The Compliance of IT Control and Governance: A Case of Macao Gaming Industry

Introduction

Corporate accountability and information reliability is an essential part of compliance requirements for business stakeholders. To protect the stakeholders from financial frauds such as Anderson, Enron and WorldCom (Hall and Liedtka, 2007), legislation was passed by the United States (US) congress for governing companies’ information reliability and corporate accountability. The Sarbanes-Oxley Act of 2002 (hereinafter referred to as SOX) was one such example of setting new standards for corporate control and governance for reducing the chances of further corporate scandals (Damianides 2005). Due to the US economic power and great influence on the world economy, the impact of SOX has been affecting major companies across the globe (Barta and Walker 2008). Corporations SOX not only has immense impact on corporate internal control requirement over financial reporting, but also signifies a need for perfecting IT control and overall IT governance of companies (Hall and Liedtka 2007; Haworth and Pietron 2006; Damianides 2005).

IT control in this study is defined as a procedure or policy that provides a reasonable assurance that the IT used by an organization operates as intended in compliance with applicable laws and regulations. IT control objectives can include the confidentiality, integrity, and availability of data and the overall management of the IT function of the business organization (https://enwikipedia.org/wiki/Information_technology_controls). IT control processes created by management for IT implementations are aligned with an organization’s strategies and objectives (Li, Lim and Wang, 2007). Control Objectives for Information and related Technology (COBIT), a framework providing a set of best practices for IT management, has gained wide acceptance for IT governance and IT control (Tuttle and Vandervelde 2007; Guldentops 2002). COBIT has evolved from an audit framework in 1996 to a governance and management of enterprise IT framework in 2012, which addresses policies as fundamental factors for influencing proper governance and management over IT (Carrillo 2013). Another framework is the internal control framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). With cross references of control components and objectives of the COSO and COBIT frameworks, the IT Governance Institute developed a common set of control considerations that can be used by companies to determine whether their entity-level IT control objectives have met the SOX regulatory compliance requirement (ISACA 2013; Chan 2004).

In 2012, six gaming concessionaries were authorized to operate in Macao (DSEC 2012). Sociedade de Jogos de Macau, and Galaxy Entertainment Group are local-based companies with origin in Macao or publicly listed in the Hong Kong stock market. Wynn Macau and Sands China are US-based companies with origin in the United States and publicly listed in the US stock market. Melco Crown Entertainment Limited, and MGM China are joint venture companies with more than one parent companies and are comprised of local and foreign corporations publicly listed in overseas stock market. Both US-based and joint venture companies are publicly listed in the US, so they have to comply with SOX.

The purpose of this research was to gain better understanding of the Macao gaming industry from an IT perspective. Specifically, the research focused on the level of IT control, as IT governance has become an important element of modern corporate governance. The two research questions were:

• 1.

  What is the status of IT control of the gaming industry in Macao?

• 2.

  Are there differences in the level of IT control among these gaming companies?