IT Complexity Is the Real Control Risk: Why Audit and ITGC Models Must Change

IT complexity isn't just an operational challenge; it has become one of the biggest drivers of control weakness and audit failure in modern organisations.

Author: Garry Costin-Davis · Tags: IT Complexity, ITGC, Audit Opinion, Technology Risk, SOX Controls · Category: Technology Governance

Complexity concentrates risk where control models fail to evolve.

Over the past few years, I've seen more control issues driven by IT complexity than by outright neglect. Organisations don't lack policies or frameworks; they struggle because their technology environments have outgrown the assumptions their control models were built on.

Complexity is no longer a side effect of growth. It is the operating model.

Why complexity quietly erodes control effectiveness

Most ITGC and SOX frameworks assume stability: clear system boundaries, predictable change cycles, and well-understood ownership. In reality, modern estates are hybrid, interconnected, and constantly changing.

  • Controls implemented inconsistently across platforms
  • Ownership blurred across teams and vendors
  • Evidence fragmented across tools and logs
  • Changes occurring faster than controls are reviewed

None of these issues looks dramatic in isolation. Together, they create environments where controls exist on paper but are brittle in practice.

The false comfort of experience

A common response to complexity is to add more experience: senior auditors, specialists, external advisors. Experience matters, but it does not scale.

No individual can reliably reason through highly complex, fast-moving environments using interviews and point-in-time testing alone. When assurance depends on memory and manual effort, complexity eventually wins.

ITGC models need maturity, not expansion

I often see organisations respond to complexity by adding more controls. This usually increases noise without improving confidence.

  • Fewer, better-designed, fully encompassing controls aligned to real risk
  • Automation where humans cannot keep pace
  • Clear ownership across systems and suppliers
  • Evidence that is repeatable, not recreated

Mature controls absorb complexity rather than mirror it.

Audit must move from validation to insight

Traditional cyclical testing struggles where systems change weekly or daily. Point-in-time assurance can create a false sense of security.

Modern IT audit adds most value when it identifies where complexity concentrates risk, tests whether controls scale with change, and challenges whether governance still reflects reality.

My view going forward

Complexity will only increase: cloud, automation, AI, and ecosystem dependency guarantee it. The organisations that struggle will not be those with the most technology, but those still using yesterday's control logic to manage today's environments.

Professional insight

If your ITGC or SOX framework still assumes stable systems, manual evidence, and periodic review, it is already under strain. Control design and audit approaches must evolve to work with complexity, not against it.
