Assurance is moving from a compliance-focused function to a discipline that helps companies understand risk, make informed decisions, and strengthen long-term resilience. In Sri Lanka, technology-driven corporate transformations and recurrent economic shocks have made forward-looking assurance essential for boards to navigate emerging risks and protect stakeholder trust.
In a conversation with Echelon, leaders from Deloitte discuss assurance’s evolving impact and what the path ahead may look like in the coming years.
Anthony Crasto, President – Assurance, Deloitte South Asia, explains that assurance has evolved beyond statutory audit into a forward-looking discipline covering the management of technology, AI, sustainability, and business-model risks. Board accountability, he says, along with AI governance, risk sensing, and culture are key in this regard. He considers assurance to be a strategic enabler of trust, resilience, and long-term organisational viability, rather than a cost.
Malinda Boyagoda, Partner – Assurance Leader and Industry Leader for Financial Services, Deloitte Sri Lanka and Maldives, points out that Sri Lanka’s businesses have transformed much faster than their assurance frameworks. The Three Lines of Defence Model, a widely used mechanism for risk management and assurance, has not kept pace with rapid digitalisation, outsourced operating models, and AI advancements. Boards must now prioritise areas such as third-party service organisation risks, AI governance and sustainability assurance, and treat trust as a source of competitive advantage rather than merely a compliance requirement.
Rukshan Bharatha, Partner – Controls Assurance at Deloitte Sri Lanka and Maldives, highlights how data, analytics, and AI are reshaping audit quality and assurance. He notes that AI enables full population testing and boosts efficiency, but he also warns about the data privacy, security and cyber risks, underscoring the need for robust AI governance, technology risk management, and informed board oversight on these emerging risks.
Audit and assurance were often considered the same service. How is assurance changing and evolving on its own?
Anthony Crasto: Today, audit and assurance are really seen as two distinct areas. Audit is more about statutory audits of historical financial information, making sure the reported numbers are accurate and compliant, while wider assurance services are more advisory in nature, helping organisations improve processes, manage risks, and make better decisions. People sometimes use the terms interchangeably, but audit is focused on external verification, whereas assurance is more about providing independent views, guidance and insight.
Assurance remains a broad area, but specific verticals and capabilities drive different outcomes. Globally, its role is expanding beyond financial data to include business processes, technology, and other critical aspects of operations. With business models evolving rapidly, technology transforming how products are developed, delivered, and serviced, and geopolitical risks affecting supply chains and trade, boards and corporates are seeking assurance that risks are managed effectively, and future challenges are anticipated.
Organisations also want confidence that emerging technologies, including AI and agentic AI, are implemented with strong governance, robust processes, and appropriate controls. As companies pursue growth, assurance helps them navigate complexity and uncertainty while making informed decisions and sustaining long-term success.
Is assurance more a board responsibility or a management responsibility?
Anthony: Assurance involves responsibilities at multiple levels. Management takes the lead, addressing it through the first and second lines of defence. This ensures technology, new products, and regulatory compliance are properly managed, especially when entering new markets.
At the same time, the board and audit committee provide oversight, confirming that management has effective controls in place. This shared responsibility reflects the evolving approach to assurance, where both management and governance bodies play distinct but complementary roles.
From an assurance perspective, what are the biggest challenges businesses are facing today as a result of the events that we saw in recent years?
Malinda Boyagoda: The past five or six years have seen Sri Lanka face multiple crises, from the Easter attacks to COVID, financial instability, and most recently Cyclone Ditwah. Each of these events has had a significant impact on the economy and on individual organisations. What stands out is the extent of transformation that companies have undergone in response.
During COVID, there was a severe liquidity crunch and muted demand. Later, the financial crisis triggered hyperinflation and panic buying, forcing organisations to adapt their operating models. Subsequent currency fluctuations added another layer of complexity.
Throughout this period, our organisation has evolved alongside these changes, reflecting broader transformations within corporate structures. The question now is whether the three lines of defence have kept pace with these shifts. The first line involves management at the process level mitigating risks. The second line includes functions such as compliance and risk management, supporting those processes. The third line covers internal and external audits, providing oversight.
