Business Insight

Controls Modernisation Spotlight

By Gwladys Ngo Tedga Yagla and Justin Jones

20 November 2025

Share Share
computer generated shapes
Share

    What you need to know

    • Keeping up to date with the year-on-year increase in the number of regulatory obligations imposed by Government and regulators has led to many organisations to reactively adding controls, without taking the time to consider whether they are efficient.
    • Regulatory obligations are increasing and enforcement is tougher, which raises the risk and cost of non compliance.
    • Excessive controls dilute assurance, create audit fatigue, and make change harder to manage as systems and obligations evolve.
    • Modernisation using data, automation and AI is now essential to create robust, risk based controls that meet legal and strategic needs.

    What you need to do

    • Diagnose and prioritise your controls by mapping the landscape, removing duplication, and focusing on key obligations and highest risks.
    • Benchmark and rationalise your framework by comparing to peers and standards. Consolidate and streamline controls to close gaps and prioritise effectively.
    • Automate and modernise monitoring, testing and reporting using data, automation and AI to enable continuous improvement.
    • Strengthen governance by clarifying ownership and accountability and aligning controls to legal duties so they remain defensible and agile.

    Are your controls costing more than they deliver?

    Given the current economic climate and the increasing focus on cost-out strategies, organisations are re-evaluating how they operate and the control environment is no exception. Over time, layers of controls have been accumulated in response to regulatory changes, incidents, breaches, and shifting organisational priorities. The result is often a complex and burdensome framework weighed down by excess controls - many of which are inefficient, redundant, or misaligned with actual risk and compliance needs and legal requirements. As regulatory demands continue to intensify and the pressure to reduce costs grows, the urgency to streamline and modernise these control environments has never been greater.

    The Challenge: more controls, less assurance

    For most organisations, the internal control environment has grown organically over time, often as a result of overlapping, manual, or outdated controls that can expose organisations to heightened legal and regulatory risks. This creates several critical challenges to be resolved:

    • Demonstrating effective risk management to regulators and key stakeholders has become difficult.
    • Increased risk of non-compliance as controls are misaligned with regulatory expectations or simply unfit for purpose.
    • Ineffective assurance and audit fatigue as excessive controls dilute testing capacity. This often leads to repetitive testing which obscures genuine gaps.
    • Ineffective and complex change management as it is harder to update and embed controls as systems and obligations evolve.

    More obligations and increasing regulatory scrutiny

    Keeping up to date with the year-on-year increase in the number of regulatory obligations imposed by Government and regulators has led to many organisations to reactively adding controls, without taking the time to consider whether they are efficient. This is both inefficient, and ultimately increases legal and regulatory risk, particularly in the face of regulators who expect high standards of compliance, have very low tolerance for contraventions that are capable of leading to consumer harm or market distortion, and are more willing and able than ever before to take high impact enforcement action.

    Why act now?

    With the emergence of technologies such as artificial intelligence (AI), organisations have a unique opportunity to rethink their approach - eliminating waste, enhancing effectiveness, and delivering real value from controls while doing more with less. Organisations cannot afford to carry bloated or outdated control environments and need to act now to:

    • Reduce cost pressures by eliminating duplication and low-value controls, directing resources where they matter most.
    • Meet evolving regulatory expectations with proportionate, risk-based controls that can be robustly defended in audits or enforcement actions.
    • Improve agility with leaner control environments that can adapt quicker to regulatory changes and business transformations.
    • Strengthen accountability as heightened focus on director duties and accountability regimes mean ineffective controls or unclear ownership can lead to personal liability.

    How to effectively optimise your controls?

    To address these challenges, organisations should adopt the following better practices:

    1. Diagnose and prioritise – Assess the current control landscape to identify duplication, inefficiency, and manual effort. Focus on controls that are needed to meet regulatory obligations and/or address the most significant risks.
    2. Benchmark and rationalise – Compare practices against peers and regulatory standards. Consolidate and streamline controls to close gaps and prioritise effectively.
    3. Automate and modernise – Leverage data, automation, and AI to enhance monitoring, testing, and reporting. Embed smarter oversight and enable continuous improvement.

    Ashurst's control modernisation approach

    Controls sit at the intersection of law and risk. They are mechanisms that give effect to legal and regulatory obligations while also protecting the organisation from financial, operational and reputational harm. When controls are designed in isolation, either as a compliance checkbox or as a process efficiency exercise, gaps emerge that regulators and stakeholders are quickly expose to.

    Ashurst is uniquely positioned to offer deep insight by bringing together an integrated legal and risk offering to ensure that controls are both legally robust and operationally effective. This combination bridges the gap between regulatory requirements and business execution and results in advice that is defensible under legal scrutiny, sustainable in practice and aligned with organisational strategy.

    Time to re-examine your control environment

    Modernising and rationalising controls is no longer a discretionary efficiency exercise but a legal necessity and a strategic differentiator. Engage with Ashurst to discover how your organisation can achieve greater efficiency, stronger assurance, and sustainable resilience in today’s increasingly complex regulatory landscape.

    Other authors: Khoon Leng Cheng, Yumo Wang and Joseph Seliong

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.

    Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    This material is current as at 20 November 2025  but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

    Key Contacts