Karen Evans, national director of the U.S. Cyber Challenge and former Office of Management and Budget administrator

Auditor Responsibility?

Audit Committee Power"The things that senior leadership does respond to

are GAO reports [and] IG reports, and in private industry the audit committee is the most powerful on any board,”

Cybersecurity is "now being brought into the audit committee because that's what leadership looks at – they look at the results of an audit,"

(http://fcw.com/Articles/2013/10/10/cybersecurity-audits-secret-ingredient.aspx?Page=1)

Sarbanes OxleyInformation Technology Weaknesses

Background QuestionsWhat is SOX?

How/Why did it come about? What are SOX requirements?

Which if any rely on or are related to IT controls?

The effect of IT controls on financial reportingGrant, Miller & Alali (2008)

Grant, Miller & Alali (2008)Article Overview

What Standards does paper use for support? How are these standards used? What do they say (not say) about IT controls?

SAS 94 “The nature and character of an entity’s use of technology in its information

system affects the entity’s overall internal control structure” SOX PCAOB AS #5

an IC deficiency occurs when the design or operation of the control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis

IT general controls could have an effect on the operating effectiveness of other controls and requires auditors to provide an opinion on the effectiveness of internal controls over financial reporting. General Controls – Insure Proper Operations Application Controls – Processing & Storage of Information

SOX 302What are the requirements?

The signing officers have reviewed the report

The report does not contain any material untrue statements or material omission or be considered misleading

The financial statements and related information fairly present the financial condition and the results in all material respects

The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings

A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities

Any significant changes in internal controls or related factors that could have a negative impact on the internal controls

SOX 404404 (a)

Management statement of responsibility over Internal Controls &

Assessment of Internal Controls

404 (b)

Auditors must attest and report on managements assessment

Report Material Weaknesses in Internal Control and Remediation Plan

What are/define MW’s?

Most Companies use COSO as Internal Control Framework

Section 409Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations.

Section 802all audit or review papers must be maintained for a period of 5 years

How are audit/review papers maintained in 2012?

What IT deficiencies did the paper look at?IT deficiencies include controls related to

software programs program implementations segregation of duties associated with access to

computer accounting or financial reporting records problems with access to electronic data and programs

What other controls might be important for accounting/auditing?

Why weren’t they investigated?

FindingsIT Deficiency ranked 6th among all MWs (20% so 1 in 5)

IT Deficiency -> Internal Control deficiency

IT Deficiency -> accounting errors (Why?)

revenue recognition

receivables, investments, and cash issues

inventory, vendor, and cost of sales issues

financial statement, footnote, US GAAP, and segment disclosures issues

IT Deficiency -> Higher Audit Fees

SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information TechnologyKlamm and Watson (2009)

Klamm and Watson (2009)Article Overview?

OverviewExamined IT and non-IT Controls Material Weaknesses with respect to COSO Components

Material Weaknesses were mapped to a specific COSO component

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring

IT Vs. non-IT MWs

What is your assessment of the IT MW’s?

COSO ComponentsControl environment

Foundation

Sets tone of the firm

integrity, ethical values, competence, philosophy, and operating style of the firm’s managers and employees

Risk assessment

identification, analysis, and management of (operating, economic, industry, regulatory) risks that may prevent a firm from achieving its objectives

Management implements control activities

segregation of duties, approvals, reviews, reconciliations, and authorizations

Information & Communication

timely capture and dissemination of pertinent information on internal and external events

communication among and between management, employees, suppliers, and customers

Monitoring

continual evaluation of the other components’ effectiveness.

Findings

Weak Control Environment is related to other weaknesses in COSO components

Weak Monitoring is related to weak risk assessment and control activities

Financial Statement reliability is affected by the number of weak COSO components

IT related MW’s are associated with a greater amount of non-IT related MW’s

IT related MW’s are related with:

More misstatements

Greater overall number of MWs

Information Security and Sarbanes-Oxley Compliance: An Exploratory StudyWallace, Lin, and Cefaratti (2011)

Wallace, Lin, and Cefaratti (2011)Article Overview?

FrameworksWhat frameworks did this article mention as possible IT security frameworks to consider?

