A CFO's Take on Why IT Matters More Than We Admit
A finance leader on how IT quietly became part of the control environment, and why you don't have to be technical to care.
I'll be honest: for most of my career, I thought about internal controls the way most finance leaders do. Segregation of duties. Approvals. Reconciliations. Audit trails. All important. All familiar.
What I didn't spend much time thinking about early on was IT, at least not beyond "is the system up and running?" That always felt like someone else's lane.
That view has changed a lot. Not because I suddenly became fascinated with cybersecurity tools or enterprise software, but because I realized how much of our control environment quietly depends on technology doing what we assume it's doing.
Finance and IT are already tied together (whether we like it or not)
Most finance teams today run almost entirely inside systems. General ledger, AP, AR, payroll, reporting, budgeting, everything touches technology somewhere. Even approvals often live in inboxes, shared drives, or cloud apps.
Which means the real questions aren't "Do we have internal controls?" They're more like:
- Who can actually access these systems?
- What happens when roles change?
- Can we tell who did what when something looks off?
- And how fragile is all of this if a system goes down?
Those aren't IT questions in the abstract. They turn into very real finance problems when workflows stall, data can't be trusted, or auditors start asking uncomfortable follow-ups.
Cybersecurity doesn't show up as "cybersecurity"
One thing I've learned is that cybersecurity rarely announces itself that way. It shows up as:
- A wire request that looks legit but isn't
- An accounting system that's suddenly unavailable
- An employee who left months ago but still has access
- Reporting delays with no obvious explanation
None of those start as "security incidents." They start as operational headaches, control gaps, or cash flow concerns, and finance often feels them first. That's not fearmongering. It's just how modern businesses work now.
You don't need to be technical to care about this
To be clear, I'm not suggesting CFOs need to learn firewalls or argue about security tools. That's neither realistic nor useful. What is useful is having a basic understanding of:
- Whether access is intentional or accidental
- Whether controls are enforced by systems or by people remembering to do the right thing
- Whether the business could function if systems were offline longer than expected
Those are governance and risk questions, not technical trivia.
Where this lands for me
The way I think about it now is pretty simple. Ignoring this doesn't make it someone else's risk. It just makes it harder to see until something breaks.
The bottom line
You don't have to obsess over IT. You do have to acknowledge how much your finance operation depends on it quietly working in the background. At least, that's where I've landed.