Skip to content

10.2 Risk, audit, and assurance

Overview and motivation

Risk, audit, and assurance is the practice of understanding what could go wrong: with your software and with the organization that builds and runs it. You decide what to do about it. Then you prove that the controls you claim to have actually work. You prove it to executives, regulators, auditors, and the public. On a small team, risk management is mostly implicit. A few people hold the whole picture in their heads. In a large enterprise or government agency, you have to make risk explicit and systematic. No one person can see the whole surface. The consequences of failure are large and often regulated. Trust has to be shown, not assumed.

This matters more for large organizations, for three reasons. First, scale multiplies exposure. More systems, suppliers, data, people, and connections mean more ways to fail and a bigger blast radius when failure comes. Second, large organizations answer to outsiders (regulators, auditors, boards, courts, and citizens) who want evidence, not assurances. Third, concentration creeps in quietly. Shared platforms, common suppliers, and reused components create single points of failure that no single team notices, yet that can take down the whole enterprise at once.

This chapter aims to bring enterprise risk-management discipline to software without smothering delivery in bureaucracy. Done well, risk and assurance are not a tax on engineering. They are how a large organization earns the right to operate at scale. They turn "trust us" into "here is the evidence."

Key principles

  • Risk is managed, not eliminated. The job is to identify, assess, treat, and monitor risk to an accepted level, not to pretend it can be reduced to zero.
  • Own risk where it is created. The team that builds and runs a system owns its risk; central functions set standards and check, they do not absorb accountability.
  • Evidence over assertion. A control you cannot demonstrate is a control you do not have.
  • Continuous over point-in-time. Annual audits catch drift too late; controls should be monitored continuously and automatically where possible.
  • Third parties inherit your risk. Your suppliers' weaknesses become your weaknesses; supply-chain risk is your risk.
  • Concentration is a first-class risk. Efficiency through consolidation quietly creates single points of failure that must be named and managed.
  • Proportionality. Match the depth of control to the consequence; treating every system as maximum-criticality wastes effort and breeds evasion.

Recommendations

Apply enterprise risk management to software

Adopt a common risk framework and vocabulary across the organization, so you can compare and add up risks. Keep a risk register for each significant system, and roll the individual registers up to a portfolio view. For each risk, record likelihood, impact, owner, current controls, and treatment decision (accept, mitigate, transfer, or avoid). Use the "three lines" model to separate duties: teams own and manage their risks (first line), risk and compliance functions set policy and challenge (second line), and internal audit independently assures (third line). Set an explicit risk appetite at the top, so teams know how much risk the organization is willing to carry instead of each team guessing.

Assure third-party and supply-chain risk

Inventory your suppliers and, just as important, your software dependencies, including transitive open-source components. Assess each supplier in proportion to the access and criticality it carries. Lean on recognized attestations (such as SOC 2, an independent audit report on a provider's security controls, or ISO 27001 reports) rather than reinventing questionnaires where good evidence already exists. Require a software bill of materials (SBOM) for the components you consume, so you can answer "are we affected?" the moment a vulnerability breaks. Build supply-chain integrity into your pipeline: verify provenance, pin and sign artifacts, and control what enters your build. Write security, breach-notification, audit-rights, and exit terms into contracts. Reassess suppliers on a regular cadence, rather than only at onboarding.

Build audit trails, evidence, and continuous controls monitoring

Design systems to produce evidence as a by-product of running. Capture immutable, time-stamped, tamper-evident audit logs of significant actions: who did what, to what, when, and with what authorization. Protect those logs from being changed by the very people they record. Favor controls that are automated and continuously monitored: policy-as-code that blocks non-compliant changes, pipeline gates that enforce required reviews, and dashboards that show control status in real time. Continuous controls monitoring turns audit from a periodic scramble to reconstruct evidence into a steady stream of assurance. It catches drift within hours instead of at the next annual review.

Govern business continuity and disaster recovery

Know what your organization must keep doing, and how fast, if systems fail. Run a business-impact analysis to set recovery-time and recovery-point objectives (RTO/RPO) per service based on business need, not engineering convenience. Then maintain the business-continuity and disaster-recovery (DR) plans and (this is the part organizations skip) actually test them. Run regular exercises that include full failover and restore-from-backup drills. Untested backups and untested failover are assumptions, not capabilities. Govern this at the enterprise level, so you understand cross-system dependencies before a real disaster, not during it.