COSO

Model for controlling and managing Internal Control

COBIT

IT Governance / NOT IT Security Specifically

What needs Controls

ISO

Specific IT Security Controls

How To

ISO1. Security Policy

2. Organizational Security

3. Asset Classification and Control

4. Personnel Security

5. Physical and Environmental Security

6. Communications and Operations Management

7. Access Control

8. Systems Development and Maintenance

9. Business Continuity Management

10.Compliance

In all there are 124 recommended IT controls

What did the research find?

FindingsWhat is the Extent that ISO controls are in place?

Most Common:Controls such as deploying antivirus software and authenticating remote users accessing the network

Least CommonProtecting equipment from unauthorized access and tracking the location of removable computer media

“Not Sure” ResponsesCPA’s selected “not sure” more frequently than non-CPA’s

CISA’s selected “not sure” less frequently than non-CISA’s

Certified Information Systems Auditor

What Is ISO Category 8? 9?

TrainingAuditors with IT Training

35 more controls were likely to be implemented

IT employees participate in SOX Compliance

55 more controls were likely to be implemented

IT personnel received SOX compliance training

65 more controls were likely to be implemented

IT internal control weaknesses and firm performance: An organizational liability lensStoel & Muhanna (2011)

Stoel and Muhanna (2011)Article Overview

Internal ControlSEC definition:

policies and procedures for the recording of transactions and maintenance of financial records

Since modern enterprises are heavily dependent on integrated computer- based systems

“internal control over financial reporting” process regulated by the SEC must include controls over the accounting and management process as well as over the organizational IT infrastructure and systems.

Statement of Auditing Standards No. 94 (SAS 94) affirmed that the nature and characteristics of a company's use of information technology affect the company's internal control over financial reporting and requiring auditors to consider information technology as an integral part of overall internal controls (AICPA 2001).

Therefore, SOX requires review of Accounting Internal Control as well as IT controls

IT ControlsPertain specifically to IT systems, processes and infrastructure

used to capture, process and record raw transactional data corresponding to economic events

as well as support the preparation of financial reports

Encompass the management, operational, and technical safeguards or countermeasures prescribed for the firm's information systems to protect the

Confidentiality

Integrity

Availability

of those systems and their information

What framework does this definition come from?

When examining a companies IC – which framework do companies use? Which are prescribed?

What does PCAOB AS #2 say about IT controls?

Overview H1What is the business value of IT Controls?

What is the relationship between IT Quality and ROA?IT Control MW’s -> Lower ROA (Why?)

What were the ROA for the 3 segments examined in this study?

“We argue that IT internal control weaknesses adversely impact corporate performance by interfering with organizational ability to meet the essential needs for reliable information and systems to conduct daily operations and to effectively and efficiently deliver customer service, management support and productivity gains. “

Overview H2 and H3 H2, not supported:

We find no direct effect of IT internal control quality on market valuation

H3, supported: IT internal control quality negatively moderates the association between

accounting earnings and market valuation. “In other words, our empirical findings indicate that earnings become less

useful in explaining market valuation for firms with IT ICWs”

“This provides empirical evidence which suggests that information systems risk is priced by the capital markets and that information about the quality of the firm's IT controls is useful to investors beyond financial information disclosed in company filings.”

The consequences of Internal Control Weaknesses on Management Information Systems: The Case of SOX Internal Control Reports

Li, Peters, Richardson, Watson, 2012

Li, Peters, Richardson & Watson (2012)Article Overview

What do the researchers assert?Quality of financial reporting system output.

In what form? how is quality being operationalized? What can impact quality?

IT ControlsHow are these determined?

How are they coded?

How did the authors categorize them?1. Data Processing Integrity

2. Systems Access and Security

3. System Structure and Usage

FindingsWhat did they find?

A content Analysis of auditors reports on IT internal control weaknesses... (Boritz, Hayes, and Lim, 2013)

What is this about?Why did they do it?

What did they find?Are any of these categories correlated with each

other? If so what might be an explanation?

What didn’t they find?Or what keywords might you expect that didn’t turn

up or turned up infrequently?

What might this mean?

Can it be fixed?