In a world where digital risk, regulatory expectations, and emerging technologies are accelerating, strong IT Governance remains foundational. SOC 2 compliance continues to be a key mechanism for service organizations to show they have strong controls. Understanding how IT governance and SOC 2 align, and where recent changes affect that alignment, is more critical than ever.
What is IT Governance (GEIT) & Why is it Important?
Historically, organizations viewed IT as an unnecessary expense rather than a beneficial asset. More recently, however, organizations recognize IT as a crucial component in gaining an innovative advantage over competition. IT governance, also known as the governance of enterprise IT or GEIT, delivers value by creating processes to better manage and control key IT investments, decisions, and resources. Because IT governance aligns business with IT goals and objectives, IT is considered a business enabler rather than just technology. When IT governance is absent or fails, a business risks failure to achieve financial goals and objectives.
At the same time, the scope of governance expectations has expanded significantly. Boards and senior leadership are increasingly expected to exercise oversight in rapidly evolving domains such as artificial intelligence and generative AI, data ethics, systemic third-party risk management, and supply chain resilience. This shift also demands greater digital literacy at the top: many boards are recruiting members with strong technology or cybersecurity expertise, or turning to external specialists. Risk governance, once seen as a periodic exercise, is now a continuous process. In response to fast-moving threats, from AI and cyber incidents to data leaks and regulatory shifts, organizations are adopting dashboards, metrics, and more frequent reporting cycles to provide leadership with real-time visibility and decision-making insight.
COBIT, a well-known IT governance framework, defines IT governance (GEIT) in five main principles:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
Is SOC 2 a Governance Framework?
A SOC 2 examination produces “a report that service organizations receive and share with stakeholders to demonstrate that general IT controls are in place to secure the service provided,” but SOC 2 is not typically considered an IT governance compliance framework. A deeper dive into the Trust Services Criteria of the SOC 2 report, however, reveals sections directly associated with the governance of IT.
The Board of Directors & IT Governance
Before exploring this concept, let’s first consider an organization’s Board of Directors. Because the Board of Directors has ultimate responsibility and authority for your organization’s IT governance, it plays the most critical role in the IT governance process. You may be asking yourself, “How can the Board of Directors influence my organization’s control environment?” and “Are controls of the Board of Directors tested in a SOC 2 report?” The authority of the Board of Directors ensures proper resource allocation, so it must be considered part of the control environment. In fact, a SOC 2 criterion specifically tests your Board of Directors’ oversight of your organization’s internal controls.
COSO Principle 2: “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.”
The Board of Directors also advises and approves the alignment of business and IT initiatives, goals, and objectives. Unfortunately, most Boards of Directors fail to comprehend IT risks and challenges that their organizations encounter simply because of a lack of knowledge about IT or because they may not understand their organization’s dependency on IT. We often see organizations’ Boards of Directors defer key IT initiatives and decisions to members of the IT team, but this leaves the Board of Directors still unaware of the benefits of IT within their organization.
Bridging the Knowledge Gap: Board Education & IT Risk Awareness
Without this understanding, a Board of Directors may fail to provide IT senior management with the required insight that aids in the IT decisions made to achieve business initiatives, goals, and objectives. Luckily, another criterion of the SOC 2 considers the communication to senior management of control deficiencies and risk assessment results:
COSO Principle 17: “The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”
Constructive relationships between IT senior management and the Board of Directors should be established to create effective communication between the business and IT. Without an understanding of the operating effectiveness of your organization’s control environment, the Board of Directors would be inhibited from addressing control deficiencies, reviewing IT operations, making accurate and clear business decisions, and creating and aligning business with IT strategies and goals. This can also lead to increased pressure on your chief information officer to manage and coordinate critical assets by themselves.
Building on this foundation, GEIT and SOC 2 remain closely aligned in their core purpose: ensuring that technology is governed, risks are identified and managed, and controls are documented, monitored, and continuously improved. SOC 2 focuses on evidence that governance exists — defined roles, documented policies, and tested controls — while GEIT broadens this to strategic alignment between IT and business goals. What’s changing in 2025 is the expectation that governance goes far beyond static compliance. Boards and senior leadership are now under pressure to actively oversee emerging risks such as AI, data ethics, systemic third-party dependencies, and supply chain resilience. They are expected to engage with regular dashboards, real-time reporting, and ongoing training, while facing sharper scrutiny and potential liability when governance lapses occur.
Communicating IT Governance: Policies & Procedures
COSO Principle 12: “The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.”
Maintaining current policies and procedures most effectively communicates employee control activities, responsibilities, and expected process outcomes and behavior. Policies and procedures communicate senior management’s tone, which drives company culture and establishes values and expectations.
While organizations cannot consistently predict employee behavior or ensure employee compliance with company policies and procedures, organizations can implement controls related to employee acknowledgment of company policies and procedures to mitigate as much risk to the business as possible. These controls are most commonly present during the onboarding process, but should be present at other times as well. At the same time, IT governance roles and responsibilities can be communicated to employees when IT governance is implemented. In doing so, IT governance becomes the responsibility of every employee rather than just of senior management and the Board of Directors. All operations, processes, and employees’ day-to-day activities should consistently align with achieving your organization’s business initiatives and objectives.
