Critical Factors Affecting the Evaluation of Information Control Systems with the COBIT Framework

This paper empirically investigates the factors affecting auditors in evaluating information technology (IT) control structures by employing the COBIT framework, a popular IT internal control with integrated platform, and examines the relationship between monitoring function and other COBIT dimensions. The results of our empirical analysis indicate that key factors of IT governance endorsed by certified public accountants (CPAs) in Taiwan match fairly well with those prescribed in the COBIT framework. CPAs can utilize COBIT as a guideline for developing their approach to internal control structure and further limiting their audit liabilities.     

An analysis of attributes that impact information technology audit quality: A study of IT and financial audit practitioners

The importance of information technology (IT) auditing has grown with increased reliance on IT for business operations and new regulations regarding the assurance of IT for these operations. Prior work on IT and financial auditing has suggested several general frameworks that may affect IT audit quality; however, the prior work has not provided measurable constructs nor has it considered whether these proposed constructs are the same or different. Building on prior work that has proposed frameworks of IT audit quality, we identify and evaluate potential constructs suggested by these frameworks as well as financial auditing literature. We develop a survey tool and ask IT and financial accounting practitioners to assess the impact of these items on IT audit quality. A factor analysis is used to refine the set of IT audit quality factors identified, and we are able to provide insight into the prioritized impact of each factor on IT audit quality. In comparison to prior research, we find that additional factors are significant for IT audit quality and that the relative importance of the factors for IT audit quality differs for IT versus financial auditors.     

An internal control perspective on the market value consequences of IT operational risk events

IT internal controls are an important component of an organization's arsenal of internal controls. Upon conceptualizing failures of operational IT systems, or what we call IT operational risk events, as signals of IT internal control weaknesses, we theorize about these events' impact on internal control objectives in general and about how this impact is influenced by the regulatory environment in particular. We then perform an event study to examine the economic impact of a diversified sample of IT operational risk events from the U.S. financial services industry during 1985–2009. We specifically test the impact of contextual factors on the degree of this effect, including the events' target (confidentiality, integrity, or availability of IT assets), the source of disclosure (regulatory or voluntary), the enactment of the Sarbanes–Oxley Act, and firm-specific attributes. We find that investors penalize firms most strongly for experiencing events that compromise the availability of IT systems, consistent with our prediction that these events more negatively impact the reliability of financial reporting and the efficiency and effectiveness of operations. This result contrasts extant empirical studies that are predominantly concerned with information and security breaches. We find also that investors' penalty is the strongest for firms experiencing IT operational risk events that occurred after the passing of the Sarbanes–Oxley Act or were disclosed by a regulatory body. Finally, the market reaction is shown to be stronger for firms with high growth potential, firms that are larger, riskier, and are in the banking sector. Implications for research and practice are discussed along with directions for future research.     

The effect of auditor IT expertise on internal controls

Material weaknesses in internal controls related to information technology (IT) represent unique threats to organizations. Utilizing the external auditor as an example of an externally observable governance mechanism, we investigate if firms with revealed IT internal control deficiencies employ a strategy of disassociation with their current auditor. Our tests show that prior evidence of disassociation strategies hold in both IT and non-IT contexts. Of particular focus to our study, we document a positive association between firms that report IT material weaknesses and subsequent auditor dismissals or switching. We next investigate the potential internal control benefits of switching to auditors with greater expertise in environments that emphasize the importance of IT. We argue that greater audit firm IT expertise promotes improved internal controls for their clients, especially those controls that are dependent on IT. We find that clients that switch to auditors with greater IT expertise, relative to their former auditor, have a greater likelihood of material weakness remediation within one year of reporting control weaknesses. Complementing these findings, we find that audit IT expertise is negatively associated with both non-IT and IT material weaknesses in an ex ante reporting setting. Prior literature takes a longstanding interest in both the incentive for developing auditor expertise and the effects of that expertise. We contribute to this literature stream by providing additional evidence related to a specific type of expertise.     

Audit Firm Attributes and Auditor Litigation Risk

This study examines the association between auditors' litigation risk and audit firm attributes. Using professional liability insurance premiums as a proxy for auditors' litigation risk, we present evidence that the risk is lower in audit firms having: (1) separate non-audit and audit divisions; (2) a higher proportion of partners; and (3) a higher annual growth in number of CPAs employed. Additionally, we find that the risk is higher in audit firms having: (1) operating losses; and (2) high revenue growth. Our results are consistent with the idea that audit firms' financial condition and organizational structure affect their independence/ expertise, and, in turn, their litigation risk. Our results are broadly supportive of the PCAOB's (2015) and US Department of Treasury's (2008) views that investors, audit committees, management, and other regulators could benefit from having access to financial and organizational information about audit firms.     

