For a long time, trust in assurance was implicit.
If controls were documented, audits were clean, and regulators weren’t asking questions, boards assumed the organisation was under control.
That assumption no longer holds.
Today, trust is no longer something assurance automatically earns. It has to be demonstrated — continuously.
A material incident rarely starts with a headline. It starts quietly. A configuration drifts. A third party changes something upstream. An access entitlement lingers longer than it should. When the issue finally surfaces, the board’s first question isn’t whether controls existed — it’s whether anyone could see the risk building.
The assurance reports are accurate. They’re just months old.
And in that gap between accurate and current, trust starts to erode.
Why trust has eroded
Boards aren’t becoming more demanding by accident. They’re responding to a risk environment that now moves faster than traditional assurance models were designed to handle, and to serious incidents that are hitting not only major global companies but smaller organisations as well.
Cyber incidents unfold in hours, not quarters. Third-party failures propagate instantly. Cloud and identity environments change daily. Regulatory scrutiny intensifies after incidents, not before.
In this world, assurance based on historic snapshots creates a false sense of security. By the time a board pack is approved, the risk landscape has already shifted.
The questions boards are really asking
Modern boards are no longer asking whether controls exist or whether an audit opinion is clean.
They’re asking:
- Are we exposed right now?
- What changed since the last report?
- Where are our weakest dependencies?
- How confident are we in our third-party resilience?
- Could we defend this position to a regulator after an incident?
These aren’t compliance questions. They’re tests of confidence.
Boards are trying to understand whether assurance can be relied on when decisions are made under pressure — during incidents, regulatory scrutiny, or moments where the cost of being wrong is high.
Assurance is no longer a comfort mechanism. It’s a decision-support function.
Why point-in-time assurance can’t answer them
Traditional assurance models were built on assumptions that no longer hold:
- Environments are relatively stable
- Controls change infrequently
- Risk can be sampled and extrapolated
Modern enterprises operate in a constant state of change. Continuous deployment, configuration drift, identity sprawl and expanding third-party ecosystems mean risk no longer emerges neatly between audit cycles.
When assurance is retrospective, trust becomes fragile.
Why more reporting doesn’t restore trust
When trust starts to wobble, the instinctive response is often to add more reporting.
More dashboards.
More metrics.
More KRIs.
But volume doesn’t equal confidence.
Boards don’t lose trust because they lack information. They lose trust because the information arrives too late, is disconnected from real risk, or can’t be defended after the fact.
Lagging indicators tell you what failed. Sample-based metrics tell you what might be happening elsewhere. Quarterly reports tell you what was true at a moment in time.
None of these answer the question boards are really asking:
How quickly would we know if something started to go wrong?
Why third-party assurance is where trust breaks first
Third-party risk is where traditional assurance models are most exposed.
Assurance is often based on annual questionnaires, point-in-time attestations, and assumptions that vendor controls remain static. In reality, critical services now depend on complex, interconnected supplier ecosystems that change continuously.
When a third-party issue causes disruption, boards aren’t interested in last year’s assurance pack.
They want to know whether risk was visible as it emerged, whether dependencies were understood, and whether anyone was watching in real time.
This is why regulators are focusing so heavily on third-party resilience — and why trust erodes fastest here.
Regulators have made trust explicit
Frameworks such as DORA, NIS2, PRA SS1/21 and APRA CPS 234 don’t explicitly talk about trust, but their expectations make it unavoidable.
They demand ongoing operational resilience, continuous oversight of critical services and third parties, and evidence that controls work in practice — not just on paper.
After an incident, regulators are far less interested in whether controls were designed correctly. They want evidence they were operating, monitored and managed as risk evolved.
In that context, assurance that cannot demonstrate continuity becomes difficult to defend — regardless of how complete the documentation appears.
What boards now need from assurance
Boards don’t need more reports.
They need assurance that is timely, defensible and actionable. Assurance that reflects the current state, not last quarter. Assurance that links control health to business services and real outcomes. Assurance that holds up when scrutiny arrives.
In short, they need assurance they can trust when decisions matter.
How modern assurance is evolving
This is where Continuous Controls Monitoring (CCM) quietly reshapes the role of assurance.
Not by replacing audit.
Not by automating compliance for its own sake.
But by shifting assurance from retrospective to continuous, from sample-based to evidence-driven, and from periodic to near real-time.
Instead of asking whether a control passed at the last review, boards can ask whether it is operating today, whether it has drifted since the last report, what is out of tolerance now, and what changed after the board pack was signed off.
That’s how trust is rebuilt.
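As an added illustration (not code from the article or from any CCM product), the small Python check below answers those four questions, is a control operating today, has it drifted since the last report, is it out of tolerance, and what changed after sign-off, against constructed control evidence. The control names, counts, tolerances, dates and drift threshold are all assumed; the three controls mirror the quiet failure modes named earlier: an MFA gap, a lingering access entitlement and an upstream third-party change.

```python
from datetime import date

# Constructed sample data (not from the article): evidence counts a CCM tool might
# pull from identity and supplier-monitoring feeds. Names, dates and thresholds are assumed.
BOARD_PACK_SIGNOFF = date(2024, 3, 31)
TODAY = date(2024, 5, 14)
DRIFT_THRESHOLD = 0.005  # a failure-rate move of more than 0.5 percentage points counts as drift

# tolerance = maximum share of checked items allowed to fail before the control is out of tolerance
CONTROLS = {
    "MFA-ENFORCED": 0.0,          # every privileged account must have MFA
    "STALE-ENTITLEMENTS": 0.05,   # at most 5% of accounts may hold access past its review date
    "VENDOR-TLS-CURRENT": 0.0,    # every critical supplier endpoint must present a current certificate
}

# Snapshots as (items_checked, items_failing) per control: at board-pack sign-off and now
AT_SIGNOFF = {"MFA-ENFORCED": (1200, 0), "STALE-ENTITLEMENTS": (1200, 40), "VENDOR-TLS-CURRENT": (18, 0)}
NOW = {"MFA-ENFORCED": (1215, 0), "STALE-ENTITLEMENTS": (1215, 55), "VENDOR-TLS-CURRENT": (19, 1)}


def failure_rate(snapshot, control_id):
    checked, failing = snapshot[control_id]
    return failing / checked if checked else 0.0


def assess(controls, baseline, current, signoff, today):
    """Per control: operating today? drifted since the last report? worsened?
    Also reports how old the baseline the board pack relied on has become."""
    report = {"days_since_signoff": (today - signoff).days, "controls": {}}
    for cid, tolerance in controls.items():
        then, now = failure_rate(baseline, cid), failure_rate(current, cid)
        report["controls"][cid] = {
            "failure_rate_now": round(now, 4),
            "operating": now <= tolerance,               # within tolerance right now
            "drifted": abs(now - then) > DRIFT_THRESHOLD, # materially different from sign-off
            "worsened": now > then,
        }
    return report


def changed_since_signoff(report):
    """Controls the board pack described that no longer look the same today."""
    return sorted(c for c, r in report["controls"].items() if r["drifted"])


if __name__ == "__main__":
    r = assess(CONTROLS, AT_SIGNOFF, NOW, BOARD_PACK_SIGNOFF, TODAY)
    print(f"board pack is {r['days_since_signoff']} days old")
    for cid, res in r["controls"].items():
        state = "operating" if res["operating"] else "OUT OF TOLERANCE"
        print(f"{cid:22} {state:17} drifted={res['drifted']} rate={res['failure_rate_now']}")
```

Note the distinction the output makes: the stale-entitlement control is still within tolerance yet has drifted since sign-off, which is exactly the movement a quarterly report cannot show.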
The new standard for trust
The board-level question is no longer:
Are we compliant?
It’s:
How quickly would we know if we weren’t?
Do we have assurance that we have full visibility into our entire business ecosystem so we know we are secure?
In a world of continuous risk, trust can’t be assumed. It has to be earned, evidenced and sustained.
And that requires assurance to evolve.