International Journal of Accounting Information Systems 8 (2007) 225–239

Internal and external influences on IT control governance

Chan Li a, Jee-Hae Lim b,⁎, Qian Wang c

a University of Pittsburgh, United States
b University of Waterloo, Canada
c University of Kansas, United States

⁎ Corresponding author.

Received 10 July 2006; received in revised form 19 September 2007; accepted 20 September 2007

doi:10.1016/j.accinf.2007.09.002

Abstract

This study provides empirical evidence on the effects of internal and external governance on IT control quality proxied by IT related material weaknesses. IT control governance is defined as the leadership and organizational structures and control processes which ensure that the company's IT sustains and extends the company's strategies and objectives. Specifically, we examine the influence of senior management, the board of directors, and audit committees regarding IT control governance. We find that companies with more IT-experienced senior managers, with CIO positions or longer tenured CIOs and with higher percentages of independent board directors are less likely to have IT material weaknesses. We also provide partial evidence that more IT-experienced audit committee members are associated with less IT material weakness. The results suggest that both internal and external governance serve important roles in IT control quality.

© 2007 Elsevier Inc. All rights reserved.

Keywords: IT control quality; IT material weakness; SOX 404

1. Introduction

Information Technology (IT) continues to grow in importance to companies, both by facilitating day-to-day operations and by contributing to a competitive advantage. Corporate spending on IT increased by five percent in 2005, with a value of U.S. $916 billion (IT Black Book published by the IDC). Along with this economic improvement, companies are facing even greater challenges to meet raised expectations to provide accurate, visible, and timely information, while ensuring the protection, privacy, and security of their organizations' information assets. Executives and stakeholders require IT to deliver business value, generate a return on investment, and move from efficiency and productivity gains toward value creation and business effectiveness.

Section 404 of the landmark Sarbanes–Oxley Act (SOX) requires public companies to report the effectiveness of their internal control systems and requires auditors to verify management's reports as well as to provide their own reports on the effectiveness of the internal control systems. Considering that most companies' business transactions are routinely electronic, IT systems have become an integral part of companies' internal control systems. The Public Company Accounting Oversight Board (PCAOB) specifically states that IT control should be considered as company-level control or application level, given the extensive and pervasive usage of IT in the companies' daily business processes and transactions (PCAOB, Standard No. 2, 2004).

SOX makes executives of public companies explicitly responsible for establishing, evaluating, and monitoring the effectiveness of internal control over financial reporting and disclosure. Given the critical role that IT-based systems play in the success of many companies and due to increased regulatory requirements, senior management is becoming more accountable for IT control effectiveness. However, given the paucity of quality data on IT control, to our knowledge, no empirical studies examine the influence of internal and external governance that could potentially affect IT control.
This study examines the influence of senior management, the board of directors, and audit committee regarding IT control governance, by using companies' SOX 404 report data. We define IT control governance as the leadership and organizational structures and control processes which ensure that the company's IT sustains and extends the company's strategies and objectives. Specifically, IT control governance consists of internal IT control influences (referring to senior leadership involvement with IT control) and external IT control influences (referring to the role of independent directors, and audit committees on IT control). Since IT controls are crucial components of internal controls, we define companies' IT control quality by identifying IT related control weaknesses from SOX 404 reports. IT controls are of lower quality if companies have at least one IT related material weakness in their SOX 404 reports. IT controls are of higher quality or effective if companies do not have any IT related material weaknesses. IT related weaknesses in SOX 404 reports include weaknesses in information system design, access, security, data backup and recovery, and firewall protection.[1]

Our results indicate that companies with Chief Information Officer (CIO) positions or CIOs with longer tenure, more IT-experienced senior management, a higher percentage of independent board members, and more IT-experienced audit committee members are less likely to have material weaknesses in their IT-related internal controls. These findings suggest both internal and external factors serve important roles in the governance and effectiveness of IT control.

This paper is structured with six sections. The second section provides background information on SOX 404 and the motivation to pursue this study. The third section discusses related studies and develops hypotheses. The fourth section discusses models and variable specifications.
The fifth section presents the results and the final section contains our conclusions, limitations and recommendations for future research.

[1] See Appendix for more examples on IT related weakness.

2. Regulation background and motivation

SOX is viewed by many as the most significant financial legislation in nearly 70 years (PricewaterhouseCoopers, 2004). One of the most significant provisions of SOX is Section 404: Management Assessment of Internal Controls (SOX 404), which requires publicly registered companies (a) to state their responsibility for establishing and maintaining adequate internal controls for financial reporting; and (b) to provide an assessment of the effectiveness of such internal controls. SOX 404 also requires the external auditors to attest and report on the assessment made by the management. Auditing Standard No. 2 issued by the PCAOB in March 2004 requires, in addition to the attestation of management's report, the auditor to render an opinion regarding the client's internal control over financial reporting (ICOFR). At its core, SOX 404 emphasizes the need of investors to have confidence not only in the financial reports issued by a company but also in the underlying processes and controls that generate those reports (KPMG, 2004).

The key concept in evaluating the effectiveness of ICOFR is material weakness. The PCAOB identifies three types of internal control problems (in increasing levels of severity): control deficiencies, significant deficiencies, and material weaknesses. Material weaknesses are the most severe ones because they indicate internal control problems that “result in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected” (p. 149, PCAOB, Standard No. 2, 2004).
When one or more material weaknesses exist in the company's ICOFR, auditors are required to issue an adverse opinion on the effectiveness of ICOFR.

