936 research outputs found

    Effect of the SOX Act on IT Governance

    Sarbanes-Oxley (SOX) Act stipulates specific roles for the CEO, CFO, and the Auditor. However, the role of the Chief Information Officer (CIO), usually in charge of IT governance (ITG), is implicit. This is despite the fact that in many firms, accounting and financial information and reporting systems either incorporate or are embedded in sophisticated information systems. Through a discussion of the literature, this paper argues that CIOs contribute to the design, implementation, and governance of these information systems which are fundamental to the SOX Act Compliance success. Hypotheses are generated and tested using panel data on the hiring of CIOs between 1999-2005. The results reveal that, after the enactment of the SOX Act in 2002, many firms created new CIO positions and staffed them with internal hires. Many of these new hires reported to the CEOs and had a strong business background characterized by graduate degrees in business administration (MBAs)

    A Trend Toward More Centralized Information Technology (IT) Management


    Creating a Flexible IT Organization

    In 2004, the nearly billion dollar software company Business Objects undertook a major acquisition. Now, the business is looking to improve operations and position itself as a major player in the business intelligence market. This paper focuses on how Business Objects can create a flexible IT organization that can evolve with changing corporate strategies in today's competitive markets. The analysis section completes a SWOT analysis and reviews business strategy, organizational strategy and IT strategy. The analysis concludes that increased legislated process and broad geographic reach in a truly flexible IT organization are not feasible. However, action can be taken to balance control and flexibility that will make IT an enabler for the business. Recommendations include appointment of a CIO, hybrid organizational structure and establishment of performance metrics. As part of implementation strategy, a gradual change management approach is recommended with a dedicated team to monitor progress and adapt the plan as the environment evolves.

    Investigating the Relationship between Governance Mechanisms and the Disclosure of IT Control Weaknesses

    The current research is concerned with exploring the quality of information technology (IT) control over financial reporting systems as reported under Section 404 of the Sarbanes-Oxley Act of 2002. More specifically, this dissertation examines the association between organizational governance mechanisms and the occurrence and subsequent disclosure of IT control weaknesses. Despite the adverse impact of IT control weaknesses on internal control quality and financial reporting reliability, research on IT controls in general and IT control weaknesses in particular remains largely anecdotal with limited reliance on theory. The current work proposes and tests an integrated theoretical model of the antecedents of IT control weaknesses. The proposed model draws upon agency theory to provide a theoretical perspective of the occurrence of IT control weaknesses and upon corporate governance literature to solicit potential factors that influence the achievement of effective IT control over financial reporting. Drawing upon agency theory, this research views the existence of IT control weaknesses as a manifestation of an agency problem caused by information asymmetry and lack of alignment between the overall organization represented by its board of directors as a principal and its information systems (IS) organization represented by the top IS team as an agent. Drawing on corporate governance literature, this dissertation proposes two categories of governance and contracting mechanisms that the board of directors can employ to reduce information asymmetry and align the interests of the top IS team with those of the firm thereby reducing the agency problem. These categories are: IT governance mechanisms and IT executive incentive alignment mechanisms. 
The IT governance mechanisms involve two elements: first, the IT background element which includes (a) the IT background of the board of directors as reflected by two of its main committees, namely the corporate governance committee and the audit committee and (b) the IT background of the top management team; second, the IT executive element as reflected in terms of the structural and the expert power of the Chief Information Officer (CIO). The IT executive incentive alignment mechanisms include two elements: (a) the CIO’s absolute compensation level and (b) the pay disparity between the CIO and other members of the top management team. A research model integrating these elements is developed and tested with empirical data. For testing the proposed model, this dissertation uses a sample of firms with IT control weaknesses and a control group of similar firms with no IT control weaknesses for the years 2005-2009. Empirical results provide support for five of the seven hypotheses put forth in this research. Regarding the IT governance mechanisms, study findings indicate that a lower likelihood of disclosing IT-related control weaknesses is associated with having audit committee and corporate governance committee members with IT expertise. Furthermore, the study findings provide support for the contention that the goal congruence is contingent on the CIO’s power. To this end, the study finds that a lower likelihood of disclosing IT-related control weaknesses is associated with having CIOs with higher levels of structural and expert power. As for the incentive alignment mechanisms, empirical results provide support for the assertion that goal congruence is contingent on perceived pay equality between the CIO and other members of the top management team. The results indicate that the lower the pay disparity between IT executives and business executives in the top management team, the lower the likelihood of disclosing IT control weaknesses. 
The present study contributes to the current body of knowledge of literature in several ways. It is the first study to propose and test an integrated model of the antecedents of IT control weaknesses. The proposed model adds to the current literature by introducing agency theory as a theoretical basis of the antecedents of IT control weaknesses. Furthermore, this study adds to the current literature by introducing and providing empirical evidence linking the IT background of the corporate governance committee, the structural power and expert power of the CIO, and the CIO relative pay to the disclosure of IT control weaknesses over financial reporting. Lastly, this research contributes to practice by offering a much needed understanding for managers, directors, auditors, and regulators in their effort to improve the quality of IT control and the reliability of financial reporting