This period also saw several global changes, including digital transformation and the rise of AI. It’s not just local issues that have reshaped business environments.
I would say a business’ biggest assurance challenge is to ensure that all three lines of defence evolve in step with these transformations. This is the only way they will be able to manage risk effectively and maintain resilience.
Where does Sri Lanka stand currently with regard to these three lines of defence?
Malinda: There have been numerous corporate changes, such as our operating models, the way we undertake financial reporting, how we serve clients, and even how we integrate AI and technology into existing processes. However, if the three lines of defence continue to rely on traditional audit and compliance methods, such as manual files or spreadsheets, assurance may not keep pace with these changes.

It is essential that these lines of defence evolve alongside technological and operational shifts to ensure risks are effectively managed and oversight remains meaningful.
Anthony: Much of assurance in the past focused on what had gone wrong, but today the emphasis is on what can go wrong. This means organisations need to scan the horizon for emerging risks that could have severe impacts. Large organisations, especially financial institutions, cannot afford failures, as the consequences for the economy can be significant.
Assurance now not only provides confidence to boards, management, and investors but also identifies potential risks and ensures controls are in place to address them proactively.
India’s tech transformation is at the heart of its economic growth spurt. How has this impacted its business landscape?
Anthony: India is experiencing rapid growth, driven both by significant government infrastructure spending and by companies transforming themselves digitally and technologically. Today, many organisations are redefining their identity: banks increasingly position themselves as tech companies, while telecoms are moving towards media-focused models. These shifts are reshaping the very definition of what a company is and how it operates.
When we consider assurance across the three lines of defence, the first critical aspect is capability building. Understanding and addressing these changes requires the right skill sets and technical expertise at all levels, from management to advisory firms. Ensuring these capabilities are in place enables organisations to assess and respond effectively to evolving risks.
The second aspect is technology. The pace of change and the volume of data generated are immense, making technology-driven assurance essential. As a resource, data has become the new oil, and platform-based solutions allow for more accurate and efficient evaluation. In the second line of defence, management is increasingly implementing analytical tools, data mining platforms, and dashboards to access information directly from the source, rather than relying on manual processes like Excel. These solutions enhance oversight, provide real-time insights, and strengthen controls.
What role does data analytics, and now AI, play in the process of audit quality and risk assessment?
Rukshan Bharatha: If you really think about it, every discussion about modern assurance eventually comes back to technology. Previously, data was scattered everywhere, and getting a clear picture was a real challenge. Then the cloud arrived, bringing data together in one place. Analytics followed, helping us make sense of it, and now AI is taking things to a whole new level. It can learn patterns, use complex algorithms, even deep learning, and generate insights on its own.
This shift has completely changed the way audits are done. In the past, we relied on sampling and manual checks, often going through paper records. Today, centralised data and digital platforms mean that every transaction can be evaluated, data integrity can be verified, and controls can be tested systematically. We are using analytics and data science to test 100% of relevant data instead of just a sample, which reduces audit risk and gives much deeper assurance.
AI has also transformed efficiency. Tasks that once took weeks or even a month can now be done in hours if the data is fit for purpose and algorithms are applied correctly. Generative AI is already changing the game, and agentic AI is starting to extend that even further. Overall, technology has moved audits from manual, sample-based exercises to fully data-driven, analytical, and highly efficient practices, allowing us to deliver assurance that is faster, smarter, and far more reliable than ever before.
How is the shift towards forward-looking assurance playing out in Sri Lanka? Where are the opportunities and challenges?
Rukshan: The shift towards forward-looking assurance in Sri Lanka is widely visible, particularly across top companies. Instead of focusing only on past compliance or errors, organisations are looking at data, analysing patterns, and trying to extract real value from their systems. Therefore, a major opportunity lies in IT and technology investments. Companies want assurance that these systems are properly controlled and that the data feeding into them is accurate and fit for purpose.
Anthony: If you look at a large tech company’s system architecture, they will have anywhere between 100 to 150 applications interacting with each other before the data moves into the Enterprise Resource Planning (ERP) system. The data flows from a multitude of sources, and these interactions are what contribute to overall complexity, especially since each source must be accurate and free of manipulation.

Traditional models are evolving now, increasing complexity further. We see this in retail companies, which may now have financing, digital, e-commerce, or quick commerce arms, each with its own applications feeding into the ERP. Each raises concerns on data integrity, system controls, and overall security.
That said, I think the biggest risk we face is in cybersecurity, which is compounded by many boards not understanding all the layers involved. They don’t know who’s providing assurance on the infrastructure, the applications, the data, and the governance around these systems, or whether these risks are being addressed in a holistic and coordinated manner.
Beyond cybersecurity, boards are also increasingly focused on cultural, sustainability, and regulatory risks, as behaviours and decision-making directly affect how controls operate in practice.
Rukshan: AI has now invalidated the traditional approach to IT risk. It requires a different set of frameworks and governance practices to be valuable. We know that AI can provide great value to businesses, if implemented right.
How would you assess the uptake of assurance services in Sri Lanka?
Malinda: From an assurance perspective, I see uptake in some traditional lines of service in terms of how technology is applied and implemented in delivery. More teams are aware of risk-based approaches so the focus on data analytics and governance has increased.
In the local context, some assurance initiatives are driven by regulations. In sectors like banking, there is structured reporting on internal controls, including how directors assess and report on their effectiveness, as well as enhanced corporate governance disclosures.
However, it is questionable whether we give the same amount of attention when it is not mandated. AI governance is one such example. For instance, if you consider how many Sri Lankan companies outsource their payroll to third-party service providers and see whether those companies have sought assurance over the systems, processes, and procedures of such third parties, the answer in most cases would be “No”.
As Anthony noted, in many organisations there are scores of peripheral applications interfaced with the ERP system, and some of these applications may be run by third parties. It is good that boards are focusing inward in terms of controls, but they should also be reconsidering their reliance on these external providers, especially those who manage systems that are critical to their operations. They must be certain that every provider’s system is secure, and their cybersecurity practices are up to expected standards.
Anthony: Another important aspect is the cost that an organisation can spend protecting itself. Just as a car can reach high speeds because it is confident in its brakes, an organisation can drive growth if it invests enough in assurance. It is valuable because it helps protect the brand, manage risk effectively, and stay competitive.
This is why audit committees and boards must commit enough time and funding to ensure their organisations’ audit functions are up to the task of taking risks head on. We need to change the mindset from assurance being a cost centre to a mandatory safety expenditure. It cannot be overlooked.
As Sri Lanka’s financial sector expands overseas, it’s going to draw increased scrutiny from global regulators as well. They will have to raise their bar for governance to comply with international expectations.
Rukshan: Yes, it’s not about looking at the past to form a comfortable picture. It’s about looking ahead and analysing systems to make sure they’re robust enough to handle the future.
How should companies approach AI governance? Is there something they’re missing?
Rukshan: Everyone’s looking for the benefit that AI promises, but what makes AI platforms fit for purpose is governance. We can’t have ‘shadow’ AI where people independently bring in various AI applications and use them behind the scenes. Every action should be taken as per company policy, keeping within the risk appetite of the board.
Every action that deviates from this brings undue risk to the company, and AI by its nature can turn this into dire consequences. We have already seen case studies of companies devastated in a matter of hours due to the improper use of AI.
This is why the tone should be set at the top. The policies must be nailed down, with controls and procedures in place at the operational level to ensure employees understand how to comply with the overall structure. AI champions can be appointed, committees can be set up, and so on, to ensure AI is offering real business value rather than fanfare and undue risk.
Anthony: The board’s role here is critical. Members need to understand how many AI projects the organisation is running, which committees are overseeing their progress, what the expected outcomes are, and so on.
The EU has provided a framework for AI, and the National Institute of Standards and Technology (NIST) offers a means for risk management. Boards need to address how AI development accounts for bias, hallucinations, data privacy, and other risks.
Chatbots can interface with customers, but they can misrepresent a brand without governance. If it offers the wrong products, this impacts the brand’s reputation. Cases like this are why the importance of oversight cannot be understated.
What about people using their personal AI assistants to help with their work? Do policies account for this?
Anthony: You should not use personal assistants for corporate uses. I know of an actual case where a large manufacturing company employee put all their design data into ChatGPT to check for recent changes.
Whether it can do this or not is irrelevant. Once information is shared, it enters the public domain.
Therefore, great care must be taken with confidential data. Even Deloitte operates its own closed network to prevent such leaks. Every company should build closed networks to ensure their data remains within the organisation.
Rukshan: I know of another company that was pasting their code into an AI platform to check its accuracy. By doing so, they were unwittingly leaking their proprietary data via regular web traffic. I believe this company eventually ceased using that particular platform after this came to light.

Anthony: Such code can carry login credentials as well, exposing the network to hackers.
Malinda: Locally, we focus on governance, helping large financial services companies review their procedures. In my view, their boards recognise the responsibility they have in preventing such incidents, especially with increased accountability brought about by legislation like the Companies Act and the new Banking Act.
They know what kind of weight, responsibility, and liability their decisions will carry.
However, what’s interesting is boards make these decisions based on the information they receive. If all the risk factors we’ve discussed can threaten the accuracy of the information they receive, and if there is no third party or independent layer to give them assurance regarding accuracy, then they risk making decisions based on bad information.
I think this needs to be understood more widely. We need to connect how these risk factors translate into personal responsibility and liability to certain individuals.
Rukshan: No one can make good decisions without information that is fit for said purpose. If the integrity of the information they use is not preserved, it’s a serious problem.
Anthony: We’re also seeing leadership becoming more concerned with fake news. It is easier than ever to sabotage a product with synthetic information, thus affecting the brand’s reputation.
The Securities Exchange Board of India requires boards to report an issue within 24 hours of identification. As AI becomes more prominent across the country, it’s becoming more important to quickly decipher what’s real and what’s fake, because content that goes viral across social media can damage a brand well before any mitigating action is taken.
Risks and failures are becoming more widespread in Sri Lanka. What frameworks are available to the assurance service providers to respond to this?
Malinda: If the first, second, and third lines of defence work as intended, then we can identify and deal with most risk factors. From the perspective of formal standards, Sri Lanka has always proudly adopted the latest frameworks to engage with those spaces. Sri Lanka adopted the International Standard on Assurance Engagements (ISAE) 3000 series, and then more recently, the Sri Lanka Standard on Sustainability Assurance (SLSSA) 5000 series. We also have the Agreed-Upon Procedures (AUP) platform. These frameworks give us sufficient ability to address evolving concerns.
Like I said, though, the issue is that companies tend to seek assurance mostly when it is regulated and mandated. Having seen the kind of risks that are prevalent in this environment, I am sceptical that enough companies understand how vital assurance is for them. They’re not taking the initiative outside compliance. A competitive advantage does not only come from the brand or products. “Trust” also contributes to competitive advantage, and assurance will be one way trust is earned.
With ESG and integrated reporting now becoming mainstream in Sri Lanka, how crucial is independent assurance over sustainability disclosures?
Anthony: Global regulations are gaining traction, so it’s critical to include independent assurance on your sustainability reports. Any statement shared with shareholders must be independently verified, because we have come across many board members and stakeholders who want to be sure no greenwashing is taking place.
For one, independent assurance helps put your business’ narrative in the right perspective, but it also helps in situations where much of your data is captured manually. Water consumption, for example, might be tracked via flow meters, which are unlikely to be connected to Internet of Things (IoT) devices. You need to ensure that reported figures are accurate, and that’s why independent assurance is so important.
Does independent assurance help prevent companies from cherry-picking ESG data?
Anthony: India has guidelines and specific definitions that form a baseline of reporting that companies must adhere to, so it’s not left to individual leadership committees to decide. They can always report more than they are obligated to, but that baseline means you can look at specific KPIs holistically.
You might have 10 plants and prefer to highlight four because they’re performing well, but we all understand that’s not right. On the other hand, if you say nine out of 10 plants are performing well this year, but next year say only one plant is performing poorly, you have changed the narrative despite not moving the needle.