The PCAOB identifies two sets of control issues: company-level controls and specific controls (PCAOB Standard No. 2). Company-level controls refer to controls that “might have a pervasive effect on the achievement of many overall objectives of the control criteria” (PCAOB Standard No. 2, para. 52, p. 163). Specific controls are those that are “designed to achieve specific objectives of the control criteria” (PCAOB Standard No. 2, para. 50, p. 163). Recent studies suggest company-level control weaknesses are more negative and serious than specific control weaknesses (e.g. Doyle et al., 2005; Ettredge et al., 2006; Moody's Investor Service, 2004).

SOX has a strong impact on the relationship between IT control governance and IT control quality. Previously, internal control assertions were, for the most part, voluntary and based on varying guidelines. This has changed. The Act specifically mentions Internal Control — Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as an international control framework for financial reporting. The Act identifies the need for general and application controls but does not provide a comprehensive set of control objectives that need to be met by IT controls. Indeed, IT controls over program development, program change, computer operations, and access to programs and data that help ensure the effective operation of specific controls are clearly considered as one type of company-level control (PCAOB Standard No. 2). Advice to board of directors traditionally focused on board structure, composition, size, and independence, but was short on risk management and practical IT control effectiveness. Sarbanes–Oxley requirements have changed that and made a significant impact on executive and board attention to governance over IT control.
Therefore, we investigate factors affecting companies' IT control quality from the perspectives of senior management, independent directors, and audit committees.

3. Hypotheses development

3.1. Senior management and IT control material weakness

Senior management refers to members of the top management team, including the Chief Executive Officer (CEO), the Chief Financial Officer (CFO), the Chief Operating Officer (COO), the Chief Information Officer (CIO) and other senior business executives responsible for key business or functional areas. Through a variety of rich case studies, McKenney and Copeland (1995) document the critical role of senior management in facilitating the use of IT in firms well-known for their IT innovation success. Other scholars suggest that the CIO's technical and business knowledge, in particular, are essential to innovation success (Earl, 1989). An IT-literate business management team is also regarded as vital (Keen, 1991; Boynton et al., 1994). Extending prior conceptualizations and definitions of the top management team (Wiersema and Bantel, 1992), we define senior management as the organizational collective consisting of the firm's CEO, CFO, CIO and other senior management officers, such as COO and other Executive Vice Presidents.

A number of researchers have maintained that, as IT applications become a significant element of industry structure and competition, the CEO's views about investment in IT become considerably more relevant and instrumental in shaping IT use in a company (Feeny et al., 1992; Jarvenpaa and Ives, 1991; Barker and Mueller, 2002). For example, with their broad perspective in the firm, CEOs may be singularly positioned to recognize the value of large-scale, IT-based integrations that cannot be justified strictly by return on investment calculations in the early stages.
Perhaps more importantly, a CEO's strong signals in support of IT can be expected to get line management personally active in proposing and developing IT-related initiatives (Feeny et al., 1992; Jarvenpaa and Ives, 1991). Thus, CEOs' backgrounds might influence the degree of their involvement in IT management and would also be more likely to steer funds toward IT investment.

Most companies use the IT process to distribute automated financial reports. The CEOs and CFOs must ensure that the process is supported with full documentation of the IT system, with process flows detailing where, when, and how the information is extracted. Indeed, the quality of IT controls related to financial reporting must elicit the confidence of the CEO and CFO if they are to sign off on financial reports to shareholders. Therefore, our view is that a CEO or CFO who has an IT background is more likely to ensure the IT is appropriately run and resourced. In addition, CEOs and CFOs with IT knowledge are likely to have a better understanding of the nature and extent of the challenges that the company would face if initial results from a preliminary control evaluation by auditors find an IT control weakness. As a result, they are more likely to respond appropriately to remedy such problems in time and avoid the need for them to be reported. We define IT-related experience based on whether the CEO or CFO previously held CIO positions, whether they were IT consultants, or whether they worked as senior managers in IT companies (e.g. software, programming, database or internet companies). So, we summarize our first hypothesis as:

H1. Companies with a CEO or a CFO who has IT-related experience are less likely to have IT control material weakness in the ICOFR.

The Chief Information Officer (CIO) is uniquely positioned to devise and implement a vision of the role of IT in furthering business strategies.
One of the primary motivations for creating the CIO position is to establish an IT designated peer who is more likely to be accepted by the inner circle of the firm's leadership (Armstrong and Sambamurthy, 1999; Earl, 1996; Ross and Feeny, 2000). The CIO is also the chief executive of the IT function and thus can fashion the IT management effectively. An effective IT management capability is positively related to a firm's extent of IT use (Boynton et al., 1994). Furthermore, the announcements of newly created CIO positions are likely to have a positive signaling effect on the market (Chatterjee et al., 2001). Companies having a CIO position could also be an indicator that these companies highly value the importance of IT in business process and risk management, and hence devote more resources to IT control.

CIOs need to pay attention to IT asset management as well as reporting, as IT assets are governed by the SOX Act (Sutton and Arnold, 2005). Since CIOs need to grasp the bigger picture including contract management, asset life cycles, and discretionary spending by IT staff, the more experienced CIO a firm has, the more likely (s)he can better manage IT project priorities to meet the internal control and reporting requirements of that firm, especially when changes in IT systems take time to implement (Armstrong and Sambamurthy, 1999). In other words, longer tenured CIOs better understand the firm's overall operation systems, as well as the weak aspects of the IT process from their prior experience. Thus they can focus more on those aspects to prevent IT problems from happening, or even if problems happen, they can quickly respond to the problems and correct them before they are reported.
In essence, the tenure of a CIO may not only help ensure that IT strategy is aligned with the company's overall business strategy, but also efficiently and effectively help avoid IT control weakness. Therefore, our second set of hypotheses is:

H2a. Companies with a CIO position are less likely to have IT control material weakness in the ICOFR.

