Controls Assurance

Reviewers of an internal control framework must consider several elements to guarantee an independent assessment and provide an organisation with impactful added value:

• The first element to considered is the potential lack deep operational knowledge, leading to controls being judged in theory rather than in the real business context. As such, concrete experience/expertise, knowledge of best market practices will be considered as an asset.
• Access to information and people: gaps in documentation, reluctance of staff to speak openly, or siloed systems can make it hard to obtain completed, reliable evidence.
• Resource and time constraints: independent reviews are often periodic and time-boxed, limiting how deeply controls cans be tested and which areas can be covered.
• Perception and cooperation issues: Managers may feel “audited” rather than supported, becoming defensive, which can hinder frank discussions and transparency.
• Balancing rigor with practicality: independent reviewers may recommend ideal but impractical controls, causing friction with the business and risking non-implementation.
• Maintaining true independence: if the review function is not clearly separated in reporting lines or relies heavily for information, its objectivity can be questioned.

Implementing a SOC report (SOC 1, SOC 2, or SOC 3) brings several recurring challenges:

• Scoping the report correctly: Deciding which systems, locations, processes, vendors and control objectives to include; too narrow misses key risks, too broad becomes unmanageable and costly.
• Control design maturity: Existing processes may be informal or inconsistent; translating them into well designed, documented controls that meet SOC criteria often requires significant redesign.
• Evidence and documentation: SOC audits rely heavily on formal evidence (logs, tickets, reports, approvals, policies). Many organizations lack the level of documentation and retention needed, especially for historical periods.
• Roles and ownership: Clarifying who owns each control, who collects evidence, who responds to auditors, and who manages exceptions can be complex across IT, security, operations, HR, and compliance.
• Remediation of gaps: Initial readiness assessments typically reveal control gaps or weak operation. Fixing these (e.g., implementing logging, access reviews, backup tests, change management) within the audit period can be demanding.
• Change management during the period: System upgrades, migrations, or organizational changes during the audit period must be reflected in the control environment and explained to the auditor.
• Consistency in execution: SOC requires controls to operate consistently over time (for type 2). Getting staff to follow new procedures systematically, and not revert to old habits, is a major challenge.
• Third party dependencies: Cloud providers and key vendors may need to provide their own SOC reports or assurance. Aligning your controls with theirs and addressing shared responsibility gaps is often complex.
• Cost and resource constraints: SOC implementation and audits require time from senior engineers, security, and management, plus external auditor fees. Balancing this with business priorities can be difficult.
• Aligning with business reality: There’s a risk of designing controls to “pass the audit” but that are impractical, slowing operations or not truly reducing risk. Finding a pragmatic balance is essential.
• Communication with customers and stakeholders: Explaining what the SOC report covers (and does not cover), the time period, and the type (1 vs 2, SOC 1 vs SOC 2) can be challenging but is key to managing expectations.

Because Agentic AI can autonomously plan, decide, and execute multi step actions across tools and APIs, traditional AI and IT control frameworks are no longer sufficient. Existing governance models were designed for systems that respond to human commands, not for autonomous digital agents.

Its autonomy introduces new governance, risk, and control challenges that require active oversight by Boards, management, and Internal Audit. In particular, organizations must:

• Establish clear governance, ownership, and accountability for Agentic AI deployment.
• Evaluate whether workflows, approval steps, and fail safes are appropriate for autonomous actions.
• Strengthen cybersecurity controls against adversarial attacks, unauthorized access, and data leakage.
• Identify and monitor any unapproved or unmonitored use of Agentic AI (“shadow AI”).
• Assess models for fairness, explainability, and compliance with regulatory standards.

The use of data analytics in internal audit is a big improvement. It enables full population testing instead of sampling, reducing the chance of missing key issues. It helps detect hidden risks and fraud patterns (e.g. ghost employees, duplicate payments), and dashboards support clear, timely, data driven insights for management and the Audit Committee.

However, it comes with inherent challenges: if underlying data is unreliable, analytics results and audit conclusions may be flawed, and implementation can be costly and time consuming and may require support from an (external) data scientist.

RCSA encourages managers to take ownership of their risks and controls, rather than seeing them as “Audit’s problem,” and allows Internal Audit to extend coverage without increasing headcount. However, without strong training and guidance, self assessments may be superficial or poorly documented, leading to inconsistent quality. Business units may feel overwhelmed if the RCSA process is too complex and may prioritize day to day business activities over thorough self assessment.

To succeed, RCSA must be supported by strong training, clear documentation, and a simple, practical framework. A clear and consistent tone from top management is essential to secure broad acceptance of RCSA and ensure effective implementation across the organization.