Clark Sandlin on The Compliance Con: When Compliance Advisors’ Audits Triple your Bill and Phone It In
When Clark Sandlin talks about compliance, it’s not in the polished, jargon-heavy language many consultants lean on. It’s blunt, grounded, and unflinchingly honest. “Let’s talk about something nobody wants to admit publicly but every private equity firm and family office has encountered behind closed doors,” says Sandlin, Founder and CEO of Zyrka. “Third-party compliance advisors who triple their audit bill and barely show up to work.”
Sandlin isn’t sounding the alarm for effect. With 33 years of experience in the IT and cybersecurity space, he’s seen firsthand how these firms sell safety but deliver little substance. His company, Zyrka, a specialized IT partner to private equity groups and family offices, has earned its reputation by exposing these gaps, often being the team brought in after damage has been done.
The Business of Empty Checklists
It usually starts with a slick pitch. Advisors show up armed with a playbook of acronyms — NIST, SOC 2, ISO 27001 — and promise a streamlined, airtight compliance process. But, according to Sandlin, what clients get is something else entirely. “They show up with a generic checklist, an intern in tow, and a rate sheet that makes a Fortune 100 consultant feel underpaid,” he explains. “They breeze through a few surface-level checks, deliver a canned report, and walk away with a five-figure paycheck.”
The core problem, he argues, isn’t just poor service; it’s a complete misunderstanding of what compliance should be. “The problem isn’t compliance. It’s complacency,” he says. “Here’s the dirty truth: compliance has become a business model. Not a safeguard. Not a strategy. Just a way to monetize fear and complexity.” The result is often what he calls “performative theater.” It looks like a thorough audit. It feels like due diligence. But dig deeper and it’s little more than formatted fluff.
What Real Compliance Actually Looks Like
The difference between real and fake compliance is both obvious and measurable. “A real advisor doesn’t just name-drop frameworks,” he says. “They align them to your business. They understand your systems, your risks, your team, and your regulatory environment.” He describes the process Zyrka takes with clients: asking hard, specific questions such as “Where are you most vulnerable, technically and operationally?”, “What’s your actual risk tolerance?”, and “What’s the real-world impact on your deal flow, your investors, and your reputation if something breaks?”
The answers to those questions drive tailored recommendations instead of regurgitated white paper findings. “Not a recycled PDF. Not a summary of findings with no path forward. Real compliance means building the fix, not just diagnosing the symptom.” And above all, Sandlin insists, accountability matters. “If your advisor can’t explain how their work measurably reduced risk, they didn’t do their job. Full stop.”
Cleaning Up the Aftermath
Zyrka has developed a niche in cleaning up the messes others leave behind. “We’ve worked with clients who were paying three times the going rate for compliance reports that were nothing more than dressed-up screenshots,” says Sandlin. “We’ve replaced firms who spent more time talking about frameworks than actually assessing infrastructure.” In some cases, those oversights had real consequences. Systems were compromised, vulnerabilities exploited, deals jeopardized. And all of it had supposedly been “audited” just weeks before.
His frustration is evident. “Stop paying for theatricals. Start demanding results.”
Choosing a Compliance Partner Who Delivers
When it comes to vetting compliance advisors, Sandlin doesn’t mince words. “Treat it like hiring a surgeon,” he says. “Ask what their findings actually changed for other clients. Ask how many of their clients experienced breaches post-audit, and how they responded. Ask to see deliverables and look past the formatting.”
Because as he reminds his clients often, “You don’t get points for a clean report. You get points for staying out of headlines.”
With Zyrka, Sandlin has created a firm that partners with its clients. Built on transparency and measurable outcomes, Zyrka thrives on solving the problems others tend to avoid. Sandlin’s legacy lies in the quiet confidence of clients who know their systems are sound and their risks managed because someone finally asked the right questions.
For more insights from Clark Sandlin, visit his website or follow him on LinkedIn and X (formerly Twitter).