H2b. Companies with longer tenured CIOs are less likely to have IT control material weakness in the ICOFR.

Strong partnerships between the CIO and the senior business management are expected to contribute to the firm's IT controls and assimilations. Keen (1991) argues that IT successes generally reflect an effective relationship between business management's IT understanding and information services managers and their staffs. The firm could put more resources on IT controls and emphasis on IT strategies, to prevent IT risks from happening or solving IT problems in time (Keen, 1991). The IT background of other senior managers helps increase the efficiency and effectiveness of business operations since most of those operations are conducted through information systems. Overall, the IT experience of the senior management team is expected to have a significant influence on their firms' IT operations and controls. We define IT-related experience for other senior management the same way as for CEO and CFO. Therefore, our third hypothesis is:

H3. Companies with other senior management who have IT-related experience are less likely to have IT control material weakness in the ICOFR.

3.2. Independent directors and IT control material weakness

The significance of the board of directors as an internal control mechanism has long been recognized (Weisenbach, 1988; Brickley et al., 1994). The board of directors receives its authorities of decision making and monitoring management from stockholders of the company.
Its purpose is to ensure the management actions in order to deter managers' opportunism which might sacrifice the interest of stockholders (Fama, 1980). Prior accounting research suggests that the independence of the board of directors is positively associated with the reliability of financial accounting reports. Beasley (1996) posits that independent directors have higher incentive to develop their reputations in the external market for directors. He examines the relationship between financial statement fraud and composition of the board of directors, and finds that no-fraud firms have higher percentages of outside members than firms that have experienced fraud. Dechow et al. (1996) investigate firms subject to accounting enforcement actions by the SEC and find that firms manipulating earnings are more likely to have boards of directors dominated by management. Based on various case studies, King and Mcauley (1997) emphasize the involvement of board of directors in IT evaluation.

Therefore, boards with more independent directors better fulfill board oversight function, which includes selecting competent management team members, supervising the establishment of control processes and building a stronger internal audit department. As IT control is part of the internal control system, we expect that board independence is negatively associated with IT control material weakness. An independent director is defined as a director with no material relationship with the company (e.g. current and former employees, family members of employees or other individuals not deemed independent, and employees of organizations that receive charitable gifts from the firm). Thus, our fourth hypothesis is summarized as:

H4. Companies with higher percentages of independent directors on their boards are less likely to have IT control material weakness in the ICOFR.

3.3. Audit committees and IT control material weakness

The primary role of the audit committee is to oversee the financial reporting process with the ultimate objective of ensuring high quality of financial reporting (SEC, 2003). Prior research provides evidence that audit committee characteristics impact governance-related outcomes. For instance, audit committee independence is found to be associated with less earnings management (Klein, 2002), fewer earnings restatements (Abbott et al., 2004), and a lower incidence of fraudulent financial reporting (Beasley et al., 2000). Audit committee financial expertise is associated with less earnings management, lower cost of debt, more disclosure, fewer restatements, and higher firm value (e.g. Abbott et al., 2004; Anderson et al., 2004; Agrawal and Chadha, 2005; Bedard et al., 2004; Felo et al., 2003; DeFond et al., 2005). Active audit committee involvement is related to fewer SEC enforcement actions, fewer earnings restatements and lower incidence of fraud (e.g. Abbott et al., 2004; McMullen and Raghunandan, 1996).

The audit committee plays an important role in the company's internal control over financial reporting processes, not only because it helps improve corporate governance in general, but also because it may actually contribute to improved internal control. In the SOX 404 reporting process, the PCAOB requires auditors to report to the audit committee when a significant deficiency in internal control is found (PCAOB Standard No. 2, 2004). When they receive the information, effective audit committees should exert pressure to remedy those significant deficiencies before they can rise to the level of material weakness. In addition, IT requires more technical insight than other disciplines to understand how IT enables the companies to maintain value and reduce risks. So, audit committees are more likely to effectively monitor IT control and timely react to IT weakness if they contain members who have IT experience.
We define IT-related experience for audit committee members in the same way as for CEO and CFO. Therefore, we posit that IT-experienced audit committee members help companies improve IT-related internal controls. Based on the above arguments, we generate our fifth hypothesis:

H5. Companies with more IT-experienced audit committee members are less likely to have IT control material weakness in the ICOFR.

4. Sample and methods

4.1. Sample and matching process

We obtain our data from the Audit Analytics database, which derives SOX 404 management assessment and auditors' opinions on ICOFR from companies' Form 10-K filings. We identify 626 companies that received adverse opinions on their ICOFR from January 2005 to December 2005. For each firm identified as having a material weakness, we read the auditor's 404 report to determine whether the weakness was IT related. Two of the authors independently categorize the material weakness as IT related. The percentage agreement between the two coders is 95%. At the end of the coding process, the two coders meet to reconcile differences and arrive at a consensus. Examples of IT control material weaknesses are provided in the Appendix. We identify 110 companies with IT control material weaknesses, which constitute 17.5% of all client firms reporting material weaknesses.