Manage concentration risk and single points of failure

Go looking, on purpose, for the places where many services depend on one thing: a single cloud region, one authentication provider, one key supplier, one database, one person. Map these concentrations at the portfolio level, because individual teams cannot see them. For the most critical, reduce concentration through redundancy, multi-region or multi-supplier strategies, and graceful degradation, while weighing the added cost and complexity honestly. Where you accept concentration for efficiency, make it a conscious, documented, owned decision with a tested backup plan. Do not let it be an accident nobody noticed until it failed.

Trade-offs: pros and cons

Approach Pros Cons
Heavy formal controls Strong assurance; audit- and regulator-ready Slows delivery; invites checkbox compliance and evasion
Lightweight risk-based controls Fast; effort focused on real exposure Requires mature judgment; gaps if risk assessed poorly
Point-in-time audit Familiar; clear pass/fail moment Catches drift late; incentive to prepare only for audit day
Continuous controls monitoring Early drift detection; less audit scramble Upfront automation investment; tooling and instrumentation cost
Consolidation / single supplier Lower cost; simpler; volume leverage Concentration risk; single point of failure; lock-in
Redundancy / multi-supplier Resilience; no single point of failure Higher cost and complexity; more to maintain and secure

The recurring trade-off is assurance versus velocity. The resolution is proportionality plus automation. Blanket heavy controls slow everyone down and, worse, teach teams to treat compliance as theater to be gamed. Purely lightweight controls depend on judgment that not every team has. The way through: match control depth to consequence, and automate controls into the delivery pipeline so that assurance comes from the act of building rather than bolted on afterward. The concentration trade-off (efficiency versus resilience) has no universal answer. Decide it consciously for each critical dependency, with the accepted risk documented and a backup plan tested.

Examples

Startup. A six-person health-tech startup handling patient data cannot afford a risk department, so it makes assurance a by-product of building. It keeps one short risk register in a shared doc, with an owner and a treatment decision for each entry, and reviews it at the Friday standup. It leans on its cloud provider's SOC 2 report rather than writing its own controls from scratch, generates an SBOM in the pipeline so it can answer "are we exposed?" the day a dependency flaw lands, and runs a restore-from-backup drill every month because an untested backup is only a hope. It also names its one glaring concentration risk out loud: the single founder who can deploy, and pairs a second engineer with him so that knowledge is not trapped in one head.

Enterprise. A payments company operates under continuous regulatory scrutiny. It runs the three-lines model. It maintains per-service risk registers rolled up to a board-level dashboard. It encodes its key controls as policy-as-code, enforced in the deployment pipeline. Change approvals, access grants, and configuration changes emit immutable audit events into a tamper-evident store. Rather than preparing for annual audits, the company gives auditors read access to live control dashboards, turning audit into sampling of continuous evidence. When a widely used open-source library discloses a critical flaw, the company's SBOM inventory answers "where are we exposed?" in minutes.

Government. A national government agency follows a formal authorization process before any system may operate. It requires documented controls, an independent assessment, and an accountable official who accepts residual risk. It maintains continuous monitoring, so authorization is an ongoing state rather than a one-time certificate. A regional cloud outage once exposed a single-region dependency in a citizen-facing benefits system. In response, the agency mapped concentration risk across its portfolio, mandated multi-region failover and tested restores for its most critical services, and now runs periodic disaster-recovery exercises whose results are reported to leadership.

Business case: motivations, ROI, and TCO

The return on risk and assurance is dominated by avoided catastrophic loss: a major breach, a regulatory penalty, a prolonged outage of a critical service, or a supply-chain compromise. These events are individually rare but individually enormous. A single avoided incident can exceed the multi-year cost of the entire assurance program. Beyond loss avoidance, mature assurance lowers the ongoing cost of compliance, because evidence is produced automatically rather than assembled in a panic. It makes it easier to win regulated business and pass customer due-diligence. And it speeds incident response, because you already know your exposure.

