The effect of internal control deficiencies on the usefulness of earnings in executive compensation

Since SOX 404 disclosures are informative about earnings, and due to the widespread practice of using earnings-based measures in executive compensation, this study examines whether reports of internal control material weaknesses (ICMW) under SOX 404 influence firms' reliance on earnings in tying executive pay to performance. Using 391 (366) firm-year observations with reported ICMW and 3648 (3138) firm-year observations for CEOs (CFOs) reporting NOMW under SOX 404, we find a decreased strength in the association between earnings and executives' (CEO and CFO) compensation when the firm reports an ICMW, and as the number of reported ICMW increases. In addition, we find this decreased weight on earnings for the more severe Company-Level than Account- Specific material weaknesses. Our study suggests that the ICMW report under SOX 404 provides incremental information for executive compensation beyond that contained in reported earnings.     

IT internal control weaknesses and firm performance: An organizational liability lens

The information systems literature and the public press have called for organizations to more closely scrutinize their information technology (IT) controls; however, little more than anecdotal evidence exists on the business value of quality IT internal control, beyond regulatory compliance. In this paper, we (a) advance an organizational liability perspective to the question of IT internal control value; and (b) use the unique setting provided by the enactment of the Sarbanes–Oxley Act of 2002 (SOX) to investigate the relationship between IT internal control weaknesses (ICWs) and both accounting earnings (a contemporaneous measure of firm performance) and market value (a forward looking, risk-adjusted measure of firm performance). Using a data set that provides audited annual assessments of the effectiveness of both IT and non-IT internal controls for a cross-section of companies as mandated by SOX, we find that firms that report an IT ICW have lower accounting earnings compared to firms with strong IT internal controls. We also find that IT ICW moderates the association between accounting earnings and market valuation, with firms reporting weak IT internal controls having a lower earnings multiple. These results are sustained even after controlling for non-IT ICWs and firm-specific factors that are known determinants of ICWs, and are reinforced using an inter-temporal changes analysis in which we use each firm as its own control at a different point in time. Overall, our results provide empirical evidence which suggests that IT internal controls are a strategic necessity and that information systems risk is priced by the capital markets. The implications of these findings for theory and practice are discussed.     

The effect of external audits of internal control over financial reporting on financial reporting for clients of Big 4, Second-tier,and small audit firms

The external audit of internal control over financial reporting (ICFR) is a very expensive and contentious aspect of the Sarbanes–Oxley Act (SOX). Larger public firms were first required to file a management report on and have an external audit of ICFR in 2004. Smaller public firms were first required to file a management report on ICFR in 2007 but are exempt from the audit requirement. Whereas most related prior research investigates the combined effect of management and auditor reports on financial reporting, this study examines the distinct effect of auditor reports on reporting quality. For companies audited by small auditors, we find evidence that financial reporting quality improves with an auditor report on ICFR. We find no evidence that auditor ICFR reports improve reporting quality for clients of Big 4 or Second-tier audit firms. Our study adds to the debate on the applicability of SOX Section 404 to smaller firms.     

The role of strategic enterprise risk management and organizational flexibility in easing new regulatory compliance

The impact of new regulatory requirements for internal control reporting on an organization's ability to maintain strategic flexibility has been debated in the popular press extensively. This paper tests theory from strategic management to examine the relationship between an organizations' pre-regulatory strength of strategic enterprise risk management (ERM) processes and their ability to react to new regulatory mandates. In the context of companies' adoption of SOX Section 404 internal control reporting requirements, we examine organizations' pre-SOX ERM processes, ERM supporting technologies, and organizational flexibility in order to better understand the antecedents to the difficulty encountered in meeting SOX 404 requirements. Using responses from 113 Chief Audit Executives (CAEs), we find that organizations with stronger strategic ERM processes and flexible organizational structures already in place incurred little difficulty in implementing SOX 404 mandates. On the other hand, organizations using weaker ERM processes, which focused on control compliance, experienced more difficulty. These findings provide key insights into the importance of strategic ERM in effectively complying with new regulatory controls in volatile environments.     

CFOs’ and public accountants’ perceptions of material weaknesses in internal control areas as required by Section 404 of the Sarbanes-Oxley act

One of the most controversial aspects of the Sarbanes-Oxley Act of 2002 (SOA) is related to Section 404, which requires management to assess the entity’s internal controls, and then its independent auditor to attest and report on management’s assessment. The auditing standard governing this requirement was promulgated by the Public Company Accounting Oversight Board (PCAOB). Its title is Auditing Standard (AS) No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements [Public Company Accounting Oversight Board (PCAOB) (2004). An audit of internal control over financial reporting performed in conjunction with an audit of financial statements. Auditing Standard No. 2, Washington, DC: PCAOB]. AS No. 2 requires, among other things, that management must disclose any “material weaknesses” in internal controls. However, absent any guidance other than definitions from the PCAOB, management and independent auditors are left to their own judgment to define and recognize “material weakness in internal control” or “significant deficiency” while implementing AS No. 2. The research question, then, becomes to what extent, if any, are weaknesses in internal control over financial reporting consistently assessed, recognized and agreed upon by both parties? Or does their professional judgment and point of view cause different perceptions? Most of the Section 404 research has focused on the characteristics of the material weaknesses disclosed (and the capital market or other impacts of reported material weaknesses). This study, in contrast, is behavioral in context, and examines the perceptions of CFOs and CPAs as to whether they believe an internal control material weakness exists under four independent scenarios. The results indicate that the CPAs were significantly more conservative in their assessments in two of the four cases.     

Market reactions to the disclosure of internal control weaknesses and to the characteristics of those weaknesses under section 302 of the Sarbanes Oxley Act of 2002

We examine the stock price reaction to management’s disclosure of internal control weaknesses under §302 of the Sarbanes Oxley Act and to the characteristics of these weaknesses, controlling for other material announcements in the event window. We find that some characteristics of the weaknesses—their severity, management’s conclusion regarding the effectiveness of the controls, their auditability, and the vagueness of the disclosures—are informative. We also find that the information content of internal control weakness disclosures depends on the severity of the internal control weakness. Moreover, in a sub-sample uncontaminated by other announcements in the event window, we find negative price reactions to the disclosure of internal control weaknesses and material weaknesses.

The Impact of Disclosures of Internal Control Weaknesses and Remediations on Investors' Perceptions of Earnings Quality

We hypothesize and find that firms making SOX‐mandated disclosures of material weaknesses in internal control over financial reporting (ICOFR) exhibit lower investor‐perceived earnings quality (IPEQ) than nondisclosers. We measure IPEQ using e‐loading, a market‐returns–based representation of earnings quality developed by Ecker, Francis, Kim, Olsson, and Schipper (2006). Firms do not exhibit decreases in IPEQ after initially disclosing material weaknesses. This is consistent with investors having anticipated ICOFR strength based on observable firm characteristics. However, firms exhibit increases in IPEQ after receiving their first clean audit reports that confirm the remediation of previously disclosed weaknesses. This indicates that, although investors do not find initial weakness disclosures to be incrementally informative, SOX motivates firms to remediate weak controls and provides a venue for credible remediation disclosures, thus enhancing investors' perception of financial reporting reliability. These findings are consistent with the existence of regulatory benefits associated with SOX's internal control disclosure and audit requirements.