News & Blogs

Beyond Compliance: Building Resilient Control Environments for the Age of Disruption

Global · · tobyderoche.substack.com

This article challenges internal auditors to shift their focus from merely confirming control existence to evaluating control resilience, especially in dynamic environments like those incorporating AI. It highlights that controls designed solely for compliance often fail under pressure, urging auditors to test for degradation pathways and design for continuity rather than perfection. This perspective is crucial for audit professionals aiming to provide meaningful assurance in an increasingly complex and unpredictable operational landscape.


The Flaw in Compliance-Driven Controls

Many organizations only discover weaknesses in their control environments when faced with significant stress, such as cybersecurity incidents, regulatory inquiries, or unexpected AI model behaviors. This reveals a fundamental flaw: controls are often designed for compliance and documentation rather than for resilience and disruption. Internal audit, in its traditional role, frequently assesses controls under stable conditions, verifying documentation and management affirmations. However, this approach can mask underlying fragilities, as the true test of a control lies in its ability to withstand unexpected challenges and assumptions breaking down.

Existence vs. Resilience: A Critical Distinction

The article emphasizes the crucial difference between a control merely existing and being truly resilient. A policy requiring monthly access reviews, for instance, might show evidence of sign-offs, but a resilient system would automatically escalate or detect failure if a high-turnover department misses cycles. Similarly, an AI governance framework might define risk categories, but a resilient system would detect unauthorized AI deployments rather than relying solely on disclosure. Controls fail under pressure primarily because they are built to answer compliance questions (e.g., "Is the documentation complete?") instead of resilience questions (e.g., "What happens when someone doesn't follow the procedure?").

Common Failure Points and a Call for Stress Testing

Three common failure points are identified: manual dependency, where controls degrade under increased workload or staffing changes; signal blindness, where organizations collect data but fail to escalate meaningful anomalies; and fragmented ownership, where risks are siloed and pressure events expose these boundaries. To address this, internal auditors must evolve their testing methodologies. Instead of asking if a review was performed, they should inquire about the consequences of a skipped review. Instead of confirming an incident response plan, they should ask about the last time leadership rehearsed a scenario requiring external communication. This shift involves evaluating controls for their degradation pathways and anticipating failure modes, moving towards a design philosophy that assumes deviation and prioritizes continuity over perfection.

Designing for Failure and the Future-Ready Audit Function

Effective control systems should incorporate automated escalation, cross-functional visibility, redundancy in oversight, real-time monitoring, and clear ownership for anomalies. This is particularly vital in dynamic environments, such as those integrating AI, where traditional static controls struggle with non-deterministic behavior and evolving inputs. The article advocates for a future-ready audit function that moves beyond confirming procedural adherence to evaluating system resilience. By understanding how control systems absorb stress without collapsing, internal auditors can provide significantly more value, ensuring organizations are prepared for the challenges of digital, AI-driven ecosystems.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →