Everybody understands that strong controls over technology are crucial to effective corporate compliance, governance, and external reporting — but not enough people (myself included) understand how those IT controls are supposed to work. So when the Institute of Internal Auditors recently announced a certificate in IT general controls, I was intrigued.
What education need did the IIA see around IT general controls? Why are “ITGCs” becoming more important to risk and compliance assurance, anyway? And how are digital transformation, ITGCs, and corporate performance so dependent on one another that you need a solid understanding of all three if you want any one of them to succeed?
With those questions on my mind, I decided to call the IIA and ask. The result is the podcast at the top of this page. I spoke with Jim Pelletier, the IIA’s vice president of standards and knowledge; and Shawna Flanders, director of the IIA’s IT curriculum. You can hear our full conversation (13 minutes) above; and my own thoughts about ITGCs are also below.
First, a refresher on what IT general controls are for anyone who might be a bit shaky on the subject. The COSO framework for internal control defines ITGCs (in Principle 11, if you’re curious) as controls over “the technology infrastructure, security management, technology acquisition, development, and maintenance.”
More simply, ITGCs govern how your IT systems are built, changed, and operated. For example, controls that log who makes which changes to software applications, controls for automated backup of data, and controls over when and how software patches are applied to your ERP systems all qualify as IT general controls.
Without such controls, someone could amend application code to change how the application behaves, and you’d never know who did it. Or a patch might never be applied, leaving you exposed to attackers who know about the vulnerability it fixes. (That was the issue in the SEC’s $1 million enforcement action against Pearson last week.) Strong ITGCs give you the visibility to catch such lapses and the discipline to prevent them, which is what managing IT risk actually means.
We can say a few other things about ITGCs, too.
The Role That ITGCs Play Is Changing
Once upon a time, IT was its own business function, akin to HR or legal or product development. Sure, it was important, but IT was also highly specialized. So a company could leave ITGCs to dedicated IT auditors; or if you didn’t have any on staff, your existing audit team would just do the best it could to assess the effectiveness of ITGCs, in the same way that audit teams do the best they can to audit HR, legal, product management or other functions.
That state of affairs has changed. IT now drives business functions — so your ability to understand and assess IT risk is essential to govern operational, finance or compliance risks as well. You can’t assess and manage those risks independent of considering how IT systems support those business processes, and how weaknesses in IT control might undermine them too.
“It’s virtually impossible to audit something today without taking a look at the technologies underneath it,” Flanders said in our podcast. She’s right.
That’s not to say auditors ignored or overlooked ITGCs in the past. Rather, the importance of ITGCs has risen so swiftly that every auditor now needs a basic understanding of the field in order to keep addressing all the other risks they watch.
Boards Need This Depth Too
I have long said that corporate boards want to worry about cybersecurity and IT risk; they just don’t know how to worry about those things in an efficient, disciplined manner. Pelletier and Flanders didn’t echo my exact phrasing… but they didn’t disagree with my fundamental point, either.
For example, Pelletier said the IIA surveys corporate directors every year about their top risk management concerns and the knowledge that directors have about those concerns. The comfort gap for IT risk — that is, directors’ perception that IT is a big risk for the organization, versus their personal understanding of IT risks — is huge, and not getting any smaller over time.
“It’s a concern we’ve seen for years, that we haven’t seen that gap narrow between their perception of relevance and their own personal knowledge,” he said.
Nobody should be surprised by this. Board directors are mostly recruited for their strategic industry knowledge or financial acumen, not their understanding of IT risk. Again, however: the more IT becomes the driver of business processes and performance, the more IT risk entwines with corporate strategy and risk management. So if boards want assurance for business and compliance objectives, they’ll need to understand the plumbing behind those things, too.
Where should boards turn for that understanding? Internal audit should be the board’s source of advice on IT risks and, consequently, on IT general controls. That presumes internal audit itself knows enough about ITGCs to hold those conversations.
I understand the IIA’s commercial interest in talking up the need for better knowledge of ITGCs, since selling training and certifications is what the IIA does. That doesn’t dilute the basic point here: IT general controls are becoming hugely important to effective financial reporting, compliance, and cybersecurity programs. Risk assurance professionals of any stripe will need to know more about how ITGCs do and don’t work.
So if you’re an audit or risk professional thinking about career security, and wanting to skate where the puck is going to be, understanding ITGCs isn’t the worst idea.
Disclosure: The IIA does pay me to write an every-other-month column about board governance issues. The IIA did not pay me to write this, and didn’t even know I was going to do it until I called up asking for a podcast.