Information Security and Sarbanes-Oxley Compliance: An Exploratory Study

2011, Vol 25 (1), pp. 185-211
Author(s): Linda Wallace, Hui Lin, Meghann Abell Cefaratti

ABSTRACT: The Sarbanes-Oxley Act of 2002 (SOX) created a resurgence of organizational focus on internal controls. In this study, we examine the extent to which the information technology (IT) controls suggested by the ISO 17799 security framework have been integrated into organizations’ internal control environments. We collected survey data from 636 members of the Institute of Internal Auditors (IIA) on the current usage of IT controls in their organizations. In addition to identifying the most and least commonly implemented IT controls, the survey results indicate that control implementation differences exist based on a company’s status as public or private, the size of the company, and the industry in which the company operates. Training of internal auditors and/or IT personnel is also associated with significant differences in implemented controls. We discuss the implications of our research and offer suggestions for future research.

2016, Vol 35 (4), pp. 159-173
Author(s): Byron J. Pike, Lawrence Chui, Kasey A. Martin, Renee M. Olvera

SUMMARY: To reduce redundancies and increase efficiency in the evaluation of internal controls (PCAOB 2007, 402–403), professional standards encourage coordination between external auditors and their clients' internal audit function (IAF). Recent surveys of internal auditors find that a component of this coordination is external auditors' involvement in developing the IAF's audit plans. Nevertheless, it is not known how such involvement affects external auditors' reliance on the internal control test work of the IAF, either before or after a negative audit discovery. Based on an experiment with 107 experienced auditors, we find that external auditors involved in the development of the IAF's audit plan perceive the IAF as more objective and that both objectivity and involvement contribute to these auditors' placing more reliance on the IAF as compared to external auditors with no involvement. This initial reliance results in the involved auditors' proposing reductions to the audit budget and re-performing less of the IAF's work. Consistent with an anchoring bias, we find that involvement leads to external auditors' continuing to place greater reliance on the IAF's work, even after they become aware of a negative audit discovery that should not have occurred had the client's controls been effective. Data Availability: Data are available from the authors on request.


2010, Vol 24 (1), pp. 1-21
Author(s): Roberta Ann Barra

ABSTRACT: Little prior research exists on the parameters of internal control activities. The Sarbanes-Oxley Act of 2002 (SOX 2002) makes identifying the properties of these parameters under various conditions important. In this paper, an analytical/reliability engineering methodology is used to investigate the relative impact of penalties versus other types of internal controls on managerial and non-managerial employees’ propensity to commit fraud. Ceteris paribus, increasing required effort with internal controls and/or increasing employee penalties, increases the minimum amount stolen when a fraud incident occurs; that is, more net assets will be taken per fraud incident with controls than without controls. The findings show that the firm’s least-cost scenario with managerial employees is to enforce maximum penalties. The firm’s least-cost scenario with non-managerial employees is to utilize alternative internal controls while imposing minimum penalties. Further, the effectiveness of separation of duties is dependent on the detective controls in the internal control system.


2010, Vol 14 (4)
Author(s): Qianhua (Q) Ling, Michael D. Akers

The passage of the Sarbanes-Oxley Act of 2002 (SOX) heightened the importance of internal controls and, accordingly, of a key control: the internal audit function. Consequently, management and external auditors have both increased their reliance on internal auditors' work. While there has been considerable research regarding the impact of the underreporting of time and premature sign-offs on the external audit, there has only been one study that has examined the impact of these two items on the internal auditors' work. Such research is dated (1994) and prior to the passage of SOX. We surveyed members of the Institute of Internal Auditors (IIA) in the Midwest to examine their behavior and perceptions regarding these two items. The respondents in our study believe the underreporting of time is unethical, which is supported by their reporting of all time worked, even if such time exceeded the budget. Our findings also show that the respondents feel premature sign-offs are unethical and result primarily from lack of professional skepticism and inadequate training. Increasing training in audit areas and improving communications within the audit team are possible solutions to reduce premature sign-offs. Premature sign-offs are more likely to occur in operational audits and to a lesser degree in financial audits and compliance audits.


