Internal control over financial reporting: opportunities using the COBIT framework

Purpose – The purpose of this paper is to analyze how the COBIT framework, integrated within the internal control framework, enables improvement in the quality of financial reporting while helping to reduce or eliminate the material weaknesses (MWs) of internal control over financial reporting (ICFR). The Control Objectives for Information and Related Technology (COBIT) model is a framework for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Preliminarily, the analysis in this paper illustrates how the Committee of Sponsoring Organizations (COSO) framework impacts on the MWs, highlighting strengths and weaknesses. This paper shows how these limits can be overcome with the use of the COBIT framework. Design/methodology/approach – This is a conceptual paper that aims to highlight the relationship between COBIT and COSO, by illustrating how the IT processes reduce or eliminate the main MW categories. Findings – The analysis indicates that the implementation of the COBIT framework, or more generally the adoption of effective IT controls, provides important benefits to the entire company or organization. IT control objectives have a direct impact on the IT control weaknesses and indirectly on the other categories of material weaknesses. Practical implications – The adoption of the framework allows managers to implement effective ICFR. In particular, the COBIT approach provides managers with a more evolved tool in terms of compliance with the Sarbanes–Oxley Act requirements. This framework also improves the reliability of financial reporting in relation to the requirements of Public Company Accounting Oversight Board’s Auditing Standards No. 2 and 5. Originality/value – The analysis provides an interdisciplinary approach, connecting accounting and information systems themes, and suggest solutions and tools than can help managers to address the internal control weaknesses. This paper addresses an area of relevance to both practitioners and academics and expands existing accounting literature.

Download Full-text

Repeat offenders: examining cases of multiple years of internal control weaknesses

Managerial Auditing Journal ◽

10.1108/maj-05-2019-2302 ◽

2020 ◽

Vol 35 (4) ◽

pp. 499-520

Author(s):

Kathleen Bakarich ◽

Devon Baranek

Keyword(s):

Financial Reporting ◽

Internal Control ◽

Securities And Exchange Commission ◽

Repeat Offenders ◽

Content Type ◽

Public Company ◽

Material Weaknesses ◽

General Material ◽

Current Sample ◽

One Year

Purpose This study aims to identify characteristics of firms reporting multiple years of material weaknesses in internal control over financial reporting (MWICFR), labeled “Repeat Offenders”, and examine their characteristics and the types of material weaknesses they report using both broad and COSO-based classification schemes. The analysis compares these firms with firms reporting only one year of MWICFR and examines the differences between Repeat Offenders reporting consecutive and non-consecutive weaknesses. Design/methodology/approach Univariate and multivariate analyses were conducted on a sample of 1,793 firm-year observations, split into Repeat Offenders and non-Repeat Offenders, and collected from AuditAnalytics and Compustat from 2007 to 2015. Findings On average, 40% of adverse opinions in ICFR each year can be attributed to Repeat Offenders. Compared to one-time MWICFR firms, Repeat Offenders are significantly more likely to report general material weaknesses and, within the COSO framework, are significantly more likely to report issues with Segregation of Duties and Processes and Procedures. Repeat Offenders reporting consecutive years of MWICFR are significantly more likely to have general weaknesses than non-consecutive Repeat Offenders and are also significantly more likely to report issues with Segregation of Duties and Personnel. Research limitations/implications Prior studies have examined unremediated ICFR issues in the periods immediately following SOX implementation. This study extends this literature with a longer, more current sample period, focusing on both broad and COSO-specific control issues, as well as examining consecutive and non-consecutive MWICFR and firms with more than two years of MWICFR. Originality/value This study underpins recent Securities and Exchange Commission and Public Company Accounting Oversight Board concerns regarding pervasive ICFR issues. This study identifies some of the characteristics of firms associated with weaker ICFR and pinpoints more specific areas within internal controls that frequently lead to adverse opinions.

Download Full-text

An exploration of the choice to comply voluntarily with SOX section 404(b)

Managerial Auditing Journal ◽

10.1108/maj-10-2018-2023 ◽

2019 ◽

Vol 35 (1) ◽

pp. 93-110

Author(s):

Alan Blankley ◽

David Hurtt ◽

Jason MacGregor

Keyword(s):