    The Role of Boards in Reviewing Information Technology Governance (ITG) as Part of Organizational Control Environment Assessments

    IT Governance (ITG) is an important topic as US companies must now monitor ITG under the provisions of the Sarbanes-Oxley Act (2002) (Hoffmann, 2003). Trites (2003) indicates that directors are responsible for strategic planning, internal control structures and business risk. The control environment is defined in Australian Auditing Standard AUS 402 to mean "the overall attitude, awareness and actions of management regarding internal control and its importance to the entity". This paper contributes to the knowledge of ITG by forming an integrated ITG Literature (IIL) which links prior research to four key dimensions of ITG. The paper presents a review of literature on ITG performance measurement systems which assess the ability of organizations to achieve these four ITG dimensions. A revised ITG Dimensions Model is offered for consideration. The final contribution of the paper is to propose critical issues Boards should consider as part of their assessment of organizational control environments.

    Senior Executives' IT Management Responsibilities: Serious IT-Related Deficiencies and CEO/CFO Turnover

    While the information systems scholarly and practice literatures both stress the importance of senior executive engagement with IT management, the recommendations for doing so remain, at best, limited and general. Examining the influence of serious IT-related deficiencies on CEO/CFO turnover within the post-SOX financial reporting context, specific CEO/CFO IT management responsibilities are identified: CEOs are shown to be held accountable for global IT management responsibilities, and CFOs are shown to be held accountable for demand-side IT management responsibilities. Implications for information systems research, management research, and information systems practice are provided

    IT governance in small and medium enterprise post Sarbanes Oxley

    The history of IT governance research has been dichotomous in that research either focused on the IT governance structural arrangements or the contingencies that affect IT organizational decisions. Weill and Ross’s (2004) seminal text on IT governance represents a synthesis of these two streams of research and thus establishes a new trajectory in the discourse related to IT governance. Their study included analysis from both survey data and case studies. However, the case study sites included were of large capitalized companies. Moreover, the cases were conducted prior to the mandated implementation of Section 404 of Sarbanes Oxley (SOX), which oversees the requirements for companies to ensure they have adequate controls in place to safeguard financial data and reporting. Compliance efforts with SOX have disproportionately impacted the finances of small publicly traded companies; consequently, the compliance efforts of small and medium publicly traded companies may differ from that of large companies. Most small companies have taken SOX seriously and complied with the requirements mandated by the legislation by implementing the controls that demonstrate that the organization has reasonable assurance of governance over the company’s IT function. Still other small companies have chosen to use SOX as a catalyst for systemic change throughout the company’s IT function. While the latter may seem the logical progression of a company’s IT governance effort, that is not always the case. This study seeks to understand the reasons behind why some companies extend compliance efforts to invoke positive systemic change while others only do enough to comply with regulatory requirements. Using a multiple-case methodology, this study attempts to build upon the existing body of IT governance research by examining how the aforementioned IT governance concepts discussed by Weill and Ross are manifest in small and medium publicly traded companies. 
Additionally, the reason(s) why or why not those concepts may be present is examined using the theoretical lens of institutional theory. Findings of the study include an identification of differences between small and medium publicly traded companies and large publicly traded companies in establishing enterprise-wide IT governance.