坚固第三道防线

伴随着信息科技与业务发展的深度融合,银行对信息科技这一关键资源的效率和效能、可用和安全有着越来越高的要求。任何与信息科技相关的风险事件的发生,对银行的IT审计都是重大挑战。"十二五"时期,IT审计作为银行的"第三道防线"(信息科技管理为"第一道防线"、信息科技风险管理为     

Exploring differences between smaller and large organizations' corporate governance of information technology

Corporate governance of information technology (CGIT) is targeted at maximizing IT investment to achieve business objectives and value. Yet there is little empirical evidence about organizations' attitudes to and use of CGIT to deliver such value, or the role of related policies, practices, frameworks and methodologies. This study explored the views of Chief Information Officers and executive managers of smaller and large, primarily Australian organizations, regarding governance of IT. Through a survey, we investigated their views regarding the perc eived relevance, influential drivers, challenges and perceived benefits from the use of CGIT. Regardless of organizational size, our findings demonstrate substantially the same benefits, influences and challenges. Further, besides the widely acknowledged importance of strategic alignment of business and IT, risk management was found to be significant both in influencing the decision to adopt CGIT and as a perceived key capability for delivering improved organizational performance and resource-based value. As such, the study contributes new knowledge related to delivering business value through governing IT.     

论会计管理信息化的ISCA模型

本文总结和审视现代信息技术应用于会计工作的内涵和作用,根据目前我国信息化现状及未来可能的实践提出建立和实施会计管理信息化的ISCA(Information System,Control and Auditing)模型:首先是建立在企业管理信息系统环境中的会计信息系统,是一种事件驱动模式的系统,其核心是集成;同时,为了确保会计信息系统(AIS)安全有效地运作,必须建立健全的信息系统内部控制制度;并且,为了确保和审查内部控制制度的有效执行,必须开展对AIS及其内控制度的审计,以最终地达到对AIS安全、可靠、有效和高效地应用.三者的有机结合构成了AIS的ISCA模型。正确地实施ISCA模型,可实现企业的物流、业务流、资金流、信息流、控制过程和审计过程的整合和集成,使现代信息技术应用于会计管理工作并取得较好的效果。     

The relationship between internal audit and information security: An exploratory investigation

The internal audit and information security functions should work together synergistically: the information security staff designs, implements, and operates various procedures and technologies to protect the organization's information resources, and internal audit provides periodic feedback concerning effectiveness of those activities along with suggestions for improvement. Anecdotal reports in the professional literature, however, suggest that the two functions do not always have a harmonious relationship. This paper presents the first stage of a research program designed to investigate the nature of the relationship between the information security and internal audit functions. It reports the results of a series of semi-structured interviews with both internal auditors and information systems professionals. We develop an exploratory model of the factors that influence the nature of the relationship between the internal audit and information security functions, describe the potential benefits organizations can derive from that relationship, and present propositions to guide future research.     

The cost stickiness of information technology material weaknesses: An intertemporal comparison between it-related and other material weaknesses

The PCAOB's audit firm inspections drive audit focus and costs. The PCAOB's 2010-initiated increased emphasis on internal control audit work intensified concern over internal control weaknesses (ICW). IT-related material weaknesses (ITMW) have emerged as particularly significant with PCAOB reports (2008, 2012) highlighting on-going deficiencies in IT controls auditing and the 2015 PCAOB brief noting an on-going focus on recurring audit deficiencies. We explore how ICW affect audit fees and how alternative types of ITMW lead to varying degrees of persistence in fee premiums. Using propensity score matched samples, we find fee premiums associated with ITMW linger longer than premiums for non-IT entity-level material weaknesses (ELMW) or firms reporting account-specific material weaknesses. Moreover, we find that audit fee premiums by type of ICW remediated is overall strongest for ITMW linked to data processing integrity. Our findings underscore the importance of distinguishing not only between non-IT ELMW and ITMW but also types of ITMW as identified in data quality research.     