The adoption cost includes risk and audit staff, tooling for monitoring and evidence, and the engineering effort to automate controls into pipelines. The cost of not adopting is the expected value of the catastrophes you did not prevent, plus the slow tax of manual audit preparation and the reputational damage that compounds after any public failure. When you make the case to leadership, quantify a small number of plausible worst cases and their likelihood. Frame continuous controls monitoring as trading a large, unpredictable, occasional loss for a small, steady, predictable cost. Emphasize total cost of ownership: a control automated once pays down audit cost every year thereafter.

Anti-patterns and pitfalls

  • Checkbox compliance. Producing documents that satisfy an auditor while the real control does not function.
  • Audit-day theater. Systems that are compliant only in the weeks before the annual audit and drift the rest of the year.
  • Risk register as a graveyard. A register that is filled once and never revisited, disconnected from actual decisions.
  • Untested DR. Backup and failover plans that have never been exercised and therefore do not work when needed.
  • Supplier trust by logo. Assuming a well-known vendor is secure without evidence, and ignoring transitive dependencies entirely.
  • Invisible concentration. Consolidating onto one region, supplier, or person for efficiency without anyone owning the resulting single point of failure.
  • Assurance as a delivery blocker. Heavy central controls with no proportionality, which teams route around, creating shadow systems with no assurance at all.
  • Logs the actor can edit. Audit trails that the people being audited can alter, which prove nothing.

Maturity model

Level 1: Initial. Risk is handled reactively after incidents. No shared framework or register. Controls are undocumented and unverified. Audits are painful, manual scrambles. Concentration and supplier risk are unexamined.

Level 2: Managed. Risk registers exist for major systems. A control framework is adopted and audits pass, but preparation is manual and point-in-time. Key suppliers are assessed at onboarding. Backups exist but are rarely tested. Some single points of failure are known.

Level 3: Defined. The three-lines model and a common framework operate across the organization. Many controls are automated into pipelines. Continuous monitoring covers key controls. Supplier and dependency inventories, including SBOMs, are maintained. DR is tested on a schedule. Concentration risk is mapped at the portfolio level.

Level 4: Optimizing. Assurance is continuous and largely automated; auditors sample live evidence. Risk appetite is explicit and drives proportional controls. Supply-chain integrity is verified in the pipeline. DR exercises are routine and cross-system. Concentration decisions are conscious, owned, and contingency-tested, and the organization adapts controls as its risk profile changes.

Ideas for discussion

  • How do you set a meaningful risk appetite that teams can actually use to make daily trade-offs?
  • What is the right boundary between controls automated in the pipeline and controls that require human judgment?
  • When is accepting concentration risk for efficiency the right call, and how do you keep that decision honest over time?
  • How much supply-chain assurance is proportionate for a small transitive dependency versus a critical vendor with deep access?
  • Can continuous controls monitoring ever fully replace independent audit, or does independence require a human outsider?
  • How do you prevent risk and assurance functions from becoming a delivery bottleneck that teams route around?

Key takeaways

  • Risk is managed to an accepted level, owned where it is created, and proven with evidence rather than assertion.
  • Prefer continuous, automated controls monitoring over point-in-time audits so drift is caught early and evidence is produced as a by-product of operation.
  • Third-party and supply-chain risk (including transitive open-source dependencies) is your risk; inventory it, demand SBOMs, and verify provenance.
  • Business continuity and DR are capabilities only if tested; untested backups and failover are assumptions.
  • Concentration risk and single points of failure are portfolio-level concerns invisible to individual teams; map them and make consolidation a conscious, contingency-tested decision.
  • The business case is dominated by avoided catastrophe; trade a large unpredictable occasional loss for a small steady predictable cost.

References and further reading

  • ISO 31000, Risk Management: Guidelines
  • ISO/IEC 27001 and 27005, Information Security Management and Information Security Risk Management
  • NIST, Risk Management Framework (SP 800-37) and Security and Privacy Controls (SP 800-53)
  • NIST, Secure Software Development Framework (SP 800-218) and Cybersecurity Framework
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management: Integrating with Strategy and Performance
  • AICPA, SOC 2 Trust Services Criteria
  • The Open Group, FAIR (Factor Analysis of Information Risk)
  • Betsy Beyer et al., Site Reliability Engineering (Google)
  • Institute of Internal Auditors, The Three Lines Model