IT Control Weaknesses, IT Governance and Firm Performance
39 Pages Posted: 12 Jan 2008 Last revised: 6 Jan 2015
Date Written: January 11, 2008
The Sarbanes-Oxley Act (SOX) was passed to improve corporate responsibility through measures that strengthen internal controls and increase accountability. We examine whether companies reporting internal control weaknesses will have weaker financial performance because of the required expenditures on audit fees, costs associated with fraud, waste and inefficiencies associated with internal control weaknesses, reduced revenues from disruptions to operations caused by internal control weaknesses and costs to remediate internal control weaknesses once they have been identified by the auditor. Next, we examine that the size of the impact on financial performance varies with the categories of internal control weaknesses. In particular, we distinguish between information technology (IT) controls and other controls.
Our results provide evidence that, after controlling for other factors, the material IT control weaknesses reported in conjunction with SOX 404 audits are associated with significantly higher audit fees and lower financial performance than other control weaknesses. Of the 20 material IT control weaknesses reported in conjunction with SOX 404 audits for 2004, 2005 and 2006, security control weaknesses are most strongly associated with increased audit fees and reduced financial performance.
We also investigate whether companies with material IT control weaknesses have weaker IT governance than companies without such weaknesses. We measure the strength of IT governance as a function of the IT knowledge of top company executives and board members, the tenure of the company's CIO and the presence of an IT strategy committee. We find that all of these indicators of IT governance effectiveness are significantly associated with a reduced likelihood of a company reporting material IT control weaknesses. By reducing IT control weaknesses and their associated costs, IT governance contributes to improved financial performance.
Keywords: SOX 404, IT control weaknesses, IT governance, financial performance
Suggested Citation: Suggested Citation