This is where independent assurance comes into play. It helps you frame the narrative correctly and show your actual growth.
Are Sri Lanka’s sustainability reporting standards currently voluntary or mandatory, and does adopting them meaningfully reduce the risk of greenwashing?
Malinda: Assurance is voluntary. The purpose of introducing the sustainability standards is to reduce discretionary or judgement-based reporting and bring greater structure and consistency to sustainability disclosures.
They clearly define the minimum disclosures required. Companies must not only assess and report on sustainability-related opportunities but also risks and governance practices, adopting a more holistic approach. Over time, adoption is likely to become mandatory for most sectors, and the uptake on assurance over sustainability reporting will also increase. This should lead to meaningful improvements in the overall quality and reliability of sustainability reporting.
Anthony: Sustainability reporting is not just about disclosure. It is also about highlighting best practices across organisations. When companies comply with reporting requirements, they may follow a particular method of collecting and presenting sustainability data. However, should one find a better approach, sharing these insights allows others to strengthen their processes and elevate their sustainability practices to the next level.
That said, sustainability is not only a reporting or assurance matter. In my view, it is fundamentally an engineering challenge. While assurance plays an important role in validating disclosures, real progress depends on technical innovation. Take a simple example: reducing air conditioning usage by setting temperatures at 24°C instead of 18°C may help, but it does not address the root issue. In a hot climate, cooling is necessary. The better question is whether buildings can be designed differently so they require less artificial cooling in the first place.
Engineering can solve that problem rather than bluntly saying don’t use an air conditioner. You can take another look at your building’s design and perhaps make air conditioning less necessary.
Rukshan: Speaking of heating and cooling, large language models (LLMs) that run in data centres often consume huge amounts of energy. This has raised concerns about the carbon footprint they eventually produce.
Anthony: We deploy certain assets that help in data compression, reducing how much space is needed in the cloud. This helps reduce environmental impact. Another example is there are also tools that assess the colour palette of your web pages, determining their environmental impact. A simple palette change can help reduce emissions. Little changes like this still go a long way.
At board level, is assurance primarily the responsibility of the audit committee, or does the full board play a broader role in overseeing risk and assurance?
Malinda: Managing corporate affairs and an entity’s risk is the responsibility of the full board, but organising which specialised teams or individuals take charge of specific areas is equally important. In that structure, the audit committee plays a pivotal role from a risk, control and governance perspective. It continues to lead on assurance-related matters while ensuring that the first and second lines of defence operate effectively and in line with expectations to mitigate risks appropriately.
Audit committees and boards both have a responsibility to all stakeholders, including regulators, customers, the wider public, and so on. This is why it’s critical that the decisions they make are based on accurate information.
Can boards still assume they have all the necessary skills from day one, as might have been possible 20 years ago?
Anthony: Boards are increasingly delegating operational oversight to specialised subcommittees. You now see Audit and Risk Committees, Sustainability Committees, Technology Committees, CSR Committees, or Stakeholder Grievance Committees focusing on the details while the full board retains overall accountability. At the same time, boards are reassessing their own skill sets. Where the focus was once primarily on finance and accounts, there is now a greater need for expertise in technology, strategy, and even economics to navigate geopolitical risks and supply chain shifts.
Boards are also bringing in younger members, recognising that contemporary risks like cyber breaches, reputational issues, or fast-moving market disruptions require relevant, up-to-date knowledge. To address these challenges, boards either recruit specialists directly, include them in committees, or ensure management engages expert support. The goal is to augment decision-making capabilities and provide the board with sufficient assurance over critical risk areas.
Rukshan: Even in the Sri Lankan context, boards rely on specialised teams and committees to provide the knowledge they need to understand complex issues. Information security, cybersecurity, and Board Integrated Risk Management Committees (BIRM Committees) all offer concurrent insights to keep the board informed. Without this input, it would be very challenging for boards to grasp the full context. In many cases, CTOs or other technology leaders represent subcommittees to ensure the technological landscape is properly managed, helping the board navigate critical business and cyber risks effectively.
