Internal Controls and IT Governance Evaluation

Internal controls have always been central to audit effectiveness. But in a digital environment—where systems, processes, and even decision-making are automated—the nature and design of controls have fundamentally changed. No longer are we merely evaluating whether a manual process was followed; we must now determine if the code was secure, if access was authorized, if changes were logged, and if artificial intelligence made reliable decisions.

This article explores how Dawgen Global evaluates internal controls and IT governance in a digitally transformed world—ensuring our audits remain relevant, risk-focused, and value-driven.

The New Landscape of Internal Control

In a technology-driven business, controls are increasingly:

• Embedded in code and workflows

• Executed automatically via software or bots

• Stored across multiple platforms (on-prem, cloud, hybrid)

• Dependent on vendor-managed infrastructure

This shift requires auditors to expand their evaluation scope from simple control walkthroughs to technical assessment, system review, and governance analysis.

Types of Internal Controls in a Digital World

1. IT General Controls (ITGCs)
   These are foundational and impact the reliability of all automated processes:

   • Access controls (who can log in, and with what privileges)

   • Change management controls (how systems are modified)

   • Data backup and recovery

   • System development life cycle controls (SDLC)

2. Application Controls
   These are system-enforced checks within software applications:

   • Input validation (e.g., format checks for data fields)

   • Automated calculations (e.g., tax or interest formulas)

   • Edit checks, completeness checks, exception reporting

3. Cybersecurity Controls
   A growing area of focus, these include:

   • Firewalls, intrusion detection, and endpoint protection

   • User provisioning and de-provisioning

   • Encryption of data in transit and at rest

4. Automated and AI-Driven Controls
   Involve logic-based and machine-learning systems:

   • AI risk scoring (e.g., loan approval)

   • Robotic Process Automation (e.g., automated reconciliations)

   • Smart contract execution on blockchain

Evaluating IT Governance Structures

Strong governance ensures controls are implemented, monitored, and improved. Dawgen Global evaluates:

• IT strategy alignment with business objectives

• Board oversight and risk appetite regarding technology

• Information Security Policy and digital ethics

• Roles and responsibilities between IT, operations, and compliance

• Monitoring frameworks, such as IT KPIs and audit logs

We often use the COBIT framework to benchmark client IT governance maturity.

Audit Methodology: Control Evaluation at Dawgen Global

 

Step 1: Identify Key Systems and Processes

• Map the client’s core financial and operational systems

• Identify control points in each critical digital process

Step 2: Understand and Document Control Design

• Review system documentation, SOPs, and automation logic

• Conduct walkthroughs (demo or sandbox environments)

• Interview process owners, IT, and cybersecurity personnel

Step 3: Evaluate Control Design Effectiveness

• Determine if control objectives are adequately addressed

• Consider whether automated processes are:

  • Reliable

  • Repeatable

  • Resilient

Step 4: Test Control Operating Effectiveness

• Test samples of transactions for system-generated controls

• Perform re-performance tests (e.g., re-run logic)

• Use data analytics to test population-wide automated controls

• Review system logs for evidence of control execution

Step 5: Evaluate Control Gaps and Mitigating Measures

• Identify missing or poorly functioning controls

• Assess whether other controls compensate for identified risks

• Determine materiality of control gaps

Use of Technology in Control Testing

At Dawgen Global, we integrate audit technology into control testing:

• ACL Robotics and IDEA to automate control tests

• GRC platforms to monitor workflows and exceptions

• SIEM tools (e.g., Splunk) for log analysis

• Custom RPA scripts for recurring control validation

Common Control Weaknesses in Digital Audits

• Inadequate user access controls

  • Shared accounts, no MFA, excessive privileges

• Weak change management

  • Unapproved updates to systems or rules

• Overreliance on vendors without oversight

  • No audit rights, unclear roles

• Lack of monitoring for AI and automation

  • “Black box” systems with no audit trail

Dawgen Global addresses these by recommending improvements aligned with ISO 27001 and other IT control standards.

Case Example: Automated Controls in an E-Commerce Company

Dawgen Global audited a Caribbean-based e-commerce firm using an ERP with automated inventory, pricing, and billing. Our review identified:

• Strong controls over inventory reconciliation via system logic

• A gap in approval workflow for automated discounts

• No monitoring of bots executing refunds on return orders

We recommended enhanced review protocols and implemented alerts within the ERP. The client improved oversight without sacrificing automation efficiency.

Conclusion & Key Takeaways

In a digital world, internal control evaluation is no longer limited to paper trails and process documentation. It is about understanding systems, testing automation, and assessing governance over digital assets and decisions.

Key Takeaways:

• Digital controls include ITGCs, application, cybersecurity, and automated controls

• Governance is essential for ensuring control strength and alignment

• Dawgen Global uses structured methodologies, supported by technology, to evaluate control design and effectiveness

• Auditors must be prepared to assess automation logic, AI decision-making, and cloud-based control environments

Next Step!