The pervasive nature of IT controls

Abstract

PurposeThe complexity of computerized information systems increases the complexity of the external auditor's assessment of the reliability of a client's internal control systems. The purpose of this paper is to investigate the impact of weaknesses in IT related internal controls on the cost of a SOX 404 audit of internal controls over financial reporting.Design/methodology/approachThe paper considers the impact on audit fees through three dimensions: percentage increase in audit fees; amount of change in audit fees per outstanding common share; and actual dollar amount of audit fees. Examination of first year reports by accelerated filers yields 131 companies with material IT‐control weaknesses. These 131 companies are matched with a similar set of companies with no reported material weaknesses, and for a subset of 54 from the 131 companies in which a good match could be identified, a set of companies having only material non‐IT‐based control weaknesses are compared.FindingsAs expected, substantial fee differentials were identified for companies reporting material IT‐based control weaknesses as compared to both companies without any material weaknesses and those companies with only non‐IT related material weaknesses.Originality/valuePreliminary evidence in regard to the costs of SOX 404 compliance for stockholders is provided. The cost of SOX 404 compliance has often been cited in criticisms of SOX, yet the focus of SOX is not on corporate wealth, but rather on enhancing corporate governance to protect the interest of stockholders. The cost of SOX compliance across the number of reported outstanding common shares for the companies studied is factored. It is found that the increased cost of audit fees on a per share basis is higher for companies reporting IT material weaknesses.