Abstract
By analysing auditors’ SOX 404 reports from 2004 to 2009 we find after 2006 that reporting of information technology control weaknesses (ITWs) decreased significantly, primarily by Big 4 firms. This change appears to reflect Big 4 reporting practices in response to a change in auditing standards rather than the nature of Big 4 clients’ internal control systems, suggesting that SOX 404 auditors’ reports have become less informative. We find associations between ITW reporting and both non-ITW and financial misstatement reporting are moderated by auditor type and time period (2004-2006 vs. 2007-2009). Based on frequency of reporting, the relative ordering of individual ITWs, while differing over time, is similar over auditor type, company size and industry. We identify a small number of non-ITWs in SOX 404 reporting that may hold practical implications for an auditor’s consideration of IT control testing and an educator’s teaching of IT and non-IT controls.
Recommended Citation
Boritz, J.; Hayes, Louise; and Lim, J., "On IT Control Weaknesses in Auditors’ Reports on Internal Control" (2012). AMCIS 2012 Proceedings. 6.
https://aisel.aisnet.org/amcis2012/proceedings/AccountingInformationSystems/6
On IT Control Weaknesses in Auditors’ Reports on Internal Control
By analysing auditors’ SOX 404 reports from 2004 to 2009 we find after 2006 that reporting of information technology control weaknesses (ITWs) decreased significantly, primarily by Big 4 firms. This change appears to reflect Big 4 reporting practices in response to a change in auditing standards rather than the nature of Big 4 clients’ internal control systems, suggesting that SOX 404 auditors’ reports have become less informative. We find associations between ITW reporting and both non-ITW and financial misstatement reporting are moderated by auditor type and time period (2004-2006 vs. 2007-2009). Based on frequency of reporting, the relative ordering of individual ITWs, while differing over time, is similar over auditor type, company size and industry. We identify a small number of non-ITWs in SOX 404 reporting that may hold practical implications for an auditor’s consideration of IT control testing and an educator’s teaching of IT and non-IT controls.