The conference room went silent. The CFO had just asked a simple question: "Can someone explain why our financial reporting controls passed last year but failed this year when nothing changed?"
I watched the IT director shift uncomfortably in his seat. The external auditor cleared his throat. And I knew exactly what had happened—they'd overlooked COSO IT controls, assuming that "IT stuff" was separate from financial reporting.
It wasn't. And that assumption had just cost them their clean audit opinion and triggered a complete reassessment of their internal controls.
After spending over 15 years conducting IT audits and helping organizations navigate COSO frameworks, I've learned one undeniable truth: technology controls aren't optional add-ons to your COSO framework—they're the foundation that everything else stands on.
Let me show you why, and more importantly, how to get it right.
What Makes COSO IT Controls Different (And Why Most Auditors Get This Wrong)
Here's something that drives me crazy: I constantly meet organizations that think COSO is just about financial controls, while IT controls are "someone else's problem."
Wrong. Dead wrong.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework recognizes that in a digital-first world, every financial control ultimately relies on technology. Your journal entries? They live in a system. Your three-way match for accounts payable? Automated by software. Your segregation of duties? Enforced through access controls in your ERP.
When technology controls fail, everything fails. I learned this the hard way.
The $4.2 Million Lesson
In 2017, I was brought in to help a mid-sized manufacturing company after their auditors identified a material weakness. The issue? Their IT general controls (ITGCs) were so weak that the auditors couldn't rely on ANY of their automated controls.
The company thought they had strong financial controls. Their finance team was excellent. Their procedures were documented. Everything looked good on paper.
But when we dug into the technology layer, we found chaos:
23 people had administrator access to their ERP system (they had 180 employees total)
No logging of who changed what in the financial systems
Developers could push code to production without approval
No backup testing in over 18 months
Access reviews hadn't been done in two years
The remediation took 14 months and cost $4.2 million. The stock price dropped 18% when they announced the material weakness. Two senior executives "retired."
All because they treated IT controls as an afterthought.
"In modern business, there's no such thing as 'just' an IT control. Every control is an IT control, because every business process runs on technology."
The COSO IT Control Framework: What You're Actually Assessing
Let me break down what COSO IT controls really mean in practical terms. This isn't theory—this is what I look for when I walk into an organization to conduct an IT audit.
The Five COSO Components Through an IT Lens
COSO Component | IT Control Focus | Common Pitfalls I've Seen | Real-World Impact |
|---|---|---|---|
Control Environment | IT governance, security policies, organizational structure | IT reports to CFO instead of having independent oversight | IT decisions driven by finance needs rather than security requirements |
Risk Assessment | Technology risk identification, change management, threat assessment | Annual risk assessment that ignores emerging threats | Ransomware attack because nobody assessed cloud migration risks |
Control Activities | Access controls, segregation of duties, change controls, automated controls | Relying on manual controls when automation exists | Manual journal entries bypassing system controls, leading to fraud |
Information & Communication | System interfaces, data integrity, reporting accuracy | No monitoring of interface failures between systems | Revenue misstatement because sales system didn't sync with GL |
Monitoring Activities | Continuous monitoring, security logging, control testing | Set-it-and-forget-it mentality | Privilege creep resulting in terminated employees retaining access |
Let me tell you what each of these really means when you're in the trenches.
Control Environment: The Foundation That Everyone Ignores
I walked into a financial services company in 2019 that had "excellent" IT controls on paper. They'd spent $800,000 on a governance, risk, and compliance (GRC) platform. They had 200+ pages of documented policies.
But their control environment was fundamentally broken.
How did I know? In my first week, I observed:
The CIO reporting to the CFO (creating a conflict of interest for financial reporting)
IT budget decisions made entirely based on finance department needs
Security team recommendations routinely overridden by business pressure
No IT steering committee or independent governance body
Their policies were beautiful. Their implementation was terrible. And it all stemmed from a weak control environment.
What a Strong IT Control Environment Actually Looks Like
After working with dozens of organizations, here's what I've found works:
Organizational Structure:
IT leadership with direct board access
Independent information security function
Clear escalation paths for control failures
Separation between development, operations, and security
Tone at the Top:
Executive team that understands technology risks
Board-level technology committee
Regular IT control reporting to audit committee
Consequences for control violations (yes, even for executives)
Policies and Procedures:
Written and approved by appropriate stakeholders
Reviewed at least annually
Actually followed (I know, revolutionary concept)
Enforced through technical controls, not just training
I helped a healthcare organization transform their control environment in 2021. We didn't change their systems or spend millions on new tools. We restructured their governance:
Created an IT steering committee with C-suite representation
Gave the CISO direct reporting to the CEO
Implemented quarterly board reporting on IT risks
Established clear accountability for control ownership
Within six months, their control failures dropped by 67%. Not because the technology changed, but because the environment around it did.
"You can't control what you don't govern. And you can't govern what doesn't report to anyone who cares."
Risk Assessment: Where Most Organizations Stop Thinking
Here's a question I ask every organization I audit: "When was your last IT risk assessment?"
The answers I get are depressing:
"We did one when we implemented our ERP five years ago"
"IT does that, right?" (narrator: IT doesn't do that)
"We assess risks in our annual audit planning"
"What's an IT risk assessment?"
Let me be blunt: if you're not continuously assessing IT risks, you're not following COSO, and you're probably not compliant.
The IT Risk Assessment I Actually Perform
When I conduct a COSO IT audit, here's my risk assessment methodology:
Risk Category | Assessment Questions | Evidence I Require | Red Flags That Trigger Deep Dives |
|---|---|---|---|
Access Risk | Who has privileged access? How is it managed? When was it last reviewed? | Access lists, review logs, approval records | >5% of users with admin rights, reviews >90 days old |
Change Risk | How are system changes managed? Who approves? How are emergencies handled? | Change tickets, approval workflows, emergency change log | >10% emergency changes, changes without approval |
Availability Risk | What's your RTO/RPO? When did you last test DR? How quickly can you restore? | DR plans, test results, restore time logs | No testing in 6+ months, RTO >24 hours for critical systems |
Data Integrity Risk | How do you ensure data accuracy? What controls prevent unauthorized changes? | Reconciliation records, interface monitoring, data quality reports | Manual reconciliations, unmonitored interfaces |
Security Risk | What protects against external threats? How do you detect intrusions? | Vulnerability scans, penetration tests, SIEM logs | High/critical vulns >30 days old, no active monitoring |
A Risk Assessment That Saved Everything
I'll never forget a manufacturing client in 2020. During my risk assessment, I noticed something odd: their financial planning system had a direct network connection to their production control systems.
"Why?" I asked.
"For efficiency," they said. "We can pull real-time production data for cost accounting."
"And what happens if someone compromises your financial system and moves laterally to production systems?"
Silence.
We ran a tabletop exercise. I played the role of an attacker who compromised the financial planning system through a phishing email. Following actual network paths, I showed how I could reach their production control systems within 15 minutes.
The production line that generates $40 million in revenue per month could be shut down by someone targeting the finance department.
They implemented network segmentation within 60 days. Six months later, they actually got hit with ransomware through—you guessed it—a finance department phishing email. The attack spread to 40 systems.
But it couldn't reach production. The manufacturing line never stopped. The company survived.
That's what proper IT risk assessment does—it identifies the scenarios that seem far-fetched until they aren't.
Control Activities: The Technical Controls That Actually Matter
Let's get into the nitty-gritty. When I conduct a COSO IT audit, here are the control activities I assess:
1. IT General Controls (ITGCs)
These are the foundation of everything. If your ITGCs are weak, I can't trust any automated control in your environment.
Access Controls:
Control Objective | What I Test | Pass Criteria | Typical Findings |
|---|---|---|---|
Segregation of Duties | User access matrix vs. role definitions | No SOD conflicts for critical combinations | 15-30% of organizations have developers with production access |
Privileged Access Management | Who has admin rights and why | <3% of users with elevated privileges | Average organization: 12-18% have unnecessary admin access |
Access Reviews | Quarterly certification of access | 100% of access reviewed within 90 days | 60% of organizations skip these or rubber-stamp them |
Terminated User Access | Deprovisioning process | Access removed within 24 hours | Average time to revoke: 3-7 days (scary, right?) |
I audited a financial services firm last year that thought they had great access controls. Then I ran a simple test: I pulled a list of everyone with access to their general ledger system and cross-referenced it with HR records.
Results:
7 terminated employees still had access (one had been gone for 11 months)
23 contractors with the same privileges as full-time employees
14 people in finance with both accounting and approval rights
3 users with "test" in their name who nobody could identify
They'd been passing their SOX audits for years because their auditors only looked at access to specific accounts, not system-level access. The controls looked good in isolation but were fundamentally broken.
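The cross-reference described above, scripted as an added example (this is not the author's own tooling): it joins a general-ledger access export against an HR roster and flags the four patterns from the findings list plus the two thresholds from the risk-assessment table. Both extracts are constructed inline, and the field names, role names and the toy SOD matrix are assumptions about what an ERP access export and an HRIS extract would contain.

```python
"""Access export vs HR roster cross-check (added example; not the author's own script).

Both inputs are constructed inline.  Field names, role names and the SOD pairs are
assumptions about what a GL/ERP access export and an HRIS extract would contain.
Thresholds come from the risk-assessment table: >5% admin users, reviews >90 days old.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

AS_OF = date(2024, 3, 1)          # fixed "as of" date so the run is reproducible
ADMIN_RATE_THRESHOLD = 0.05       # red flag: more than 5% of enabled users hold admin rights
REVIEW_AGE_LIMIT_DAYS = 90        # red flag: last access certification older than 90 days
ADMIN_ROLES = {"SYSTEM_ADMIN"}
# Role pairs one person must never hold together (toy SOD matrix; an assumption)
SOD_CONFLICTS = [
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
    frozenset({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}),
    frozenset({"VENDOR_MASTER_EDIT", "AP_PAYMENT_APPROVE"}),
]

@dataclass
class Account:
    user_id: str
    roles: FrozenSet[str]
    enabled: bool
    last_reviewed: Optional[date]   # None = never certified

@dataclass
class Person:
    user_id: str
    employment_status: str          # ACTIVE / TERMINATED
    worker_type: str                # EMPLOYEE / CONTRACTOR
    termination_date: Optional[date] = None

# Constructed sample extracts
ACCESS_EXPORT = [
    Account("jdoe",   frozenset({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}), True, date(2023, 9, 15)),
    Account("asmith", frozenset({"AP_INVOICE_ENTRY"}),                       True, date(2024, 1, 10)),
    Account("bwong",  frozenset({"SYSTEM_ADMIN"}),                           True, date(2024, 1, 10)),
    Account("cxu",    frozenset({"SYSTEM_ADMIN", "AP_PAYMENT_APPROVE"}),     True, None),
    Account("test01", frozenset({"GL_JOURNAL_POST"}),                        True, None),
    Account("rleft",  frozenset({"AP_PAYMENT_APPROVE"}),                     True, date(2023, 2, 1)),
]
HR_ROSTER = [
    Person("jdoe",   "ACTIVE",     "EMPLOYEE"),
    Person("asmith", "ACTIVE",     "EMPLOYEE"),
    Person("bwong",  "ACTIVE",     "EMPLOYEE"),
    Person("cxu",    "ACTIVE",     "CONTRACTOR"),
    Person("rleft",  "TERMINATED", "EMPLOYEE", date(2023, 4, 1)),
]

def cross_check(accounts, roster, as_of=AS_OF):
    """Return a dict of findings keyed by finding type, plus the admin-rate check."""
    people = {p.user_id: p for p in roster}
    findings = {"terminated_with_access": [], "unmatched_accounts": [],
                "contractor_admin": [], "sod_conflicts": [], "stale_review": []}
    admin_count = 0
    for acct in accounts:
        if not acct.enabled:
            continue                                   # disabled accounts are out of scope
        person = people.get(acct.user_id)
        if person is None:
            findings["unmatched_accounts"].append(acct.user_id)        # nobody owns it
        elif person.employment_status == "TERMINATED":
            days_since_exit = (as_of - person.termination_date).days
            findings["terminated_with_access"].append((acct.user_id, days_since_exit))
        if acct.roles & ADMIN_ROLES:
            admin_count += 1
            if person is not None and person.worker_type == "CONTRACTOR":
                findings["contractor_admin"].append(acct.user_id)
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:                     # user holds both halves of a toxic pair
                findings["sod_conflicts"].append((acct.user_id, tuple(sorted(pair))))
        if acct.last_reviewed is None or (as_of - acct.last_reviewed).days > REVIEW_AGE_LIMIT_DAYS:
            findings["stale_review"].append(acct.user_id)
    enabled = sum(1 for a in accounts if a.enabled)
    findings["admin_rate"] = admin_count / enabled if enabled else 0.0
    findings["admin_rate_breach"] = findings["admin_rate"] > ADMIN_RATE_THRESHOLD
    return findings

if __name__ == "__main__":
    for key, value in cross_check(ACCESS_EXPORT, HR_ROSTER).items():
        print(f"{key}: {value}")
```

The join is on user ID, which is the weak point in practice: ERP user names rarely match HRIS employee IDs one-to-one, so the first real finding from a script like this is usually the mapping table itself. Accounts that do not resolve to a person (the "test01" case) are the ones to escalate, not explain away.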
Change Management:
Here's where I see the most failures. Organizations understand they need change management. They just don't actually do it properly.
What good change management looks like:
Change Request → Risk Assessment → Approval → Testing → Implementation → Validation → Documentation
What I usually find:
"Hey, I'm making a change" → Change happens → (Sometimes documentation happens)
I worked with a company where developers had a Slack channel called "#yolo-deploys" for pushing emergency changes on Fridays. I'm not joking. They thought it was funny.
It wasn't funny when an undocumented Friday deployment corrupted their revenue recognition data and they had to restate earnings.
Data Backup and Recovery:
Quick quiz: When was the last time you actually restored from backup and verified it worked?
If you can't answer that immediately, you don't have effective backup controls—you have backup theater.
I test this religiously:
Select a random database from the financial systems
Ask them to restore it to a point-in-time from 30 days ago
Time how long it takes
Verify data integrity
Success rate? About 40% on the first try.
Common failures:
Backups exist but are corrupted
Restore process takes 3x longer than documented
Restored data doesn't match production (serious problem)
"We've never actually tested this" (terrifying)
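The restore test above, as an added example (not a tool from the page): it runs the drill end to end against a constructed SQLite "GL" database, because SQLite runs offline and its backup API behaves like any online database backup. The restore is checked three ways, matching the three failure modes listed: PRAGMA integrity_check for corruption, per-table row counts for completeness, and a content hash for "restored data doesn't match production". A tamper switch deletes rows from the backup to show that a backup can pass integrity_check and still be incomplete. The documented RTO value is an assumption.

```python
"""Backup restore drill with integrity verification (added example; not a tool from the page).

Uses SQLite so it runs offline: a constructed 'GL' database is backed up with the
sqlite3 backup API, restored into a fresh file, and the restore is checked for
corruption (PRAGMA integrity_check), completeness (row counts) and content (table hash).
The documented RTO is an assumed value from a hypothetical DR plan.
"""
import hashlib
import os
import sqlite3
import tempfile
import time

DOCUMENTED_RTO_SECONDS = 4 * 3600    # assumption: DR plan says critical DBs restore within 4h

def build_sample_db(path):
    """Create a small, deterministic 'production' database (constructed data)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE gl_journal(entry_id INTEGER PRIMARY KEY, account TEXT, amount REAL, posted TEXT);
        CREATE TABLE vendor_master(vendor_id INTEGER PRIMARY KEY, name TEXT, bank_acct TEXT);
    """)
    con.executemany("INSERT INTO gl_journal VALUES (?,?,?,?)",
                    [(i, f"4{i % 5:03d}", 100.0 * i, "2024-02-28") for i in range(1, 201)])
    con.executemany("INSERT INTO vendor_master VALUES (?,?,?)",
                    [(i, f"Vendor {i}", f"ACCT{i:04d}") for i in range(1, 21)])
    con.commit()
    con.close()

def backup(src_path, dst_path):
    """Online, transactionally consistent copy via the SQLite backup API."""
    src, dst = sqlite3.connect(src_path), sqlite3.connect(dst_path)
    src.backup(dst)
    src.close()
    dst.close()

def table_fingerprint(path):
    """{table: (row_count, sha256 of ordered rows)} for every user table in the file."""
    con = sqlite3.connect(path)
    out = {}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for t in tables:                                   # table names come from the catalog, not user input
        digest, n = hashlib.sha256(), 0
        for row in con.execute(f'SELECT * FROM "{t}" ORDER BY 1'):
            digest.update(repr(row).encode())
            n += 1
        out[t] = (n, digest.hexdigest())
    con.close()
    return out

def restore_and_verify(backup_path, restore_path, production_path,
                       rto_seconds=DOCUMENTED_RTO_SECONDS):
    """Restore the backup to a fresh file, time it, and compare it with production."""
    started = time.monotonic()
    backup(backup_path, restore_path)                 # a restore is a copy of the backup into the target
    elapsed = time.monotonic() - started
    con = sqlite3.connect(restore_path)
    integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
    con.close()
    prod, restored = table_fingerprint(production_path), table_fingerprint(restore_path)
    return {
        "integrity_ok": integrity == "ok",           # file is internally consistent
        "tables_match": prod == restored,             # row counts AND content agree with production
        "mismatched_tables": sorted(t for t in prod if restored.get(t) != prod[t]),
        "restore_seconds": elapsed,
        "within_rto": elapsed <= rto_seconds,
    }

def run_drill(tamper=False):
    """Full drill in a temp dir.  tamper=True simulates a backup that silently lost rows."""
    with tempfile.TemporaryDirectory() as d:
        prod, bak, rest = (os.path.join(d, n) for n in ("prod.db", "backup.db", "restored.db"))
        build_sample_db(prod)
        backup(prod, bak)
        if tamper:
            con = sqlite3.connect(bak)
            con.execute("DELETE FROM gl_journal WHERE entry_id > 150")
            con.commit()
            con.close()
        return restore_and_verify(bak, rest, prod)

if __name__ == "__main__":
    print("clean backup :", run_drill())
    print("lossy backup :", run_drill(tamper=True))
```

The point of the tamper run is the one most backup "tests" miss: integrity_check is a structural check, so a backup taken after rows were dropped, or from a replica that was lagging, comes back "ok". Only a comparison against an independent control total (row counts, hashes, or the period's trial balance) proves the restore is the data you think it is.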
2. Application Controls
These are the controls embedded in your financial applications. Let me share the most critical ones:
Automated Controls in Financial Systems:
Control Type | Purpose | Testing Approach | Failure Rate in My Audits |
|---|---|---|---|
Three-way match | Prevent unauthorized payments | Test PO/Receipt/Invoice matching logic | 15% have bypass mechanisms |
Approval hierarchies | Ensure proper authorization | Submit test transactions above limits | 25% allow workarounds |
Journal entry controls | Prevent unauthorized GL changes | Test edit checks and approval workflows | 30% have weak or missing controls |
Close process controls | Ensure period accuracy | Test period-end lockdown and reopening | 20% allow backdating |
The $890,000 Journal Entry
I discovered this during an audit in 2018. A company had beautiful documented procedures for journal entry approval:
All entries >$50,000 required CFO approval
All entries affecting revenue required dual approval
All manual entries required business justification
Perfect on paper.
In practice? Their ERP system had a "mass upload" feature that bypassed all approval workflows. One person in the accounting department had discovered it. Over 18 months, they'd processed $12.4 million in unauthorized journal entries.
The fraud? $890,000 embezzled through fake vendor payments.
The failure? Nobody tested whether the application controls actually worked as documented.
"Documentation without validation is just fiction. Test your controls like someone is trying to break them, because someone is."
Information and Communication: The Controls Nobody Talks About
This is the COSO component that gets the least attention and causes the most problems.
System Interfaces: The Silent Killers
I can't tell you how many times I've found material misstatements caused by interface failures that nobody was monitoring.
Real example from 2022:
A retail company had an interface that moved sales data from their point-of-sale systems to their general ledger every night. It had been running for four years without issues.
Then it stopped working. Nobody noticed for 43 days.
Why? Because:
No interface monitoring was in place
Reconciliations were performed monthly (not daily)
The sales team and finance team didn't talk regularly
There was no automated alerting for interface failures
When they finally discovered it, they had a $4.7 million gap between actual sales and recorded revenue. The restatement triggered an SEC investigation.
The fix cost $60,000 to implement proper monitoring. The failure cost them over $3 million in legal fees, audit costs, and stock price decline.
Interface Controls I Always Test:
Control Area | What I Look For | Testing Method | Common Gaps |
|---|---|---|---|
Interface Monitoring | Automated alerts for failures | Review alert logs and response times | 70% have no monitoring |
Error Handling | How errors are logged and resolved | Intentionally create error conditions | 50% lose error records |
Data Completeness | Verification all records transfer | Compare source vs. destination counts | 40% don't reconcile |
Data Accuracy | Field-level validation | Sample transactions and verify | 30% have transformation errors |
Reporting Controls: Trust But Verify
Financial reports come from systems. If you can't trust the systems, you can't trust the reports.
I worked with a company that had a "mystery variance" in their inventory valuation. Every month, the system-generated report showed inventory values that were 2-3% off from their reconciliation.
They'd been manually adjusting it for two years. "It's just a rounding issue," they claimed.
It wasn't rounding. It was a SQL query in their reporting tool that was missing a filter. They'd been understating inventory by an average of $1.8 million monthly for 26 months.
Total misstatement: $46.8 million.
They'd been "fixing" the symptom instead of investigating the cause because they didn't understand their reporting controls.
Monitoring Activities: Continuous Doesn't Mean Optional
The biggest shift in COSO over the past decade is the emphasis on continuous monitoring. Yet most organizations still operate in an annual audit mindset.
What Effective Monitoring Looks Like
I implemented a continuous monitoring program for a healthcare organization in 2021. Here's what we monitored in real time:
Privileged Access Monitoring:
Any use of admin credentials (alerts within 5 minutes)
Access to sensitive data tables (logged and reviewed daily)
After-hours system access (immediate alerts)
Geographic anomalies (alerts for unusual locations)
Change Monitoring:
All production changes (compared against approved change tickets)
Database schema changes (immediate alerts)
Security configuration changes (alerts and auto-revert for unauthorized)
User permission changes (weekly review)
Control Effectiveness Monitoring:
Daily SOD violation scans
Automated access review reminders
Interface failure detection
Backup validation testing
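The privileged-access rules above, expressed as detection logic over sample log lines. This is an added example and not the program built for that engagement: the pipe-delimited audit-log format, the admin account names, the sensitive-table list and the per-user country baseline are all assumptions, and the log lines are constructed. It raises the three alert types from the list (admin credential use, after-hours access, geographic anomaly) and queues sensitive-table activity for the daily review.

```python
"""Privileged-access detection over constructed log lines (added example, not the author's build).

Assumed, simplified pipe-delimited audit line:
    <ISO timestamp>|<user>|<event>|<source country>|<object or ->
Rules: any admin-account event alerts; events outside 07:00-19:00 alert; a source country
outside the user's baseline alerts; reads/writes of a sensitive table go to the daily review queue.
"""
from datetime import datetime, time

ADMIN_ACCOUNTS = {"sa", "erp_admin"}                       # assumed shared/privileged accounts
SENSITIVE_TABLES = {"GL_JOURNAL", "VENDOR_MASTER", "PAYROLL"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))                 # local time; outside this is after-hours
# Countries each user normally connects from.  In production this is learned from
# ~30 days of history; here it is constructed.  Users absent from the baseline are
# unknown, not anomalous, so they do not trigger the geo rule.
BASELINE_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US", "CA"}, "erp_admin": {"US"}}

LOG_LINES = """\
2024-03-01T09:12:04|jdoe|LOGIN|US|-
2024-03-01T09:15:30|jdoe|SELECT|US|GL_JOURNAL
2024-03-01T22:41:10|asmith|LOGIN|CA|-
2024-03-01T22:42:55|asmith|UPDATE|CA|VENDOR_MASTER
2024-03-01T10:05:00|erp_admin|LOGIN|US|-
2024-03-01T10:06:12|erp_admin|UPDATE|US|GL_JOURNAL
2024-03-01T14:30:00|jdoe|LOGIN|RO|-
2024-03-01T03:00:00|sa|LOGIN|US|-
"""

def parse(line):
    """Split one audit line into a dict; '-' means no object was touched."""
    ts, user, event, country, obj = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "country": country, "object": None if obj == "-" else obj}

def evaluate(lines, baseline=BASELINE_COUNTRIES):
    """Return (alerts, review_queue).  alerts: (rule, user, raw line); queue: (user, event, table)."""
    alerts, review_queue = [], []
    for raw in lines.strip().splitlines():
        e = parse(raw)
        if e["user"] in ADMIN_ACCOUNTS:                               # every admin action pages someone
            alerts.append(("ADMIN_USE", e["user"], raw))
        if not (BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]):
            alerts.append(("AFTER_HOURS", e["user"], raw))
        known = baseline.get(e["user"])
        if known is not None and e["country"] not in known:
            alerts.append(("GEO_ANOMALY", e["user"], raw))
        if e["object"] in SENSITIVE_TABLES:                           # logged, reviewed daily, not paged
            review_queue.append((e["user"], e["event"], e["object"]))
    return alerts, review_queue

if __name__ == "__main__":
    alerts, queue = evaluate(LOG_LINES)
    for rule, user, raw in alerts:
        print(f"ALERT {rule:<12} {user:<10} {raw}")
    print("for daily review:", queue)
```

Two design choices worth copying: the admin rule fires on the account, not on what the account did, because the control objective is "every use of privileged credentials is visible", and sensitive-table access is queued rather than alerted so the review is a deliberate daily task instead of alert noise that gets tuned out.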
Results after 6 months:
Control failures detected 12x faster
Incidents resolved 8x quicker
Audit findings reduced 73%
Manual testing effort reduced 60%
"Monitoring isn't about catching people doing wrong things—it's about catching wrong things before they become disasters."
The COSO IT Audit Process: How I Actually Do This
Let me walk you through my actual audit methodology. This isn't textbook theory—this is what works in the real world.
Phase 1: Planning and Scoping (Weeks 1-2)
Step 1: Understanding the IT Environment
I start with these questions:
What financial applications do you use?
What custom code have you written?
What interfaces move financial data?
Who has administrative access?
When did you last have a significant change?
Step 2: Identifying In-Scope Systems
System Category | Examples | Why They're In Scope | Common Mistakes |
|---|---|---|---|
Financial Applications | ERP, GL, AP/AR, Payroll | Direct impact on financial reporting | Organizations miss departmental shadow IT |
Supporting Systems | HR systems, CRM, inventory management | Feed data to financial systems | Interfaces not considered |
Infrastructure | Active Directory, databases, network | Controls all system access | "That's just infrastructure" mentality |
End-User Computing | Excel models, Access databases, macros | Often used for adjustments and calculations | Completely overlooked in 60% of audits |
Step 3: Risk Assessment
I use this framework:
Impact (High/Medium/Low) × Likelihood (High/Medium/Low) × Control Strength (Weak/Moderate/Strong, scored inversely: Weak = 3, Moderate = 2, Strong = 1, so weak controls raise the priority) = Audit Priority
This helps me focus on what actually matters rather than checking boxes.
Phase 2: Control Documentation Review (Weeks 3-4)
I'm looking at:
IT policies and procedures
System documentation
Access control matrices
Change management logs
Backup and recovery procedures
Incident response plans
Red Flags That Tell Me Everything:
Documentation last updated >2 years ago
Procedures written by people no longer with the company
No version control on documentation
"We don't really follow this anymore"
Different departments have different versions
Phase 3: Control Testing (Weeks 5-8)
This is where theory meets reality. Here's my testing approach:
Access Control Testing:
Sample size: Depends on population, but I typically test:
100% of privileged access
25-40 users per major system
All access for high-risk roles
Any access that looks suspicious
What I'm testing:
Is the access appropriate for their job?
Does it violate segregation of duties?
Was it properly approved?
Has it been reviewed recently?
Change Management Testing:
I select a sample of changes (usually 25-40) across:
Normal changes
Emergency changes
Security patches
Application updates
For each change, I verify:
Proper authorization
Risk assessment performed
Testing completed
Approval before implementation
Post-implementation validation
Complete documentation
Real Example:
I tested 30 changes at a financial services company. Results:
4 had no approval documentation
7 were classified as "emergency" inappropriately
12 had incomplete testing records
3 were implemented before approval
1 was never documented at all
Their change management control? Failed.
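The change-management test above (and the "all production changes compared against approved change tickets" monitoring item earlier), as an added example that is not the author's own tooling. It reconciles a deployment log against an ITSM ticket export and classifies each production change against the verification list: authorization, testing evidence, approval before implementation, emergency justification, and documentation at all. Both inputs are constructed; the field names, ticket states and the rule that any unapproved or undocumented change fails the control outright are assumptions.

```python
"""Deployment log vs change-ticket reconciliation (added example; not the author's tool).

Both inputs are constructed.  Field names and ticket states are assumptions about a
typical ITSM export.  The checks mirror the Phase 3 list: proper authorization,
testing completed, approval before implementation, emergency changes justified,
and every production deploy traceable to a ticket.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Ticket:
    change_id: str
    change_type: str                    # NORMAL / EMERGENCY
    approved_at: Optional[datetime]     # None = never approved
    testing_evidence: bool              # test results attached to the ticket
    emergency_justification: str = ""

@dataclass
class Deployment:
    system: str
    deployed_at: datetime
    change_id: Optional[str]            # None = deploy carried no ticket reference

# Constructed sample: five tickets, six production deployments
TICKETS = {t.change_id: t for t in [
    Ticket("CHG-101", "NORMAL",    datetime(2024, 2, 1, 10, 0), True),
    Ticket("CHG-102", "NORMAL",    datetime(2024, 2, 3, 16, 0), False),
    Ticket("CHG-103", "NORMAL",    None,                        True),
    Ticket("CHG-104", "EMERGENCY", datetime(2024, 2, 5, 9, 0),  True, ""),
    Ticket("CHG-105", "NORMAL",    datetime(2024, 2, 6, 14, 0), True),
]}
DEPLOYMENTS = [
    Deployment("erp-prod", datetime(2024, 2, 1, 18, 0),  "CHG-101"),  # clean
    Deployment("erp-prod", datetime(2024, 2, 3, 18, 0),  "CHG-102"),  # no testing evidence
    Deployment("gl-prod",  datetime(2024, 2, 4, 11, 0),  "CHG-103"),  # never approved
    Deployment("gl-prod",  datetime(2024, 2, 5, 7, 30),  "CHG-104"),  # deployed before approval; no justification
    Deployment("erp-prod", datetime(2024, 2, 6, 13, 0),  "CHG-105"),  # deployed an hour before approval
    Deployment("erp-prod", datetime(2024, 2, 9, 23, 15), None),       # the Friday-night "yolo deploy"
]

FATAL_ISSUES = {"no_change_ticket", "no_approval", "implemented_before_approval"}

def reconcile(deployments, tickets):
    """Return (exceptions, control_passes).  exceptions: list of (system, change_id, issue)."""
    exceptions = []
    for d in deployments:
        if d.change_id is None or d.change_id not in tickets:
            exceptions.append((d.system, d.change_id, "no_change_ticket"))
            continue                                     # nothing else can be verified
        t = tickets[d.change_id]
        if t.approved_at is None:
            exceptions.append((d.system, d.change_id, "no_approval"))
        elif d.deployed_at < t.approved_at:              # approval timestamp after the deploy
            exceptions.append((d.system, d.change_id, "implemented_before_approval"))
        if not t.testing_evidence:
            exceptions.append((d.system, d.change_id, "no_testing_evidence"))
        if t.change_type == "EMERGENCY" and not t.emergency_justification.strip():
            exceptions.append((d.system, d.change_id, "emergency_without_justification"))
    # Assumption: one unapproved or undocumented production change fails the control outright.
    control_passes = not any(issue in FATAL_ISSUES for _, _, issue in exceptions)
    return exceptions, control_passes

def emergency_rate(deployments, tickets):
    """Share of ticketed deployments run as EMERGENCY (>10% is the red flag in the risk table)."""
    ticketed = [d for d in deployments if d.change_id in tickets]
    if not ticketed:
        return 0.0
    return sum(1 for d in ticketed if tickets[d.change_id].change_type == "EMERGENCY") / len(ticketed)

if __name__ == "__main__":
    exc, ok = reconcile(DEPLOYMENTS, TICKETS)
    for row in exc:
        print(row)
    print("control passes:", ok, "| emergency rate:", emergency_rate(DEPLOYMENTS, TICKETS))
```

The deployment side has to come from the system of record for production (CI/CD audit log, package manager history, or file-integrity monitoring), never from the ticketing tool itself; a change that was never ticketed is only visible from the side that does not depend on people filling in forms.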
Phase 4: Interface and Data Integrity Testing (Weeks 9-10)
This is my favorite part because it's where I usually find the scariest issues.
Testing Methodology:
1. Identify all system interfaces
2. Map data flow from source to destination
3. Select sample transactions
4. Trace through each system
5. Verify accuracy and completeness
6. Test error handling
7. Review monitoring and reconciliation
Actual Test I Performed:
Company: Mid-sized manufacturer
Interface: Production system → Cost accounting → General ledger
Test sample: 100 production orders
Findings:
3 orders never made it to cost accounting (3% failure rate)
7 orders had incorrect quantities (7% data accuracy issue)
No monitoring alerts for failures
Monthly reconciliation identified variances but didn't investigate
Error logs showed 847 failures in past 12 months (nobody looked at them)
Impact: Cost of goods sold was understated by approximately $2.1 million.
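The interface test above, and the interface controls table earlier (completeness by record counts, accuracy by field comparison, monitoring for a feed that silently stops), as one added example that is not the page's own code. It reconciles a production-order extract against the cost-accounting lines that should have been created from it, reports missing and mismatched records with the value understated, and flags a feed that has delivered nothing for longer than its nightly schedule allows, which is the 43-day-silence failure from the retail example. Both extracts are constructed, and the field layout and the one-day silence limit are assumptions.

```python
"""Interface completeness / accuracy / staleness check (added example; not the page's code).

Source and destination extracts are constructed inline.  Record layout is assumed:
    order_id -> (quantity, unit_cost, date)
The three tests are the ones from the interface controls table: every source record
reached the destination (completeness), values survived the transfer (accuracy), and
the feed is still arriving (monitoring).
"""
from datetime import date

AS_OF = date(2024, 3, 1)
MAX_SILENT_DAYS = 1        # assumption: a nightly feed that is >1 day silent is down

# Source system: production orders
PRODUCTION_ORDERS = {
    "PO-1001": (100, 12.50, date(2024, 2, 26)),
    "PO-1002": (250, 3.10,  date(2024, 2, 26)),
    "PO-1003": (40,  98.00, date(2024, 2, 27)),
    "PO-1004": (75,  12.50, date(2024, 2, 27)),
    "PO-1005": (500, 0.85,  date(2024, 2, 28)),
}
# Destination system: cost accounting lines created by the interface
COST_ACCOUNTING = {
    "PO-1001": (100, 12.50, date(2024, 2, 27)),
    "PO-1002": (25,  3.10,  date(2024, 2, 27)),   # quantity truncated in transit
    "PO-1004": (75,  12.50, date(2024, 2, 28)),
    # PO-1003 and PO-1005 never arrived; nothing posted since 2024-02-28
}

def reconcile_interface(source, dest, as_of=AS_OF, cost_tolerance=1e-9):
    """Compare source vs destination and return completeness, accuracy and staleness results."""
    missing = sorted(set(source) - set(dest))            # completeness: in source, not in destination
    orphaned = sorted(set(dest) - set(source))           # destination records with no source (also a finding)
    common = sorted(set(source) & set(dest))
    mismatched, value_gap = [], 0.0
    for oid in common:                                   # accuracy: field-level comparison
        s_qty, s_cost, _ = source[oid]
        d_qty, d_cost, _ = dest[oid]
        if s_qty != d_qty or abs(s_cost - d_cost) > cost_tolerance:
            mismatched.append((oid, s_qty, d_qty))
            value_gap += s_qty * s_cost - d_qty * d_cost
    for oid in missing:                                  # every missing order understates COGS by its full value
        qty, cost, _ = source[oid]
        value_gap += qty * cost
    last_post = max((rec[2] for rec in dest.values()), default=None)
    silent_days = (as_of - last_post).days if last_post else None
    return {
        "missing": missing,
        "orphaned": orphaned,
        "mismatched": mismatched,
        "completeness_rate": 1 - len(missing) / len(source) if source else 1.0,
        "accuracy_rate": (len(common) - len(mismatched)) / len(common) if common else 1.0,
        "understated_value": round(value_gap, 2),
        "silent_days": silent_days,
        "feed_down": silent_days is None or silent_days > MAX_SILENT_DAYS,
    }

if __name__ == "__main__":
    for key, value in reconcile_interface(PRODUCTION_ORDERS, COST_ACCOUNTING).items():
        print(f"{key}: {value}")
```

Run daily, the "feed_down" flag is the cheap monitoring control that would have caught the 43-day gap on day two; the completeness and accuracy rates are the daily reconciliation that replaces a monthly variance nobody investigates. Counting records is not enough on its own: PO-1002 arrived, so a count-only check passes it, and only the field comparison catches the truncated quantity.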
Phase 5: Reporting and Remediation (Weeks 11-12)
My audit reports include:
For Each Finding:
Control objective
What should happen
What actually happens
Risk and impact
Root cause analysis
Recommended remediation
Management response
Remediation timeline
Severity Classification:
Severity | Definition | Example | Typical Response Time |
|---|---|---|---|
Critical | Material weakness in IT controls | No segregation of duties in financial systems | Immediate - 30 days |
High | Significant deficiency with workaround | Weak change management with compensating manual review | 30-60 days |
Medium | Control gap with limited impact | Access reviews delayed but eventually completed | 60-90 days |
Low | Documentation or process improvement | Policy needs updating but control works | 90-180 days |
Common COSO IT Audit Findings: What I See Repeatedly
After hundreds of audits, here are the findings I see most frequently:
Top 10 IT Control Failures
Rank | Finding | Occurrence Rate | Average Remediation Cost | Real Impact I've Witnessed |
|---|---|---|---|---|
1 | Excessive privileged access | 85% of audits | $40K-$120K | Fraud, unauthorized changes, data breaches |
2 | Weak change management | 78% of audits | $60K-$200K | System outages, data corruption, compliance failures |
3 | No access reviews | 72% of audits | $30K-$80K | Terminated employees with access, SOD violations |
4 | Inadequate backup testing | 68% of audits | $20K-$100K | Failed recovery, data loss, extended downtime |
5 | Missing interface monitoring | 65% of audits | $50K-$150K | Revenue misstatement, inventory errors |
6 | Weak security monitoring | 61% of audits | $80K-$300K | Undetected breaches, compliance violations |
7 | Poor documentation | 58% of audits | $15K-$50K | Failed audits, knowledge loss, inconsistent execution |
8 | Segregation of duties violations | 54% of audits | $45K-$180K | Fraud opportunity, unauthorized transactions |
9 | Insufficient DR testing | 51% of audits | $40K-$200K | Extended outages, failed recovery |
10 | Manual reconciliation gaps | 47% of audits | $25K-$90K | Undetected errors, untimely identification |
The Pattern I Always See
Organizations usually fail in predictable ways:
Small companies: They have the right ideas but lack resources to implement properly. Controls exist on paper but aren't consistently executed.
Mid-sized companies: They've grown faster than their controls. Systems are patchworked together. Nobody has full visibility.
Large companies: They have great controls in some areas and massive gaps in others. Left hand doesn't know what the right hand is doing.
The solution isn't always more money or more people. It's usually about:
Clear accountability
Consistent execution
Regular monitoring
Leadership commitment
Preparing for a COSO IT Audit: My Practical Checklist
If you're facing a COSO IT audit, here's my pre-audit checklist that actually works:
30 Days Before Audit
Week 1: Documentation Sprint
[ ] Update all IT policies (not just print dates—actually review them)
[ ] Compile system documentation for all financial applications
[ ] Create current network diagrams
[ ] Document all interfaces and data flows
[ ] Prepare access control matrices
Week 2: Evidence Gathering
[ ] Run access reports for all critical systems
[ ] Pull change management logs for past 12 months
[ ] Gather backup logs and test results
[ ] Compile incident response records
[ ] Document any control failures and remediation
Week 3: Quick Fixes
[ ] Remove access for terminated employees (yes, this should already be done)
[ ] Complete any overdue access reviews
[ ] Close out old change tickets
[ ] Test backup restoration
[ ] Fix obvious segregation of duties violations
Week 4: Final Prep
[ ] Conduct internal walkthrough of controls
[ ] Test sample transactions yourself
[ ] Identify potential findings proactively
[ ] Prepare explanation for any known gaps
[ ] Brief your team on what to expect
"The audit will find what you know is broken. Find it first and you control the narrative. Get surprised and you control nothing."
Tools and Technology: What Actually Helps
I get asked constantly: "What tools should we use for COSO IT controls?"
Here's my honest answer: The tools matter less than how you use them.
That said, here are technologies that actually help:
Essential Tools by Control Area
Control Area | Tool Category | Examples | What It Actually Does | Investment Level |
|---|---|---|---|---|
Access Management | Identity Governance | SailPoint, Saviynt, Microsoft Identity Manager | Automated access reviews, SOD detection, access certification | $50K-$500K |
Change Management | ITSM Platform | ServiceNow, Jira Service Management, Remedy | Change tracking, approval workflows, CMDB | $30K-$300K |
Monitoring | SIEM | Splunk, LogRhythm, Microsoft Sentinel | Log aggregation, anomaly detection, alerting | $40K-$400K |
GRC Platform | Integrated GRC | ServiceNow GRC, MetricStream, SAP GRC | Risk assessment, control testing, compliance tracking | $60K-$600K |
Backup Management | Backup & Recovery | Veeam, Commvault, Rubrik | Automated backup, testing, recovery verification | $20K-$200K |
The Tool Trap I See Organizations Fall Into
A healthcare organization spent $800,000 on a GRC platform in 2020. Two years later, they weren't using half the features. Why?
Bought before defining requirements
Implemented without process redesign
No training for users
No dedicated resources to maintain it
Treated it like "set and forget"
The platform could have solved most of their control problems. Instead, it became expensive shelfware.
My recommendation: Start with basic tools and manual processes. Get them working. Then automate. Organizations that automate broken processes just get broken processes at scale.
Real-World Success Story: Complete IT Control Transformation
Let me share a success story that shows what's possible.
The Situation (Early 2021):
Mid-sized software company, 800 employees, $120M revenue. They'd received a qualified audit opinion due to IT control deficiencies. The findings were devastating:
Material weakness in access controls
Significant deficiency in change management
Multiple issues with interface monitoring
No disaster recovery testing
Weak segregation of duties
Stock price dropped 22%. Two enterprise customers paused renewals pending remediation. The board was furious.
The Approach:
I was brought in to lead the remediation. Here's what we did:
Month 1: Quick Wins
Removed 127 instances of excessive access
Implemented emergency access review process
Started daily interface monitoring
Began weekly control testing
Months 2-3: Foundation Building
Redesigned change management process
Implemented access review automation
Created SOD matrices and violations detection
Established backup testing schedule
Built continuous monitoring dashboards
Months 4-6: Process Integration
Trained all IT staff on new controls
Integrated controls into daily workflows
Implemented automated compliance checks
Created self-service reporting for management
Established quarterly control assessments
The Results (12 Months Later):
Clean audit opinion restored. But more importantly:
Control failures reduced 91%
Security incidents decreased 76%
Audit preparation time cut from 8 weeks to 2 weeks
IT efficiency improved (less firefighting, more strategic work)
Customer confidence restored—both paused renewals signed multi-year contracts
Total investment: $420,000
Measurable ROI: $2.8M (from avoided contract losses alone)
Intangible benefits: Priceless
The CEO told me: "We thought IT controls were a tax on the business. Now we understand they're the foundation of sustainable growth."
Common Mistakes That Will Destroy Your Audit
Let me save you from the mistakes I see repeatedly:
Mistake #1: Treating the Audit as an Event, Not a Process
Organizations scramble for 3 months before the audit, get through it, then let everything slide until next year.
Reality: Controls need to operate continuously. If they only work during audit season, they don't actually work.
Mistake #2: Hiding Problems from Auditors
I've had organizations try to hide control failures from me. It never works. Ever.
Better approach: Tell me about the problem, show me your remediation plan, and demonstrate you're taking it seriously. I'll work with you. Lie to me? Now you've got a credibility problem on top of a control problem.
Mistake #3: Accepting "Compensating Controls" as Permanent Solutions
Compensating controls are temporary Band-Aids while you fix the real issue. I see organizations that have had the same "compensating control" for 5 years.
That's not compensation—that's a broken control you're working around.
Mistake #4: Focusing on Documentation Instead of Effectiveness
Beautiful documentation of broken controls is still broken controls.
I don't care how pretty your policy manual is if your actual practices don't match it.
Mistake #5: Assuming Technical People Understand Control Concepts
Your network engineer might be brilliant at network architecture. That doesn't mean they understand control objectives, risk assessment, or audit evidence requirements.
Train your people. Don't assume.
The Future of COSO IT Audits: What's Changing
The landscape is evolving rapidly. Here's what I'm seeing:
Continuous Auditing
The future isn't annual assessments; it's continuous validation. Technologies now exist to monitor controls in real time and alert on failures immediately.
I'm working with organizations that have dashboards showing control effectiveness updated every 15 minutes. When something breaks, they know within the hour, not next quarter.
Cloud Complexity
As organizations move to cloud platforms, the shared responsibility model creates new control challenges. Your cloud provider handles the physical and hypervisor-level infrastructure controls, and you get evidence for those only through its SOC 1/SOC 2 reports. Everything above that line is yours to operate and evidence: configuration, identity and access, logging, data protection, and the complementary user entity controls those reports assume you have in place.
I'm seeing a 40% increase in cloud-related control failures as organizations migrate without understanding this split responsibility.
Automation and AI
AI-powered tools can now:
Detect anomalies in access patterns
Predict control failures before they happen
Automate evidence collection
Identify emerging risks
But they also create new risks that need new controls.
Integration of Cybersecurity and Financial Controls
The lines are blurring. A cybersecurity breach can cause material financial misstatement. A financial system compromise can expose customer data.
Future COSO audits will need to consider cybersecurity controls as fundamental to financial reporting, not optional add-ons.
Your Action Plan: Starting Today
If you're responsible for IT controls, here's what you should do:
This Week
Inventory your critical financial systems
Identify who has administrative access to each
Document your major system interfaces
Review your most recent control failures
Talk to your auditors about their expectations
This Month
Conduct a self-assessment using the frameworks in this article
Identify your top 5 control gaps
Create remediation plans with timelines and accountability
Brief leadership on findings and needed resources
Start weekly control monitoring
This Quarter
Implement automated access reviews
Strengthen change management processes
Establish interface monitoring
Test disaster recovery
Train your team on control concepts
This Year
Build continuous monitoring capabilities
Implement a GRC platform (if scale justifies it)
Integrate IT controls into business processes
Achieve clean audit opinion
Shift from reactive to proactive control management
Final Thoughts: It's Not About the Audit
Here's what I've learned after 15+ years doing this work:
COSO IT controls aren't about passing audits. They're about building organizations that can trust their data, make informed decisions, and survive the inevitable crisis.
The organizations that "get it" don't see controls as compliance overhead—they see them as competitive advantages. They make better decisions because they trust their data. They move faster because they're not constantly firefighting. They sleep better because they know problems will be detected before they become disasters.
The organizations that don't get it? They'll keep scrambling every audit season, hoping to get through one more year, never quite fixing the underlying problems.
Which one will you be?
Remember the conference room story I started with—the CFO asking why controls failed when "nothing changed"? That company spent 18 months and $3.2 million fixing their IT controls.
The CFO later told me: "We learned an expensive lesson. Technology isn't separate from financial reporting—it IS financial reporting. We were auditing the building but ignoring the foundation."
Don't ignore your foundation.
"Strong IT controls don't guarantee success, but weak IT controls guarantee eventual failure. The only question is when."