For years, assurance lived quietly in the second and third lines of defence.
Controls were designed. Tests were scheduled. Reports were written. Boxes were ticked.
And as long as the audit opinion was clean, everyone slept reasonably well.
That model worked very well, when risk moved slowly.
But today, assurance is no longer an internal control exercise.
It’s becoming a board-level accountability.
The board is no longer asking “are controls designed well and have we passed the audit?”
They’re asking:
- Are we exposed right now?
- What’s our level of risk and where is it?
- What changed since the last report?
- Where are our third-party dependencies weakest?
- Can you prove this will hold up under regulatory scrutiny?
And crucially:
- If something goes wrong, can we show we were continuously managing risk not just reviewing it quarterly?
That shift matters.
Because once assurance becomes something the board relies on for decision-making, reputational defence and regulatory accountability, “point-in-time comfort” stops being enough.
Point-in-time assurance was built for a different world
Traditional assurance models assume three things:
- Environments are relatively stable
- Controls change infrequently
- Risk can be sampled and extrapolated
None of those assumptions hold anymore.
Modern enterprises run on:
- Cloud platforms that change daily
- Automated pipelines deploying constantly
- Identity estates that sprawl faster than they can be reviewed
- Hundreds – sometimes thousands – of third-party dependencies
- AI and data flows no one fully mapped two years ago
Risk no longer emerges neatly between audit cycles.
It appears in configuration drift.
In access creep.
In vendor changes.
In silent control failures that sit unnoticed for weeks.
By the time assurance reports land on the board table, they are already out of da
Regulators are moving the goalposts – and not quietly..
This isn’t just a board problem. Regulators are rewriting the rules underneath it.
Frameworks like DORA, NIS2, PRA SS1/21, APRA CPS 234 and others are no longer satisfied with:
- Annual testing
- Static control inventories
- Retrospective reporting
They expect:
- Ongoing operational resilience
- Continuous oversight of critical services and third parties
- Evidence that controls are working in practice, not just designed on paper
The uncomfortable truth?
In many future enforcement cases, the question won’t be:
“Did you have controls?”
It will be:
“Can you prove you were continuously assuring them?”
Assurance is becoming part of personal accountability
This is the real shift.
When assurance feeds:
- Board risk decisions
- Regulatory attestations
- Senior management accountability statements
…it stops being a technical exercise.
It becomes personal.
CISOs, CROs, Heads of Compliance and even board members are increasingly signing their names against statements that imply:
- We understand our risk posture
- We have effective controls
- We are operationally resilient
If those statements are based on quarterly snapshots and manual sampling, that’s a fragile position to defend after an incident.
No one wants to be in front of a regulator explaining:
“We didn’t know because our assurance model couldn’t see it.” Personal accountability makes it harder to ignore the new reality of continuously being operationally resilient.
Continuous Controls Monitoring changes the role of assurance
This is where Continuous Controls Monitoring (CCM) quietly changes the game.
Not by replacing audit.
Not by automating compliance for the sake of it or monitoring controls continuously for a laugh.
But by shifting assurance from:
Retrospective → Continuous
Sample-based → Evidence-driven
Periodic → Real-time
Instead of asking:
“Did this control pass last quarter?”
You can answer:
- Is it operating today?
- Has it drifted since yesterday?
- Which systems, identities or vendors are out of tolerance right now?
- What changed since the board pack was produced?
That turns assurance into something the board can actually rely on.
Not comfort.
Not compliance theatre.
But live risk intelligence.
The new question boards will ask
In the next few years, the board-level assurance question will shift from:
“Are we compliant?”
to:
“How quickly would we know if we weren’t?”
That’s a very different standard.
And it’s one that point-in-time assurance simply cannot meet.
Final thought…..
Assurance is no longer there just to satisfy audit.
It now underpins:
- Board confidence
- Regulatory defence
- Executive accountability
- Organisational resilience
When the consequences of being wrong include fines, personal liability, public scrutiny and operational disruption, the quality of your assurance model really matters.
In a world of continuous risk, assurance itself has to become continuous.
Otherwise, it’s not assurance.
It’s hindsight.
For more information on continuously monitoring your environment visit our ccm page here.
