ERM and Information Technology
Originally Published: April 01, 2006
Internal auditors are faced with new challenges as the importance of understanding information technology (IT) and its impact on risk management becomes even more critical. Internal auditors can provide value to businesses if they use their IT knowledge to help an organization implement a successful enterprise risk management (ERM) program. Since Sarbanes-Oxley, ERM's increasingly important role in organizations has forced internal auditors to use a more risk-focused approach as an alternative to the more traditional control-based approach.
The internal environment of an organization includes risk appetite as well as other components such as ethical values. Decisions made about risk tolerance correlate with information technology choices. If an organization chooses to use e-commerce, it becomes a global business and should consider all the risks associated with technological changes.
IT helps to provide timely data that will assist with identifying, analyzing and responding to risks. The organizational changes and the speed created by IT force auditors to recognize and monitor how IT affects risk management. Therefore, IT is an asset for organizations trying to manage risk, but at the same time the increased use of IT creates risk that cannot be overlooked.
An organization's risk appetite establishes the objectives for the business while indirectly affecting the information technology infrastructure. Organizations that utilize e-commerce have a higher risk appetite and must be prepared to take the necessary precautions for a potentially greater reward.