AcadiFi
Question · 2026-05-20
CIA · Core · IT Application Controls and Control Ownership

Who should own IT application controls?

- For automated calculations and system interface controls, our business team says IT should own them, while IT says the business owns the risk. How should I think about this for CIA exam purposes?

42 upvotes
AcadiFi Team (Verified Expert, AcadiFi Certified Professional)

Answer:

Start with the risk the control mitigates. The risk owner should be accountable for whether the control objective is met, even if IT operates or maintains a technical part of the control.

For example, if an interface control ensures that all shipped orders reach billing completely and accurately, finance or the relevant business process owner may own the billing risk. IT may own job scheduling, system configuration, interface monitoring, and log retention. Both roles matter, but they are not identical.

A practical model separates responsibility:

  • risk owner: accountable for the business risk
  • control owner: accountable for design and performance of the control
  • operator: performs the technical or manual step
  • evidence provider: supplies logs, reports, or signoffs for testing

If no one accepts ownership and exceptions are unresolved, the ownership gap itself may be a control design or governance issue.