Introduction
Statement of Auditing Standard (SAS) No. 94 affirms that the nature and character of an entity's use of technology in its information system affects the entity's overall IC structure. However, a minimal amount of information existed prior to the Sarbanes-Oxley Act of 2002 (SOX) to develop an understanding of the impact of IT control deficiencies on financial reporting. Recent management and audit reports filed with the Securities and Exchange Commission (SEC) by accelerated SOX companies now provide a rich body of data to measure this impact. SOX focuses on internal controls, including IT controls, to foster the preparation of reliable financial statements. Section 404 of SOX requires companies to identify, report, and resolve IC material weaknesses. Thus, IT deficiencies never reported before are now in the spotlight and are targeted for evaluation and improvement.
The purpose of this study is to examine IT control deficiencies and their effect on financial reporting. These IT deficiencies include controls related to software programs, program implementations, segregation of duties associated with access to computer accounting or financial reporting records, and problems with access to electronic data and programs. This paper examines the impact of IT control deficiencies on financial reporting and on the overall corporate-wide IC structure. The focus is on accounting errors described in the annual reports of companies reporting IT control deficiencies from 2004 to 2006. Currently, no available analysis of the data exists to identify the relationship of IT controls and accounting errors.
Results indicate that IC deficiencies and accounting errors occur more often in companies when IT deficiencies exist. Accounting issues dealing with revenue recognition; receivables, investments, and cash; inventory, vendor, and cost of sales; and financial statement, footnote, US GAAP, and segment disclosure issues are more widespread in companies that report IT deficiencies. When compared to companies that do not report IT deficiencies, IT deficient companies pay higher audit fees, while employing smaller audit firms. In addition, companies that report IT deficiencies are smaller, based on revenues, than companies that do not report IT deficiencies.
The first part of this paper discusses SOX legislation and the reporting and auditing requirements of SOX. The second part examines IC and IT implementation guidelines and evaluates auditing guidelines for internal controls. A discussion of the impact...





