Ahmed Hamzah Abbas (1), Zaid Aed Mardan (2), Hayder Neamah Kadhim (3)
General Background: Rapid digital technological advancement has transformed business environments, increasing complexity and challenging traditional internal control systems. Specific Background: The integration of digital systems and artificial intelligence has reshaped management practices, requiring alignment between institutional control and project risk management. Knowledge Gap: Conventional control frameworks remain inadequate in addressing risks within dynamic digital transformation contexts. Aims: This study evaluates the activation of institutional control supported by digital systems in managing project risks. Results: Findings reveal a statistically significant relationship, with institutional control explaining 16.7% of variance in project risk management outcomes and strong agreement on ethical leadership and risk identification practices. Novelty: The study introduces an integrated framework combining institutional control, digital systems, and performance evaluation tools. Implications: Results emphasize the need for adaptive control frameworks, strengthened digital governance, and improved organizational coordination to support effective risk management in evolving digital environments.
Highlights:
• Strong Statistical Linkage Identified Between Control Activation and Risk Handling Outcomes
• Leadership Ethics and Structured Identification Processes Show High Organizational Agreement
• Integrated Framework Combining Governance Tools and Digital Infrastructure Proposed
Keywords: Digital Transformation, Institutional Control, Project Risk Management, IT Governance, Performance Evaluation.
At the current pace of technological advancement, the critical role of information technology and digital systems in shaping the business environment is evident. The increased use of digital systems has altered the way businesses operate and manage their affairs, making it imperative to build better approaches to controlling and managing the entity on the basis of digital transformation. Digital systems represent a radical change that allows the entity to harness the power of technology to optimize its performance and stay competitive. Despite these benefits, the change has posed unprecedented risks to the entity because of the increased volume of information, the greater degree of complexity, and the rising risks posed by the latest technologies. In this setting, activating institutional control for the management of project risks offers an integrated approach to dealing with the risks that digital systems pose to the entity. The approach supports the achievement of the entity’s goals by improving its adaptability to changes in the business environment. Alongside the drive to achieve goals and stay competitive in a digitalized business environment, there have been challenges in risk management and control, as many economic entities have failed to develop and apply internal controls that align with the rising demands of digital systems. Therefore, the study investigates the effect of digital systems on institutional control in managing project risks, emphasizing the need to align the principles of IT governance with the performance strategies of the institution in order to develop an integrated approach to the rising risks within digital systems.
In the study, there will be an emphasis on the latest approaches to control within the entity with the latest monitoring systems to improve the decision-making strategy of the entity within the digital system. In the end, the study will present recommendations to improve the adaptability of the control approaches to stay above the demands of the present digital system within the entity.
1. Research Problem
In recent years, the introduction of artificial intelligence into management practices has led to a great revolution in the efficiency of operations and strategies. It is not a technological revolution alone; it represents a new generation of reengineered management practices that are closely associated with “knowledge strategy.” Organizations continue to move towards optimizing decision-making and work processes as artificial intelligence technologies help analyze big data effectively and support quick solution-finding and innovative thinking in classical administrative work processes. The efficiency of these technologies depends heavily on the specific knowledge strategy adopted, which defines how information and knowledge should be distributed, used, and retained. Recent studies reviewed by the Public Company Accounting Oversight Board (PCAOB) have revealed rising inefficiency levels in audit work, with a specific concern for error detection and financial fraud. Based on these findings, audit standards have changed to focus on the inclusion of data analytics in auditing. However, auditors face challenges in data interpretation. These challenges result from a less-developed creative thinking approach, which is required for observing abnormal data patterns and making decisions based on knowledge and interpretation of evolving data insights. Current evidence indicates that, in comparison with professionals in other occupations, including marketing and entrepreneurship, auditors tend to display weakness in their creative approach. Further evidence indicates that there would be a failure in interpretation by a group.
2. Research Importance
This study gains its significance from several key aspects, including:
1. Highlighting the use of the refined Institutional Control Framework in the management of risks in projects as an integrated and comprehensive source of reference in relation to IT governance.
