Boards are receiving more assurance reporting than ever before. Packs are longer, dashboards are more refined, and assurance comes from multiple sources across the organisation. On the surface, this should create greater clarity and confidence. In practice, it does not always work that way.
The question many Boards are now facing is simple. Are we getting answers, or just information?
The gap between reporting and confidence
Assurance frameworks can create a strong sense of coverage without necessarily increasing confidence. Reporting is often aggregated, simplified, and presented in a way that is easy to consume. Risks are summarised, controls are described, and status indicators are frequently positive. Over time, this can create a picture that feels complete, even when important nuances are missing. The challenge is that operational reality is rarely as clean as the reporting suggests.
Issues are discussed informally before they are formally reported. Controls operate differently in practice than they do on paper. Dependencies on individuals, workarounds, and judgement calls are part of day to day operations, but are not always visible in assurance outputs. As a result, there can be a gap between what is reported and what is truly understood.
The questions that reveal the difference
For Boards and Non-Executive Directors, the most effective way to move beyond passive reporting is not to ask for more information, but to ask better questions.
Confidence
Confidence in controls is often inferred rather than tested directly. Reporting may confirm that controls exist and are designed appropriately, but that does not always translate into assurance that they are operating effectively in practice.
- How do we know this control is operating effectively, not just designed well?
- What evidence would genuinely change our level of confidence?
Reality
Reporting can unintentionally smooth over the edges of operational reality. Issues are often known informally before they are formally reported, and aggregated dashboards can hide important detail.
- What has gone wrong recently that is not fully reflected in formal reporting?
- Where does reporting feel too clean compared to reality?
Dependency
Many control environments rely more on people than they appear to. Experienced individuals compensate for gaps, apply judgement, and keep processes working, but this is not always visible in assurance outputs.
- Where are we reliant on key individuals or workarounds?
- What only works because experienced staff compensate for gaps?
Assurance
Not all assurance provides the same level of insight. Multiple sources of assurance can create a sense of coverage, while still sharing the same blind spots.
- What assurance actually tests effectiveness, not just compliance?
- If everything is green, what gives us confidence that it should be?
Forward look
Assurance often focuses on what has happened, rather than what is emerging. Risks evolve, but controls and reporting do not always keep pace.
- What emerging risks are not yet well understood?
- What concerns are being discussed informally but are not yet on the risk register?
For Heads of Internal Audit, the perspective is slightly different. The challenge is not just whether these questions can be asked, but whether they can be answered clearly and confidently using existing assurance, reporting, and evidence.
Where the answer is uncertain, it often points to areas where assurance is either too high level, too fragmented, or too focused on activity rather than effectiveness.
What good looks like
Strong assurance environments tend to be characterised by clarity rather than volume.
There is a clear line of sight from risk to control to evidence to insight. Reporting is focused on what matters most, rather than attempting to cover everything. Issues are surfaced early, even when they are uncomfortable, and there is a willingness to challenge whether positive reporting reflects reality.
Most importantly, assurance explains why something can be relied upon, not just what is happening.
A final reflection
more….
If these questions were asked tomorrow, would your assurance stand up, and would it create real confidence?
Questions to Challenge Assurance and Build Confidence
Confidence
- How do we know this control is operating effectively, not just designed well?
- What evidence would change our level of confidence?
- Where are we relying on management assertion rather than independent validation?
- If this failed tomorrow, would we be surprised?
Reality
- What has gone wrong recently that is not fully reflected in reporting?
- Where does reporting feel too clean compared to reality?
- What are we not seeing due to aggregation or dashboards?
- What is discussed informally but not formally reported?
Dependency
- Where are we reliant on key individuals or workarounds?
- Which controls rely on people rather than systems?
- Where would pressure or absence cause breakdown?
- What only works because experienced staff compensate for gaps?
Assurance
- What assurance actually tests effectiveness, not just compliance?
- Where might multiple assurance sources share the same blind spots?
- What areas look well-covered but haven’t been challenged in depth?
- If everything is “green”, what gives us confidence that it should be?
Forward look
- What emerging risks are not yet well understood?
- Where could small issues combine into something more significant?
- Are controls evolving with risk, or static?
- What concerns exist that aren’t on the risk register?