Table 1
Definition of variables and expected signs

| Hypothesis | Variable | Expected sign | Definition |
|---|---|---|---|
| | ITMW | | 1 if IT control material weakness (see Appendix A) is reported in the 404 report; 0 otherwise. |
| H1 | CEOCFOIT | − | 1 if the CEO or CFO has IT-related experience; 0 otherwise. |
| H2 | CIO | − | 1 if company has a CIO position; 0 otherwise. |
| H2 | CIOYR | − | Number of years (s)he has been CIO in the company. |
| H3 | MGMTIT | − | Total number of other senior management with IT-related experience. |
| H4 | INDEPBRD | − | Percentage of independent directors on the board. It is calculated as the total number of independent directors divided by the total number of directors. |
| H5 | ACIT | − | Number of audit committee members with IT-related experience. |
| | BIG4 | − | 1 if auditor is a Big 4, 0 otherwise. |
| | CEOCHAIR | ? | 1 if the CEO also chairs the board of directors. |
| | LEVERAGE | + | Total liabilities divided by total assets. |
| | LOSS | + | 1 if net income is negative; 0 otherwise. |
| | GROWTH | + | Percent change in sales, from fiscal year 2003 to 2004. |
| | AUDCHG | + | 1 if the company changed auditor in 2004; 0 otherwise. |
| | AUDFEE | + | Natural logarithm of audit fees divided by natural logarithm of total assets. |
| | ARINVEN | + | Total accounts receivables and total inventories divided by total assets. |
| | SEGMENT | + | Natural logarithm of the number of firms' reportable segments. |
| | RESTRUCTURE | + | 1 if the client restructured from 2002 to 2004; 0 otherwise. (a) |

(a) This variable is coded one if at least one of the following Compustat annual data items is not equal to zero: #376, #377, #378 or #379, for any year in 2002–2004.

Following the recommendation of Srinivasan (2005) and Desai et al. (2006), each company with IT material weakness is matched with a control company having similarities in both industry (SIC code) and size (revenue) during the year preceding the SOX 404 report.[2] The above procedures yield our final sample: 110 companies having IT material weakness in the ICOFR matched with 110 companies reporting effective ICOFR. We obtain information about senior management, the board of directors, and audit committees for the 220 firms from the proxy statements that are filed with SEC. All other financial data are from Compustat.

[2] We are able to match 53% of the IT weakness companies with internal control effective companies in the same four-digit SIC code, the rest are matched at the three- or two-digit SIC levels. 90% of our IT weakness companies are matched within 20% of the revenue. The p-value for the mean difference of revenue is 0.912.

4.2. Research models and variable definitions

We use the following logistic regression to test the relationships between the likelihood of IT control material weaknesses and companies' internal and external IT control governance. All variables are measured at the end of the fiscal year 2004, unless specified otherwise.

$$
\begin{aligned}
\mathrm{ITMW} = {} & \beta_0 + \beta_1\,\mathrm{CEOCFOIT} + \beta_2\,\mathrm{CIO/CIOYR} + \beta_3\,\mathrm{MGMTIT} + \beta_4\,\mathrm{INDEPBRD} + \beta_5\,\mathrm{ACIT} \\
& + \beta_6\,\mathrm{BIG4} + \beta_7\,\mathrm{CEOCHAIR} + \beta_8\,\mathrm{LEVERAGE} + \beta_9\,\mathrm{LOSS} + \beta_{10}\,\mathrm{GROWTH} \\
& + \beta_{11}\,\mathrm{AUDCHG} + \beta_{12}\,\mathrm{AUDFEE} + \beta_{13}\,\mathrm{ARINVEN} + \beta_{14}\,\mathrm{SEGMENT} + \beta_{15}\,\mathrm{RESTRUCTURE}
\end{aligned}
\tag{1}
$$

The variables in the model (1) are defined in Table 1. Based upon recent studies on the determinants of internal control material weaknesses, we control for the effects of the following additional factors that likely affect IT control material weaknesses: company financial conditions (e.g. leverage and loss), growth (e.g. sales growth), auditor and auditor changes, audit fees, business complexity (e.g. total inventories and account receivables and number of segments), and business restructuring (Doyle et al., 2005; Ashbaugh-Skaife et al., 2006; Ettredge et al., 2006). In addition, we also include an indicator variable to capture the effect of a CEO also serving as the chairman of the board, since prior studies provide evidence that chairmen who also serve as CEOs have negative impacts on the board monitoring function, although the results are not consistent (e.g. Alexander et al., 1993; Dechow et al., 1996).

5. Results

5.1. Univariate analysis

Table 2 provides an industry distribution of the 110 IT material weakness companies and the 626 companies with any kind of material weaknesses based on their two-digit SIC codes. The 110 IT material weakness companies cover seven industry groups. Among them, the manufacturing industry has the highest number of IT material weakness companies, followed by the service industry, then by the financial industry. The 626 material weakness companies cover ten industry groups.
The industry distribution for those companies is similar to that of the 110 IT material weakness companies, i.e. the manufacturing industry contains the highest number of material weakness companies, followed by the service industry, then by the financial industry.

