In: Accounting
Discuss how the COSO's Enterprise Risk Management — Integrated Framework relates to Internal Control for Technology
Internal control is an integral part of enterprise risk management. This enterprise risk management framework encompasses internal control, forming a more robust conceptualization and tool for management. Internal control is defined and described in Internal Control – Integrated Framework. Because that framework has stood the test of time and is the basis for existing rules, regulations, and laws, that document remains in place as the definition of and framework for internal control. While only portions of the text of Internal Control – Integrated Framework are reproduced in this framework, the entirety of that framework is incorporated by reference into this one.
There have been a wide variety of frameworks utilized across companies and across countries. Some of these focus narrowly on risk management (rather than enterprise risk management). Others focus on specific industries or specific types of risk. In addition, many of these focus on mechanisms for reducing — rather than managing — risk. By contrast, the COSO Enterprise Risk Management – Integrated Framework addresses enterprise risk management applicable to all industries and encompassing all types of risk. Moreover, the framework recognizes that an effective enterprise risk management process must be applied within the context of strategy setting. This is a fundamental difference from most risk models used to date. It starts with the top of the organization and supports an organization’s major mission. In addition, many of the pre-existing frameworks stood by themselves, and thus tended to be implemented within functions. As a result, many risk management practices have been implemented in silos (i.e., in one part or one function of the organization). Consequently, risk management may be done very well in one section, but not consider how actions of other parts of the organization affect their risks, or it might not capture the overall significant risks that the organization faces. The Enterprise Risk Management – Integrated Framework presents an enterprise-wide perspective of risk and standardizes terms and concepts to promote effective implementation across the organization.
There are natural linkages between enterprise risk management, improved financial reporting and transparency. The Enterprise Risk Management – Integrated Framework requires that organizations establish a risk appetite, measure actions and decisions against that risk appetite and communicate results. Communication of enterprise risk management to users of financial information clearly enhances transparency. The Enterprise Risk Management – Integrated Framework requires feedback of information from throughout the company. This information must be current and accurate and must be robust enough to support the analysis of different risk responses. Therefore, the technology that provides this data must have the highest levels of integrity and controls. Enterprise risk management cannot be effective if the technology that provides the data used to manage risk is flawed. Controls related to technology, also referred to as general computer controls, were also discussed in the Internal Control – Integrated Framework.
The Internal Control – Integrated Framework is conceptually sound and has stood the test of time. The Enterprise Risk Management – Integrated Framework is a broader framework that incorporates the internal control framework within it. In other words, one approach to risk is to develop controls to mitigate the risks. The frameworks are compatible and are based on the same conceptual foundation. We believe the consistent conceptual underpinnings are a major strength of the two models. Appendix C of the Enterprise Risk Management – Integrated Framework provides a detailed discussion of the relationship to Internal Control – Integrated Framework.
A strong system of internal control supports the achievement of the organization’s business objectives and therefore good internal control is a way of managing risk. However, enterprise risk management is much broader than internal control. In addition to supporting management’s efforts to achieve business objectives, it aligns risk management with strategy setting and aids a company’s ability to assess whether the organization is accepting risk appropriately.
Thank you.