Costs and Returns on Graduates of the University of Bradford

Global repercussions of the Enron scandal and particularly the enactment of the Sarbanes–Oxley Act (SOX) in the USA, resulted in significant changes in the UK regulatory regime for audit and corporate governance, including an increased role for audit committees and independent inspection of audit firms. UK-listed company chief financial officers, audit committee chairs (ACCs) and audit partners were surveyed in 2007 to obtain views on the impact of 36 economic and regulatory factors on audit quality post-SOX. Four hundred and ninety-eight usable responses were received, representing a response rate of 36%. All groups rated various audit committee interactions with auditors among the factors most enhancing audit quality. However, International Standards on Auditing (ISAs) and the audit inspection regime, aspects of the ‘standards-surveillance-compliance’ regulatory system, are viewed as less effective. Exploratory factor analysis reduces the 36 factors to nine independent dimensions: economic risk; audit committee activities; risk of regulatory action; audit firm ethics; economic independence of auditor; audit partner rotation; risk of client loss; audit firm size and, lastly, ISAs and audit inspection. Post-SOX regulations have introduced additional dimensions to the factors influencing audit quality. Respondents commented that aspects of the changed regime are largely process and compliance driven, with high costs for limited benefits, a finding consistent with regulatory over-reaction.     

An empirical examination of CobiT as an internal control framework for information technology

One commonly used framework for developing and evaluating technology intensive information systems is CobiT. This framework was originally a benchmark of best control practices developed and maintained by the Information Technology Governance Institute, the umbrella organization to the Information Systems Audit and Control Association. We empirically examine the conceptual model that underlies the CobiT internal control framework as it applies to an audit setting (including operational, compliance, and financial audit settings). We find that superimposing CobiT's conceptual model onto audit relevant assessments made by a panel of highly experienced IT auditors confirms the internal consistency between the underlying constructs of CobiT. Furthermore, we find that CobiT's conceptual model predicts auditor behavior in the field related to their seeking help and giving help as evidenced by their postings to a general IT audit listserv. Given the results of this study, we propose future research aimed at developing a general theory of internal control applicable to information technology based on CobiT.     

The association between human resource investment in IT controls over financial reporting and investment efficiency

This study investigates the association between human resource investment in information technology (IT) controls over financial reporting and its investment efficiency. To conduct the analysis, it uses novel hand-collected data on the number of IT control personnel. In particular, it uses the ratio of (1) the number of IT control personnel, (2) the number of IT control personnel who are certified public accountants to the total number of employees in a firm, and (3) the natural logarithm of average working experience of IT control personnel in months as a proxy for human resource investment in IT controls. This study finds that such investment is negatively associated with the firm's abnormal investment, suggesting that investing in IT control personnel enhances a firm's investment efficiency. Furthermore, not only quantitative but also qualitative investment in IT control personnel improves investment efficiency. We also find that the association between human resource investment in IT controls and a firm's investment efficiency is more pronounced for firms with lower financial reporting quality and information environment. The results of this study provide useful implications for management, regulators, and market participants, as they demonstrate the positive role of investment in IT control personnel on the firm's internal decision.     

The impact of audit firms’ characteristics on audit fees following information security breaches

Given the importance of auditors’ assessing business risks and evaluating internal controls, we investigate whether an audit firm’s industry expertise, tenure, and size can help its auditors better understand external and internal threats faced by the client with less effort. Using reported information security breach incidents from 2004 to 2013, we find that, consistent with prior studies, audit fees are higher after the occurrence of an information security breach. However, such an association is negatively moderated when the audit firm has industry-specific expertise, longer experience with the client, and is one of the Big 4 firms. Our results suggest that because of their better knowledge about a specific industry, increased familiarity with the client’s operations, and more resources to understand a client’s vulnerabilities and/or information security policies and procedures, these auditors are more capable of assessing the potentially changing information security risks implied by the occurrence of information security breach incidents. Our results are robust to a variety of sensitivity checks.     

IT governance: Objectives and assurances in internet banking

This paper develops and tests a new factor of the trust model in electronic commerce; namely, internet banking. Internal control of internet banking is very consistent with high levels of trust factors such as security, privacy, and other risk issues. However, this type of association has not yet been widely recognized as a trusted model from the consumer's electronic commerce point of view. This study attempts to create new factors in IT governance and the COBIT (Control Objectives for Information and Related Technologies) assurance seal. The empirical results of this experiment show that customer familiarity with IT governance and the COBIT assurance seal has impacted customers' trust in internet banking. Moreover, the results also show that perceived internet banking quality and reputation impact customers' trust in internet banking. Given the results of this study, we propose future research aimed at developing a COBIT assurance web seal of internal control, applicable to information technology based on IT governance.     

