Under the FSCA/PA Joint Standard , compliance is no longer about whether an organisation has policies, tools, or frameworks in place. The regulatory focus is on whether cyber, IT and risk management controls actually work. The Joint Standard is outcomes driven, risk-based standard. It requires organisations to demonstrate both the design adequacy and the operating effectiveness of their controls. Controls that exist only on paper, or tools that are poorly configured or incon