    Environmental modelling of the Chief Information Officer

    Since the introduction of the term in the 1980s, the role of the Chief Information Officer (CIO) has been widely researched. Various perceptions and dimensions of the role have been explored and debated. However, the explosion in data proliferation (and the inevitable resulting information-fuelled change) further complicates organisational expectations of the CIO’s role. If organisations are to competitively exploit the digital trend, then those charged with recruiting and developing CIOs now need to be more effective in determining (and shaping) CIO traits and attributes, within the context of their own organisational circumstances and in line with stakeholder expectations. CIOs also need to determine their own suitability and progression within their chosen organisation if they are to remain motivated and effective. Before modelling the role of the future CIO, it is necessary to synthesise our current knowledge (and the lessons learnt) about the CIO. This paper, therefore, aims to identify and summate the spectrum of key researched ‘themes’ pertaining to the role of the CIO. Summating previous research, themes are modelled around four key CIO ‘dimensions’, namely (1) Impacting factors, (2) Controlling factors, (3) Responses and (4) CIO ‘attributes’. Having modelled the CIO’s current environment, and recognising the evolving IT-enabled information landscape, the authors call for further research to inform the recruitment and development of the future CIO in terms of personal attributes and the measurable impact such attributes will have on their respective organisation.

    Developments In Practice XXI: IT in the New World of Corporate Governance Reforms

    In the past, IT was only marginally affected by regulatory matters. Today, however, IT is in the middle of a whirlwind of corporate governance reforms. New standards for internal controls are affecting almost every aspect of IT work. These, in turn, have significant implications on how IT is managed and on IT costs and productivity. For example, many IT organizations have been so involved in developing and implementing Sarbanes-Oxley (SOX) procedures that very little has actually been accomplished for the business itself. This paper explores how new compliance frameworks and governance reforms, mandated by governments and/or industry groups, are changing IT work. It examines what IT managers perceive to be most significant issues these reforms present IT in their particular organizations. This paper is not designed to provide detailed information about IT controls and how to achieve them. Instead, it is intended to be a general introduction to the changing expectations of IT and how these are affecting IT work, structure and governance. It looks at the new effects regulatory issues are having in IT, and then examines the key issues IT managers face in an increasingly regulated environment. Next, it identifies the key areas within IT that are affected and the types of activities that need to be addressed by managers in order to achieve effective controls. Finally some recommended good practices are presented. The authors conclude that there is no question that new laws and regulations governing organizations, their finances and their information are having a huge impact on IT. IT managers are struggling to implement new controls and document existing ones, while still ensuring business as usual and trying to develop the new systems their companies need. The world is requiring IT to become thoroughly professional about what it does. The IT of the future will therefore of necessity be increasingly controlled, standardized and bureaucratized. 
It remains to be seen whether or not management will be able to use this new and improved IT for competitive advantage

    Incorporating Sarbanes-Oxley Into A College Accounting Curriculum: Lessons Learned

    This paper attempts to identify the ways and give examples of how Sarbanes-Oxley compliance can be taught in real time using the SAP R/3 system and the many lessons derived from the experience. The Sarbanes-Oxley Act significantly impacts CEO’s, CFO’s and public accountants. It also applies to all levels of management. Organizations and their managers need to recognize the significance of Sarbanes-Oxley compliance as well as the benefits it can provide. These benefits include reliability of the financial statements, quality of reporting, and also the opportunity to review a company’s processes and enhance the efficiency of all financial and operating departments. Integrating SAP technology into the classroom has been one of the primary initiatives of the Department of Accounting, a signature program at Saint Joseph’s University, in Philadelphia, Pennsylvania.  The implementation and roll-out process has covered a variety of areas from navigation to key business processes and accounting within SAP R/3.  With the evolution of the Sarbanes-Oxley Act and the need for compliance within a company, the department decided that students should be given exposure on how to use SAP R/3 to conduct 404 walkthroughs in consonance with the Sarbanes-Oxley initiatives. Due to the integrative nature of SAP technology the system is best able to conduct audit processes and create exception reports needed to identify material weaknesses and deficiencies