In 2025, the Asia-Pacific region witnessed a pivotal shift in the adoption of low-code/no-code (LCNC) solutions. No longer seen as mere prototyping tools, low-code platforms have become the backbone of digital transformation across industries.
Gartner predicts that by 2026, developers outside formal IT departments will account for at least 80% of the user base for low-code development tools.
While citizen developers boost agility, decentralised creation brings new risks in the form of shadow IT, fragmented systems, data silo sprawl, and data exposure, as well as compliance gaps.
Relentless digitisation pressures and a chronic shortage of skilled developers drive this trend. IDC predicts that 25% of APAC enterprises now prioritise integrating AI with low-code platforms, using them to modernise legacy systems before layering on intelligent automation.
As Leonard Tan, regional director for OutSystems in Singapore, Malaysia, Brunei, and Greater China, observes: "The synergy lies in using low-code first to automate and streamline processes, creating the foundation for smarter AI adoption."
Sectors such as maritime, logistics, real estate, and government are leading the charge, deploying audit workflow builders to digitise compliance cycles, risk assessments, and internal controls.
What was once managed via spreadsheets and siloed tools is now being reimagined as dynamic, scalable applications — built not just by IT, but by domain experts with deep procedural knowledge.
Democratising audit with visual design
"Low-code audit workflow builders use visual platforms to design, automate, and scale audit, risk, and compliance processes without needing deep coding expertise." Leonard Tan
These builders are visual development environments that empower audit professionals to model, automate, and manage end-to-end compliance processes, eliminating the need for hand-coding and enabling legal, risk, and compliance teams to co-design workflows with IT.
In Asia, many organisations still rely on legacy systems or disconnected spreadsheets, resulting in fragmented and error-prone audit trails. "The challenge is compounded by limited in-house resources and fragmented vendor solutions," says Tan.
Low-code platforms address this by allowing subject matter experts—such as legal officers or internal auditors—to collaborate directly with IT, ensuring workflows align with real-world governance requirements.
Equipped with enterprise-grade features like role-based access, integration controls, and secure data handling, these platforms enable audit teams to deploy custom applications rapidly—from risk registers to control testing trackers—without accumulating technical debt.
"It's a more future-proof approach," Tan adds.
Governance embedded in the platform
"Strong governance becomes critical, especially when workflows are created outside central IT." Leonard Tan
As citizen development scales, so do the risks: shadow IT, data silos, and non-compliant processes. Tan argues that the solution lies in a platform-first governance model, where controls are embedded into the development environment from the outset.
"Governance is embedded directly into the platform itself from day one," he explains. Key mechanisms include role-based access controls to restrict sensitive modifications, version control for full audit trails, lifecycle management for reviewing, updating, and retiring workflows, and data integration standards to prevent siloed systems.
This approach aligns technology, process, and people, replacing reactive policy enforcement with automated safeguards. "Embedding these safeguards ensures decentralised development can happen securely and sustainably," confirms Tan.
Compliance across fragmented regulations
"Many companies choose to deploy the platform in their environment to isolate data in line with regulations like GDPR or PDPA." Leonard Tan
Asia's regulatory landscape is complex, with the PDPA in Singapore, PIPL in China, and PDPA in Thailand, as well as evolving frameworks in Indonesia and India, requiring low-code platforms to support multi-jurisdictional compliance. Tan highlights two key strategies: infrastructure flexibility and inherent platform controls. Organisations can deploy platforms on-premises or in private clouds to meet data residency requirements. Platforms like OutSystems, which are SOC 2 attested, provide built-in safeguards for data lifecycle management and access control.
"It's not one-size-fits-all, but the flexibility allows alignment with internal controls and security standards," Tan notes. This hybrid compliance model ensures audit workflows remain compliant whether processing financial data in Shanghai or personal records in Kuala Lumpur.
Oversight through central platform ownership
"Oversight must sit with a platform owner from IT... to maintain a single source of truth," posits Tan.
With workflows developed across departments, maintaining an up-to-date inventory is crucial. The solution lies in reusability and microservices, designed by default. Shared modules — such as CRM or ERP integrations — become standard components, ensuring that every workflow built on them inherits consistency, security, and traceability. "Using microservices ensures scalability and visibility," says Tan.
