For Heads of Governance, Risk & Compliance

Govern confidently, without overloading your team.

Enough structure for your ARMC to sleep soundly. Not so much that operational teams resent compliance. The goal is not more governance — it’s governance that runs continuously in the background so leadership can sign attestations with confidence and teams can focus on their actual work.

Your auditor finds 13 things to fix. Are any of them fixed? The audit firm leaves with a PDF. You’re left with a spreadsheet, a dozen named Responsible Officers, and target dates spread across three years. Next year the auditor often finds the same gaps. That gap between finding and closed is governance debt — and it compounds. Constellation sits there: the control layer on top of your existing records and document systems (SharePoint, M-Files, Convene) that turns findings into tracked commitments and continuous readiness signals.

The problem

An internal audit engagement costs $50,000–$200,000. The deliverable is a beautifully produced PDF presented to the Audit & Risk Management Committee. Findings are rated Very High / High / Medium / Low. Each finding is paired with an “Agreed Management Action”, a Responsible Officer, and a Target Date.

Then the PDF gets filed. Recommendations migrate to a spreadsheet — or to Jira, or to nothing. Responsible Officers change roles. Target dates slip silently. The ARMC gets quarterly updates that look like progress but aren’t. The next audit cycle surfaces the same findings because implementation never happened.

This isn’t an audit problem. Auditors do what auditors do. It’s an implementation infrastructure problem. The layer between “finding” and “closed” has no software.

$100K+: typical annual audit spend at mid-size institutions
13+: recommendations from a single engagement, typically spread across a 3-year roadmap
Repeat: the same findings often appear in the next engagement

The real gap is coverage

A security penetration test is scoped to two weeks, limited to a checklist, and delivered as a PDF. This year, autonomous security agents found critical vulnerabilities at McKinsey, BCG, and Bain — three of the most prestigious firms on earth, with world-class technology teams and significant security budgets. The traditional pentest missed all of it. Why? Because periodic, scoped testing can’t catch what continuous monitoring catches.

The same logic applies to governance. An annual internal audit is scoped to a few weeks, limited to a framework checklist, and delivered as a PDF. It catches what it catches. Between engagements — the other 48 weeks — nobody is watching. Commitments drift. Responsible officers change roles. Constraints get overridden without justification. The next audit finds the same gaps not because the institution failed, but because nothing was monitoring between audits.

Constellation is continuous governance coverage. Every consequential action checked against every constraint. Every commitment tracked with an owner and a due date. Every override logged with a justification. Not once a year. Not during audit week. Every day. At 2am. On a public holiday. Whether anyone is watching or not.

If institutions with $100K+ annual audit budgets still have repeat findings year after year, the question is not whether your institution has governance gaps. It’s whether you’d know.

Traditional audit
  • 2–4 weeks per year
  • Scoped to a framework checklist
  • Findings delivered as a PDF
  • Implementation tracked in a spreadsheet
  • 48 weeks of no visibility between engagements

Continuous governance
  • Every action, every day
  • Every constraint checked at point of action
  • Live commitments with owners and dates
  • Evidence logged as work happens
  • Quarterly attestation in 15 minutes, not 2 days

What Constellation does

Constellation ingests your audit report and turns it into a live governance structure. Findings become decisions. Agreed Management Actions become commitments with owners, due dates, and review cadences. Every new operational decision is checked against the active constraints those findings implied. When the next audit comes, you export a remediation evidence pack showing what was done, when, and by whom.

  1. Upload the audit PDF

     KPMG, PwC, Deloitte, EY, BDO, or your own internal audit team. Constellation extracts findings, ratings, management actions, owners, and target dates automatically.

  2. Review and tailor

     Assign Responsible Officers to real users. Adjust target dates. Link findings to the governance framework they relate to (VIMF, AICD, ACNC, ISO 37000, NIST AI RMF).

