On Information Systems Complexity and Vulnerability

ABSTRACT: This study examines the relationship between information systems complexity and information systems vulnerability from the perspective of the enhanced internal controls after Sarbanes-Oxley. It is conjectured that the increased statutory and regulatory requirements on more stringent internal controls increase information systems complexity and, therefore, increase information systems vulnerability. This study hypothesizes that the increased information systems complexity also increases information systems vulnerability even though the overall internal control is improved. The results of the empirical tests support the hypotheses.

[1]  Jean C. Bedard,et al.  Detection and Severity Classifications of Sarbanes-Oxley Section 404 Internal Control Deficiencies , 2011 .

[2]  Srinivasan Sankaraguruswamy,et al.  Evidence on the Joint Determination of Audit and Non-Audit Fees , 2003 .

[3]  Yu-Chi Ho,et al.  The no free lunch theorems: complexity and security , 2003, IEEE Trans. Autom. Control..

[4]  S. Sutton,et al.  The pervasive nature of IT controls , 2013 .

[5]  T. B. O'keefe,et al.  The Production of Audit Services: Evidence from a Major Public Accounting Firm , 1994 .

[6]  Weili Ge,et al.  The Disclosure of Material Weaknesses in Internal Control after the Sarbanes‐Oxley Act , 2005 .

[7]  Narayan Ramasubbu,et al.  Does Complexity Deter Customer-Focus? , 2010 .

[8]  Anne Beatty,et al.  How Does Internal Control Regulation Affect Financial Reporting , 2010 .

[9]  Doyle,et al.  Highly optimized tolerance: robustness and design in complex systems , 2000, Physical review letters.

[10]  David Baccarini,et al.  The concept of project complexity—a review , 1996 .

[11]  Gordon B. Davis,et al.  Software Development Practices, Software Complexity, and Software Maintenance Performance: a Field Study , 1998 .

[12]  William F. Messier,et al.  Auditor Detected Misstatements and the Effect of Information Technology , 2004 .

[13]  Chris E. Hogan,et al.  Evidence on the Audit Risk Model: Do Auditors Increase Audit Fees in the Presence of Internal Control Deficiencies? , 2008 .

[14]  S. Sutton,et al.  The Pervasive Nature of IT Controls: An Examination of Material Weaknesses in IT Controls and Audit Fees , 2009 .

[15]  Michael J. Peel,et al.  Audit Fee Determinants Of Independent & Subsidiary Unquoted Companies In The Uk—An Exploratory Study , 1994 .

[16]  Willie E. Gist,et al.  Explaining Variability in External Audit Fees , 1992 .

[17]  Bharat A. Jain,et al.  Venture capitalist participation and the post-issue operating performance of IPO firms , 1995 .

[18]  Tor Guimaraes,et al.  The Relationship Between User Participation and User Satisfaction: An Investigation of Four Contingency Factors , 1994, MIS Q..

[19]  Sally Wright,et al.  Are Financial Auditors Overconfident in Their Ability to Assess Risks Associated with Enterprise Resource Planning Systems? , 2004, J. Inf. Syst..

[20]  Bin Ke,et al.  SOX-Mandated Internal Control Deficiency Disclosure under Section 302 and Earnings Quality: Evidence from Cross-Listed Firms , 2009 .

[21]  Anandhi S. Bharadwaj,et al.  A Resource-Based Perspective on Information Technology Capability and Firm Performance: An Empirical Investigation , 2000, MIS Q..

[22]  Dasaratha V. Rama,et al.  Audit Fees after Remediation of Internal Control Weaknesses , 2011 .

[23]  D. Simunic The Pricing Of Audit Services - Theory And Evidence , 1980 .

[24]  Yashwant K. Malaiya,et al.  Application of Vulnerability Discovery Models to Major Operating Systems , 2008, IEEE Transactions on Reliability.

[25]  Scott R. Boss,et al.  Factors associated with IT audits by the internal audit function , 2010, Int. J. Account. Inf. Syst..

[26]  Vernon J. Richardson,et al.  Information Transfer among Internet Firms: The Case of Hacker Attacks , 2003, J. Inf. Syst..

[27]  David D. Williams,et al.  Long‐Term Trends in Audit Fees , 2001 .

[28]  Yinghong Zhang,et al.  Costs to Comply with SOX Section 404 , 2008 .

[29]  Manohar U. Kalwani,et al.  Long-Term Manufacturer-Supplier Relationships: Do They Pay off for Supplier Firms? , 1995 .

[30]  Weili Ge,et al.  Determinants of Weaknesses in Internal Control over Financial Reporting , 2006 .

[31]  Laurie A. Williams,et al.  Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities , 2011, IEEE Transactions on Software Engineering.

[32]  David Hay,et al.  Audit Fees: A Meta-Analysis of the Effect of Supply and Demand Attributes , 2006 .

[33]  Jere R. Francis,et al.  Pricing Initial Audit Engagements: A Test of Competing Theories , 1999 .

[34]  Kathleen Foley Curley,et al.  An Applied Framework for Classifying the Complexity of Knowledge-Based Systems , 1991, MIS Q..

[35]  Reem okab al-kasswna The Impact of Information Technology on External Audit Fees - A Field Study in the Hashemite Kingdom of Jordan , 2012 .

[36]  Mahmoud Ezzamel,et al.  Determinants of audit fees for quoted UK companies , 1993 .