The following are examples of IT governance policies and procedures that organizations require their employees and contractors to acknowledge:
- Acceptable Use Policy
- Information Security Policy
- Incident Response Policy
- Data Classification Policy and Procedures
Accountability within the Organization
COSO Principle 3: “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.”
COSO Principle 5: “The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”
A Board of Directors and executive management are accountable for a business’s goals and objectives before employees can be expected to also take responsibility. The Board of Directors and executive management are charged with formalizing and effectively communicating IT-based decisions to employees. Unfortunately, in most organizations, employees don’t take responsibility for helping their organization achieve business and IT initiatives and objectives, and generally don’t understand how to satisfy stakeholder expectations. Even worse, most employees are unaware of how their roles and job functions contribute to those objectives daily because most organizations fail to communicate this information to their employees. To effectively manage and govern IT and human capital, the Board of Directors, executive management, and IT managers must include employees in communication about organizational business and IT initiatives and objectives so that employees can also be held accountable.
There are several controls typically found in a SOC 2 report that test an organization’s ability to hold its employees accountable:
- Documented job descriptions that may include prerequisite considerations for employment, internal control responsibilities, and job role and functions.
- Security training for employees.
- Completing performance evaluations for employees that include objectives aligned with the organization’s strategy and the criteria used to evaluate them.
Implications for Companies: What to Do Now
Strengthening governance and security posture starts with action. The list below highlights practical measures organizations can implement today—ranging from board engagement and policy updates to monitoring, risk reporting, and emerging technology oversight.
- Perform a Governance Maturity Assessment
  - Assess your current governance practices: policies, board oversight, risk management, vendor governance, AI usage, etc. Identify gaps against both SOC 2 expectations and emerging risk areas.
- Incorporate Emerging Risk Areas into Governance & Reporting
  - Establish or refine policy for AI/ML, data ethics, and acceptable use.
  - Ensure vendor/third-party risk assessments include resilience, security posture, and incident history.
  - Update risk registers frequently.
  - Include metrics/KPIs for these areas, with dashboards for senior leadership.
- Enhance Board Engagement & Oversight
  - Make sure the board gets regular reporting on technology risk (including AI, vendor, cyber, and supply chain audits).
  - Consider forming a committee or assigning responsibility for technology/AI governance.
  - Ensure board members have appropriate education/updates on emerging technologies.
  - Avoid mixing oversight with management: clarity in responsibilities.
- Strengthen Policy & Control Designs
  - Review and update policies to catch new risks (e.g., data privacy, AI, ethics).
  - Ensure documentation is complete, accurate, versioned, and aligned with descriptions required by SOC 2.
  - Design controls for emerging technology vectors, including cloud, microservices, and AI systems.
- Improve Monitoring, Evidence & Continuous Improvement
  - Use tools to automate evidence collection where possible.
  - Set up continuous monitoring of critical controls and threats.
  - Regularly test business continuity, incident response, and vendor resilience.
  - After incidents or audit findings, embed lessons learned and adjust controls/policies.
- Stay Ahead of Regulatory Changes
  - Monitor legislation & regulatory guidance around AI/data privacy in your jurisdictions.
  - Be proactive: adopt best practices (even if not yet required) so compliance changes are manageable.
  - Engage legal counsel or regulatory experts to interpret how your governance and SOC 2 compliance intersect with mandatory compliance obligations.
The Path Forward: Integrating IT Governance & SOC 2 for Future Success
IT governance (GEIT) and SOC 2 are no longer separate conversations — they are increasingly intertwined. While SOC 2 has traditionally served as a way for service organizations to demonstrate that key IT controls are in place, evolving expectations mean that compliance alone is not enough. Boards and senior leadership are now expected to actively oversee technology and risk, including areas such as AI governance, data ethics, third-party resilience, and supply chain vulnerabilities. This shift transforms governance from a periodic compliance exercise into a continuous discipline supported by real-time monitoring, dashboards, and ongoing board engagement.
For organizations, this means that IT governance must extend beyond policies on paper. It requires a culture of accountability, clear communication between the board, management, and employees, and well-designed controls that evolve alongside emerging technologies and regulations. SOC 2 provides the structure and evidence, while GEIT ensures strategic alignment and resilience. Together, they establish a foundation for trust, transparency, and long-term business value in a rapidly changing digital and regulatory environment.
If you have any questions regarding IT governance or are interested in our audit services, please contact Linford & Co.
This article was originally published on 2/22/2023 and was updated on 9/17/2025.

Fred is an accomplished Information Technology consulting professional with 12+ years of experience in cyber security compliance audits. Fred is currently responsible for managing SOC 1 and SOC 2 engagements across the United States for mostly SaaS companies. He started his career at Deloitte in their Enterprise Risk Services practice. Fred has served as a board member for his local ISACA chapter and holds current CISA and CISSP certifications.