2. Emphasizing the importance of the balanced scorecard as a complementary tool for appraising the efficiency of IT management and its incorporation within the revised framework of risk management.
3. Enhancing and supporting top management's decisions by offering an integrated methodology based on balancing control activities and risk-oriented processes, thus promoting economic stability.
4. Investigating the effects of the digital transformation on the activation of institutional control in a strategic setting that takes into consideration the implications of technology advancements related to control activities.
5. Proving the need for a flexible and adaptive institutional framework that can respond to the new digital reality and allow the organization to gain sustainable advantages.
3. Research Objectives
The researcher aims to:
- Assess the extent to which control mechanisms in institutions are involved in project risk management in the given study samples.
- Determine the digital system technology that can enhance the activation of institutional control.
- Build a practical framework that combines the renewed institutional control model with project risk management to enhance the evaluation of information technology management performance.
- Emphasize the key risks and threats to internal control systems in the context of digital and information technology-based settings.
4. Research Hypotheses
- H₀: There is no statistically significant effect of enabling institutional control supported by digital transformation on improving the effectiveness of project risk management.
- H₁: There is a statistically significant effect of enabling institutional control supported by digital transformation on improving the effectiveness of project risk management.
Theoretical Framework of the Study
Section One: The Cognitive Foundations of Enterprise Risk Management Activation
Concepts of Risk and Risk Management
The International Organization for Standardization (ISO) defines risk as uncertain future events that may affect the achievement of strategic, operational, and financial objectives [1]. Risk may also be defined as the probability of the occurrence of an event, loss, damage, severe consequences, or the impact of uncertainty associated with the business environment on achieving objectives. In such a case, the effect can be positive or negative. The positive effect shows the possibilities of turning risk into an opportunity, which can be exploited, while the negative effect shows the transformation of risk into a threat, which can act as an obstacle in achieving the objectives [2].
With regard to risk management, it is defined as a comprehensive managerial activity that starts from the economic unit itself, including its leadership and employees at all three organizational levels. Its task is to identify, analyze, and treat risks in a strategic and systematic manner [3].
Frameworks Issued by the COSO Commission for Enterprise Risk Management
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued two frameworks related to Enterprise Risk Management (ERM). The first was issued in 2004 and is known as the “Integrated Framework”, while the second, which is an updated version, was issued in 2017 and is titled “Integrating with Strategy and Performance.” The following presents an explanation of the concept, model, objectives, components, and principles of each framework.
1. COSO Enterprise Risk Management Framework (2004): “The Integrated Framework” [4]
A. Concept of the Enterprise Risk Management (ERM) Framework
The ERM model is perceived to consist of a number of processes that are adopted by economic units for risk management, which may serve to favorably or adversely affect those economic units' competitiveness, success, or performance [5]. It can also be described as a number of processes adopted by an organization to determine risks, along with ways of responding to those risks, so as to create a level of reasonable assurance on meeting organizational objectives [6].
In addition, it is described as a process for risk identification and analysis with a focus on an integrated viewpoint at the economic unit level, with a structured and disciplined approach with the goal of aligning strategy, processes, people, and technology in an attempt to assess the uncertainties involved in business activities. Its primary focus is on the risk management process and moving away from a reactive approach towards a proactive and strategically organized approach [7].
The Institute of Internal Auditors (IIA) described ERM as a structured framework that is proactive in nature and aimed at managing risk. It thus assists in developing techniques for managing the risks that are important to the board and the management. The structured framework focuses on key areas such as strategy, operations, planning and control, people, technology, and knowledge in order to view the risk to the organization in both the internal and the external environment [8].
The framework can also be described as a process that is impacted by a company’s board of directors, management, and workforce, focusing on strategy formulation and the whole organization. The process aims to look at possible events that can impact the organization and manage the risks within the acceptable risk appetite limits, offering reasonable assurance on the fulfillment of organizational goals. The process helps organizations to manage the risks associated with environmental uncertainties, hence achieving organizational strategic, operational, reporting, and compliance objectives [9].
This latter definition reflects several key characteristics [4]:
• A continuous process that flows throughout the entire organization.
