Most firms depend on information technology (IT) to complete business transactions (Stoel & Muhanna, 2008). Despite recent advancements in technology that make it easier to monitor and manage company resources, organizations are still susceptible to numerous internal and external threats (Stoel & Muhanna, 2008). One prominent internal threat is employee fraud. Employee fraud costs organizations in the United States $400 billion each year (SIU Inc., 2007). To combat such losses, firms implement internal controls. Internal controls are major policies designed to protect firm assets and information (Barra, 2010). Internal controls have a large influence on how organizations monitor, prevent, and detect fraud (Doyle, Ge, & McVay, 2005).
Internal controls can be viewed as administrative controls that involve monitoring, measuring, and taking corrective action (Langfield-Smith, 1997). They are also thought of as ex ante forms of control. Ex ante controls provide necessary information to direct or guide individual or group actions (Flamholtz, Das, & Tsui, 1985). Internal controls are key elements of the Sarbanes-Oxley (SOX) Act of 2002. The Sarbanes-Oxley Act was developed to deter corporate fraud and corruption that threaten the stability of a business (Hall, Liedtka, Gupta, Liedtka, & Tompkins, 2007; PCAOB, 2004). The major components of the Act are the creation of the Public Company Accounting Oversight Board, the placement of restrictions on executive officers and directors of public companies, and the increase in auditing and accounting standards (PCAOB, 2004). Section 404 of SOX requires public companies to report annually on the adequacy of their internal control structure (“A Guide to the Sarbanes-Oxley Act,” 2006). Section 404 also requires firms to give external auditors documentation of the existence and the results of tests of the internal controls that generate public financial information (Braganza & Hackney, 2008; Klamm & Watson, 2009).
Prior to SOX, Enron dominated the energy market, but instead of leading corporations into the future, it became the largest corporate scandal to date. All roles, whether executive or non-executive, were thought to be sufficient in providing the appropriate “checks and balances” to ensure accurate financial reports (Braganza & Hackney, 2008). Because of this misconception, Enron was able to falsify financial reports in order to cover up the company’s high debt. Along with “cooked books”, Enron engaged in other unethical practices, which ranged from rerouted electricity to spiked prices. Enron’s unethical practices led to the dissolution of the company.
After the dissolution of Enron, SOX was created to deter future scandals. Now, the tradition of self-regulation has been replaced by the internal control transparency mandated by Section 404 (“A Guide to the Sarbanes-Oxley Act,” 2006). SOX has encouraged managers to pay more attention to issues involving internal control (Masli, Peters, Richardson, & Sanchez, 2010). During the first year of reporting in accordance with SOX, more than 14% of companies reported material weaknesses (Boritz & Lim, 2007).
Among the broad spectrum of internal controls are IT internal controls, which also play a part in SOX. According to Boritz and Lim (2007), the exact amount of funding lost due to the specific IT internal control weaknesses identified by SOX 404 audits cannot be stated. Previous research illustrates that many organizations' information systems investments have reached 50% or more of total capital expenditures (Mahmood & Mann, 1993). Recent research confirms the findings of Mahmood and Mann by finding that companies spend more than 50% of their budget on IT expenditures (Boritz & Lim, 2007). Furthermore, Gomolski and Smith (2007) show that total information systems spending levels can range from 2-15% of an organization's gross revenue, depending on the industry. A Standard and Poor’s (2005) survey indicates that 59% of financial institutions surveyed had “significant” deficiencies in internal control, with IT internal controls being one of the most commonly reported.