How To Set Critical Control Verification Frequency

Critical control verification cadence shouldn’t default to audit cycles or gut feel. Here’s how to set a starting frequency — and how to know when to adjust it.


Verification cadence should be tied to how often the control is relied on, not calendar time. A useful starting point: verify a critical control once for every ten interactions with it (10% rule of thumb). As controls prove reliable, frequency can be scaled back – but how far back should be governed by the nature of the risk, not just the track record. Conversely, if controls aren’t proving reliable, frequency may need to be scaled up. 


Most organisations that start taking critical control verification seriously run into the same question quickly: how often is enough? 

It’s a reasonable thing to wonder – and the answer most people land on is some version of “regularly” or “in line with our audit cycle.” Neither is wrong, exactly. But neither gives you a basis for being confident you’re catching gaps before they become incidents. 

Verification cadence is worth thinking through more deliberately than that. 


The most useful way to think about verification frequency isn’t in terms of time – it’s in terms of activity. How often is a given control being tested by real work? 

A practical starting point, drawn from IMPAC’s experience working with organisations on critical risk: verify a control once for every ten interactions with it. 

If a piece of equipment is used 100 times in a given period, verify the relevant control 10 times across that period. If a procedure is followed 50 times, verify it 5 times. The frequency tracks the exposure – the more often a control is being relied on, the more often you need to confirm it’s working. Another way of looking at it is that the frequency of verification must give you confidence that it reflects the actual state of the control in the field at any time. 

This isn’t a rigid formula. It’s a starting point that gives you something concrete to work from, rather than defaulting to a schedule that has no relationship to how much work the control is doing. 


Once verifications are passing consistently – the control is repeatedly found to be in place and working – there’s a basis for scaling frequency back. Moving from verifying 1 in 10 interactions to 1 in 15 or 1 in 20 may be reasonable when the track record supports it. 

But “the track record supports it” isn’t the only test. Before reducing frequency, it’s worth asking two questions about the control and the context it operates in: 

How stable is this control? Some controls are inherently reliable – well-established, simple to apply, rarely affected by changing conditions. Others are more variable: dependent on individual behaviour, sensitive to environmental factors, or frequently bypassed under pressure. Less stable controls need more frequent verification, regardless of recent track record. 

How much is the work environment changing? Controls that were adequate for stable, well-understood work may not keep pace with change – new people, new equipment, new pressures, new conditions. When the environment is shifting, recent verification history is a less reliable guide to current control effectiveness. 

These two factors don’t produce a precise number. What they do is give you a principled basis for deciding how far to reduce frequency – and a check against reducing it further than the risk warrants. 


Setting a verification cadence is a two-stage exercise. Start at 10% of activity. Track the results. When the track record is consistently positive, consider scaling back – but use the two factors above to determine how far. 

The companion resource below walks through both stages as a simple decision tool. It’s designed to be used in a team setting – something you can work through with the people responsible for managing and verifying your critical controls. 


Download our one-page PDF guide to help your team work through setting the critical control verification frequency that’s right for you.


How often should you verify critical controls to start with? Use 10% as the rule of thumb, verifying the control once for every ten interactions with it.

What factors determine ongoing critical control verification frequency? How stable the control is and how much the work environment around it is changing.

When can you reduce verification frequency? When you can prove a consistent track record of passed verifications and the two-factor check around stability and environment supports it.

What’s the difference between verification cadence and audit cycles? One is activity-based and one is calendar-based.


Critter is built by IMPAC – New Zealand’s leading health and safety company, with 27 years of experience guiding organisations through complex critical risk challenges. Learn more about IMPAC.