How To Verify Critical Controls Are Working
Having a critical control and having an effective one aren’t the same thing. Here’s what “effective” means in this context – and why the distinction matters.
How do you verify a critical control is working?
Key takeaway: Verifying a critical control means asking – and being able to answer – whether it’s in place and working under actual operating conditions. That question needs to be asked at two levels: by the people close to the work, and by the leaders responsible for governance. What “in place and working” looks like will vary by organisation and control type. The discipline of asking it consistently shouldn’t.
An earlier post in this series established what an effective critical control requires: it has to be both in place and working. Those are two separate tests, and a control can pass the first while failing the second.
The harder question is how you know.
Most organisations have a reasonable sense of what controls they’ve put in place. What’s harder – and more important – is having a reliable way to confirm, on an ongoing basis, that those controls are doing their job. That’s what verification is for.
What verification actually means
Verification isn’t a specific method or format. It’s defined by the question being asked.
A check that asks “is this thing present and compliant?” is a different exercise from one that asks “is this control in place and working?” Both might involve looking at the same equipment, talking to the same people, reviewing the same records. What distinguishes verification is the intent – confirming the control is achieving its protective purpose, not just that it exists.
What “in place and working” looks like will vary. Different organisations, different industries, different control types will each have their own answer to that question. That’s as it should be – the standard needs to reflect the actual work and the actual risk. What verification provides is a consistent way to ask the question and record the answer over time.
The key thing verification isn’t: a point-in-time event. An annual audit can tell you what the situation was on the day. Verification is the discipline of asking the question on an ongoing basis – frequently enough that gaps don’t go undetected for months before anyone notices.
Two levels of verification
Verification needs to happen at two levels – and both matter.
Operational verification is the question being asked close to the work. The people doing it or supervising it are best placed to know whether a control is functioning as intended in practice – whether it’s being applied correctly, whether conditions have changed, whether there’s any drift from how it’s supposed to work. This is where the real-world picture of control effectiveness lives.
What this looks like in practice will depend on the control and the organisation. It might be a structured check completed by a supervisor before work begins. It might be a periodic review by an operations manager. The format matters less than the question being consistently asked and the answer being recorded.
Governance verification is the question being asked at the leadership level – not about individual controls, but about whether the operational verification process itself is working. Are the right questions being asked, by the right people, at the right frequency? Are the answers reliable? Are gaps being surfaced and acted on?
This is where boards and executives engage with critical risk. Not by conducting operational checks themselves, but by having enough visibility of the verification process to be confident it’s functioning. The officer duty under HSWA 2015 requires exactly this – boards and executives must verify that critical risk systems are working, which means they need to be able to see that the verification process is actually happening and producing reliable information.
The two levels reinforce each other. Operational verification generates the picture of control effectiveness. Governance verification ensures that picture is accurate and complete – and that when something isn’t working, it gets addressed.
What gets recorded – and why it matters
Verification without a record is difficult to rely on. If a control is checked but nothing is recorded, there’s no way to track whether the checking is happening consistently, no way to identify patterns in how controls perform over time, and no way for governance to confirm the process is working.
What a record needs to contain isn’t complicated:
- Which control was verified
- When it was verified and by whom
- Whether it was found to be in place and working
- If not, what the gap was and what action was taken
That record serves two purposes. Operationally, it creates accountability and a basis for follow-up. At the governance level, it’s the evidence that due diligence is being exercised – that verification is happening, not just being assumed.
This is the distinction that matters most for boards and executives. A report that says “our controls are in place” is an assertion. A record that shows what was verified, when, by whom, and what the outcome was is evidence. Under HSWA 2015, the officer duty requires the latter – not just assurance that systems exist, but the ability to verify they’re operating.
What this discipline looks like over time
Verification done well isn’t a project with a start and end date. It’s an ongoing discipline – a rhythm of asking the right question, at the right levels, often enough that gaps get caught before they become incidents.
What that rhythm looks like – how often different controls need to be verified, and by whom – is worth thinking through carefully. It varies by control type, consequence severity, and the stability of the work environment. A control in a high-consequence, variable environment needs more frequent verification than one in a stable, well-established setting.
How to set that cadence, and what factors should drive it, is the next piece in this series.
Frequently asked questions
What does it mean to verify a critical control? It means checking that the critical control is in place and working – serving its protective purpose in real world conditions.
Who is responsible for verifying critical controls? Operations and governance teams share this responsibility, and the two levels reinforce each other.
What should a critical control verification record contain? Which control was verified, when it was verified and by whom, whether it was found to be in place and working and if not, what the gap was and what action was taken.
How is verification different from an audit? Audits tell you the status of a critical control on the day the audit was done. Verification requires you check those same critical controls on an ongoing basis, so you can identify and fix gaps as soon as possible.
Critter is built by IMPAC – New Zealand’s leading health and safety company, with 27 years of experience guiding organisations through complex critical risk challenges. Learn more about IMPAC.