2009, Vol 2 (2), pp. 47-54
Author(s): T. S. Amer, Lawrence C. Mohrweis

This study describes the multifaceted components of an assessment process. The paper explains a novel approach in which an advisory council participated in a fun, hands-on activity to rank-order learning outcomes. The top ranked learning competency, as identified by the advisory council, was the need for students to gain a better understanding of internal controls. With this competency identified, the advisory council exercise was then followed up by a modification in the auditing course. An empirical study, consisting of a control group and a treatment group, was conducted to assess whether performance on an internal control essay question by students now met or exceeded established expectations. The results indicated that students' preliminary understanding of internal controls had been enhanced. The accounting faculty further closed the loop by approving a new internal controls course designed to cover, in greater detail, topics such as the COSO internal controls framework, Sarbanes-Oxley requirements, recent PCAOB statements, and real-world cases involving internal control failures.


2020, Vol 62 (2), pp. 193-211
Author(s): Mohamad Ridhuan Mat Dangi, Anuar Nawawi, Ahmad Saiful Azlin Puteh Salin

Purpose: The purpose of this study is to determine whether higher-learning institutions have sufficient internal controls to manage whistle-blowing or similar means when encountering repetitive complaints requiring similar corrective actions. This study attempts to classify complaints as per categories, criteria and components of the COSO framework using a checklist called self-assessment checklist of internal control kits so that complaint activities can be efficiently and effectively managed.
Design/methodology/approach: As a case study, one public university in Malaysia was selected, and 740 complaints were examined over a four-year period. Two methods of data collection, namely, document analysis and interviews, were used.
Findings: This study found no internal controls established to oversee the complaints that were received. Hence, repetitive complaints were received for similar areas and functions over a period. The application of the COSO framework on complaints and whistle-blowing activities, however, led to more organised and visible problems; therefore, effective corrective and preventive action may be conducted.
Research limitations/implications: This study was conducted on only one organisation with several series of interviews and a limited period of document analysis because of privacy and confidentiality of the information. Future research should collect and analyse data from a higher number of organisations with more respondents for interviews and a longer period for document analysis to obtain more accurate results.
Practical implications: This study provides further evidence on the suitability of the COSO framework for different types of organisations, either public or private, which has been successfully adopted globally. It is effective not only to manage operational and financial matters but also to manage complaints and whistle-blowing activities in organisations.
Originality/value: This study is original because it focuses on the current practices of internal control in government entities, particularly for organisations that operate as higher-learning institutions, which is scarce in the literature. In addition, this study analysed the drawbacks of internal control systems, especially in dealing with whistle-blower reports and complaints, by referring to the list of complaints made by their stakeholders.


2006, Vol 25 (1), pp. 99-114
Author(s): K. Raghunandan, Dasaratha V. Rama

Section 404 of the Sarbanes-Oxley Act and Auditing Standard No. 2 (PCAOB 2004) require management and the auditor to report on internal controls over financial reporting. Section 404 is arguably the most controversial element of SOX, and much of the debate around the costs of implementing section 404 has focused on auditors' fees (Ernst & Young 2005). In this paper, we examine the association between audit fees and internal control disclosures made pursuant to section 404. Our sample includes 660 manufacturing firms that have a December 31, 2004 fiscal year-end and filed the section 404 report by May 15, 2005. We find that the mean (median) audit fees for the firms in our sample for fiscal 2004 is 86 (128) percent higher than the corresponding fees for fiscal 2003. Audit fees for fiscal 2004 are 43 percent higher for clients with a material weakness disclosure compared to clients without such disclosure; however, audit fees for fiscal 2003 are not associated with an internal control material weakness disclosure (in the 10-K filed following fiscal 2004). We also find that the association between audit fees and the presence of a material weakness disclosure does not vary depending on the type of material weakness (systemic or non-systemic).