Table 2
Industry distributions of IT material weakness companies

| Two-digit SIC | Industry | IT material weakness companies: No. | IT material weakness companies: % | All material weakness companies: No. | All material weakness companies: % |
|---|---|---|---|---|---|
| 01–09 | Agriculture, forestry and fishing | 0 | 0.0 | 2 | 0.3 |
| 10–14 | Mining | 5 | 4.5 | 26 | 4.2 |
| 15–17 | Construction | 0 | 0.0 | 6 | 1.0 |
| 20–39 | Manufacturing | 41 | 37.3 | 210 | 33.5 |
| 40–49 | Transportation and communication | 11 | 10.0 | 65 | 10.4 |
| 50–51 | Wholesale trade | 4 | 3.6 | 14 | 2.2 |
| 52–59 | Retail trade | 4 | 3.6 | 67 | 10.7 |
| 60–67 | Finance, insurance and real estate | 12 | 10.9 | 103 | 16.5 |
| 70–89 | Service industry | 33 | 30.0 | 133 | 21.2 |
| 91–97 | Public administration | 0 | 0.0 | 2 | 0.3 |
| Total | | 110 | 100 | 626 | 100 |

Table 3
Descriptive statistics

| Variable | IT material weakness (N = 110) | Effective control (N = 110) | t-statistics | p-value |
|---|---|---|---|---|
| CEOCFOIT | 0.273 | 0.364 | −1.448 | 0.149 |
| CIO | 0.273 | 0.555 | −4.409 | 0.000 |
| CIOYR | 0.991 | 2.782 | −4.058 | 0.000 |
| MGMTIT | 0.100 | 0.491 | −4.210 | 0.000 |
| INDEPBRD | 0.753 | 0.796 | −2.859 | 0.005 |
| ACIT | 0.300 | 0.727 | −4.028 | 0.000 |
| BIG4 | 0.627 | 0.891 | −4.784 | 0.000 |
| CEOCHAIR | 0.436 | 0.582 | −2.171 | 0.031 |
| LEVERAGE | 0.737 | 0.462 | 3.917 | 0.000 |
| LOSS | 0.436 | 0.255 | 2.876 | 0.004 |
| GROWTH | 0.117 | 0.381 | −5.051 | 0.000 |
| AUDCHG | 0.264 | 0.055 | 4.404 | 0.000 |
| AUDFEE | 0.721 | 0.687 | 3.713 | 0.000 |
| ARINVEN | 0.282 | 0.263 | 0.578 | 0.564 |
| SEGMENT | 2.555 | 2.173 | 1.502 | 0.135 |
| RESTRUCTURE | 0.400 | 0.209 | 3.130 | 0.002 |

p-values are two-tailed. See Table 1 for variable definitions.

Table 3 presents descriptive statistics for the companies with IT-related internal control material weakness and the companies with effective internal control.
Compared to companies with effective controls, the companies with IT material weaknesses are less likely to have CIO positions, have shorter tenured CIOs, have fewer other senior managers with IT-related experience, have a lower percentage of independent directors on the board, and have fewer audit committee members with IT-related experience. The CEO or CFO's previous IT experience does not differ between the two groups. With respect to control variables, IT material weakness companies are less likely to be clients of Big 4 auditors, are less likely to have CEOs serving as the chairman of the board, are more highly leveraged, report more losses, have a lower growth rate, are more likely to experience auditor changes, report higher audit fees, and are more likely to have organizational restructuring.

Table 4 reports the correlations among our variables. Similar to the results in the descriptive statistics, ITMW is negatively associated with CIO, CIOYR, MGMTIT, INDEPBRD, ACIT, BIG4, CEOCHAIR and GROWTH, and positively associated with LEVERAGE, LOSS, AUDCHG, AUDFEE and RESTRUCTURE. None of the correlations are above 0.35 (CIO and CIOYR are put in the separate models as discussed below), and the highest variance inflation factor (VIF) in our regression is only 2.21, which is well below the suggested multicollinearity problem threshold of 10 (Marquandt, 1980; Gujarati, 1995). Our examination of the standard errors and size of the coefficient also shows that they are not sensitive to the inclusion or exclusion of the highly correlated variables, indicating that multicollinearity is unlikely to be problematic (Hosmer and Lemeshow, 1989).

5.2. Logistic regression analysis

Table 5 presents the results of logistic regression analysis of model (1). Because CIOYR is a continuous measure of CIO, we examine the two variables separately. The models are highly significant (p-values < .001) with good explanatory power (pseudo R² = 0.629 and 0.640).
Table 4
Correlation

