What Do Auditor's Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?

54 Pages Posted: 6 Jan 2010 Last revised: 6 Jan 2015

See all articles by J. Efrim Boritz

J. Efrim Boritz

University of Waterloo - School of Accounting and Finance

B. Louise Hayes

University of Guelph - Gordon S. Lang School of Business and Economics

Jee-Hae Lim

University of Hawaii, Manoa

Multiple version iconThere are 2 versions of this paper

Date Written: July 8, 2010

Abstract

After five years and hundreds of SOX 404 reports of material control weaknesses, including information technology (IT) weaknesses, there are no published studies of IT weaknesses at a detailed level and their associations with non-IT control weaknesses and financial misstatements. This study contributes to our understanding of internal control by using content analysis to identify IT weaknesses as reported by auditors rather than managers and without grouping controls according to textbooks, professional standards, or other frameworks. Analysing auditor's SOX 404 reports for the five year period 2004-08 we find, contrary to the assumption implicit in studies that classify ITWs as ‘company-wide’, that not all ITWs reported are general control weaknesses having entity-wide, pervasive effects on applications. We demonstrate the advantages and limitations of using content analysis software to identify IT weaknesses and show that SOX 404 reports classified under a single code by Audit Analytics can be sub-divided into meaningful sub-categories based on content analysis. We identify a small number of frequently-occurring combinations of IT control weaknesses and non-IT control weaknesses in auditors’ reports. We identify a significant change in auditors’ SOX 404 reports after 2006, and differences in reported IT control weaknesses associated with industry, size, and auditor type. We also investigate differences in the persistence of non-IT and IT weaknesses. We present our content analysis dictionary of words and phrases, search logic, and findings to help other researchers hampered by the lacking granularity of the coding of IT weaknesses in Audit Analytics.

Keywords: SOX 404, IT control weaknesses, Content analysis, relationship between IT and non-IT control weaknesses

Suggested Citation

Boritz, Efrim and Hayes, B. Louise and Lim, Jee-Hae, What Do Auditor's Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems? (July 8, 2010). CAAA Annual Conference 2010. Available at SSRN: https://ssrn.com/abstract=1532024 or http://dx.doi.org/10.2139/ssrn.1532024

Efrim Boritz (Contact Author)

University of Waterloo - School of Accounting and Finance ( email )

200 University Avenue West
Waterloo, Ontario N2L 3G1 N2L 3G1
Canada
519-888-4567 (Phone)
519-888-7562 (Fax)

B. Louise Hayes

University of Guelph - Gordon S. Lang School of Business and Economics ( email )

50 Stone Road East
Guelph, Ontario N1G 2W1
Canada

Jee-Hae Lim

University of Hawaii, Manoa ( email )

2404 Maile Way
Honolulu, HI Honolulu 96822
United States
(808) 956-8503 (Phone)
(808) 956-9888 (Fax)

HOME PAGE: http://shidler.hawaii.edu/directory/jee-hae-lim/soa

Register to save articles to
your library

Register

Paper statistics

Downloads
309
Abstract Views
1,733
rank
47,979
PlumX Metrics