Accountants, Auditors Unveil Risk-Management Framework

The nonbinding framework defines two categories of information systems controls: general and application.

Steven Marlin, Contributor

September 29, 2004

2 Min Read

CIOs with extra time on their hands can thank the Committee of Sponsoring Organizations, an umbrella group of accounting and auditing firms. On Tuesday, the group--known as COSO--unveiled its Enterprise Risk Management-Integrated Framework, a guideline for identifying and measuring financial and nonfinancial risks.

The risk-management framework follows up COSO's Internal Control-Integrated Framework, issued in 1992, which is the underpinning for a section of the Sarbanes-Oxley Act in which companies and their auditors must attest to the effectiveness of internal controls over financial reporting. Beginning Nov. 15, most public companies must include such an attestation with their 2004 annual reports.

Although the framework is nonbinding on companies, it's likely to receive widespread adoption because of the clout COSO wields in setting accounting and auditing policies, many of which have been adopted by the Securities and Exchange Commission in its Sarbanes-Oxley regulations.

The enterprise risk-management framework goes beyond the internal control framework by addressing nonfinancial risks. For example, whereas the internal control framework is intended to ensure the reliability of published financial statements, the enterprise risk framework is designed to address all reports disseminated internally and externally, including regulatory filings.

The framework also adds the concept of setting strategic objectives based on a company's appetite for risk, which governs all major business decisions.

CIOs play an integral role in assuring the "availability and timeliness of information," says Miles Everson, a partner at PricewaterhouseCoopers, which was commissioned by COSO to develop the framework.

The framework defines two categories of information systems controls: general and application. General controls include technology management, infrastructure management, security management, and software acquisition, development, and maintenance. Application controls focus on the completeness and accuracy of information, such as error detection, data reasonableness tests, logic tests, and providing users with predefined lists of acceptable data.

Read more about:

20042004

About the Author(s)

Steven Marlin

Steven Marlin

Contributor

See more from Steven Marlin
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

Bald eagles, eagle in flight.
Cyber Resilience
9 Ways CISOs Can Stay Ahead of Bad Actors9 Ways CISOs Can Stay Ahead of Bad Actors
byLisa Morgan
Jul 24, 2024
9 Slides
Binary code concept pattern and big data structure.Net and source code.Abstract background of technology, science and cloud computer.
Data Management
How Much Data Is Too Much for Organizations to Derive Value?How Much Data Is Too Much for Organizations to Derive Value?
byCarrie Pallardy
Jul 22, 2024
11 Min Read
CrowdStrike Holdings, Inc. logo is displayed on a smartphone screen.
Cyber Resilience
CrowdStrike Aftermath: Lessons Learned for Future RecoveryCrowdStrike Aftermath: Lessons Learned for Future Recovery
byJoao-Pierre S. Ruth
Jul 24, 2024
6 Min Read
Calculator displaying the text "SALARY" on top of $100 bills.
IT Leadership
2024 InformationWeek US IT Salary Report: Profits, Layoffs, and the Continued Rise of AI2024 InformationWeek US IT Salary Report
byInformationWeek Staff
Jun 4, 2024
1 Min Read
Digital Security and Threat of a System
IT Leadership
11 Ways Cybersecurity Threats are Evolving11 Ways Cybersecurity Threats are Evolving
byLisa Morgan
Jun 13, 2024
11 Slides
Webinars
More Webinars
White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports