Over the past few years, I’ve seen more control issues driven by IT complexity than by outright control neglect. Organisations don’t lack policies, frameworks, or audit activity; they struggle because their technology environments have outgrown the assumptions their control models were built on.
Complexity is no longer a side effect of growth; it is the operating model.
Modern organisations run hybrid estates made up of legacy systems, multiple cloud platforms, SaaS applications, third-party integrations, automation layers, and increasingly AI-enabled tooling. Each addition brings value, but it also adds dependencies, configuration variance, and operational ambiguity. Traditional ITGC frameworks were never designed for this level of interconnected change.
Why complexity quietly erodes control effectiveness
Most ITGC and SOX control environments assume a relatively stable system landscape: clearly defined system boundaries, predictable change cycles, and well-understood ownership. In practice, those assumptions no longer hold.
Complexity introduces several compounding risks:
- Controls are implemented inconsistently across platforms
- Ownership becomes blurred between teams and vendors
- Evidence is fragmented across tools and logs
- Changes happen faster than controls are reviewed
None of these issues look dramatic in isolation. Together, they create environments where controls exist on paper but are brittle in operation.
The false comfort of "experienced auditors"
A common response to growing complexity is to rely more heavily on experience, adding senior auditors, specialists, or external advisors. Experience matters, but it has limits.
No individual, however skilled, can manually reason through highly complex, fast-changing environments at scale. When audits depend on human memory, interviews, and point-in-time testing alone, complexity will eventually win.
The answer isn’t "more audit effort"; it’s better control design and smarter assurance models.
ITGC models need to mature, not expand
I often see organisations respond to complexity by adding more controls. That usually makes things worse. More controls layered onto an already complex environment increase noise without improving confidence.
What’s needed instead is maturity:
- Fewer, better-designed controls tied to real risk
- Automation where humans can’t keep pace
- Clear ownership mapped across systems and vendors
- Evidence that is repeatable, not recreated each audit
In other words, controls should absorb complexity, not mirror it.
Audit must move from validation to insight
Audit functions also need to evolve. Traditional cyclical testing struggles in environments where systems change weekly or even daily. Point-in-time assurance creates a false sense of security.
From my perspective, modern IT audit should focus on:
- Identifying where complexity concentrates risk
- Testing whether controls scale with change
- Using data and automation to monitor control health
- Challenging whether governance models still reflect reality
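The third point above, using data and automation to monitor control health, is easiest to see in a concrete check. The following is an added example (not code from the original article or from GNAW Resources) of a continuous check over a single change-management control: every production deployment must trace to a change ticket that was approved, before the deployment, by someone other than the person who deployed it. The control wording, the control id "CM-01", the two platform names, and all ticket and deployment records are constructed for the illustration. Deployment events come from two different platforms on purpose, to show how the check reconciles evidence that is fragmented across tools, and the result is a structured evidence record that can be regenerated every period rather than recreated by hand at audit time.

```python
"""
Continuous control-health check for a change-management control.

Control (assumed wording, a common ITGC formulation): every production
deployment must trace to a change ticket that was approved, before the
deployment, by someone other than the person who deployed it.

All records below are constructed for illustration; they are not from any
real ticketing system, CI/CD tool or cloud audit log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
import json


@dataclass
class Ticket:
    ticket_id: str
    requester: str
    approver: Optional[str]
    approved_at: Optional[datetime]


@dataclass
class Deployment:
    deploy_id: str
    source: str                 # which platform produced the event
    ticket_id: Optional[str]    # change ticket referenced by the deployment, if any
    deployed_by: str
    deployed_at: datetime


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed tickets from a hypothetical change-ticketing system.
TICKETS: Dict[str, Ticket] = {
    "CHG-1001": Ticket("CHG-1001", "alice", "bob", _ts("2024-03-01T09:00:00")),
    "CHG-1002": Ticket("CHG-1002", "carol", "carol", _ts("2024-03-02T10:00:00")),  # self-approved
    "CHG-1003": Ticket("CHG-1003", "dave", None, None),                            # never approved
    "CHG-1004": Ticket("CHG-1004", "erin", "bob", _ts("2024-03-04T15:00:00")),
}

# Constructed deployment events from two platforms (a CI/CD pipeline and a
# cloud change log): the "evidence fragmented across tools" case.
DEPLOYMENTS: List[Deployment] = [
    Deployment("d-1", "ci_pipeline", "CHG-1001", "alice", _ts("2024-03-01T11:00:00")),
    Deployment("d-2", "ci_pipeline", "CHG-1002", "carol", _ts("2024-03-02T12:00:00")),
    Deployment("d-3", "cloud_audit", "CHG-1003", "dave", _ts("2024-03-03T08:00:00")),
    Deployment("d-4", "cloud_audit", None, "frank", _ts("2024-03-03T09:30:00")),
    Deployment("d-5", "cloud_audit", "CHG-1004", "erin", _ts("2024-03-04T14:00:00")),  # before approval
]


def evaluate(deployment: Deployment, tickets: Dict[str, Ticket]) -> List[str]:
    """Return the list of exception reasons; an empty list means the control held."""
    if deployment.ticket_id is None:
        return ["no change ticket referenced"]
    ticket = tickets.get(deployment.ticket_id)
    if ticket is None:
        return [f"ticket {deployment.ticket_id} not found"]
    if ticket.approver is None or ticket.approved_at is None:
        return ["ticket not approved"]
    reasons = []
    if ticket.approver == deployment.deployed_by:
        reasons.append("approver is the same person who deployed")
    if ticket.approved_at > deployment.deployed_at:
        reasons.append("deployed before approval")
    return reasons


def control_health(deployments: List[Deployment], tickets: Dict[str, Ticket]) -> dict:
    """Evaluate the whole population and build a repeatable evidence record."""
    findings = []
    for d in deployments:
        reasons = evaluate(d, tickets)
        findings.append({
            "deploy_id": d.deploy_id, "source": d.source, "ticket_id": d.ticket_id,
            "deployed_by": d.deployed_by,
            "status": "pass" if not reasons else "exception",
            "reasons": reasons,
        })
    total = len(findings)
    passed = sum(1 for f in findings if f["status"] == "pass")
    return {
        "control": "CM-01 change approval before production deployment (assumed id)",
        "population": total,
        "passed": passed,
        "exceptions": total - passed,
        "pass_rate": round(passed / total, 3) if total else None,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(control_health(DEPLOYMENTS, TICKETS), indent=2, default=str))
```

Run on the constructed records, one of five deployments passes; the other four surface the failure modes a point-in-time sample tends to miss (self-approval, an unapproved ticket, a deployment with no ticket at all, and a deployment that preceded its approval). The evidence record is the same shape every period, so trend in the pass rate becomes a control-health signal rather than something reconstructed from interviews.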
Audit adds the most value when it helps organisations understand their risk posture, not when it simply confirms last quarter’s controls still exist.
My view going forward
IT complexity isn’t going away. Cloud, automation, AI, and ecosystem dependency will only increase it. The organisations that struggle won’t be the ones with the most technology; they’ll be the ones still using yesterday’s control logic to manage today’s environments.
Call to Action
If your ITGC or SOX framework still assumes stable systems, manual evidence, and periodic review, it’s already under strain. Now is the time to simplify control design, clarify ownership, and modernise audit approaches so they work with complexity rather than against it. At GNAW Resources, we believe strong assurance starts by acknowledging reality and designing controls that can survive it.