CIO CIOYR MGMTIT INDEPBRD ACIT BIG4 CEOCHAIR LEVERAGE
−0.098 − 0.286⁎⁎⁎ 0.259⁎⁎⁎ −0.265⁎⁎⁎ 0.170⁎ 0.665⁎⁎⁎ −0.274⁎⁎⁎ 0.278⁎⁎⁎ 0.338⁎⁎⁎ − 0.190⁎⁎⁎ − 0.263⁎⁎⁎ 0.265⁎⁎⁎ 0.219⁎⁎⁎ 0.252⁎⁎⁎ 0.201⁎⁎⁎ 0.119⁎ −0.308⁎⁎⁎ −0.145⁎⁎ 0.124⁎ 0.256⁎⁎⁎ − 0.166⁎⁎ − 0.091 − 0.115⁎ 0.110 0.111 0.236⁎⁎⁎ 0.148⁎⁎ 0.159⁎⁎ 0.130⁎ 0.208⁎⁎⁎ −0.061 0.005 −0.014 −0.041 0.084 0.000 − 0.025 − 0.122⁎ − 0.173⁎⁎ − 0.160⁎⁎ 0.046
LOSS ITWEAK CEOCFOIT CIO CIOYR MGMTIT INDEPBRD ACIT BIG4 CEOCHAIR LEVERAGE LOSS GROWTH AUDCHG AUDFEE ARINVEN SEGMENT
0.099 0.011 − 0.033 0.078 0.191⁎⁎⁎ 0.222⁎⁎⁎ 0.030 0.030 − 0.087 − 0.136⁎⁎ 0.031 − 0.105 0.006 0.052
GROWTH AUDCHG
− 0.324⁎⁎⁎ 0.286⁎⁎⁎ − 0.007 0.067 0.038 0.149⁎⁎ 0.066 0.068 0.043 − 0.038 − 0.048 − 0.096 0.023 − 0.037 − 0.099 − 0.058 − 0.036 − 0.133⁎⁎ − 0.336⁎⁎⁎ − 0.070 0.072 0.285⁎⁎⁎ − 0.077
AUDFEE
0.244⁎⁎⁎ 0.158⁎⁎ 0.048 0.085 − 0.049 − 0.122 0.055 0.047 0.024 0.165⁎⁎ 0.143⁎⁎ − 0.088 0.093
ARINVEN SEGMENT
0.039 −0.210⁎⁎⁎ −0.103 −0.094 −0.117⁎ 0.054 −0.153⁎⁎ −0.224⁎⁎⁎ 0.101 − 0.178⁎⁎⁎ 0.039 0.006 − 0.033 − 0.032 − 0.133⁎⁎ 0.131⁎ −0.045 −0.089 − 0.044 − 0.116⁎ − 0.072 −0.055 −0.021 −0.236⁎⁎⁎ −0.134⁎⁎ − 0.076 0.068 − 0.105 − 0.112⁎
RESTRUCT
0.207⁎⁎⁎ − 0.007 0.026 − 0.042 − 0.025 0.024 0.002 0.073 − 0.022 0.115⁎ 0.184⁎⁎⁎ − 0.154⁎⁎ 0.090 0.004 0.028 0.145⁎⁎
ITMW CEOCFOIT CIO CIOYR MGMTIT INDEPBRD ACIT BIG4 CEOCHAIR LEVERAGE LOSS GROWTH AUDCHG AUDFEE ARINVEN SEGMENT CEOCFOIT

p-values are two-tailed. ⁎⁎⁎, ⁎⁎ and ⁎ represent significant at 0.01, 0.05 and 0.10, respectively.

Table 5
Logistic regression of relationship between IT control material weakness and IT control governance

IT-material weakness: N = 110
Effective internal control: N = 110

| Variable | Coefficient | p-value | Coefficient | p-value |
|---|---|---|---|---|
| CEOCFOIT | 0.252 | 0.617 | 0.163 | 0.744 |
| CIO | −1.592 | 0.001 | | |
| CIOYR | | | −0.265 | 0.000 |
| MGMTIT | −0.894 | 0.069 | −1.171 | 0.020 |
| INDEPBRD | −5.082 | 0.034 | −5.026 | 0.037 |
| ACIT | −0.503 | 0.061 | −0.445 | 0.111 |
| BIG4 | −2.168 | 0.000 | −2.378 | 0.000 |
| CEOCHAIR | −1.541 | 0.001 | −1.562 | 0.001 |
| LEVERAGE | 2.665 | 0.001 | 2.706 | 0.001 |
| LOSS | 0.389 | 0.415 | 0.487 | 0.325 |
| GROWTH | −2.359 | 0.000 | −2.491 | 0.000 |
| AUDCHG | 0.803 | 0.213 | 0.662 | 0.334 |
| AUDFEE | 16.317 | 0.000 | 17.091 | 0.000 |
| ARINVEN | −0.533 | 0.593 | −0.702 | 0.485 |
| SEGMENT | 0.058 | 0.610 | 0.037 | 0.740 |
| RESTRUCTURE | 0.795 | 0.091 | 0.656 | 0.171 |
| INTERCEPT | −5.320 | 0.137 | −5.649 | 0.122 |
| ITMW predicted correctly | 82% | | 81% | |
| Effective IC predicted correctly | 79% | | 81% | |
| Model Chi-Square | 140.438 | 0.000 | 143.872 | 0.000 |
| Pseudo R2 | 0.629 | | 0.640 | |

p-values are two-tailed. See Table 1 for variable definitions.

The results of Table 5 indicate that companies with the presence of CIO, or longer tenured CIOs, as well as with more IT-experienced senior managers are less likely to have IT material weaknesses in the ICOFR, which support our H2a, H2b and H3. The coefficients of CEOCFOIT are not significant in two regressions, providing no support for H1. We also find that companies with a higher percentage of independent directors are less likely to have IT control material weaknesses, supporting our H4. The number of audit committee members with IT-related experience is also negative and marginally significant in one of the models, indicating that the IT experience of audit committee members may help companies build strong IT control, although this relationship becomes insignificant when CIOYR is included in the model. Thus, H5 is only partially supported.
For control variables, companies with non-Big 4 auditors, CEOs serving as the chairman of the board, higher leverage, lower growth rates, and higher adjusted audit fees are more likely to have IT material weaknesses.