The impact of CIO characteristics on data breaches

The exponential rate of increase in IT security breach incidents has led governments, regulators, and practitioners to respond by introducing standards and frameworks for the disclosure and management of organizational cybersecurity risk exposure. Cybersecurity, which is a part of IT risk management, is affected by the capability and the ability of senior leadership responsible for IT-related decisions. This paper uses hand-collected data related to the Chief Information Officer (CIO) for S&P 500 firms and explores whether the presence of a CIO role, human capital characteristics of the CIO, and structural capital characteristics of the firm and the CIO are related to a firm’s cybersecurity risk exposure. This study finds that firms disclosing the presence of a CIO are more likely to be breached, even after matching on the likelihood of a breach and controlling for the likelihood that a firm would choose to disclose a CIO. This study also finds predictable variations in the likelihood of a breach among CIOs based on various human capital dimensions (including past technology experience, external board memberships, firm tenure, and CIO tenure) and structural capital dimensions (including a recognized commitment to IT and charging the CIO with multiple responsibilities). Finally, this study finds evidence that the observed associations depend on both the source of the breach (external vs. internal) as well as the type of data compromised by the breach (e.g. financial, personal, etc.). The results of this study contribute to the growing body of academic breach literature, while also informing practitioners as they evaluate the costs and benefits of various methods for combating breaches.     

系统重要性地方政府综合识别研究 ——基于个体风险与信息传染风险视角

从“太大而不能倒”和“联系太紧而不能倒”两个维度，分别运用因子分析和转移熵网络分析测度地方政府的个体风险与信息传染风险，综合识别我国系统重要性地方政府。结果表明：两个维度综合确定的我国系统重要性地方政府名单更为符合系统重要性之要义；根据个体风险指数和传染风险指数的排名组合情况，可将31个地方政府归为四类；针对不同类型的系统重要性地方政府，监管部门应采取针对性的监管措施；传染风险对系统重要性的贡献更大，处于风险传染网络中心的地方政府需要实行更加严格的管控。     

电子商务的风险管理与审计研究

电子商务尽管现在处于低潮期，但是作为重要的变革力量，它仍然是2l世纪的一个必然趋势。另外，电子商务发展受阻的一个重要原因就是电子商务的安全问题，这一问题影响了消费的决策，也极大地改变了企业的整个风险结构。本从外部审计与内部审计两个角度分析了审计可以在应对电子商务风险中发挥的重要作用。从外部审计来看，数据完整性与机密性是网站审计与认证的重要方面，从内部审计来看，审计应该在包括了电子商务风险的全面风险管理框架内发挥重要的作用。     

IT internal control weaknesses and firm performance: An organizational liability lens

The information systems literature and the public press have called for organizations to more closely scrutinize their information technology (IT) controls; however, little more than anecdotal evidence exists on the business value of quality IT internal control, beyond regulatory compliance. In this paper, we (a) advance an organizational liability perspective to the question of IT internal control value; and (b) use the unique setting provided by the enactment of the Sarbanes–Oxley Act of 2002 (SOX) to investigate the relationship between IT internal control weaknesses (ICWs) and both accounting earnings (a contemporaneous measure of firm performance) and market value (a forward looking, risk-adjusted measure of firm performance). Using a data set that provides audited annual assessments of the effectiveness of both IT and non-IT internal controls for a cross-section of companies as mandated by SOX, we find that firms that report an IT ICW have lower accounting earnings compared to firms with strong IT internal controls. We also find that IT ICW moderates the association between accounting earnings and market valuation, with firms reporting weak IT internal controls having a lower earnings multiple. These results are sustained even after controlling for non-IT ICWs and firm-specific factors that are known determinants of ICWs, and are reinforced using an inter-temporal changes analysis in which we use each firm as its own control at a different point in time. Overall, our results provide empirical evidence which suggests that IT internal controls are a strategic necessity and that information systems risk is priced by the capital markets. The implications of these findings for theory and practice are discussed.     

Organizational and environmental influences in the adoption of computer-assisted audit tools and techniques (CAATTs) by audit firms in Malaysia

Despite the usefulness of computer-assisted audit tools and techniques (CAATTs) in increasing audit productivity and reducing costs, their adoption by audit firms is low in developing countries. The aim of this study is to investigate whether organizational and environmental factors can help explain CAATTs adoption in less developed countries, such as Malaysia. The research framework was developed based on the Technology-Organization-Environment framework (TOE). The results reveal that for environmental factors, the complexity of clients' accounting information systems (AIS) and perceived level of support of professional accounting bodies (PABs) affect CAATTs adoption. For organizational factors, firm size, top management commitment and employee IT competency were found to be significant factors. Moreover, firm size partially moderates the influence of clients' AIS complexity on CAATTs adoption. This paper contributes to existing adoption theory by extending our understanding of the impact of factors unique to CAATTs adoption.