2018, Vol 17 (02), pp. 1850020
Author(s): Georgia Boskou, Efstathios Kirkos, Charalambos Spathis

Recently, internal controls, corporate governance and risk management have received a great deal of attention. Regarding internal control, several research studies address the issue of internal audit quality. Notably, according to Sarbanes–Oxley (SOX), the internal controls over financial reporting are assessed by the auditors and the management. In the present study, we assess internal controls over financial reporting by employing Text Mining techniques. We analyse the annual reports of 133 publicly traded Greek companies. The textual parts of the annual reports that refer to the internal audit mechanism are extracted. We adopt a Vector Space model, and the term-document matrix records the occurrence frequencies of the terms. By applying feature selection, a set of significant keywords, which are used as predictors, is extracted. The Linear Regression model developed explains the variance of the data and highlights significant predictors. The model manages to successfully assess the internal audit function. By performing PCA, major underlying procedures and concepts related to internal audit quality are revealed. In spite of the undoubted importance of the assessment of internal audit, no previous attempt has been made to assess internal audit and to extract internal audit information from corporate disclosures by using Text Mining techniques. Our results can be useful to internal and external auditors, managers, company decision-makers, regulators and researchers.


2012, Vol 24 (2), pp. 39-49
Author(s): Lemuria D. Carter, Brandis Phillips, Porche Millington

Since the introduction of the Sarbanes-Oxley (SOX) Act in 2002, companies have begun to place more emphasis on information technology (IT) internal controls. IT internal controls are policies that provide assurance that technical systems operate as intended, provide reliable data, and comply with regulations. Research suggests that firms with strong internal controls perform better than those with internal control weaknesses. In this study, the authors evaluate the impact of IT internal controls on firm performance. The sample includes 72 publicly traded firms, 36 that reported IT internal control weaknesses and 36 that did not. The results of ordinary least squares (OLS) regression indicate that substantive IT internal control weaknesses negatively impact firm performance. Results and implications for research and practice are discussed.


2008, Vol 27 (2), pp. 161-179
Author(s): Kam C. Chan, Barbara Farrell, Picheng Lee

SUMMARY: The main objectives of the Sarbanes-Oxley Act of 2002 are to improve the accuracy and reliability of corporate disclosure. Under Section 404 of the Sarbanes-Oxley Act, the external auditor has to report an assessment of the firm’s internal controls and attest to management’s assessment of the firm’s internal controls. Material weaknesses in internal controls must be disclosed in the auditor and management reports. The objective of this study is to examine if firms reporting material internal control weaknesses under Section 404 have more earnings management compared to other firms. The results provide mild evidence that there are more positive and absolute discretionary accruals for firms reporting material internal control weaknesses than for other firms. Since the findings of ineffective internal controls by auditors under Section 404 may cause firms to improve their internal controls, Section 404 has the potential benefits of reducing the opportunity of intentional and unintentional accounting errors and of improving the quality of reported earnings.


2008, Vol 22 (1), pp. 63-76
Author(s): Arline Savage, Carolyn Strand Norman, Kathryn A. S. Lancaster

Following enactment of the Sarbanes-Oxley Act (SOX) of 2002 (U.S. House of Representatives 2002), public accounting firms and publicly traded companies are much more focused on internal controls. Accordingly, many accounting graduates will be asked to evaluate, document, and perhaps test the adequacy of an organization's internal control structure. The Committee of Sponsoring Organizations' (COSO 1992) Internal Control—Integrated Framework is the most widely used tool for this purpose. This instructional case, based on the movie, Rogue Trader, gives students the opportunity to see the consequences of lax corporate governance and weak internal controls at the Barings Bank. Students view the movie and then use the COSO framework to critically analyze the collapse of a well-established financial institution.
