The importance of IT General Controls

Matt Kelley of Radical Compliance has shared an interview he had with a couple of people from the IIA about IT General Controls (ITGC). It’s in a podcast that you can find, with a write-up, here.

Matt’s piece is worth reading, although I have slight disagreements with these comments:

IT now drives business functions — so your ability to understand and assess IT risk is essential to govern operational, finance or compliance risks as well. You can’t assess and manage those risks independent of considering how IT systems support those business processes, and how weaknesses in IT control might undermine them too.

My problem, slight as it may be, is with the very first part, that “IT drives business functions”. It certainly should not!

Technology supports business functions, as the last part of the excerpt correctly states.

It is important to understand that, similarly, risks to IT processes, systems, and assets only matter in terms of how they affect business risks, and enterprise business risks at that.

In order to understand ITGC as a source of business risk, you need to understand how business controls rely on technology, and then how weaknesses in ITGC processes could affect the continued and proper functioning of (the automated part, including reports of) controls in business processes relied…
