What Do Auditor's Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?
54 Pages Posted: 6 Jan 2010 Last revised: 6 Jan 2015
Date Written: July 8, 2010
After five years and hundreds of SOX 404 reports of material control weaknesses, including information technology (IT) weaknesses, there are no published studies of IT weaknesses at a detailed level and their associations with non-IT control weaknesses and financial misstatements. This study contributes to our understanding of internal control by using content analysis to identify IT weaknesses as reported by auditors rather than managers and without grouping controls according to textbooks, professional standards, or other frameworks. Analysing auditor's SOX 404 reports for the five year period 2004-08 we find, contrary to the assumption implicit in studies that classify ITWs as ‘company-wide’, that not all ITWs reported are general control weaknesses having entity-wide, pervasive effects on applications. We demonstrate the advantages and limitations of using content analysis software to identify IT weaknesses and show that SOX 404 reports classified under a single code by Audit Analytics can be sub-divided into meaningful sub-categories based on content analysis. We identify a small number of frequently-occurring combinations of IT control weaknesses and non-IT control weaknesses in auditors’ reports. We identify a significant change in auditors’ SOX 404 reports after 2006, and differences in reported IT control weaknesses associated with industry, size, and auditor type. We also investigate differences in the persistence of non-IT and IT weaknesses. We present our content analysis dictionary of words and phrases, search logic, and findings to help other researchers hampered by the lacking granularity of the coding of IT weaknesses in Audit Analytics.
Keywords: SOX 404, IT control weaknesses, Content analysis, relationship between IT and non-IT control weaknesses
Suggested Citation: Suggested Citation