Is IT Next for ERM? Information Technology Provides the Vital Infrastructure for Building a Modern Enterprise

As the waves of change caused by the U.S. Sarbanes-Oxley Act of 2002 subside, the next force likely to sweep over organizations is the need to implement enterprise risk management (ERM). ERM has sparked a paradigm shift by encouraging organizations to build a comprehensive risk strategy into their business operations and spurring internal auditors to move from a primarily control-based approach to a predominantly risk-based approach. One major area of enterprise risk that internal auditors must understand is how information technology (IT) affects their organization within the context of The Committee of Sponsoring Organizations of the Treadway Commission\u27s (COSO\u27s) Enterprise Risk Management—Integrated Framework. IT is intertwined with all eight components of COSO\u27s ERM framework—as both a source of risk and a risk management tool (see ERM Automation on page 47). Internal auditors also can add substantial value to the organization by providing advice on using IT to develop a sound ERM program. Auditors must first understand how technology impacts each component of the ERM framework

The Pervasive Impact of Information Technology on Internal Auditing

The impetus for this supplemental chapter titled The Pervasive Impact of Information Technology on Internal Auditing comes from The Institute of Internal Auditors Research Foundation (IIARF) monograph, Research Opportunities in Internal Auditing (2003), hereafter ROIA. ROIA combines theory and practice in conceptual frameworks to promote an understanding of the contemporary internal auditing environment. The goals of ROIA include stimulating academic research on significant internal auditing topics and serving as a “communication bridge” between academics and practicing professionals. ROIA provided us with internal auditing related subject matter content, including the most promising areas of information technology (IT) application in internal auditing. One significant topic that is only briefly mentioned in ROIA is the impact of IT on the internal audit function.3 IT is revolutionizing the nature and scope of worldwide communications, changing business processes, and erasing the traditional boundaries of the organization — internally between departments and externally with suppliers and customers. The resulting intra-enterprise coordination as well as inter-enterprise integration with external business partners through supply chain management and customer relationship management systems demonstrates the power of IT as both a driver and enabler of management processes and strategies. Indeed, internal auditors must recognize and leverage the powerful capabilities of computers and technology in collecting, generating, and evaluating information for managerial decision making related to strategy, risk management and controls, and, more broadly, for effective organizational governance. At the same time, internal auditors must recognize that IT, in itself, will not increase the function’s effectiveness. Rather internal auditors must first understand the audit objectives and select appropriate IT to achieve those objectives (i.e., the task-technology fit is essential). It is also imperative that internal auditors understand their organization’s appropriate leveraging of IT, and learn to harness additional IT to optimize internal audit performance.https://ecommons.udayton.edu/books/1037/thumbnail.jp

Research Opportunities in Information Technology and Internal Auditing

This paper presents research opportunities in the area of information technology (IT) within the context of the internal audit function. Given the pervasive use of IT in organizations and the new requirements of the Sarbanes-Oxley Act of 2002, internal audit functions must use appropriate technology to increase their efficiency and effectiveness. We develop IT and internal audit research questions for three governance-related activities performed by the internal audit function-risk assessment, control assurance, and compliance assessment of security and privacy