Malinda: Note that some of these committees exist because they are mandated by regulation. The question is whether they should be limited to regulated industries or whether there ought to be widespread use of such specialised and independent committees across all industries. I think the economy would benefit from this practice, as better governance can help tap into stable sources of foreign direct investments.
Anthony: Another area that we are driving a lot is educating and enhancing the capabilities of existing independent directors. Information becomes outdated swiftly, so they need to be constantly informed of developments in regulatory spaces, emerging risks, and more.
We’re running an independent directors training forum in India called Saarthi, offering a curated programme in various topics to continually upskill directors on emerging impacts. This is an example of the kind of ongoing guidance directors must receive so they understand the issues at large, what their implications are, and what their responsibilities are in relation to said issues.
This continuous growth has another purpose: it helps in nation building. The better a country’s boards, the better their respective organisations will grow, and in turn the nation will grow as well.
What should companies do immediately to ensure their assurance frameworks address emerging but under-recognised risks?
Rukshan: Businesses cannot afford to overlook technology and AI. They must embrace these tools and explore how to create real value from them. The challenge, as we discussed, is that only a handful of companies or those in highly regulated industries truly understand these risks.
Boards, audit committees, and supporting subcommittees need to grasp technology dependencies and associated risks and ensure management and assurance processes address them proactively. Without this, issues like fraud or misappropriation can escalate, sometimes with catastrophic consequences. Continuous technology assurance must become a core part of board oversight and organisational practices.
It is not common to find board subcommittees in Sri Lanka that focus exclusively on technology and AI risks. In most industries, these areas are only lightly addressed. Even in the financial services sector, which is more regulated, dedicated technology oversight is rare.
Many other sectors also rely heavily on technology; however, if the related risks are not managed properly, the impact can be significant for the company as well as the wider economy. Boards must ensure these risks are addressed and that their technology programmes are designed to be future proof.
What should Sri Lankan business leaders and audit committees be doing now to future-proof their assurance frameworks?
Malinda: The frameworks are there if the goal is to future-proof assurance; it is the usage of such frameworks that needs to be more widespread.
I would summarise it in three points. First, future-ready assurance starts with future-ready decision making. Greater awareness at board and management levels helps enable that. Second, those charged with governance and management need to understand the personal responsibility placed on them by laws and regulations, especially in emerging risk areas. Finally, assurance should not be seen as a mere compliance requirement or a cost. Trust itself can be a competitive advantage and recognising that helps set the right context for future-proofing assurance.
Anthony: I agree that trust and credibility are core to any organisation that understands it operates as a long-term entity.
To achieve this, the board and management teams can begin by developing a strong risk management framework within the organisation. They need to identify both current risks and future risks based on their strategies, whether it’s a two- or five-year plan. It’s important to assess the risks inherent in the strategy and the risks that the strategy itself may create. Getting this right lays the foundation for informed decision-making and effective risk management across the organisation.
Boards also need to understand how organisations are identifying and monitoring risks. Companies are increasingly using risk sensing tools that scan global data, flag potential issues, and highlight strengths. Data scientists then analyse this information to make it relevant for the organisation.
The focus should be on turning knowledge into actionable insights and applying it to the risks the organisation faces today and those it may face tomorrow.
Second, the organisation should support a culture of bringing issues to the board. It’s great to know when good news arrives, but it is more important to know the bad news first. The response to any issue should not be to sweep it under the carpet and leave it to potentially worsen over time. It must be brought to a management team who can address it promptly.
Third, a board needs to consider their organisation’s viability over a five-year period. Some European legislation goes so far as to require boards to certify the viability of a company for eight years. Disruption can take place quickly, and stakeholders ultimately lose if a company goes under, so it is important to look ahead and identify the possibility of technological, market, or competitive disruptions.
A lot of boards and committees spend time on risk, controls, and compliance, but I think they ought to focus on strategy as well. Strategy is what drives the company, so while development is necessary, active review ensures that risks and opportunities are properly managed. Their knowledge as board members and as leaders in the Sri Lankan community is what will help their company do better.


