IT systems and effective internal controls are essential to reliable financial reporting and good corporate governance. For this reason, Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) identified IT and financial systems as a key source of financial reporting risk. Disclosures made in 68 10K filings from 46 companies in 2005-2007 reported that internal controls over financial reporting were ineffective due to shortcomings in IT systems. Although evidence on the financial payoffs from IT is mixed, material weaknesses in financial controls due to IT clearly have negative shareholder value consequences. For these firms, an average abnormal return of –1.6% was found over a 2-day (0,+1) window around the reporting date. Moreover, 23 of the companies failed to remediate their control problems, and suffered an average –2.1% abnormal return in the 2-day window around their next (2006) 10K filing date. Longer term returns on portfolios of these non-compliant companies also reflect underperformance. The shareholder returns evidence shows that IT management requirements for SOX compliance contribute to good corporate governance and shareholder value.