Financial Reporting ◽

Internal Control ◽

Small Businesses ◽

Small Companies ◽

Section 404 ◽

Content Type ◽

Sarbanes Oxley ◽

Financial Perspective ◽

The Law ◽

Several Delays

Purpose Central to the Sarbanes–Oxley Act was a requirement that every company have an audit of its internal control over financial reporting. However, there were concerns that this requirement was overly burdensome, from a financial perspective, for small businesses. This concern promoted several delays in enforcing the law for small companies and ultimately caused congress to permanently exempt small businesses. Yet, there are some small companies that voluntarily elect to comply with the law. The purpose of this paper is to explore why these companies elect to incur these costly audits. Design/methodology/approach Using a sample of 5,834 non-accelerator US firms, this paper uses a robust logistic regression model to examine why some firms comply voluntary with SOX Section 404(b). Findings This study shows that small companies getting audits of internal controls may be doing so to restore investor confidence after reporting failures, to appear credible prior to raising funds, as a response to organizational changes, or in anticipation of being required to comply. Practical implications This study provides regulators with an improved understanding of when it is necessary to implement mandatory rather than voluntary guidance. Originality/value This study is the first to document why a client would voluntarily comply with SOX Section 404 (b).

Download Full-text

Observed effectiveness of the COSO 2013 framework

Journal of Accounting & Organizational Change ◽

10.1108/jaoc-07-2018-0064 ◽

2019 ◽

Vol 16 (1) ◽

pp. 31-45

Author(s):

Ifeoma Udeh

Keyword(s):

Control Systems ◽

Internal Control ◽

Design Methodology ◽

Control Process ◽

Regression Analyses ◽

Section 404 ◽

Content Type ◽

Sarbanes Oxley ◽

Material Weaknesses ◽

Practical Implications

Purpose This paper aims to examine the effectiveness of the Committee of Sponsoring Organization’s 2013 Framework, by investigating how the number of auditor-reported material weaknesses compares for Early-, Timely- and Late-adopters of the framework, and how the number of auditor-reported material weaknesses changed for Early- and Timely-adopters following their adoption of the framework. Design/methodology/approach The paper uses regression analyses based on a sample of US firms subject to Sarbanes-Oxley Act Section 404(b). Findings Timely-adopters of the 2013 Framework continued to exhibit fewer instances of auditor-reported material weaknesses than Late-adopters, even though they had a marginal increase in the number of auditor-reported material weaknesses, in the post-2013 Framework period. Practical implications The findings suggest that the effectiveness of the 2013 Framework may lie in the iterative nature of the internal control process, and as firms remedy deficiencies they or their auditors identify, they will continuously improve the effectiveness of their internal control systems. Originality/value Unlike existing literature, this paper uses data from the pre-2013 Framework, transition and post-2013 Framework periods to examine changes in the number of auditor-reported material weaknesses, thus differentiating between Early-, Timely- and Late-adopters of the 2013 Framework. It also shows the effect of adopting the 2013 Framework on the number of auditor-reported material weaknesses.

Download Full-text

Corporate Governance and Internal Control over Financial Reporting: A Comparison of Regulatory Regimes

The Accounting Review ◽

10.2308/accr.2009.84.3.839 ◽

2009 ◽

Vol 84 (3) ◽

pp. 839-867 ◽

Cited By ~ 288

Author(s):

Udi Hoitash ◽

Rani Hoitash ◽

Jean C. Bedard

Keyword(s):

Corporate Governance ◽

Financial Reporting ◽

Internal Control ◽

Audit Committee ◽

Section 404 ◽

Sarbanes Oxley ◽

Material Weaknesses ◽

Financial Expertise ◽

Financial Expert ◽

Section 302

ABSTRACT: This study examines the association between corporate governance and disclosures of material weaknesses (MW) in internal control over financial reporting. We study this association using MW reported under Sarbanes-Oxley Sections 302 and 404, deriving data on audit committee financial expertise from automated parsing of member qualifications from their biographies. We find that a lower likelihood of disclosing Section 404 MW is associated with relatively more audit committee members having accounting and supervisory experience, as well as board strength. Further, the nature of MW varies with the type of experience. However, these associations are not detectable using Section 302 reports. We also find that MW disclosure is associated with designating a financial expert without accounting experience, or designating multiple financial experts. We conclude that board and audit committee characteristics are associated with internal control quality. However, this association is only observable under the more stringent requirements of Section 404.

Download Full-text

Investor reactions to restatements conditional on disclosure of internal control weaknesses

Journal of Applied Accounting Research ◽

10.1108/jaar-10-2017-0107 ◽

2018 ◽

Vol 19 (3) ◽

pp. 423-439 ◽

Cited By ~ 3

Author(s):

Yiwen Li ◽

You-il Park ◽

Jinyoung Wynn

Keyword(s):

