Core Idea
Audit-driven thinking starts from the question, 'What will the auditor ask for?' and lets that answer shape the programme. The result is a GRC function that moves in audit seasons, speaks in control IDs, and treats business reality as raw material for evidence binders.
For example, if access reviews only happen when the audit calendar demands them, the control is probably shaped around inspection rather than ownership. The Companion should use this card to ask what cadence the business would choose if it cared about access risk before audit readiness.
Use In Teaching
Invoke this card when a learner frames every decision around audit readiness, certification, request lists, or auditor preference. Use it to redirect them toward the system the audit is supposed to sample: ownership, execution, observability, and improvement.
Use it to run a reversal exercise: first describe the control as the auditor sees it, then describe the same control as the operator, attacker, customer, and executive would experience it. The gap between those descriptions usually reveals whether the programme is serving inspection or improving the system.
A reviewer should check that Audit-Driven Thinking names a visible symptom, the hidden operating cost, and the safer pattern the learner can practise next. Without those three parts, the anti-pattern becomes a complaint instead of a learning tool for changing behaviour.
Contrast
This does not dismiss audits. Audits are useful constraints and external feedback loops. The anti-pattern is making the audit the product, the roadmap, and the measure of truth.
Practice Prompt
If the next audit disappeared, which parts of your current GRC work would still be worth doing next week?