What Do Auditor's Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?
54 Pages Posted: 6 Jan 2010 Last revised: 6 Jan 2015
There are 2 versions of this paper
What Do Auditor's Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?
What Do Auditor’s Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?
Date Written: July 8, 2010
Abstract
After five years and hundreds of SOX 404 reports of material control weaknesses, including information technology (IT) weaknesses, there are no published studies of IT weaknesses at a detailed level and their associations with non-IT control weaknesses and financial misstatements. This study contributes to our understanding of internal control by using content analysis to identify IT weaknesses as reported by auditors rather than managers and without grouping controls according to textbooks, professional standards, or other frameworks. Analysing auditor's SOX 404 reports for the five year period 2004-08 we find, contrary to the assumption implicit in studies that classify ITWs as ‘company-wide’, that not all ITWs reported are general control weaknesses having entity-wide, pervasive effects on applications. We demonstrate the advantages and limitations of using content analysis software to identify IT weaknesses and show that SOX 404 reports classified under a single code by Audit Analytics can be sub-divided into meaningful sub-categories based on content analysis. We identify a small number of frequently-occurring combinations of IT control weaknesses and non-IT control weaknesses in auditors’ reports. We identify a significant change in auditors’ SOX 404 reports after 2006, and differences in reported IT control weaknesses associated with industry, size, and auditor type. We also investigate differences in the persistence of non-IT and IT weaknesses. We present our content analysis dictionary of words and phrases, search logic, and findings to help other researchers hampered by the lacking granularity of the coding of IT weaknesses in Audit Analytics.
Keywords: SOX 404, IT control weaknesses, Content analysis, relationship between IT and non-IT control weaknesses
Suggested Citation: Suggested Citation
Do you have negative results from your research you’d like to share?
Recommended Papers
-
Determinants of Weaknesses in Internal Control over Financial Reporting
By Jeffrey T. Doyle, Weili Ge, ...
-
Accruals Quality and Internal Control Over Financial Reporting
By Jeffrey T. Doyle, Weili Ge, ...
-
Internal Control Weakness and Cost of Equity: Evidence from Sox Section 404 Disclosures
By Maria Ogneva, Kannan Raghunandan, ...
-
By Jacqueline S. Hammersley, Linda A. Myers, ...
-
Internal Control Weaknesses and Information Uncertainty
By Messod D. Beneish, Mary Brooke Billings, ...
-
The Wealth Change and Redistribution Effects of Sarbanes-Oxley Internal Control Disclosures
By Gus De Franco, Yuyan Guan, ...
-
The Discovery and Reporting of Internal Control Deficiencies Prior to Sox-Mandated Audits
By Hollis Ashbaugh Skaife, Daniel W. Collins, ...
-
By Stephen H. Bryan and Steven B. Lilien