Chapter 15
Information Technology and Enterprise Risk Management
Because of the complexity in building and maintaining information technology (IT) systems, their network interconnections, and all types of applications, risk management has been a very important consideration in all aspects of IT processes. One does not have to have been a participant or observer of IT hardware and software projects for that many years to have observed many IT projects that were launched with high expectations but subsequently failed for any of a variety of reasons. Just as people involved in marketing often have overly high expectations that some new initiative will succeed, IT processes often have high, positive expectations but ignore the many business and technology risks associated with IT systems.
IT-related issues and concerns are somewhat covered in the Committee of Sponsoring Organizations Enterprise Risk Management (COSO ERM) framework through its control activities and information and communications layers. We use the phrase somewhat covered here because IT is so pervasive in all business and operations processes that these somewhat high-level descriptions in COSO ERM guidance materials seem to miss or ignore some of the many and evolving IT risks and concerns. This is also a challenging area for understanding risks and developing appropriate risk responses. As has been the pattern over the years, no matter how strong are the designed and implemented internal controls—particularly those ...
