IT Internal Control Weaknesses and Firm Performance: An Organizational Liability Lens

The information systems literature and the public press have called for organizations to more closely scrutinize their information technology (IT) controls; however, little more than anecdotal evidence exists on the business value of quality IT internal control, beyond regulatory compliance. In this paper, we (a) advance an organizational liability perspective to the question of IT internal control value; and (b) use the unique setting provided by the enactment of the Sarbanes–Oxley Act of 2002 (SOX) to investigate the relationship between IT internal control weaknesses (ICWs) and both accounting earnings (a contemporaneous measure of firm performance) and market value (a forward-looking, risk-adjusted measure of firm performance). Using a data set that provides audited annual assessments of the effectiveness of both IT and non-IT internal controls for a cross-section of companies as mandated by SOX, we find that firms that report an IT ICW have lower accounting earnings compared to firms with strong IT internal controls. We also find that IT ICW moderates the association between accounting earnings and market valuation, with firms reporting weak IT internal controls having a lower earnings multiple. These results are sustained even after controlling for non-IT ICWs and firm-specific factors that are known determinants of ICWs, and are reinforced using an inter-temporal changes analysis in which we use each firm as its own control at a different point in time. Overall, our results provide empirical evidence which suggests that IT internal controls are a strategic necessity and that information systems risk is priced by the capital markets. The implications of these findings for theory and practice are discussed.