  3. Track continuously

     Overdue commitments surface in the weekly governance digest. New operational decisions are checked against the constraints your audit findings implied. Status is visible to the ARMC any time they ask.

  4. Export next year’s remediation pack

     One click produces a PDF for the next audit firm showing every finding, every commitment, every status change, every piece of evidence logged, and every override taken with justification.

Your data, your environment

Audit reports are confidential and often subject to data residency rules — VPDSS for Victorian Government, PSPF for Commonwealth, CPS 230 for APRA-regulated entities, GDPR for EU operations. Constellation’s extraction pipeline runs on pluggable LLM backends, configured per institution, so your data is processed where your governance posture requires.

AWS Bedrock (AU regions): Sydney & Melbourne. VPDSS-compatible. Default for Australian Government and AU-regulated customers.
Azure OpenAI (your tenant): data never leaves your Azure boundary. Ideal for Microsoft-native institutions.
Google Vertex AI (AU regions): for GCP-native customers. Claude or Gemini, Australian region processing.
Local LLM / on-premises: air-gap capable. Your audit report never leaves your infrastructure. For defence, classified, and highest-sensitivity use.

Every LLM call is logged with institution, backend, region, and model metadata — exportable as a CSV for your own audit trail. Switching backends is a settings change, not a re-implementation.

Between audits, leadership still needs confidence

Formal internal audits happen once a year. Leadership still needs to sign quarterly attestations, the ARMC still meets every six weeks, and regulators still expect interim updates. Constellation’s Light-Touch Review generates a 2–4 page attestation pack in 15 minutes, on demand or on a schedule, based on the system of record you already maintain.

Not a formal audit. No findings, no rating, no third-party assurance. A credible snapshot that lets you sign an interim attestation, brief the ARMC, or respond to a regulator’s question — without scrambling to assemble screenshots and spreadsheets.

Know what you hold, where it lives, who owns it

Every institutional audit includes some variant of “you don’t have a complete inventory of your information assets.” Constellation’s Information Asset Register captures physical records, digital documents, structured data, communications, specialist systems, and third-party hosted data — with ownership, classification, retention, and regulatory mappings attached.

Built for the governance-layer question the auditor actually asks: “for any information asset, who owns it, what classification applies, what retention is in place, and which of your regulatory obligations does it touch?” Pre-loaded with VPDSS, PSPF, ISO 27001-aligned, and NFP-specific classification schemes.

Start from a framework, not a blank page

Most institutions are subject to 2–5 governance frameworks simultaneously. Constellation ships with a curated library so you don’t write your constraints from scratch.

VIMF: Victorian Information Management Framework
AICD NFP Governance Principles: 8 principles for AU NFP boards
ACNC Governance Standards: 6 standards for ACNC charities
ISO 37000: Governance of organisations (guidance)
NIST AI RMF: AI Risk Management Framework
Custom framework ingestion: upload your own control framework (PDF / Word)

Who this is for

  • Heads of Governance and Planning at state government agencies, universities, libraries, hospitals, cultural institutions
  • Chief Risk Officers and Compliance leads at regulated entities (APRA, ASIC, ACNC)
  • NFP CEOs and Company Secretaries who own the board risk register
  • Internal audit functions who want their findings to actually stick
  • ARMC members tired of status reports that don’t reconcile with reality

Why this is different

Audit management platforms (Workiva, AuditBoard, LogicGate, Galvanize) cost $50K–$500K/year and are designed for the audit function itself — audit planning, workpaper management, issue tracking for teams of auditors. They’re overkill if you’re the recipient of audits, not the producer.

Board paper platforms (Diligent, Azeus Convene, BoardEffect) distribute documents to directors. They don’t track whether decisions get implemented.

Spreadsheets and Jira tickets don’t know about governance frameworks, can’t check new decisions against constraints, and produce no audit trail.

Constellation is the operational layer between “finding” and “closed” — specifically designed for institutions whose annual audit budget is $50K–$200K and whose remediation budget is a fraction of that.

Get started