A Content Analysis of Auditors' Reports on it Internal Control Weaknesses: The Comparative Advantages of an Automated Approach to Control Weakness Identification
International Journal of Accounting Information Systems Volume 14, Issue 2, June 2013, Pages 138–163
Posted: 21 Nov 2014
Date Written: 2013
We employ an automated content analysis approach to provide a snapshot of the terminology auditors actually use to describe information technology weaknesses (ITWs). We develop and use a dictionary based on textual analysis of auditors' reports on internal control filed under Section 404 of the Sarbanes–Oxley Act from 2004 to 2009. Using the dictionary with content analysis software led to the identification of 14 categories of ITWs in order of decreasing frequency of occurrence: (1) access, (2) monitoring, (3) design issues, (4) change and development, (5) end-user computing, (6) segregation of incompatible functions, (7) policies, (8) documentation, (9) masterfiles, (10) backup, (11) staffing sufficiency and competency, (12) security (other than over access), (13) outsourcing and (14) operations. The use of automated content analysis methodology also helped us identify potential disconnects between terminology used in auditors' reports and that used in published frameworks and guidelines. We provide the dictionary and discuss the methodology used in creating and applying the dictionary to the analysis of the textual content of auditors' reports on internal control, including the advantages and limitations of automated ITW identification.
Keywords: SOX 404, Information technology control weaknesses, Internal control weaknesses, Content analysis
Suggested Citation: Suggested Citation