Low-code platforms provide automated version control, audit logging, and change tracking, allowing for a live, searchable inventory without relying on manual reporting. However, Tan stresses that ownership must rest with IT. "A platform owner from IT ensures governance, avoids shadow IT, and maintains a single source of truth for compliance."
This model supports decentralised innovation while upholding central oversight — a balance essential for audit readiness and organisational control.
Orchestration layer for enterprise systems
"Low-code platforms sit at the orchestration layer, connecting systems and users while ensuring consistency, compliance, and rapid delivery." Leonard Tan
Integration remains a significant challenge, as audit workflows must pull data from core systems, such as ERP (e.g., SAP) and GRC, as well as data lakes (e.g., Azure), and then deliver reports through BI tools like Power BI.
To address this, Tan advocates a platform-first integration approach, where APIs and prebuilt connectors are embedded directly into the low-code environment. "This enables seamless data sharing and end-to-end auditability."
For instance, an audit team can build a risk and control tracker on OutSystems that pulls financial controls from SAP via REST API, syncs policy compliance status from ServiceNow GRC, archives logs in Azure Data Lake, and delivers real-time dashboards via embedded Power BI.
"The platform acts as the bridge between audit users and enterprise systems," Tan explains. In today's blended IT environments, where off-the-shelf, custom, and cloud systems coexist, this orchestration role is indispensable for ensuring agility, traceability, and compliance.
Empowering citizen developers responsibly
"Organisations need a structured model combining training, governance, and collaboration." Leonard Tan
To empower non-IT users, Tan emphasises the importance of a Centre of Excellence (CoE), reusable assets, and role-based training. "You can't succeed in a low-code environment without proper training or guardrails."
Petronas in Malaysia exemplifies this approach. Through a CoE, they have enabled audit teams to co-develop enterprise-grade applications with IT oversight, resulting in faster deployment, reduced manual effort, and increased audit coverage.
"Tailored training, certifications, and a strong community deepen both business and technical skills," Tan adds. This model of structured decentralisation ensures that innovation proceeds without compromising compliance.
Auditing the audit workflows themselves
"Security and compliance must be embedded throughout the development lifecycle," notes Tan.
Even audit workflows need to be audited. Tan dismisses the myth that low-code sacrifices security for speed, stating: "Modern platforms come with built-in protections like controlled environments and automated security checks."
For high-risk workflows, oversight should be led by internal audit, risk, or compliance functions, which are responsible for enforcing platform-wide policies, monitoring integrity, reporting, and conducting periodic reviews.
"Role-based access, versioning, and logging help enforce this," Tan says. When these controls are standardised, automated compliance reporting becomes achievable and reliable.
Measuring success with KPIs
"Success is typically measured across three areas: effectiveness, efficiency, and governance," Leonard Tan
Tan recommends tracking:
- Effectiveness: Time to deployment, audit plan completion rates
- Efficiency: Manual effort saved, team productivity gains
- Governance: Audit log compliance, policy enforcement, technical debt
Platforms like OutSystems even scan for technical debt, providing proactive recommendations to help mitigate it. "These metrics form a healthy feedback loop, helping teams scale with confidence."
Click on the PodChats player to hear OutSystems' Tan elaborate on the above topics.
- Briefly describe the state of low-code/no-code (LCNC) adoption in Asia as of 2025.
- What are LCNC Audit Workflow Builders? What are the strategic objectives for adopting these?
- What governance models and policies must be enforced to effectively manage what we earlier alluded to as a decentralised citizen development of audit workflows?
- How do these LCNC platforms ensure compliance with diverse regional data privacy regulations and regulatory frameworks across Asia?
- How do organisations maintain an up-to-date inventory and ensure consistent oversight of all low-code audit workflows developed centrally and departmentally? Who should be in charge of this?
- Could you share one proven way LC audit tools are adequately integrated with core enterprise systems (ERP, GRC, data lakes) for seamless data sharing, reporting, and end-to-end auditability of critical processes?
- What specific training, support frameworks, and guardrails must be provided to non-IT users to empower them to build compliant and effective audit workflows?
- How can leaders regularly assess and mitigate risks (including auditing the audit workflows themselves for integrity and accuracy) stemming from rapid, decentralised development, and ensure automated compliance reporting? Who should be leading/doing this?
- What key metrics and KPIs should organisations use to track and measure the efficiency, compliance and overall success of their low-code audit workflow initiatives?
