IT Risk Disclosure, Governance and Compliance: Complementary or Conflicting Agendas?
Blaskovich, Jennifer, Christopher J. Davis, and Eileen Z. Taylor. "Enterprise Risks, Rewards, And Regulation." Journal of Applied Business Research (JABR) 28.4 (2012): 563-580.
Posted: 15 Jan 2010 Last revised: 28 Oct 2014
Date Written: January 15, 2010
Abstract
In 2005, the Securities and Exchange Commission mandated disclosure in an organization’s annual report of significant risks that may adversely affect the company. We examine the risk disclosures of the largest 100 U.S. firms over the period 2004-2006 to determine the extent of coverage of IS/IT risks. We find that IS/IT risks represent less than 4% of total risks disclosed and that 40% of companies do not address a single IS/IT risk. An analysis of disclosures by industry suggests evidence of normative or mimetic isomorphism. We conclude that IS/IT risks are underreported or under-analyzed, giving financial statement users a false sense of IS/IT security.
JEL Classification: M41