• Influenced by individuals at all organizational levels.
• Applied in the strategy-setting process.
• Implemented across all organizational units and levels, including subsidiaries, and incorporates a portfolio or risk map at the organizational level.
• Capable of providing reasonable assurance to management and the board of directors.
• Designed to achieve objectives within one or more distinct but interrelated categories.
B. COSO ERM Cube Model
The COSO Committee developed a model to illustrate the objectives, components, and organizational structure of the economic unit. This model takes the form of a cube. The columns on the right side of the cube represent the organization as a whole, its divisions, and its subsidiaries. The horizontal rows represent the eight components of the ERM framework, while the top columns of the cube represent the four organizational objectives that management seeks to achieve in order to realize the organization’s overall goals.
The model reflects the logical interrelationship between the objectives of the control framework, its components, and the hierarchical levels of the organization [10]. Figure (1–1) illustrates the COSO ERM Cube Model [4].
Figure (1–1): COSO Enterprise Risk Management Cube Model (2004) [4]
Source: Kagermann, Henning; Kinney, William; Küting, Karlheinz; & Weber, Claus-Peter, Internal Audit Handbook, First Edition, Springer-Verlag Berlin Heidelberg, 2008, page 10 [9].
C. Objectives of Enterprise Risk Management (ERM)
The objectives of the Enterprise Risk Management (ERM) framework issued in 2004 are determined within the scope of the economic unit’s mission and vision. The process of setting these objectives should be sequential across the different organizational levels of the entity and aligned with its strategy. The objectives of the framework can be classified into four main categories as follows [11]:
• Strategic Objectives: These relate to high-level objectives that are aligned with the mission and vision of the economic unit.
• Operational Objectives: These relate to the effectiveness and efficiency of the economic unit’s operations, including performance and profitability objectives.
• Reporting Objectives: These objectives relate to the reliability and effectiveness of the economic unit’s reports, encompassing both internal and external reports and including financial and non-financial information.
• Compliance Objectives: These objectives relate to the extent to which the economic unit complies with applicable laws, regulations, and standards.
Indeed, RMF provides reasonable assurance that reporting and compliance goals will be realized, because these fall mainly within the control of the economic entity. On the other hand, strategic and operational goals could in some cases be affected by factors beyond the control of the entity’s management. For these goals, RMF would therefore provide reasonable assurance in the form of timely reporting to the Board of Directors on the entity’s progress in meeting both its strategic and operational goals [10].
Section Two: The Cognitive Foundations of Digital Transformation
2.1 The Concept of Digital Transformation (DT)
According to Patra, Digital Transformation is “a way of enabling a computer, a computer-controlled robot, or a software program to think intelligently in the same manner as intelligent human beings.” [12] Digital Transformation is done after analyzing human knowledge processing processes and behaviors that occur in human beings when they learn, make decisions, and take actions in problem-solving situations.
Table (1) presents some definitions related to Digital Transformation from the perspectives of a number of researchers and scholars.
2.2 The Importance of Digital Transformation
The relevance of Digital Transformation (AI) remains wide because it has application across almost every field. With the advancements in AI technology, it has the potential to bring about positive change in the world, not only by making it more efficient and safer but also by addressing many of the pressing issues of the contemporary world [19].
Within the modern business environment, the adoption and integration of technology, specifically Digital Transformation and machine learning, is no longer an option but a necessity for the survival and success of organizations. It has not only made operations easier and more efficient across all industries, but has also triggered a paradigm shift in the role and application of human resource management (HRM), from the optimization of the supply chain to the development of human talents and capabilities in organizations. AI and machine learning have gradually permeated the other functions of human resource management, indicating a paradigm shift in how those functions and processes are applied and developed, ranging from the acquisition and development of talent and capabilities to the management of performance [20]. By analyzing the changing role of these technologies, the following discussion seeks to provide an overview of the emerging trends and opportunities in human resource management in a modern business environment driven by the adoption and application of Digital Transformation and machine learning technologies.