6. Conclusions and discussions

IT control is recognized as one of the most important components of a company's internal control systems. Information technology plays a key role that ensures the efficiency and effectiveness of information processing and the protection of information assets. The PCAOB specifically emphasizes the pervasive effects of IT control on companies' daily business processes and transactions. Yet, no empirical studies have examined the factors influencing companies' IT control quality. We investigated how internal and external governance affected companies' IT control quality using a sample of companies reporting IT-related material weaknesses, complying with the SOX 404 requirement. In general, the results support our hypotheses that both the internal and external governance play an important role in determining the companies' IT control effectiveness. First, we find that companies with longer tenured CIOs and with more IT-experienced senior managers are less likely to have IT material weaknesses. This is consistent with our hypotheses that effective senior management should have a positive impact on the IT control governance. The result confirms that the role of the CIO in IT companies positively evolves under SOX. Therefore, CIOs will need to take a much more proactive role in acclimating to the SOX provisions.
Only in so doing can they evaluate the relative benefits of the many IT applications being touted as the answer to all their SOX problems and prioritize their efforts. In the future, IT departments can expect greater scrutiny, including more thorough and more frequent audits. Those CIOs who can make this transition successfully will find themselves in the inner circle of the CEO and CFO. We also find that companies with higher percentages of independent directors and more IT-experienced audit committee members have higher IT control quality, although the association for audit committee members' IT experience is only marginally significant. These results confirm the crucial role that the board and audit committees have, not only in strategic decision making but in the overall IT control processes. Our study contributes to the literature in several ways. First, it is the first empirical study to investigate the factors that influence companies' IT control quality. Through examination of companies' SOX 404 reports, which contain detailed descriptions of internal control problems, we can identify companies with IT-related control problems. Second, our study adds to the current literature on the role of corporate governance in financial reporting by examining the impact of internal and external governance on companies' IT control processes. While the senior management of companies plays a critical role in facilitating the use of IT as documented in prior studies (McKenney and Copeland, 1995), it is noted that boards of directors and audit committees also play important roles. Specifically, the experience and IT knowledge of senior managers and audit committee members help to ensure the integrity of companies' IT control governance.
Third, while prior research suggests that audit committee members' financial experience improves firms' financial reporting quality, our study further documents that other types of experience, such as IT experience, can also help companies improve their overall financial reporting process. One limitation of this study is that we employ data from only the first year's 404 reports, which consist of fairly large companies. Future research should determine whether these results persist into subsequent years. In addition, we see IT control as a dichotomy (have vs. do not have) but not as a continuum. A company with four or five pervasive IT weaknesses (e.g., financial system access controls, backup and recovery etc.) possibly would have lower IT control quality than a company that identified a single IT weakness, or would have other control issues. Future research should further investigate the relationship between the degree of IT material weakness and IT control governance. Finally, due to the nature of all archival studies, we cannot establish clear causal relationships between IT control governance and IT material weaknesses. For instance, CIOs may have longer tenure because the overall IT control is effective and of good quality, and they are not fired. It is still too early to predict the impact of SOX on the IT industry as a whole; however, one implication is greater accountability of internal and external governance for certifying the reliability of their systems. This is a challenging and ongoing process, but it benefits all stakeholders. Companies must continually work toward satisfying the quality, fiduciary, and security requirements for their information, as they do for all assets. This is a constantly changing goal, as management must demonstrably attain increasing levels of security and control.
While most companies recognize the benefits that new technology can offer, successful companies will focus on understanding and managing the associated risks.

Appendix A. Examples of IT control material weaknesses

Insecure and unreliable communications
Almost two-thirds of companies in a survey conducted by CIO Magazine (2005) had suffered a security breach in the past year, most commonly a virus or Trojan horse, unauthorized entry into a computer system or a denial-of-service attack. The attacks resulted in e-mail and applications being inaccessible more than 50% of running time or caused network downtime. More than a quarter of the incidents resulted in employee or customer records being compromised or lost. Many companies use e-mail to communicate a majority of ordering, inventory, and planning information to their customers and trading partners. This includes the attaching of customer and purchasing documents to e-mails. Chronic security breaches and virus disruptions in e-mail services make it difficult to claim adequate controls.
• Deficiencies related to segregation of duties
• Deficiencies related to configuration changes, authorization for changes, approval of testing, testing of changes, communication of changes, updates of control documentation, developer access to production, and emergency changes.

Poor order commitments visibility
Many companies do a poor job of maintaining the visibility of valid open-order commitments for both customers and trading partners. In many cases, these past-due items are bogus or the result of sloppy order maintenance. Lack of maintenance can result in the accumulation of several months' worth of past-due items and represent false estimations of receivables and payables.
• Deficiencies related to updates of control documentation, data migration, training on new applications, post-implementation review, and testing approach.

Inventory write-off
Poor practices regarding forecasting, trading partner collaboration, and end-of-life product management often result in write-offs for excess or obsolete inventory in inadequately designed systems. Many companies struggle to project the magnitude of these write-offs, so companies must demonstrate that they have implemented formal process controls to minimize and forecast the impact of end-of-life product cycles.
• Inadequate design and implementation of new accounting system.

Poor physical and logical control of assets
Many nonmanufacturing companies have substantial amounts of capital equipment, which is often not physically or logically controlled in a timely manner.
• Lack of information systems access and security controls
• Insufficient control over information technology back-up, recovery and firewall protections
• Inadequate controls and procedures in place to effectively identify and monitor amendments to software license arrangements.

