What Do Auditor’s Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?
AAA Annual Meeting, 2012
AMCIS Annual Meeting, 2012
40 Pages Posted: 19 Jan 2012 Last revised: 7 Jan 2015
Date Written: November 6, 2012
By analysing auditors’ SOX 404 reports from 2004 to 2011 we find that after 2006 Big 4 reporting of both information technology control weaknesses (ITWs) and non-ITWs in reports with ITWs decreased significantly. This change appears to reflect Big 4 reporting practices in response to a change in auditing standards rather than the nature of Big 4 clients’ internal control systems, suggesting that SOX 404 auditors’ reports have become less informative. We find that associations between ITWs, non-ITWs and financial misstatements are moderated by auditor type and time period (2004-2006 vs. 2007-2011). We identify a small number of ITWs and non-ITWs in SOX 404 reporting that may hold practical implications for an auditor’s consideration of IT control testing, management’s remediation of ITWs, and an educator’s teaching of IT and non-IT controls.
Keywords: SOX 404, IT control weaknesses, determinants of IT control weakness reporting
Suggested Citation: Suggested Citation