2.3 Characteristics of Digital Transformation
Digital Transformation (AI) is considered a behavior with properties that enable it to simulate human cognitive behaviors and abilities. The most important and prominent characteristics are as follows:
1. The ability to acquire knowledge and provide information in support of decision-making at the managerial level and to learn from past experiences and understand situations. The ability to envision, create, and understand [21].
2. The ability to think, perceive, learn, and apply knowledge, as well as the ability to respond quickly to new situations and conditions, and the ability to handle complex and unclear situations, even when lacking complete information [22].
3. The documentation of human experiences and the offering of various alternatives, which reduces the dependence on human expertise and resists boredom, thus upgrading human capabilities [23].
Analysis of Results: Interactional Perspective on Activating Project Risk Management in Light of Digital Systems
The aim of the study was to investigate the manner in which the process of project risk management activation is linked to digital systems to enhance governance and effectiveness. Using the dataset from the questionnaire study, the weighted means and relative importance of the items and domains have been calculated to determine the level of interdependence among the tools, processes, and digital systems.
Control Environment
The statement with which there was the highest positive response was: “Senior leadership serves as a role model in adhering to integrity and ethical values, which positively affects employee behavior.” The statement got the highest mean of 4.52 with a weightage percentage of 90.4%, meaning that there was a remarkable agreement among respondents that senior leadership takes a lead when it comes to conduct with integrity and commitment to ethics. The second-most preferred option was: “Ethical policies are periodically discussed and clarified to all employees in order to improve their dedication to the organizational values,” having a percentage weightage of 88.4% and a mean of 4.42. This indicates that the management's focus is on regularly communicating the ethical policies to the employees.
In addition, statements such as “The organization attempts to cultivate an ethics compliance culture through internal mechanisms and through training programs” and “Leaders of the organization make use of ethics standards to guide their decisions” had a considerably high weight of around 86.2% and 86.6%, respectively. These clearly reflect the presence of ethics culture within the respective organizations, which are linked to transparency and accountability by the leaders and the governing systems of these organizations. The statement that attracted the lowest relative assessment rating was “Senior management is cognizant of the fact that promotion of ethics values would improve organizational efficiency and the effectiveness of internal controls,” which had a weight measure of 79.8% and a mean rating measure of 3.92. Even though the rating measure is relatively lower, it is still within the ‘good’ rating measure.
Table (2): Frequency Distribution, Mean, Standard Deviation, Percentage Weight, and Ranking of Items for the Dimension: Integrity & Ethical Values
Risk Assessment
The Risk Identification dimension is viewed as basic in nature in the context of the Risk Assessment component of COSO. It focuses mainly on identifying risks that could potentially hamper the achievement of organizational goals from both internal and external sources and also classifying these identified risks. Descriptive statistics show that there is a mean of 3.24 and a standard deviation of 4.86 for this question. It appears there is a fairly consistent spread of data. The total percentage weight (454.0%) represents employees' awareness of the importance of risk identification in the organization.
The category "identification of external risks" scored the highest average, with an average score of 60.4, with a weight of 92%, indicating the employees' recognition of the importance of external risk identification, such as market risks, competitors, and government factors, due to their great significance to the organization. The category "identification of internal risks" scored the second highest, with a weight of 89.6%, indicating that the employees are cognizant of risks that may originate from within.
The task “identifying potential impacts” ranked third with a weightage of 84%, ensuring that there is an understanding of the requirement for evaluating the potential impact of risks on the stated organizational objectives. The last two tasks, namely “identifying risk sources” and “risk classification,” ranked fourth and fifth, with a weightage of 83.8% and 83%, respectively, thereby stressing the need for help or support with respect to risk classifications and source identifications.
However, based on the findings, there is adequate attention paid by the Petroleum Products Distribution Company in respect to the risk identification process. The risk factors are properly identified as both external and internal sources. Despite this observation, improving risk classification and sources could add value to risk assessment in line with COSO guidelines in terms of minimizing possible deviations and maximizing risk management capabilities by the organization.
