Evaluating Control Effectiveness as the Ultimate Test for Regulatory Compliance | FSCA/PA Joint Standard
- wynand83
- Jan 27
Under the FSCA/PA Joint Standard, compliance is no longer about whether an organisation has policies, tools, or frameworks in place. The regulatory focus is on whether cyber, IT and risk management controls actually work.
The Joint Standard is an outcomes-driven, risk-based standard. It requires organisations to demonstrate both the design adequacy of their controls (that a control, as designed, would mitigate the risk it is meant to address) and their operating effectiveness (that the control actually operates as designed, consistently, over time). Controls that exist only on paper, or tools that are poorly configured or inconsistently applied, do not meet the regulatory expectation.
There is also a clear requirement for ongoing monitoring and testing. Cyber and IT risks evolve continuously, and controls must be reviewed, tested, and improved accordingly. Static or once-off compliance efforts are insufficient.
Incidents, near misses, and recurring audit findings are treated as indicators of ineffective controls, even where documentation appears complete. Regulators assess effectiveness through real-world outcomes, not intent.
Importantly, control effectiveness is positioned as a governance responsibility. Boards and senior management are expected to obtain assurance that controls are effective and to ensure timely remediation where weaknesses are identified.
The Joint Standard aligns closely with international frameworks such as ISO/IEC 27001, NIST CSF, and COBIT, all of which emphasise control effectiveness over checkbox compliance.
The key message is clear: if an organisation cannot demonstrate that its controls are effective in practice, it is unlikely to meet regulatory expectations. Compliance has shifted from "having controls" to "proving that controls work".