Control Decay
Description
Your last audit was clean. So was the one before that. And then something happened anyway. In modern enterprises, controls rarely fail outright. They continue to operate, pass their tests, and produce their evidence. What changes is the world the controls were designed to govern - and that world is now governed by engineering, security, and operations teams moving faster than any assurance cycle was built to follow. This book introduces the concept of control decay: the gradual erosion of control effectiveness as the operating environment around a control evolves while the control itself does not.
Developed through analysis of consequential cases, including the Silicon Valley Bank collapse, the CrowdStrike outage of July 2024, and the Boeing 737 MAX MCAS case, the book presents C-DRAFT, a diagnostic framework that names six structural forces producing decay: Change Velocity, Dependency Drift, Role Dilution, Automation Opacity, Framework Lag, and Testing Illusion.
Established standards enforce and verify controls. They were not designed to detect when a control's design assumptions have drifted from the environment the control was meant to govern. C-DRAFT addresses that specific gap. Rather than replacing established standards such as COSO, COBIT, NIST, or ISO, or the security, engineering, and risk management frameworks organizations rely on day to day, C-DRAFT provides a shared lens through which audit, security, technology, engineering, and risk can read the same control environment. The focus is relevance, not compliance expansion. Control decay is everywhere. What it has lacked, until now, is a unified framework that can diagnose and respond to it.
What You Will Learn
- How to detect control decay before it produces a failure, using a diagnostic the existing frameworks were not built to provide
- How cloud, AI, automation, and third-party dependencies accelerate decay, and how to govern each one without expanding compliance
- How audit, security, technology, and risk can read the same control environment through a shared lens and stop duplicating each other
Who This Book Is For
This book is written for professionals responsible for evaluating, designing, or relying on control effectiveness in modern enterprises. Internal auditors, technology auditors, cybersecurity professionals, risk managers, GRC leaders, and assurance advisors will find practical guidance, as will technology and security leaders who rely on audit and risk outcomes to understand why their controls behave as they do.
Person
Ravi Sharma is a senior technology audit and risk practitioner who holds the CPA, CISA, CISSP, CRISC, CMA, AAIA, and ACMA credentials. He has worked across the seams the book examines: between internal audit and external assurance, between security operations and audit evidence, and between technology change and governance review. His work has included extensive engagement with cloud transformations, automation pipelines, identity governance platforms, SOX and regulatory assurance, and post-incident review in complex regulated environments.
Across those engagements, he has repeatedly observed the pattern the book names: controls that pass audits while the conditions the audits were designed to verify quietly diverge from current operating reality. He has worked with internal audit teams, external auditors, security functions, technology leaders, and regulators, and has approached the same control environment through each of those lenses in turn. He has written for industry journals, contributed to professional institutes, and served in leadership roles within professional associations and university advisory councils.
Content
- Chapter 1: The Illusion of Assurance
- Chapter 2: Control Decay: How Good Controls Grow Weak
- Chapter 3: Change Velocity: When Systems Move Faster Than Controls
- Chapter 4: Dependency Drift: Risk Outside Organizational Boundaries
- Chapter 5: Role Dilution: When Accountability Becomes Distributed
- Chapter 6: Automation Opacity: Controls That Work but Cannot Be Seen
- Chapter 7: Framework Lag: Compliance Without Relevance
- Chapter 8: Testing Illusion: Why Passing Audits Is Not Enough
- Chapter 9: Applying C-DRAFT: Detecting and Managing Control Decay
- Chapter 10: Aligning Internal and External Assurance
- Chapter 11: Designing Controls for Continuous Change
- Chapter 12: The Future of Assurance