Table (2): Frequency Distribution, Mean, Standard Deviation, Percentage Weight, and Ranking of the Paragraphs for the Risk Identification Dimension
1. Study Hypothesis:
There is a statistically significant effect of enabling institutional control supported by digital transformation on improving the effectiveness of project risk management.
• Null Hypothesis (H₀):
There is no statistically significant effect of enabling institutional control supported by digital transformation on improving the effectiveness of project risk management.
Table (3): Results of the Impact of Cloud Computing Technology on the Elements of Accounting Information Systems
Based on the results presented in Table (59) above, it is evident that there is a statistically significant effect of enabling institutional control supported by digital transformation on improving the effectiveness of project risk management. This is confirmed by the calculated F-value of (16.028), which exceeds the tabulated value of (3.937) at a significance level of (0.05) and degrees of freedom (1, 80). Accordingly, it is possible to infer the level of impact of institutional control supported by digital transformation on enhancing project risk management effectiveness.
Furthermore, the coefficient of determination (R²) reached a value of (0.167), indicating that institutional control supported by digital transformation explains approximately (16.7%) of the total variance in project risk management effectiveness, while the remaining variance can be attributed to other random variables outside the regression model. In addition, the beta coefficients (β) and the corresponding t-test results show that the calculated t-value amounted to (4.003), which is greater than the tabulated value of (1.993). Accordingly, the study hypothesis is supported, which states that there is a statistically significant effect of enabling institutional control supported by digital transformation on improving the effectiveness of project risk management.
Conclusions
1. Risk management is a crucial strategic objective for the achievement of digital system project endeavors, due to the risks posed by technology, organizational structure, and cybersecurity threats presented to these endeavors. It thus becomes necessary to have a successful risk management approach for these projects.
2. In today’s ever-changing business environment, new risks posed by digital systems are emerging with increased dependencies and high levels of complexity with the growing usage of artificial intelligence, internet of things, cloud computing, and data platforms. These risks cannot be managed by conventional tools of risk management.
3. Organizational culture continues to play a very important role in alignment in adopting digital solutions and their risk management. In situations where a lack of transparency, accountability, and openness in data decision-making is experienced, alignment in digital solution implementation is impeded.
4. Digital technology greatly improves risk management efficiencies because of improved monitoring and tracking capabilities, as well as enhanced analytical functionalities that can aid in the rapid identification of anomalies without interrupting the normal processes.
5. The digital platform enhances risk communication and reporting, facilitates direct access for leaders, and improves their capacity for decision-making.
6. The interface between the adoption and application of information technology and risk management practices bears a strong relationship with good corporate governance in the area of compliance and accountability.
7. Lack of coordination among administrative bodies hampers the efficiency of risk management and information technology. It results in overlapping work and reduces the effectiveness of operational and strategic activities.
8. There may be a lag between the point at which data infrastructure becomes available and the point at which there is human resource capacity to interpret the data and make the most of what the technology offers.
Recommendations
1. Incorporate the enterprise risk management process at the point of inception when designing a digital system in order to integrate risk within the strategic planning processes through scanning and the achievement of strategy goals in digital transformation processes.
2. Improve risk management solutions by taking advantage of modern digital technology such as digital transformation, predictive analytics, and the use of big data analytics. All this can also be enhanced by intelligent dashboards that can visualize risk patterns at the right time.
3. Encourage a risk-aware culture that promotes digital transformation by creating opportunities for continuous learning, awareness, and a work culture driven by transparency, action, and innovation related to digital risks.
4. Integrate the risk management tracking system fully into the digital infrastructure, so that there are no issues in connecting risk management systems with the overall organizational systems such as ERP, CRM, or workflow management solutions.
5. Build risk reporting and documentation platforms that enable instant risk reporting and documentation, with systematic archiving and assignment of risks, according to their respective risk types, to specialized risk teams within the organization.
6. Create frameworks for digital governance based on those in ERM, such as regular updates related to control policies, application of digital performance indicators as factors in enhanced digital governance effectiveness, and active senior management review.
7. Build cross-functional teams for digital projects, including input from the IT, risk management, and strategic planning departments, to achieve alignment between technology capabilities, risk mitigation, and business performance objectives.
8. Invest in human capability development in digital risk management. The focus would be on training and certification programs in collaboration with institutions of higher learning. This would enable organizations to develop a high level of competency to deal with all manner of digital threats.
References
[1] International Organization for Standardization, ISO 31000: Risk Management—Guidelines. Geneva, Switzerland: ISO, 2018.
[2] T. Kose and S. Agdeniz, “Risk management and organizational performance,” Journal of Risk Research, vol. 22, no. 4, pp. 510–511, 2019.
[3] A. Firsova and I. Vaghely, “Risk management as a strategic tool for business sustainability,” Economic Annals, vol. 63, no. 218, pp. 248–249, 2018.
[4] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrated Framework. New York, NY, USA: AICPA, 2004.
[5] E. J. Blocher, D. E. Stout, P. E. Juras, and S. Smith, Cost Management: A Strategic Emphasis, 8th ed. New York, NY, USA: McGraw-Hill Education, 2019.
[6] R. H. Garrison, E. W. Noreen, and P. C. Brewer, Managerial Accounting, 16th ed. New York, NY, USA: McGraw-Hill Education, 2018.
[7] L. F. Woon, N. A. Azizan, and M. F. A. Samad, “A strategic approach to enterprise risk management,” Journal of Risk Management, vol. 4, no. 1, pp. 23–35, 2011.
[8] B. Soltani, Auditing: An International Approach. Harlow, U.K.: Pearson Education, 2007.
[9] H. Kagermann, W. R. Kinney, K. Küting, and C.-P. Weber, Internal Audit Handbook, 1st ed. Berlin, Germany: Springer-Verlag, 2008.
[10] M. B. Romney and P. J. Steinbart, Accounting Information Systems, 13th ed. Boston, MA, USA: Pearson Education, 2015.
[11] R. M. Steinberg, M. E. Everson, F. J. Martens, and L. E. Nottingham, Enterprise Risk Management—Integrated Framework: Executive Summary. New York, NY, USA: COSO, 2007.
[12] S. Patra, Artificial Intelligence and Intelligent Systems. Oxford, U.K.: Oxford University Press, 2011.
[13] T. Thabit, “Intelligent systems and decision-making processes,” International Journal of Computer Science, vol. 10, no. 3, pp. 236–245, 2015.
[14] D. Castro and N. Joshua, The Promise of Artificial Intelligence. Washington, DC, USA: Center for Data Innovation, 2016.
[15] R. Calo, “Artificial intelligence policy: A primer and roadmap,” University of California Law Review, vol. 51, no. 2, pp. 399–435, 2017.
[16] Microsoft Corporation, Artificial Intelligence and Digital Transformation. Redmond, WA, USA: Microsoft, 2019.
[17] P. Boucher, Artificial Intelligence: How Does It Work, Why Does It Matter, and What Can We Do About It? Brussels, Belgium: European Parliamentary Research Service, 2020.
[18] J. Guan, J. Zhang, and Y. Yan, “Artificial intelligence and intelligent systems: Theory and applications,” Technological Forecasting and Social Change, vol. 155, pp. 136–145, 2020.
[19] M. Shohsanam, “Artificial intelligence and sustainable development,” Journal of Digital Innovation, vol. 9, no. 1, pp. 159–170, 2023.
[20] S. Basnet, “Artificial intelligence and machine learning in human resource management: Emerging trends and future prospects,” International Journal of Human Resource Studies, vol. 14, no. 2, pp. 281–295, 2024.
[21] A. Abdul Rahman, “Artificial intelligence capabilities and managerial decision support,” Journal of Management Systems, vol. 12, no. 3, pp. 1202–1203, 2025.
[22] M. Al-Fadhil, R. Hassan, and K. Yaseen, “Artificial intelligence applications in complex organizational environments,” Information Technology & Management, vol. 25, no. 2, pp. 112–125, 2024.
[23] M. U. Scherer, “Regulating artificial intelligence systems: Risks, challenges, and opportunities,” Harvard Journal of Law & Technology, vol. 29, no. 2, pp. 56–75, 2016.