What Do Auditor’s Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?
40 Pages Posted: 19 Jan 2012 Last revised: 7 Jan 2015
There are 2 versions of this paper
What Do Auditor's Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?
What Do Auditor’s Reports on Internal Control Tell Us About IT Control Weaknesses in Financial Reporting Systems?
Date Written: November 6, 2012
Abstract
By analysing auditors’ SOX 404 reports from 2004 to 2011 we find that after 2006 Big 4 reporting of both information technology control weaknesses (ITWs) and non-ITWs in reports with ITWs decreased significantly. This change appears to reflect Big 4 reporting practices in response to a change in auditing standards rather than the nature of Big 4 clients’ internal control systems, suggesting that SOX 404 auditors’ reports have become less informative. We find that associations between ITWs, non-ITWs and financial misstatements are moderated by auditor type and time period (2004-2006 vs. 2007-2011). We identify a small number of ITWs and non-ITWs in SOX 404 reporting that may hold practical implications for an auditor’s consideration of IT control testing, management’s remediation of ITWs, and an educator’s teaching of IT and non-IT controls.
Keywords: SOX 404, IT control weaknesses, determinants of IT control weakness reporting
Suggested Citation: Suggested Citation