Article Preview
Top1. Introduction
High quality and effective internal controls are necessary to ensure the reliability and integrity of companies’ financial reporting. In response to high-profile corporate fraud cases such as Enron and WorldCom, the Sarbanes-Oxley (SOX) Act was enacted by the US congress in order to set more rigorous auditing standards, and has had a significant impact on firms’ internal control practices. Under section 404 of the SOX Act, all publicly traded companies are mandated to disclose deficiencies in internal controls over financial reporting (ICOFR)1. The most severe type of internal control deficiencies (ICDs) is referred to as material weakness (MW). It is defined by Auditing Standard (AS) No. 52 as “a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements would not be prevented or detected on timely basis by the company” (PCAOB, 2007, A. 1-11). The most commonly used guidance for internal control is the Committee of Sponsoring Organization’s Internal Control-Integrated framework (COSO), which is important for SOX assessment of internal control (Klamm & Watson 2009). Public firms in the U.S. rely on COSO framework in compliance with MWs under SOX act.
Given the current prevalence of computerized business transactions, firms’ financial reporting processes are highly dependent on information systems (Carter et al., 2012; Stoel & Muhanna, 2011). These systems are deeply embedded in initiating, authorizing, modifying, recording, processing, retrieving, and reporting a wide range of financial data and transactions. Traditional paper-based files, such as source documents, ledgers and journals, have been, and continue to be digitized and stored in large electronic databases (Hall, 2011, p. 10). “Information systems are inextricably linked to the overall financial reporting processes and need to be assessed, along with other important processes for compliance with the SOX” (ITGI 2004, p. 19; ITGI 2006). Hence, some MWs relevant to SOX compliance are likely to be IT-related. Effective internal controls over information systems, such as enterprise resourcing planning (ERP) systems and various databases, are thus seen as important. Information system research has begun to examine issues of IT-related MWs, or ITMWs (Grant et al., 2008; Klamm & Watson, 2009; Li et al., 2007; Li et al., 2012; Stoel & Muhanna, 2011). If companies disclose at least one ITMW, their IT controls are considered ineffective and of low quality (Li et al., 2007). Common types of ITMWs in SOX 404 reports include deficiencies in the IT environment, computer operations, accounting software, security and access control, data backup and disaster recovery.
Previous research has examined antecedents of MWs in general, and ITMWs in particular, from two different perspectives (Grant et al., 2008; Klamm & Watson, 2009; Li et al., 2007; Li et al., 2012; Stoel & Muhanna, 2011). One stream of research examines characteristics of firms that are associated with MWs disclosure (Ashbaugh-Skaife et al., 2007; Doyle et al., 2007; Ge & McVay, 2005). A second stream of research examines whether effective governance implemented by companies can help firm mitigate ITMWs. However, prior research has not integrated both perspectives in an effort to examine the antecedents of ITMWs. To fill this gap, we intend to answer the following research question in the current study: How are firm characteristics and IT governance related to ITMWs? To answer this question, we draw upon multiple streams of research including general internal control MWs, ITMWs, corporate governance, and IT governance to develop an effective research model. Our model highlights the important role of IT governance, which ensures the quality of a firm’s IT internal controls. Effective IT governance over planning and the system development life cycle should result in more accurate and timely financial reporting (Masli et al. 2009). Further, we propose and operationalize a new IT governance construct called ITGOV based on publicly available secondary data. Such a construct helps to objectively measure the overall effectiveness of IT governance in organizations.