Every organization invests significant time and money designing and implementing internal controls. The controls get documented. People get trained. Audit signs off. And then, gradually, those same controls stop working the way they were intended to.
This is not a theoretical problem. It happens in organizations of every size, across every industry. Controls that functioned reliably for years begin to degrade.
Exceptions become the norm. Workarounds replace standard procedures. And by the time someone notices the gap, the organization has already absorbed losses, compliance failures, or operational disruptions that the controls were specifically designed to prevent.
The short answer to what causes this degradation is overconfidence and complacency. When a control has worked effectively for a long time, people begin to trust it without verifying it. They assume it will keep working because it always has.
They stop monitoring it closely, skip the testing, and cut corners on the procedures that keep the control functioning. That is the textbook answer, and it is accurate. But it is also incomplete.
In practice, control degradation is driven by a wider set of factors that interact with and reinforce each other. This article examines each of those factors in detail: overconfidence and complacency, staff turnover and knowledge loss, organizational change, regulatory evolution, technology drift, inadequate monitoring, and cultural erosion.
It also provides practical guidance for maintaining control effectiveness over the long term, grounded in the COSO Internal Control—Integrated Framework and established risk management process standards.
7 Key Factors That Cause Established Controls to Lose Effectiveness
1. Overconfidence and complacency: controls become invisible when no failures occur
2. Staff turnover and knowledge loss: institutional knowledge leaves with departing staff
3. Organizational change: M&A, restructuring, and process evolution
4. Regulatory evolution: standards shift while controls remain static
5. Technology drift: system changes silently break automated controls
6. Inadequate monitoring: degradation goes undetected without testing
7. Cultural erosion: weak tone at the top degrades all controls
Overconfidence and Complacency: The Primary Culprits
The most well-documented factors that cause established controls to lose their effectiveness are overconfidence and complacency. These are behavioral factors, rooted in human psychology, and they affect everyone from front-line employees to senior executives.
Overconfidence develops when a control has operated effectively for so long that people begin to believe it no longer needs active attention. The control becomes invisible. A manager who has never seen a payment approval process fail may start rubber-stamping approvals rather than scrutinizing each request.
A security team that has never experienced a breach may begin to assume their perimeter controls are impenetrable. In both cases, the control is still technically in place, but the human behavior required to make it function has eroded.
Complacency is the close relative of overconfidence. It occurs when people become comfortable with the status quo and assume that because a control has worked in the past, it will continue to work in the future.
The military has a well-known saying: complacency kills. That phrase exists because even in high-stakes environments with rigorous training, people naturally relax their vigilance when nothing bad has happened for a while. The same dynamic plays out in corporate settings, just with financial and operational consequences rather than physical ones.
A 2023 case study from Lowers & Associates illustrates the point: a U.S. law firm with five offices discovered that customer payment checks were being duplicated, forged, and re-cashed because the satellite offices had stopped following their own procedures for securing incoming payments.
No one had stolen anything for years, so the firm got lazy about the controls. The controls existed on paper. The procedures were documented. But nobody was following them, and nobody was checking to see whether they were being followed.
Overconfidence and complacency are particularly dangerous because they are self-reinforcing.
The longer a control works without a failure, the more confident people become that it will keep working, and the less attention they pay to maintaining it.
This creates a gradually widening gap between the control as designed and the control as executed. For a deeper look at how organizations can structure monitoring to catch this kind of drift early, see our article on best practices for a risk-based internal audit.
[Figure: The Self-Reinforcing Cycle of Complacency. How overconfidence gradually erodes control effectiveness]
Staff Turnover and Knowledge Loss
Controls do not operate themselves. They depend on people who understand why the control exists, what it is supposed to accomplish, and how to execute it correctly. When the people who designed or implemented a control leave the organization, they take that institutional knowledge with them.
The replacement hire may receive procedural training on what to do, but they often do not receive the context behind the control: what risk it was designed to address, what failure it was implemented to prevent, and what happens if the control is skipped or executed incorrectly. Without that context, the new employee is far more likely to treat the control as an administrative task rather than a risk mitigation measure.
They may shortcut the process, skip steps they perceive as unnecessary, or modify the procedure without understanding the consequences.
This problem compounds over multiple turnover cycles. The first generation of employees who implemented the control understood its purpose.
The second generation learned the procedure but may have lost some of the context. By the third or fourth generation, the control has become organizational folklore: people do it because they were told to, but nobody can explain why, and nobody is willing to push back if someone suggests cutting it.
The solution is documentation that goes beyond step-by-step procedures to include the risk rationale, the control objective, and the consequences of non-compliance. Organizations that maintain robust risk management policies that connect individual controls to the risks they address are far more resilient to turnover-driven control degradation.
[Figure: Institutional Knowledge Retention Over Turnover Cycles. How control understanding degrades with each generation of employees, from the original implementers through successive generations of employees]
Organizational Change and Business Process Evolution
Organizations are not static. They acquire new businesses, restructure departments, launch new products, enter new markets, and redesign processes. Each of these changes has the potential to render existing controls obsolete or ineffective.
Consider a control designed to ensure that all purchase orders above $10,000 receive executive approval. This control made sense when the organization was a mid-sized company processing 200 purchase orders per month.
After an acquisition that doubled the company’s headcount and tripled its purchasing volume, the same threshold now creates a bottleneck that executives handle by batch-approving requests without individual review.
The control still exists, but its effectiveness has been gutted by a business change that nobody adjusted the control to accommodate.
Mergers and acquisitions are a particularly common source of control degradation. When two organizations combine, they bring different control frameworks, different risk tolerances, and different operational cultures.
The integration process often focuses on financial consolidation and systems migration, while the alignment of internal controls receives less attention. Gaps emerge where one organization’s controls assumed a process that the combined entity no longer follows.
Process reengineering creates similar risks. When an organization redesigns a business process for efficiency, the controls embedded in the old process may not transfer to the new one. The risk that the control was addressing has not gone away, but the mechanism for managing it has been removed or bypassed. For guidance on how to identify these gaps systematically, see our article on how to conduct a risk assessment.
[Figure: Control Effectiveness Gap Over Time. How organizational changes create widening gaps between designed and actual control performance]
Regulatory and Legal Changes
Regulatory environments evolve continuously. New regulations are enacted, existing regulations are amended, enforcement priorities shift, and judicial interpretations change. Controls that were designed to meet regulatory requirements at a specific point in time can fall out of compliance as those requirements change.
In the United States, the Sarbanes-Oxley Act of 2002 dramatically changed the requirements for internal controls over financial reporting at public companies.
Organizations that had considered their existing controls adequate suddenly faced material weakness findings because the regulatory standard had moved. The controls themselves had not changed; the standard against which they were measured had.
This pattern repeats across industries. Data privacy regulations like GDPR and state-level privacy laws in California (CCPA/CPRA), Virginia (VCDPA), and Colorado (CPA) have introduced new control requirements that did not exist five years ago.
Anti-money laundering regulations continue to expand in scope and rigor. Cybersecurity regulations, from the SEC’s new disclosure rules to state-level requirements, are imposing new control expectations on organizations that may have designed their security programs under a different regulatory baseline.
The risk is not that organizations ignore regulatory changes entirely. Most compliance teams track new regulations.
The risk is that the organization updates its policies to reflect new requirements but fails to update the underlying controls that implement those policies. Policy says one thing; execution does another. This is why compliance key risk indicators are essential: they provide measurable signals of whether controls are actually achieving compliance, not just whether policies have been updated.
[Figure: Regulatory Evolution Timeline. Key regulations that shifted control requirements for organizations]
Technology Drift and System Changes
Controls that depend on technology are vulnerable to a specific form of degradation: the underlying technology changes while the control does not. This happens more often than most organizations realize.
Software updates can alter the behavior of automated controls. A system upgrade that changes how access permissions are inherited can silently break a segregation of duties control that relied on the previous permission model.
A patch that modifies data validation rules can allow transactions through that the old rules would have rejected. A cloud migration that moves a process from an on-premises server to a SaaS platform can change the logging and monitoring capabilities that a detective control depends on.
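The permission-inheritance case above is the kind of silent break a control owner can only catch by re-running the control's test after the change. The following is an added example, not code from the article: a segregation-of-duties check over a user's effective entitlements, run under the old permission model and the new one so the difference is visible. It assumes a simplified directory in which users belong to groups, groups can be nested, and an upgrade switched on inheritance of entitlements through nested groups; all users, groups, entitlement names and the conflict rule are constructed.

```python
"""Segregation-of-duties (SoD) check over effective entitlements.

Added example, not from the article. Models a simplified directory where a
system upgrade changed whether entitlements are inherited through nested
groups. Users, groups, entitlement names and the conflict rule are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Directory:
    # group -> entitlements granted directly by that group
    group_entitlements: dict
    # parent group -> child groups nested inside it
    nested_groups: dict
    # user -> groups the user is a direct member of
    user_groups: dict


def effective_entitlements(directory, user, inherit_nested):
    """Entitlements a user actually holds.

    With inherit_nested=False (the pre-upgrade model) only direct group
    membership grants entitlements; with True (the post-upgrade model) a
    member of a parent group also receives everything its nested groups grant.
    """
    seen, held = set(), set()
    queue = deque(directory.user_groups.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        held |= directory.group_entitlements.get(group, set())
        if inherit_nested:
            queue.extend(directory.nested_groups.get(group, ()))
    return held


def sod_violations(directory, conflict_rules, inherit_nested):
    """Users holding every entitlement in any conflicting set."""
    findings = []
    for user in sorted(directory.user_groups):
        held = effective_entitlements(directory, user, inherit_nested)
        for conflict, label in conflict_rules:
            if conflict <= held:
                findings.append((user, label))
    return findings


# Constructed sample directory: "finance-leads" is a container group whose
# nested children grant the two duties that must stay separated.
SAMPLE_DIRECTORY = Directory(
    group_entitlements={
        "vendor-admins": {"vendor.create"},
        "payment-release": {"payment.release"},
        "finance-leads": set(),
    },
    nested_groups={"finance-leads": {"vendor-admins", "payment-release"}},
    user_groups={
        "alice": {"finance-leads"},
        "bob": {"vendor-admins"},
        "carol": {"payment-release"},
    },
)

# Constructed SoD rule: nobody may both set up vendors and release payments.
SOD_RULES = [({"vendor.create", "payment.release"}, "vendor setup vs payment release")]


def compare_before_and_after(directory=SAMPLE_DIRECTORY, rules=SOD_RULES):
    """Violations the old permission model hid but the new one exposes."""
    before = set(sod_violations(directory, rules, inherit_nested=False))
    after = set(sod_violations(directory, rules, inherit_nested=True))
    return sorted(after - before)


if __name__ == "__main__":
    for user, label in compare_before_and_after():
        print(f"NEW SoD VIOLATION after upgrade: {user} ({label})")
```

Under the old model the check passes for everyone, because membership in the container group granted nothing; after the upgrade the same data shows a violation for the container-group member. The point for control owners is that the control's documented test did not change, only the platform underneath it, which is why testing after significant system changes belongs in the change management process.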
Shadow IT compounds this problem. When business units adopt new tools without going through the IT governance process, they often create processes that bypass existing controls entirely.
An employee who starts using a personal file-sharing account to send documents to clients has just circumvented the data loss prevention controls that the organization implemented on its approved file-sharing platform. The control is still operating on the approved platform. It is just no longer covering all the relevant activity.
Organizations that implement operational risk management processes with explicit technology risk categories are better positioned to catch technology-driven control degradation.
This includes maintaining a current inventory of the systems that support each control, requiring change management reviews when those systems are updated, and testing controls after significant system changes.
Inadequate Monitoring and Testing
The COSO Internal Control—Integrated Framework identifies monitoring as one of the five essential components of an effective internal control system, alongside the control environment, risk assessment, control activities, and information and communication. COSO’s monitoring guidance is built on two principles.
First, organizations must conduct ongoing or separate evaluations to determine whether controls continue to function over time. Second, internal control deficiencies must be identified and communicated to the right people in a timely manner.
When monitoring is inadequate, control degradation goes undetected. The controls may still be documented. People may believe they are following the procedures.
But without testing, there is no independent verification that the controls are actually operating as designed. This is one of the most common pathways from a functioning control to a material weakness.
Monitoring failures take several forms. The most obvious is simply not testing controls at all. But more subtle forms include testing the wrong controls (focusing on low-risk areas while neglecting high-risk ones), testing too infrequently (annual testing of controls that should be tested quarterly), and testing design effectiveness without testing operating effectiveness (confirming that a control is well-designed on paper without verifying that people are actually executing it).
The COSO framework emphasizes that monitoring should be risk-based: controls that address higher-risk areas should be monitored more frequently and more rigorously than controls that address lower-risk areas. Organizations that apply the same testing cadence across all controls inevitably under-test high-risk controls and over-test low-risk ones.
[Figure: COSO Internal Control Framework. Five essential components; monitoring failures undermine the entire system]
Cultural Erosion and Tone at the Top
The control environment, as COSO defines it, is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The tone set by the board and senior management is the single most influential factor in whether that control environment is strong or weak.
When leadership consistently demonstrates that internal controls are important, that compliance is non-negotiable, and that control failures have consequences, employees follow suit. When leadership treats controls as bureaucratic overhead, pressures staff to cut corners in the interest of speed or cost, or fails to hold people accountable for control failures, the entire control environment degrades.
This erosion is typically gradual. It does not happen because a CEO sends an email saying “stop following internal controls.”
It happens through dozens of small signals: approving budget cuts to compliance staffing, deprioritizing audit findings, promoting managers who deliver results regardless of how they achieve them, and tolerating known control gaps because addressing them would be inconvenient. Over time, employees learn that controls are optional in practice even if they are mandatory on paper.
The Enron and WorldCom scandals of the early 2000s are extreme examples, but the pattern is visible in organizations of all sizes. Cultural erosion is particularly damaging because it affects all controls simultaneously.
A weak tone at the top does not degrade one specific control; it degrades the entire control system by reducing the collective willingness to enforce standards. For a detailed look at how organizational culture intersects with risk management frameworks, see our article on the COSO framework and how it is used.
Human Factors: Fatigue, Workload, and Cognitive Bias
Controls that depend on human judgment are inherently vulnerable to human limitations. Fatigue, workload pressure, cognitive bias, and stress all reduce the quality of human decision-making, and every manual control is a human decision-making exercise.
An accounts payable clerk who reviews 200 invoices per day will inevitably apply less scrutiny to invoice number 195 than to invoice number 5.
A compliance analyst who has reviewed 50 transaction alerts and found nothing suspicious may begin to treat alert number 51 as another false positive before fully investigating it. A manager who is under pressure to close the quarter may approve an exception request that they would have rejected under normal circumstances.
These are not failures of character. They are predictable consequences of how human cognition works under sustained load.
Organizations that understand this design controls to account for human limitations: they automate high-volume, low-complexity controls; they rotate responsibilities to prevent fatigue-driven complacency; they implement dual controls for high-risk decisions; and they create escalation paths that do not depend on a single person’s judgment.
The field of operational risk management explicitly identifies people risk as one of the four categories of operational risk (alongside process, system, and external event risk).
Organizations that track key risk indicators for human factors, such as overtime hours, error rates, training completion rates, and staff-to-workload ratios, are better positioned to detect when human factor risks are approaching levels that threaten control effectiveness.
[Figure: Human Factor Impact on Control Quality. How cognitive and workload factors reduce control effectiveness]
How to Maintain Control Effectiveness Over Time
Understanding why controls degrade is necessary but not sufficient. Organizations need practical mechanisms to prevent degradation and catch it early when it occurs.
The following practices, drawn from the COSO framework and ISO 31000, provide a structured approach.
7 Best Practices for Maintaining Control Effectiveness Over Time
Implement Risk-Based Monitoring
Allocate monitoring effort based on risk significance. Controls that address material risks, such as financial reporting integrity, regulatory compliance, data security, and fraud prevention, should be tested more frequently and more rigorously than controls over lower-risk activities.
Monitoring should include both design effectiveness (is the control well-designed to address the risk?) and operating effectiveness (are people actually executing the control as designed?). For a practical guide to structuring this work, see our article on audit risk assessment.
Tie Controls to Risk Rationale
Every control should have documented justification that explains what risk it addresses, what the control objective is, and what the consequences of control failure would be.
This documentation should be part of the organization’s risk register and should be accessible to the people who execute the control. When employees understand why a control exists, they are far more likely to execute it properly and far less likely to shortcut it.
Conduct Control Self-Assessments
Control Self-Assessment (CSA) programs empower the people who execute controls to evaluate their own control environment.
CSA workshops and questionnaires surface problems that formal audit engagements often miss because the people closest to the process know where the real risks and workarounds are. CSA also reinforces accountability by making control ownership explicit. For more on CSA, see our article on the operational risk management process.
Update Controls After Organizational Changes
Establish a formal trigger-based review process that requires control reassessment after significant organizational changes: mergers and acquisitions, restructurings, system migrations, process redesigns, and new product launches.
The review should identify controls that have been bypassed, controls that no longer address the relevant risk, and gaps where new controls are needed. This is a critical step in the five steps of the risk management process: the monitoring step must be responsive to change, not just routine.
Invest in Training and Knowledge Transfer
Training should go beyond procedural instruction to include risk context. When new employees are trained on a control, they should learn what risk the control addresses, what failure looks like, and what past incidents the control was designed to prevent.
Cross-training and documented succession plans help mitigate the knowledge loss that accompanies staff turnover.
Track Leading Indicators of Control Degradation
Rather than waiting for a control failure to reveal degradation, track leading indicators that signal emerging problems.
These key risk indicators might include the number of control exceptions granted, the time elapsed since the last control test, employee turnover rates in control-critical roles, the volume of audit findings related to control execution, and the percentage of controls that have not been updated since a major organizational change. When these indicators breach defined thresholds, they should trigger investigation and remediation.
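The indicators listed above, the risk-based testing cadence from the monitoring section, and the system inventory and test-after-change practice from the technology drift section all rest on the same thing: a control register that records, for each control, its risk rationale, the systems it depends on, and when it was last tested. The following is an added example, not code from the article, of a small monitor over such a register. The control ids, supporting systems, dates, cadence values and exception ceiling are constructed for the example.

```python
"""Leading-indicator monitor for control degradation.

Added example, not from the article. Keeps a small control register that
records each control's risk rationale, supporting systems and last test, then
evaluates three indicators the text describes: supporting systems changed
since the last test, tests overdue under a risk-based cadence, and exception
creep. Control ids, systems, dates and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical risk-based cadence: maximum days between operating-effectiveness tests.
CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}
# Hypothetical ceiling on exceptions granted against one control per period.
MAX_EXCEPTIONS = 3


@dataclass(frozen=True)
class Control:
    control_id: str
    objective: str             # the risk rationale, kept with the control
    risk_rating: str           # "high", "medium" or "low"
    supporting_systems: tuple  # systems the control depends on
    last_tested: date
    exceptions_granted: int = 0


@dataclass(frozen=True)
class SystemChange:
    system: str
    changed_on: date
    description: str


def retest_after_change(controls, changes):
    """Controls whose supporting system changed after their last test."""
    return [
        (c.control_id, ch.system, ch.description)
        for c in controls
        for ch in changes
        if ch.system in c.supporting_systems and ch.changed_on > c.last_tested
    ]


def overdue_tests(controls, today):
    """Controls tested less recently than their risk rating allows."""
    return [
        (c.control_id, (today - c.last_tested).days)
        for c in controls
        if (today - c.last_tested).days > CADENCE_DAYS[c.risk_rating]
    ]


def exception_creep(controls, limit=MAX_EXCEPTIONS):
    """Controls where granted exceptions have exceeded the ceiling."""
    return [(c.control_id, c.exceptions_granted)
            for c in controls if c.exceptions_granted > limit]


def evaluate(controls, changes, today):
    """Combine the indicators into one report with the controls needing attention."""
    report = {
        "retest_after_change": retest_after_change(controls, changes),
        "overdue": overdue_tests(controls, today),
        "exception_creep": exception_creep(controls),
    }
    flagged = {item[0] for findings in report.values() for item in findings}
    report["needs_attention"] = sorted(flagged)
    # Share of controls whose supporting systems changed without a retest.
    report["pct_untested_since_change"] = round(
        100 * len({f[0] for f in report["retest_after_change"]}) / len(controls), 1)
    return report


# Constructed sample register and change log.
CONTROLS = (
    Control("AP-01", "Purchase orders above threshold need executive approval", "high",
            ("erp",), date(2024, 1, 15), exceptions_granted=5),
    Control("IAM-02", "Vendor setup and payment release held by different people", "high",
            ("erp", "idp"), date(2024, 5, 1)),
    Control("DLP-03", "Outbound documents scanned on the approved file-sharing platform", "medium",
            ("fileshare",), date(2024, 4, 1)),
    Control("HR-04", "Annual policy attestation completed", "low",
            ("hris",), date(2024, 3, 1)),
)
CHANGES = (
    SystemChange("idp", date(2024, 6, 10), "Upgrade changed group permission inheritance"),
    SystemChange("erp", date(2023, 12, 1), "Validation-rule patch, already covered by later tests"),
)
TODAY = date(2024, 7, 1)


if __name__ == "__main__":
    for key, value in evaluate(CONTROLS, CHANGES, TODAY).items():
        print(f"{key}: {value}")
```

On the sample data the report flags the access control whose identity provider changed after its last test, the high-risk approval control that has drifted past its 90-day cadence, and the same approval control for exception creep. A real program would feed the register from the GRC tool and the change log from change management, and route each breached indicator to the control owner as the text recommends.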
Strengthen Tone at the Top
Senior leadership must visibly and consistently reinforce the importance of internal controls.
This means holding people accountable for control failures, funding compliance and internal audit functions adequately, including control effectiveness in performance evaluations, and responding to audit findings with genuine corrective action rather than defensive pushback. Without leadership support, all other efforts to maintain control effectiveness will be undermined by cultural erosion.
The Bottom Line
Controls are not “set and forget.” They are living systems that depend on people, processes, and technology, all of which change over time. The factors that cause established controls to lose their effectiveness are both predictable and preventable, but only if organizations actively manage them.
Overconfidence and complacency are the headline causes, but they operate alongside staff turnover and knowledge loss, organizational change, regulatory evolution, technology drift, inadequate monitoring, cultural erosion, and human cognitive limitations. Each of these factors alone can degrade a control. In combination, they can dismantle an entire control framework while everyone assumes it is still functioning.
The organizations that maintain strong controls over the long term are the ones that monitor them continuously, test them rigorously, update them proactively, and embed them into a culture that treats risk management as a shared responsibility rather than a compliance exercise.
The COSO framework provides the architecture. ISO 31000 provides the principles. But execution depends on leadership commitment, adequate resources, and the discipline to treat controls as assets that require ongoing investment.
Looking for more on internal controls and risk management? Visit riskpublishing.com for practical guides on enterprise risk management, operational risk, key risk indicators, and the COSO framework. Have questions about strengthening your organization’s control environment? Reach out through our contact page.
Sources and Further Reading
1. COSO, Internal Control—Integrated Framework (2013): coso.org
2. COSO Monitoring Guidance: COSO Monitoring Guide
3. Deloitte, Guide for Management: Next Steps After Identifying a Deficiency in Internal Control Over Financial Reporting (October 2024): dart.deloitte.com
4. Lowers & Associates, “4 Culprits of Complacency”: blog.lowersrisk.com
5. Pathlock, Types of Internal Control Weaknesses and How to Fix Them: pathlock.com
6. Riskonnect, Why Effective Controls Are Essential to Mitigate Risk: riskonnect.com
7. Linford & Company, Effective Internal Control Environment and Risk Assessment: linfordco.com

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
