As the waves of change caused by the U.S. Sarbanes-Oxley Act of 2002 subside, the next force likely to sweep over organizations is the need to implement enterprise risk management (ERM). ERM has sparked a paradigm shift by encouraging organizations to build a comprehensive risk strategy into their business operations and spurring internal auditors to move from a primarily control-based approach to a predominantly risk-based approach.
One major area of enterprise risk that internal auditors must understand is how information technology (IT) affects their organization within the context of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management—Integrated Framework. IT is intertwined with all eight components of COSO's ERM framework—as both a source of risk and a risk management tool (see "ERM Automation" on page 47). Internal auditors also can add substantial value to the organization by providing advice on using IT to develop a sound ERM program. Auditors must first understand how technology impacts each component of the ERM framework.
Copyright © 2006, Institute of Internal Auditors
Institute of Internal Auditors
Ramamoorti, Sridhar and Weidenmier, Marcia L., "Is IT Next for ERM? Information Technology Provides the Vital Infrastructure for Building a Modern Enterprise" (2006). Accounting Faculty Publications. 82.