ERM and Information Technology
Originally Published: April 01, 2006
Internal auditors face new challenges as understanding information technology (IT) and its impact on risk management becomes even more critical. Internal auditors can provide value to businesses if they use their IT knowledge to help an organization implement a successful enterprise risk management (ERM) program. Since Sarbanes-Oxley, ERM's increasingly important role in organizations has forced internal auditors to use a more risk-focused approach as an alternative to the more traditional control-based approach.
The internal environment of an organization includes risk appetite as well as other components such as ethical values. Decisions made about risk tolerance correlate with information technology choices. If an organization chooses to use e-commerce, it becomes a global business and should consider all the risks associated with technological changes.
IT helps to provide timely data that will assist with identifying, analyzing and responding to risks. The organizational changes and the speed created by IT force auditors to recognize and monitor how IT affects risk management. Therefore, IT is an asset for organizations trying to manage risk, but concurrently the increased use of IT creates risk that cannot be overlooked.
An organization's risk appetite establishes the objectives for the business while indirectly affecting the information technology infrastructure. Organizations that utilize e-commerce have a higher risk appetite and must be prepared to take the necessary precautions for a potentially greater reward.