Compliance should not begin with an auditor.
If the first time you organize evidence is when a buyer, auditor, or security reviewer asks for it, you are already operating too late. Readiness should exist before pressure arrives, not because pressure finally forced the work to happen.