Stock Returns ◽

Financial Reporting ◽

Internal Control ◽

Private Information ◽

Abnormal Returns ◽

Content Type ◽

Sarbanes Oxley ◽

Financial Restatements ◽

Abnormal Stock Returns ◽

Internal Control Weaknesses

Purpose The purpose of this paper is to investigate investor reactions to financial restatements conditional on disclosures of internal control weaknesses under Section 404 of the Sarbanes-Oxley Act. Design/methodology/approach The research uses cumulative abnormal stock returns (CARs) as a proxy for investor reactions. Restatements and internal control reports are available on audit analytics. Multivariate regression analyses were used for testing. Findings Using a sample of restating firms whose original misstatements are linked to underlying internal control weaknesses, the research finds that cumulative abnormal returns for firms disclosing internal control weaknesses in a timely manner is negative in a three-day window around the restatement announcements. The finding indicates that restatements with early disclosure of internal control weaknesses provide more persuasive evidence of the ineffectiveness of a firm’s internal control over financial reporting, rather than early disclosure lowering the information asymmetry between a firm and investors. Research limitations/implications This study employs CARs to examine the market reaction to restatements conditional on disclosure of internal control weaknesses. Practical implications Further study on reactions by creditors who have access to private information on firms could extend the implications of the finding. Originality/value The study contributes to the existing research by documenting that early disclosure of material weaknesses in internal control affects investors’ reactions to financial restatements.

Download Full-text

The Persistence in the Association between Section 404 Material Weaknesses and Financial Reporting Quality

Auditing A Journal of Practice & Theory ◽

10.2308/ajpt-50570 ◽

2013 ◽

Vol 33 (1) ◽

pp. 93-116 ◽

Cited By ~ 15

Author(s):

Emma-Riikka Myllymäki

Keyword(s):

Financial Reporting ◽

Internal Control ◽

Reporting Quality ◽

Financial Reporting Quality ◽

Control Problems ◽

Section 404 ◽

Material Weakness ◽

Sarbanes Oxley ◽

Material Weaknesses ◽

History Of

SUMMARY This study examines whether Sarbanes-Oxley (SOX) Section 404 material weakness (MW404) disclosures are predictive of future financial reporting quality. I find evidence that for companies with a history of MW404s, the likelihood of misstatements in financial information continues to be significantly higher for two years after the last MW404 report compared to companies without a history of reported MW404s. The magnitude of the effect decreases non-linearly with decreasing speed. The findings further imply that the reason for the misstatement incidences is the unacknowledged pervasiveness of control problems. In particular, it appears that in many cases, the future misstatements are unrelated to the MW types disclosed in the last MW404 report, suggesting that some MW types are unacknowledged and, hence, control problems are even more pervasive than what was identified. Overall, the findings of this study highlight the importance of discovering and disclosing material weaknesses in internal control over financial reporting.

Download Full-text

Controls, Security, and Audit in Online Digital Accounting

Digital Accounting ◽

10.4018/978-1-59140-738-6.ch010 ◽

2011 ◽

pp. 318-383

Author(s):

Ashutosh Deshmukh

Keyword(s):

Financial Reporting ◽

Internal Control ◽

Annual Report ◽

Control Structure ◽

Internal Controls ◽

Section 404 ◽

Checks And Balances ◽

The Public ◽

Sarbanes Oxley ◽

Public Company

Internal controls have existed since the dawn of business activities. Internal controls are basically systems of checks and balances. The purpose is to keep the organization moving along desired lines as per the wishes of the owners and to protect assets of the business. Internal controls have received attention from auditors, managers, accountants, fraud examiners and legislatures. Sarbanes Oxley Act 2002 now requires the annual report of a public company to contain a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and management’s assessment of the effectiveness of the company’s internal control structure and procedures for financial reporting. Section 404 of the Act also requires the auditor to attest to and report on management’s assessment of effectiveness of the internal controls in accordance with standards established by the Public Company Accounting Oversight Board (PCAOB).

Download Full-text

Auditors' Internal Control over Financial Reporting Decisions: Analysis, Synthesis, and Research Directions

Auditing A Journal of Practice & Theory ◽

10.2308/ajpt-50345 ◽

2012 ◽

Vol 32 (Supplement 1) ◽

pp. 131-166 ◽

Cited By ~ 33

Author(s):

Stephen K. Asare ◽

Brian C. Fitzgerald ◽

Lynford E. Graham ◽

Jennifer R. Joe ◽

Eric M. Negangard ◽

...

