IT Control Weaknesses, IT Governance and Firm Performance Discussant Comments Gary Baker, Partner, Deloitte & Touche LLP Saturday, October 13, 2007


IT Control Weaknesses, IT Governance and Firm Performance

Discussant Comments

Gary Baker, Partner, Deloitte & Touche LLP

Saturday, October 13, 2007


© Deloitte & Touche LLP and affiliated entities.

Summary of Study’s Key Conclusions

1. Companies with stronger IT Governance report fewer material IT control weaknesses

2. Companies with material IT control weaknesses have significantly lower financial performance (ROA, ROS, Growth)

– than companies with material non-IT weaknesses

– than companies with no reported material control weaknesses

3. Companies with stronger IT Governance have improved financial performance over and above their impact on reduced IT control deficiencies

I agree with the author’s conclusion that this presents a compelling case for improving IT Governance

– Especially since not all of the lower financial performance is attributed to higher audit costs


Introduction

• I am not a statistician

– I thought I was OK at math until I started to read the tables and formulas

– Cannot comment on the veracity of the models/formulas, etc.

• Comments and observations are my own

– not necessarily those of Deloitte & Touche

• First observation – Intended audience of paper not clear

– Likely needs to be separated into a publication for the business community and one available to challenge approaches, methods, assumptions and results

– In its current form will not likely appeal to business community


Conclusion #1 - Companies with stronger IT Governance report fewer material IT control weaknesses

• A restatement (in the inverse) of the conclusion reached in Section 5

– Companies with material IT control weaknesses have:

  – Less IT-knowledgeable management and boards

  – Weaker IT governance, as evidenced by:

    – Shorter tenure of CIOs

    – Fewer IT strategy committees

• I think it is logically sound to conclude that:

– Since companies with IT weaknesses have less of these attributes, therefore:

  – Companies with more of these attributes have fewer IT weaknesses

• It may be logical to surmise that increasing these attributes could lead to improved IT controls (all other factors being equal)

• It may be intuitive, but does it follow that increasing these attributes will lead to stronger IT Governance?

– From the evidence in the study it is not clear that these attributes equate to stronger IT Governance


IT Governance

• Are the proxies used by the study good measures of effective IT Governance?

– # of IT knowledgeable Board members and Management

– Tenure of CIO

– Existence of IT Strategy Committee

• The study found that

– # of IT knowledgeable Board members and Management was not significant to financial performance (but was to # of IT weaknesses)

– Although CIO tenure and IT Strategy committee were significant to financial performance

• Further, the study acknowledges that:

– # of companies that have adopted an IT Strategy Committee is “small”, and

– “the question is whether those that have adopted them have benefited”

– the study did not appear to focus on this as a direct objective nor did it provide a conclusion to this question

• Additional study may be needed to identify good indicators of effective IT Governance


Conclusion #2 - Companies with material IT control weaknesses have significantly lower financial performance

Related finding that “… the impact on financial performance is primarily associated with general control weaknesses related to security controls which are comparatively pervasive and more difficult to correct than other IT control weaknesses.”

• Organizations implement “information security” controls to:

– Prevent/detect unauthorized access (both physical and logical) to information and related assets

– Prevent/detect unauthorized disclosure/theft (not likely a SOX 404 issue)

– Prevent/detect loss of integrity of information (accidental/intentional)

– Enforce organizational segregation of duties

• Information security controls operate at multiple “levels” within an organization:

– IT environment (often referred to as “general controls”)

  – To manage physical access to information systems

  – To manage logical access to network and information resources

– Business applications (could be “general” or “application controls”)

  – To manage logical access to automated functionality

• It is not clear from the study whether the security weaknesses were general control weaknesses or application control weaknesses


Security Controls

“… the impact on financial performance is primarily associated with general control weaknesses related to security controls which are comparatively pervasive and more difficult to correct than other IT control weaknesses.”

• Since “security” was identified as the only statistically significant weakness, without further analysis of the nature of the “security” weaknesses, the finding about the impact of General Controls may be suspect

• In practice, effective management of the provisioning and de-provisioning of application-level access rights and privileges is one of the most challenging tasks related to information security

– Lack of clarity between IT and Process owners re: roles, responsibilities and accountabilities

– Lack of effective tools and technologies to enable efficiencies


Security Controls

“… the impact on financial performance is primarily associated with general control weaknesses related to security controls which are comparatively pervasive and more difficult to correct than other IT control weaknesses.”

• In addition, the statement that such weaknesses are “comparatively pervasive” may be inaccurate if the weaknesses identified relate to security within specific applications

– although application security weaknesses in ERP applications may be more pervasive than in non-ERP applications

• Finally, no evidence was provided to support the statement that security controls are “more difficult to correct than other IT control weaknesses”

– fixing application control deficiencies may require compensating manual controls and/or system replacements which can be very expensive and time consuming


Other random thoughts and musings

• The study evaluates material IT weaknesses and appears not to consider “significant deficiencies”

– May not have reliable information as companies are not required to publicly report significant deficiencies

– The profession is challenged to determine what IT control deficiencies constitute a material weakness

– Guidance on evaluating control deficiencies chart #3

– Might we have found a large number of “significant deficiencies” that did not make it to material weaknesses?

• Not clear from the paper if the # of IT weaknesses (or non-IT weaknesses) had any correlation to financial performance

– It might be interesting to analyze whether the number of reported deficiencies was a factor in financial performance

• Acknowledged limitation that the study does not extend to market valuation of the financial impact due to IT control weaknesses

– Would encourage consideration as this could add significantly to the discussion of the value delivered by IT


Other random thoughts and musings

• The study uses terminology such as IT Governance, IT controls, application controls and general IT controls

• I believe the profession needs better clarity of definition around these terms

– What is termed IT Governance often refers in fact to IT management

– IT Governance is often interpreted to be “governance of the IT department” instead of “Enterprise governance of information”

– IT “general” controls are often thought to be pervasive, but may be unique to a particular business system

– Are IT general controls more appropriately considered as IT process controls? (similar to business process controls)

– IT general controls are often considered to be “owned” by IT

  – But who owns responsibility for “IT general controls” over end-user computing environments, for example?

– Application controls are often thought of only in the context of business transaction applications

  – when they should be used in the context of any automated control activity


Other random thoughts and musings

• Commentary that IT Governance is an entity level control

– Fine for “governance” level considerations such as Board/Management IT knowledge, existence/tenure of CIO, IT strategy committees, definition of roles & responsibilities, etc.

– Does not address nature of “IT process controls” or Application controls

– Definition of activity level controls appears limited to business “transaction” processes

– Creates confusion in the marketplace as definition of IT Governance often confused with IT management or “General Controls”


Other random thoughts and musings

• The finding that firms with non-Big 4 auditors are more likely to report IT control weaknesses warrants additional study

– Are such firms less likely to have invested in IT governance and control processes?

– Are the approaches/methodologies of Big 4 firms less likely to identify IT control weaknesses?

– Are firms with Big 4 auditors more likely to have invested in compensating controls, reducing the impact of IT control weaknesses?


Summary

1. Companies with stronger IT Governance report fewer material IT control weaknesses

2. Companies with material IT control weaknesses have significantly lower financial performance

3. Companies with stronger IT Governance have improved financial performance over and above their impact on reduced IT control deficiencies

I agree with the author’s conclusion that this presents a compelling case for improving IT Governance

– Assuming the statistics are valid

– Assuming the proxies for effective IT Governance are valid

– Assuming further granularity around “security” weaknesses does not materially impact conclusions


Deloitte, one of Canada’s leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 6,800 people in 51 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.
