
Is IT next for ERM? Information technology provides the vital infrastructure for building a modern enterprise

Internal Auditor, April, 2006 by Sridhar Ramamoorti, Marcia L. Weidenmier

As the waves of change caused by the U.S. Sarbanes-Oxley Act of 2002 subside, the next force likely to sweep over organizations is the need to implement enterprise risk management (ERM). ERM has sparked a paradigm shift by encouraging organizations to build a comprehensive risk strategy into their business operations and spurring internal auditors to move from a primarily control-based approach to a predominantly risk-based approach.

One major area of enterprise risk that internal auditors must understand is how information technology (IT) affects their organization within the context of The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management-Integrated Framework. IT is intertwined with all eight components of COSO's ERM framework, as both a source of risk and a risk management tool (see "ERM Automation" on page 47). Internal auditors also can add substantial value to the organization by providing advice on using IT to develop a sound ERM program. Auditors must first understand how technology impacts each component of the ERM framework.


INTERNAL ENVIRONMENT

The internal environment sets the overall tone of the organization's response to risk and provides an actionable basis for all other components of COSO's ERM framework. It includes the organization's ethical values, risk appetite, ERM philosophy, and the competence and development of its employees, as well as how the organization views risk and implements controls. Risk appetite is the level of risk that an organization is willing to accept, which affects its choice of IT, e-commerce strategy, and use of emerging technologies. Such technology decisions not only change the organization's risks, but also make them more complex. For example, the moment an organization engages in e-commerce, it becomes "global," even if its operations are geographically confined to one country. As a result, organizations that sell products and services online must address a host of security, confidentiality, and privacy risks and technology compatibility issues that they might not face if they only did business through traditional retail channels.

OBJECTIVE SETTING

According to COSO ERM, the organization's mission and risk appetite drive its objective-setting process, which defines high-level strategic objectives and the corresponding operating, financial reporting, and compliance objectives needed to accomplish them. Strategic objectives affect the organization's selected IT infrastructure and risk level. IT, however, influences organizational objectives in a sort of "chicken and egg" way: It can drive as well as enable organizational strategy. But IT also generates new risks that may require technology solutions. For example, organizations that use e-mail to communicate and manage knowledge must establish appropriate IT protocols, passwords, and authentication procedures to keep messages secure.

Moreover, IT is critical to using operational assets effectively and ensuring the integrity and reliability of the organization's financial reporting system. IT can help organizations comply with applicable laws and regulations, especially the Sarbanes-Oxley Act's sweeping requirements. Indeed, many publicly listed companies rely on IT-based controls and real-time data collection and analysis to facilitate compliance with Sarbanes-Oxley sections 302 (attesting to the integrity of financials), 404 (internal control over financial reporting), and 409 (near-real-time reporting of material changes). The extensive organizational information-gathering effort requires enterprisewide systems, such as enterprise resource planning (ERP) applications and data warehouses, to extract and analyze data for trends and relationships among the data.

Internal auditors can also use technology to collect and analyze performance measures to ensure that the organization is operating within its acceptable risk-tolerance level. Embedded audit modules that perform exception reporting, for example, can flag the processing of transactions of more than US $1 million across all business units, or list transactions that are duplicates, represent sales returns, or exceed an established number or value of vendor/customer transactions per month. Auditors can easily specify such exception-reporting criteria as part of their financial reviews and use automated tools to scrutinize nonroutine and flagged journal entries.
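As an added example (not the article's own code), the exception-reporting criteria just described, run over a constructed set of journal entries; the field names, the duplicate key (same party, amount and date) and the per-month count and value limits are assumptions.

```python
# Added example: exception reporting over journal entries, implementing the
# article's criteria (> US $1 million, duplicates, sales returns, per-month
# vendor/customer volume). Field names and limits are assumptions.
from collections import Counter, defaultdict
from datetime import date

# Constructed sample journal entries (not real data).
ENTRIES = [
    {"id": "JE-001", "unit": "EU", "party": "V-100", "type": "purchase", "amount": 250_000, "date": date(2006, 3, 2)},
    {"id": "JE-002", "unit": "US", "party": "V-200", "type": "purchase", "amount": 1_500_000, "date": date(2006, 3, 3)},
    {"id": "JE-003", "unit": "EU", "party": "V-100", "type": "purchase", "amount": 250_000, "date": date(2006, 3, 2)},  # repeats JE-001
    {"id": "JE-004", "unit": "US", "party": "C-300", "type": "sales_return", "amount": 40_000, "date": date(2006, 3, 9)},
    {"id": "JE-005", "unit": "US", "party": "V-200", "type": "purchase", "amount": 300_000, "date": date(2006, 3, 15)},
    {"id": "JE-006", "unit": "US", "party": "V-200", "type": "purchase", "amount": 200_000, "date": date(2006, 3, 20)},
    {"id": "JE-007", "unit": "US", "party": "V-200", "type": "purchase", "amount": 120_000, "date": date(2006, 4, 1)},
]

def large_transactions(entries, threshold=1_000_000):
    """Entries above the monetary threshold, regardless of business unit."""
    return [e["id"] for e in entries if e["amount"] > threshold]

def duplicate_transactions(entries):
    """Entries that share party, amount and date with an earlier entry."""
    seen, dupes = set(), []
    for e in entries:
        key = (e["party"], e["amount"], e["date"])
        if key in seen:
            dupes.append(e["id"])
        seen.add(key)
    return dupes

def sales_returns(entries):
    """Entries recorded as sales returns (assumed 'type' value)."""
    return [e["id"] for e in entries if e["type"] == "sales_return"]

def high_volume_parties(entries, max_count=2, max_value=1_500_000):
    """(party, year, month) keys whose count or total exceeds the limits."""
    count, total = Counter(), defaultdict(int)
    for e in entries:
        key = (e["party"], e["date"].year, e["date"].month)
        count[key] += 1
        total[key] += e["amount"]
    return sorted(k for k in count if count[k] > max_count or total[k] > max_value)

def exception_report(entries):
    """Combine the four criteria into one report for auditor follow-up."""
    return {"large": large_transactions(entries),
            "duplicates": duplicate_transactions(entries),
            "sales_returns": sales_returns(entries),
            "high_volume": high_volume_parties(entries)}
```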

EVENT IDENTIFICATION

COSO ERM highlights the unique role that IT plays in identifying events or incidents that may affect the organization's ability to achieve its objectives. Events may be characterized as negative risks or positive opportunities. COSO contends that IT is the only factor that can be viewed as an external or internal event, while functioning as an "environmental scanner" to identify other events.

When viewing IT as an external event, an organization must consider the positive and negative effects that its e-commerce environment and new technology can have on the business. Although new technologies and services can enhance the availability of data and lower infrastructure costs, they also can increase demand for technology-based services and cause service interruptions. Moreover, these advances can disrupt the organization's business model and relationships with suppliers, customers, and other business partners. For example, American Airlines' SABRE system revolutionized the airline industry's ticketing process--enabling consumers to book their own flight reservations and issuing electronic tickets--but adversely impacting travel agents. Similarly, the viability of publishing companies like Encyclopaedia Britannica has been threatened by free and low-cost Internet-based information sources.

 
