There is a growth pattern in internal control environments that is almost universal in financial institutions that have scaled quickly. In the early years, controls are minimal and informal — the institution is small enough that senior management has direct visibility of most transactions, and the primary control is managerial proximity. As the institution grows and the volume of transactions increases, controls are added reactively in response to risk events, audit findings, regulatory observations, and policy requirements. Each new control is documented, assigned to an owner, and monitored through a compliance checklist. Over several years, the control inventory grows substantially — sometimes to several hundred documented controls for a mid-sized institution — and the operational overhead of managing the control environment becomes a material cost.

The problem is not that the institution has too many controls. The problem is that the expansion of the control inventory has not been accompanied by a periodic reassessment of which controls are genuinely reducing risk and which are procedural overhead. The two categories look identical in a control register — both have owners, both have documentation, both are tested during the annual review cycle. Their effect on the risk profile, however, is not identical. The control that requires a manager to sign a daily exception report that nobody reads has a different risk-reduction value than the automated reconciliation that flags exceptions in real time and routes them to the relevant team before end of business.

What the CBUAE framework requires

The CBUAE three-lines-of-defence framework, embedded in the Risk Management Standards and reinforced through the Corporate Governance Standards and ICoFR requirements, establishes the governance logic for internal controls.

Two elements of Article 7 are worth attention. First, the first-line obligation is to maintain effective controls — not maximum controls, not documented controls, but effective ones. The effectiveness standard is the regulatory test. Second, the second-line function’s role is oversight and challenge, not ownership. Where the second line has taken on first-line control responsibilities — running controls on behalf of the business rather than monitoring them independently — the independence of the second line is compromised and the framework is not working as designed.

The ICoFR standards, which govern internal controls over financial reporting, apply the same effectiveness logic. Documentation and testing of controls are required. The annual assessment — typically supported by internal audit — must assess whether each control is operating as designed and is adequate to address the risk it is intended to mitigate. A control that exists in documentation and is signed off quarterly without genuine execution is not an effective control, and an ICoFR assessment that does not distinguish between effective and nominal controls is not a meaningful one.

The two failure modes of manual proliferation

Manual control proliferation produces two distinct failure modes, each of which increases risk rather than reducing it.

The first is control fatigue. When the volume of manual controls assigned to a business-line owner reaches the point where each individual control requires less time than its genuine execution demands, the controls begin to be performed as ritual rather than genuine review. Exception reports are signed without exceptions being investigated. Reconciliations are approved without discrepancies being resolved. Authorisation checklists are completed from memory rather than from evidence review. The institution’s control framework, on paper, is complete. In practice, a substantial portion of it is nominal.

Manual control proliferation produces an inverse relationship between the number of controls and the effectiveness of the control environment.

The second failure mode is selective attention. When the owner of a large manual control portfolio prioritises the controls they consider most important, the controls that receive genuine attention and the controls that receive nominal attention tend to diverge from the controls that the risk assessment would identify as highest priority. The controls that are easiest to execute well, or that have been most recently audited, tend to receive genuine attention. The controls that are hardest to execute — because they require real-time data, cross-system reconciliation, or judgment about ambiguous exceptions — tend to receive nominal attention, which means the controls on the institution’s highest-residual-risk activities are often the least well-executed.

The case for automation in the first line

Automated controls address both failure modes directly. A system-enforced segregation of duties cannot be bypassed through control fatigue — the system prevents the restricted action regardless of whether the first-line owner is paying attention. An automated reconciliation does not produce a nominal sign-off — it either reconciles the position or it flags an exception, and the exception requires resolution before the process can continue. The human error rate for an automated control is, by design, lower than for the equivalent manual control, and the execution quality does not degrade with the volume of controls or the workload of the control owner.

Segregation of duties in digital workflows

Segregation of duties is one of the oldest and most fundamental internal control principles. The person who initiates a transaction should not be the person who approves it; the person who holds custody of assets should not be the person who records them. For physical and branch-era banking operations, this principle was implemented through organisational structure and manual authorisation workflows.

In digital-first banking environments, the same principle applies but the implementation logic is different. The control that prevents one person from both creating and approving a digital transaction is not a management policy or an organisational reporting line — it is a system permission configuration. If the permission configuration is wrong, the segregation fails regardless of what the policy says. And if the permission configuration has drifted over time — through user access accumulation, system migrations, or informal access grants — the control failure may not be visible in any governance documentation.

In our engagements, access control drift is among the most common first-line control gaps in institutions that have grown rapidly or that have migrated core systems in the past three to five years. Users accumulate permissions that were granted for a temporary purpose and never revoked. System migrations carry over permission structures that were designed for the previous system’s architecture. Departments inherit access profiles from predecessors whose roles have changed. The result is a permission landscape that does not reflect the institution’s stated segregation-of-duties policy, and in which the first-line control is notional rather than enforced.

The discipline of periodic access certification — reviewing the actual permission profile of each user against their current role and revoking permissions that do not match — is the operational maintenance that keeps the segregation-of-duties control functional. Where access certification is done once as part of a system implementation and not maintained thereafter, the control decays at the rate of organisational change.

Rationalising the control inventory

The governance discipline of periodically rationalising the control inventory — assessing each control against the risk it is intended to mitigate, the effectiveness with which it is currently executing, and whether the risk would be better addressed by a different control design — is one of the less common investments in internal control management, and one of the more valuable.

The rationalisation process is not primarily about eliminating controls. It is about ensuring that the controls that exist are proportionate to the risks they address, that the highest-residual-risk activities are covered by the strongest controls, and that the first-line owner’s control capacity — which is finite — is concentrated on the controls that genuinely matter. Where the rationalisation surfaces controls that are nominal in practice, the choice is to automate, redesign, or remove — not to continue performing them as ritual.

The ICoFR annual assessment provides a natural occasion for this rationalisation. The effectiveness test applied to each control should include a realistic assessment of whether the control is being executed as designed and whether the execution is producing the intended risk reduction. Where a control consistently passes testing at a formal level while not producing meaningful risk reduction in practice, the assessment has not been completed to the standard that the ICoFR framework requires.

For a detailed treatment of internal control rationalisation and automation — including control design methodology, the automation decision framework, and the documentation patterns that support effective ICoFR assessment — see our discussion in the Library.