Keyword(s):

Financial Reporting ◽

Internal Control ◽

Future Research ◽

The Public ◽

Road Map ◽

Sarbanes Oxley ◽

Environmental Attributes ◽

Public Company ◽

Reporting Decisions ◽

Five Phases

SUMMARY We synthesize the literature on auditors' evaluation of, and reporting on, internal control over financial reporting (ICOFR), as required by the Sarbanes-Oxley Act. The purpose of the synthesis is (1) to provide information on how and how well auditors perform the task, which serves as feedback to the Public Company Accounting Oversight Board on implementation issues and problems related to auditors' application of the professional standards on ICOFR; and (2) to identify gaps in the current literature and fruitful areas of future research. Consistent with Auditing Standard No. 5, we delineate five phases of the ICOFR audit: (1) planning; (2) scoping; (3) testing; (4) evaluation; and (5) reporting. We structure our synthesis using a framework that classifies the determinants of performance in each phase into five broad areas: (a) the auditor's attributes, (b) the client's attributes, (c) the interaction between the auditor and the client, (d) task attributes, and (e) environmental attributes. Key contributions include providing an ICOFR tasks taxonomy, proposing a model of the determinants of performance for each task, evaluating auditors' performance of the tasks in our taxonomy, highlighting findings and gaps of importance to regulators, and providing a road map for future research.

Download Full-text

Determinants of the Persistence of Internal Control Weaknesses

Accounting Horizons ◽

10.2308/acch-10266 ◽

2012 ◽

Vol 26 (2) ◽

pp. 307-333 ◽

Cited By ~ 38

Author(s):

Bonnie K. Klamm ◽

Kevin W. Kobelsky ◽

Marcia Weidenmier Watson

Keyword(s):

Financial Reporting ◽

Internal Control ◽

Management Training ◽

Internal Controls ◽

Senior Management ◽

Data Availability ◽

The Public ◽

Sarbanes Oxley ◽

Material Weaknesses ◽

Specific Control

SYNOPSIS This paper analyzes the degree to which material weaknesses (MWs) in internal control reported under the Sarbanes-Oxley Act of 2002 (SOX) affect the future reporting of MWs. Particularly, we examine information technology (IT) and non-IT MWs and their breakdown into specific IT-related entity-level, non-IT-related entity-level, and account-level deficiencies. Analysis reveals that most account-level and entity-level deficiencies occur at a significantly higher rate in SOX 404 reports with at least one IT MW than in MW reports with only non-IT MWs. Further, the presence and count of both types of MWs and all three types of deficiencies are associated with increased future MWs, as are lower profitability, non-Big 6 auditor, and firm complexity. Specific control deficiencies related to senior management, training, and IT control environment have the strongest impact on future MWs. These results indicate that effective corporate governance of both the IT and non-IT domains is pivotal in establishing and maintaining strong internal controls over financial reporting. Data Availability: Data are available from the public sources identified in the paper.

Download Full-text

Internal control and financial reporting quality of small firms

Review of Accounting and Finance ◽

10.1108/raf-05-2018-0107 ◽

2020 ◽

Vol 19 (2) ◽

pp. 221-246

Author(s):

Jagan Krishnan ◽

Jayanthi Krishnan ◽

Sophie Liang

Keyword(s):

Financial Reporting ◽

Internal Control ◽

Small Firms ◽

Reporting Quality ◽

Financial Reporting Quality ◽

Policy Debate ◽

Content Type ◽

Material Weaknesses ◽

The Impact

Purpose The Dodd–Frank Act of 2010 exempts small, non-accelerated filers from compliance with Sarbanes–Oxley Act (SOX) Section 404b internal control audits. However, these firms are required to comply with other internal control regulations, namely, SOX Sections 302 and 404a, starting in 2002 and 2007, respectively. A small number of these firms also voluntarily adopted (and sometimes dropped) Section 404b during 2004-2010. The purpose of this study is to investigate the impact of a series of internal control regulations introduced by SOX on the financial reporting quality of small firms. Design/methodology/approach The research design for this study is empirical. Using unsigned and signed discretionary accruals as measures of financial reporting quality, the authors compare the financial reporting quality for adopters and non-adopters across four regulation regimes over the period 2000-2010: PRESOX, SOX 302, SOX 404a and SOX 404b. Findings The results indicate that most of the adopters and non-adopters benefited from SOX 302 and 404a compared with the PRESOX period. However, only the non-adopters gained incrementally when moving from SOX 302 to SOX 404a. Also, Section 404b benefited firms with material weaknesses, as well as firms without material weaknesses that had the lowest reporting quality, in the PRESOX period. Research limitations/implications This study helps inform the important policy debate on whether to increase the threshold that is used for the SOX 404b exemption. It shows incremental benefits for firms that adopted Section 404b audits, even when they were complying with Section 302 and Section 404a. Consequently, extending the exemption to more companies would result in a loss of the reporting quality benefit of 404b. Originality/value This study contributes to the literature by focusing exclusively on non-accelerated filers and by examining differences across four regulation regimes over a long window compared to prior studies. It provides evidence that the financial reporting benefit of SOX 404b is not transitional, but rather extends for a few years even after some firms discontinued the 404b audits.

Download Full-text