is thinking about your business outcomes, not their revenue. That means telling you when you’re already close to a valuable certification. It means flagging inefficiencies in your current portfolio even when fixing them might reduce billable hours. It means being invested in your program’s success in a way that extends well beyond the audit window. That kind of relationship is harder to find and worth a lot more than a lower invoice. 

The bottom line 

If you’re running multiple frameworks with multiple auditors and haven’t looked seriously at consolidation, here’s the honest summary: worst case, this is an 18-month journey to get everything coterminous. In practice, it’s largely pain-free — and on the other side of it, you’ve got hard dollar savings, happier engineers, a tighter audit window, and capacity to pursue additional certifications that actually move the business forward. 

That’s not harmonization. That’s rationalization. And it’s worth doing. 

Ready to rationalize your compliance program? 

Talk to A-LIGN about how multi-framework consolidation can drive real ROI for your organization.