For many firms, assurance still follows a familiar rhythm, with controls tested, risks assessed, audit plans delivered, issues reported and remediation tracked. Boards and senior management then receive updates on where confidence is high, where weaknesses exist and what action is being taken.
All that remains important.
But the operating environment is changing faster than many traditional assurance cycles were designed for. Technology evolves, processes are redesigned, new suppliers are introduced, systems are updated, teams are restructured and automated decisions become more embedded in day-to-day activity.
A control that appeared effective when it was last tested may not remain so for long.
This does not mean annual assurance has lost its value. It means firms need to be clearer about the difference between knowing a control worked at a particular point in time and having confidence that it remains reliable now.
Assurance is often built around a point in time
Most assurance activity is necessarily based on evidence from a defined period. A control may be tested against a sample, an audit may review a process as it operated during a particular window, and a risk assessment may reflect the business model, systems and operating environment at the time it was completed.
That provides an important view, but it is still a view of the past.
The challenge comes when the conditions around the control change before the next review takes place.
A process may be altered to improve efficiency, a key activity may move to a new system, or a team may take on additional responsibilities. A supplier may change its service model, a new data source may be introduced, or an automated workflow may remove a manual check that once provided an important safeguard.
None of those changes automatically mean the control has failed.
But they may affect how it operates, whether it is still applied consistently and whether it continues to manage the risk it was designed to address.
The issue is not simply whether the control existed when it was last reviewed. It is whether the organisation has enough confidence that it still works in the environment it now operates in.
Controls rarely weaken in isolation
Controls do not usually become less effective because someone has decided to stop applying them. More often, they weaken gradually as the environment around them changes.
A process may become more complex, a team may lose experience, or a system change may create an unexpected workaround. A manual review may become harder to complete at volume, an exception queue may grow, a supplier relationship may change, or a new dependency may be introduced without the surrounding control framework being updated.
Each change may appear manageable on its own. Together, they can create a gap between the control as it was designed and the control as it operates in practice.
This is particularly relevant where firms are relying more heavily on technology, automation and third-party services.
A control may still be documented correctly, the policy may still be in place and the responsible owner may still be identified. But the underlying process may have changed enough that the original assurance approach no longer provides a reliable picture.
That is where control confidence matters.
It shifts the focus away from whether a control passed its last test and towards whether the organisation can see early signs that it may be becoming less effective.
Moving from control testing to control confidence
Control testing answers an important question: did the control operate as expected when we looked at it?
Control confidence asks something broader: what evidence do we have that this control remains reliable as the business, systems and risk environment change?
That does not require firms to test everything continuously. Nor does it mean creating more dashboards or collecting more data for the sake of it.
The aim is to focus attention on the controls that matter most: those linked to important business services, customer outcomes, regulatory obligations, financial exposure, operational resilience or significant decision-making.
For those controls, firms need a clearer understanding of what could indicate that performance is changing.
That may include increases in exceptions, delays in completion, growing backlogs, repeated overrides, failures in related processes, staff turnover, changes in supplier performance, system incidents or a rise in customer complaints.
None of those indicators should be viewed in isolation. But together, they can provide an earlier indication that a control needs attention before a formal review identifies a more significant weakness.
The danger of historic comfort
There is a risk in treating completed testing as evidence that a control is secure until the next scheduled review. That can create a false sense of confidence.
A control may have been effective when assessed, but the process around it may have changed considerably since then. It may now be operating at greater volume, relying on different data, managed by a smaller team or affected by a new third-party dependency.
In those circumstances, the question is not whether the original testing was wrong. It is whether the organisation has recognised that the control environment has moved on.
This is where assurance needs to become more closely connected to change.
Risk, compliance, operations, technology and internal audit should not all need to wait for the next annual cycle to identify that a control may be under pressure. There should be clearer links between significant change, emerging issues, control performance and management action.
That is not about making assurance functions responsible for running the business. It is about ensuring management’s confidence is based on current evidence rather than historic comfort.
Start with the controls that matter most
No organisation can monitor every control with the same level of intensity. Trying to do so would create unnecessary work and make it harder to see what really matters.
A more practical approach is to identify the controls where failure would have the greatest consequences. These are likely to include controls linked to:
- Important business services
- Customer outcomes
- Regulatory reporting and compliance
- Financial crime prevention
- Data protection and cyber resilience
- Significant financial decisions
- Outsourced or technology-enabled activity
- Areas undergoing frequent change
The next step is to ask what would indicate that those controls are becoming less reliable.
For some, this may be operational data. For others, it may be management information, control owner attestations, assurance findings, incidents, complaints, audit observations or changes in the wider risk environment.
The point is not to create a complicated measurement framework. It is to ensure there is enough evidence to support a meaningful management judgement.
The role of management
Continuous control confidence cannot sit entirely with risk, compliance or internal audit.
Management owns the controls, understands the operating environment and is closest to the changes that may affect whether controls remain effective.
That means control owners need to be able to explain more than whether a control is documented and assigned. They should understand what the control is intended to prevent or detect, what could cause it to weaken and what evidence would suggest it needs to be reviewed.
This is especially important where controls are supported by technology or third parties.
The owner may not manage the system directly, own the supplier relationship or control every data source and operational dependency. But they still need enough visibility to understand whether the control is continuing to deliver the outcome expected of it.
That requires clearer accountability across teams, not simply more reporting.
A role for internal audit
Internal audit has an important part to play in this shift.
Its role is not to operate controls or create management’s confidence for them. It is to challenge whether that confidence is well founded.
That may involve looking at whether the firm has identified its most important controls, whether significant change triggers an appropriate reassessment and whether management information is strong enough to identify deterioration before it becomes a larger issue.
Internal audit can also help test whether the assurance model reflects the reality of how the business now operates.
Are the right controls being tested? Are assurance plans still aligned to the most material risks? Is there a gap between what management believes is happening and what the evidence shows?
These are valuable questions, particularly in businesses where change is constant but assurance remains largely fixed.
Questions worth asking
A stronger approach to control confidence begins with a small number of practical questions:
- Which controls are most important to customer outcomes, resilience, regulatory compliance or financial stability?
- What changes could make those controls less effective?
- What evidence would show that they are beginning to weaken?
- Are management reports highlighting early warning signs or only confirmed failures?
- Does a system, process or supplier change trigger a reassessment of relevant controls?
- Are control owners able to explain how they know their controls remain reliable?
- Is assurance activity focused on the areas where confidence matters most?
These questions do not replace periodic testing. They make it more meaningful.
Confidence needs to be current
Annual testing, risk assessments and audit activity will continue to play an important role in how firms manage control risk.
But confidence cannot be updated only once or twice a year.
Where the business is changing quickly, assurance needs to keep pace with the controls that matter most. That means paying closer attention to the signs that show whether a control is under pressure, whether assumptions remain valid and whether management has enough evidence to act before a weakness becomes a failure.
The most important question is not simply whether a control worked when it was last reviewed.
It is whether the organisation would know if it stopped working now.
Stay up to date with the latest stories from the world of governance, risk, audit and compliance >>>