References

Abbott LJ, Parker S, Peters GF. Audit committee characteristics and restatements: a study of the efficacy of certain Blue Ribbon Committee recommendations. Audit J Pract Theory 2004;23(1):69–87.
Agrawal A, Chadha S. Corporate governance and accounting scandals. J Law Econ 2005;48(3):371–406.
Alexander JA, Fennell ML, Halpern MT. Leadership instability in hospitals: the influence of board–CEO relations and organization growth and decline. Adm Sci Q 1993;38:74–99.
Anderson RC, Mansi SA, Reeb DM. Board characteristics, accounting report integrity, and the cost of debt. J Account Econ 2004;37(3):315–42.
Armstrong CP, Sambamurthy V. Information technology assimilation in firms: The influence of senior leadership and IT infrastructure. Inf Syst Res 1999;10(4):1–31.
Ashbaugh-Skaife H, Collins D, Kinney W. The discovery and consequences of internal control deficiencies prior to SOX-Mandated audits. Working paper. University of Wisconsin-Madison, University of Iowa, and University of Texas-Austin; 2006.
Barker III VL, Mueller GC. CEO characteristics and firm R&D spending. Manage Sci 2002;48(6):782–801.
Beasley MS. An empirical analysis of the relation between the board of director composition and financial statement fraud. Account Rev 1996;71(4):443–65.
Beasley MS, Carcello JV, Hermanson DR, Lapides PD. Fraudulent financial reporting: consideration of industry traits and corporate governance mechanism. Account Horiz 2000;14(4):441–54.
Bedard J, Chtourou SM, Courteau L. The effect of audit committee expertise, independence, and activity on aggressive earnings management. Audit J Pract Theory 2004;23(2):13–35.
Brickley JG, Cole JS, Terry RL. Outside directors and the adoption of poison pills. J Financ Econ 1994;35:371–90.
Boynton AC, Zmud RW, Jacobs G. The influence of IT management practices on IT use in large organizations. MIS Q 1994;18:299–318.
Chatterjee D, Richardson VJ, Zmud RW. Examining the shareholder wealth effects of announcements of newly created CIO positions. MIS Q 2001;25(1):43–70.
Dechow PM, Sloan RG, Sweeney AP. Cases and consequences of earnings manipulation: an analysis of firms subject to enforcement actions by the SEC. Contemp Account Res 1996;13(1):1–36.
DeFond ML, Hann RN, Hu X. Does the market value financial expertise on audit committees of boards of directors? J Account Res 2005;43(2):154–94.
Desai H, Hogan CE, Wilkins MS. The reputational penalty for aggressive accounting: earnings restatements and management turnover. Account Rev 2006;81(1):83–112.
Doyle J, Ge W, McVay S. Determinants of weakness in internal control over financial reporting and the implications for earning quality. Working Paper. University of Utah; 2005.
Earl MJ. Management strategies for information technology. London: Prentice Hall; 1989.
Earl MJ. The Chief Information Officer: past, present, and future. Information management. Oxford, UK: Oxford University Press; 1996. p. 456–84.
Ettredge M, Heintz J, Li C, Scholz S. Auditor realignments accompanying implementation of SOX 404 reporting requirements. Working Paper. University of Kansas; 2006.
Fama EF. Agency problem and the theory of the firm. J Polit Econ 1980;88:288–308.
Feeny DF, Edwards BR, Simpson KM. Understanding the CEO/CIO relationship. MIS Q 1992:435–47 [December].
Felo AJ, Krishnamurthy S, Solieri SA. Audit committee characteristics and the perceived quality of financial reporting: an empirical analysis. Working Paper. Penn State Great Valley; 2003.
Gujarati DN. Basic econometrics. 3rd edition. New York, NY: McGraw-Hill; 1995.
Holmes A. The global state of IT security. CIO Magazine; 2005 [February].
Hosmer D, Lemeshow S. Applied logistic regression. New York, NY: John Wiley & Sons; 1989.
Jarvenpaa SL, Ives B. Executive involvement and participation in the management of information technology. MIS Q 1991;1:205–27 [June].
Keen PGW. Shaping the future. Boston, MA: Harvard Business School Press; 1991.
King M, Mcauley L. Information technology investment evaluation: evidence and interpretations. J Inf Technol 1997;12:131–43.
Klein A. Economic determinants of audit committee independence. Account Rev 2002;77(2):435–52.
KPMG. Sarbanes–Oxley section 404 — an overview of the PCAOB's requirement. KPMG LLP; 2004.
Marquandt D. You should standardize the predictor variables in your regression models. Discussion of: a critique of some ridge regression methods. J Am Stat Assoc 1980:87–91.
McKenney JL, Copeland D. Waves of change: business evolution through information technology. Cambridge, MA: Harvard Business School Press; 1995.
McMullen DA, Raghunandan K. Enhancing audit committee effectiveness. J Account 1996;182(2):79–81.
Moody's Investor Service. Special comment: Section 404 reports on internal control. New York, NY: Moody's Investor Service; 2004.
PricewaterhouseCoopers. Sarbanes–Oxley Act: Section 404 practical guidance for management. PricewaterhouseCoopers LLP; 2004.
Public Company Accounting Oversight Board (PCAOB). Auditing standard No. 2 — an audit of internal control over financial reporting performed in conjunction with an audit of financial statements; 2004.
Ross JW, Feeny DF. The evolving role of the CIO. In: Zmud RW, editor. Framing the domains of IT management: projecting the future through the past. Cincinnati, OH: Pinnaflex educational resources; 2000. p. 385–401.
Security and Exchange Commission (SEC). Final rule: disclosure required by Sections 406 and 407 of the Sarbanes–Oxley Act of 2002. Washington, D.C.: SEC; 2003.
Srinivasan S. Consequences of financial reporting failure for outside directors: evidence from accounting restatements and audit committee members. J Account Res 2005;43(2):291–334 [May].
Sutton SG, Arnold V. The Sarbanes–Oxley Act and the changing role of the CIO and IT function. Int J Bus Inf Syst 2005;1(1/2):118–28.
Weisenbach MS. Outside directors and CEO turnover. J Financ Econ 1988;20:431–60.
Wiersema MF, Bantel KA. Top management team demographics and corporate strategic change. Acad Manage J 1992;35(1):91–121.