DDSystems


A CFO's Perspective on Internal Controls, IT, and Cybersecurity

A finance leader on why internal controls now live inside systems, and why IT and cybersecurity belong in the control environment whether we label them that way or not.


I'll be honest: for most of my career, I thought about internal controls the way most finance leaders do. Segregation of duties. Approvals. Reconciliations. Audit trails. All important. All familiar.

What I didn't spend much time thinking about early on was IT, at least not beyond "is the system working?" That always felt like someone else's responsibility.

That perspective changed over time, not because I suddenly developed an interest in cybersecurity, but because I realized how much of our internal control environment now depends on technology doing what we assume it's doing.

Internal controls live inside systems now

Most finance teams today operate almost entirely inside technology platforms:

  • Accounting and ERP systems
  • Payroll software
  • AP and AR workflows
  • Cloud file storage
  • Email-based approvals

Even processes that feel manual usually rely on systems behind the scenes.

That changes the nature of internal controls. Instead of controls being enforced primarily by policy and people, many of them are enforced, or bypassed, by system configuration, access rights, and workflow design.

Whether we call it IT risk or not, the financial impact is real.

Why cybersecurity is a finance issue (not just an IT one)

Cybersecurity tends to be framed as a technical problem, but it rarely shows up that way in practice. It usually shows up as:

  • A payment request that turns out to be fraudulent
  • An accounting system that's suddenly unavailable
  • Financial data that can't be trusted
  • A former employee who still has system access

None of those start as "cybersecurity incidents." They show up as control issues, audit concerns, operational disruption, or cash flow problems.

That's why more CFOs are starting to see cybersecurity as part of internal controls and risk management, not as a separate IT conversation.

IT controls are financial controls (whether we label them or not)

From a finance perspective, some simple questions go a long way:

  • Who has access to financial systems, and why?
  • Does access change automatically when someone changes roles or leaves?
  • Can we see who approved or changed something when questions come up?
  • How long could core systems be down before it materially affects the business?

These aren't technical deep dives. They're governance questions. And they matter more as businesses rely increasingly on cloud systems and remote access.

Manual workarounds and informal processes can fill gaps for a while, but they're harder to audit, harder to scale, and easier to break.

You don't have to be technical to care about IT risk

This isn't about CFOs becoming cybersecurity experts. In my experience, the most effective finance leaders don't worry about tools; they worry about outcomes:

  • Accuracy of financial data
  • Reliability of reporting
  • Continuity of operations
  • Defensibility of controls

Understanding how IT supports (or undermines) those outcomes is now part of modern financial leadership. Ignoring it doesn't eliminate the risk; it just makes it harder to see until something goes wrong.

If financial controls live inside systems, and they do, then IT and cybersecurity are part of the internal control environment whether we explicitly include them or not.

Where this lands for me

The conclusion I've come to is fairly straightforward. That doesn't mean alarmism. It just means awareness.

The bottom line

Finance and IT don't have to speak the same language, but they do have to understand how much they rely on each other, especially when the cost of disruption shows up not as a technical issue, but as a financial one. That shift in perspective has made my view of internal controls more practical, and frankly, more realistic.

Want a clearer view of your IT controls?

We help finance leaders across Maryland, DC, and Delaware see who has access to financial systems, where controls actually live, and how the business holds up if systems go down.

George Eidman
Chief Financial Officer