By: Jacob Z. Haislip Coauthored with : Adi Masli Vernon J. Richardson J. Manuel Sanchez The Impact of SOX Information Technology Material Weaknesses on Corporate Governance: Evidence from CEO, CFO and BOD Turnover and Changes in IT Knowledge
Research Questions Do firms that report IT related material weaknesses: experience greater levels of turnover of executives and directors than firms that report non-IT related material weaknesses? replace (appoint) more executives (directors) with IT knowledge than firms that report non-IT related material weaknesses? make more IT upgrades and IT management changes than firms that report non-IT related material weaknesses?
Background/Motivation IT serves as the foundation of an effective system of internal controls over financial reporting (Hunton et al. 2008; Kobelsky et al. 2008; Li et al. 2010a; Masli et al 2010). IT is “inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act” (ITGI 2006).
Background/Motivation Li et al. (2010b) and Johnstone et al. (2010) find increased turnover of executives and directors for material weakness firms. A line of research emphasizes the importance of IT in financial reporting and documents the severity of IT weaknesses (Masli et al. 2010, Klamm and Watson 2009, Li et al. 2010a). Due to the role IT plays both in controls and the financial reporting process, IT material weaknesses can permeate through the entire financial reporting structure thus they are potentially more hazardous than non-IT material weaknesses.
Hypotheses H1: The likelihood of management and director turnover is greater for firms that report IT material weaknesses in internal control than for firms that report non-IT material weaknesses. H2: Firms that report IT internal control material weaknesses are more likely to make IT governance changes than firms that report non-IT internal control material weaknesses.
Hypotheses H3: Firms that report IT internal control material weaknesses are more likely to hire executives and directors with IT knowledge than firms that report non-IT internal control material weaknesses. H4: Firms that report IT internal control material weaknesses are more likely to make IT initiative changes than firms that report Non-IT internal control material weaknesses.
Hypotheses H5: The turnover and remediation efforts are greatest for firms reporting the Data Processing Integrity subcategory of IT internal control material weaknesses.
Sample Selection We use Audit Analytics to identify firms that report material weaknesses from , and use the 404 reports to identify the IT-related material weaknesses. We also select a random sample of non-IT weakness firms. We collect information for all of our firms using Audit Analytics, Annual COMPUSTAT (financial statement variables), CRSP, I/B/E/S, Thomson Reuters, and SEC filings (DEF 14A, 10-K, etc.) for one year prior and two years past the weakness year. After eliminating any observations that are missing data, our final sample contains 578 firm year observations, of which 289 are IT material weakness firm year observations.
Panel B: Descriptive statistics for executive and director turnover IT Weakness FirmsNon-IT Weakness Firms n= 289 p-value VariablesMeanMedianMeanMedianDiff CEO Turnover CFO Turnover <0.001 Chairman Turnover <0.001 Director Turnover <0.001 Panel C: Descriptive statistics for change in IT governance variables IT Weakness FirmsNon-IT Weakness Firms n= 289 p-value VariablesMeanMedianMeanMedianDiff CEO IT Knowledge CFO IT Knowledge <0.001 Chairman IT Knowledge Director IT Knowledge Financial IT Upgrade <0.001 Accounting IT Upgrade <0.001 Table 3 – Descriptive Statistics
Research Design To test H1 we run the following Logit regression: Turnover i = β 0 + β 1 IT Weakness i,t + β 2 Number of Weaknesses + β 3 LnAssets i,t + β 4 Leverage i,t + β 5 BTM i,t + β 6 ROA i,t + β 7 Loss i,t + β 8 Institutional Holdings i,t + β 9 Analyst i,t + β 10 Restatement i,t-1,t,t+1 + β 11 Board Size i,t + β 12 Board Independence i,t + β 13 CEO Chairman + β 14 Automate i,t + β 15 Transform i,t + β 16 High Tech i,t + β 17 Low Tech. We run the above regression using different dependent variables for turnover. For all of our turnover variables we measure turnover if it occurs in the year of the weakness or either of the two years following the weakness (Similar to Desai et al and Collins et al. 2009). We specifically examine turnover for: CEO CFO Directors Chairperson of the Board
Research Design To test H2, H3, and H4 we run the following Logit regression: IT Governance Change i or Major IT Initiatives i = α 0 + α 1 IT Weakness i,t + α 2 Number of Weaknesses + α 3 LnAssets i,t + α 4 ROA i,t + α 5 Avg Sales Growth i,t + α 6 Leverage i,t + α 7 Uncertainty i,t + α 8 Automate i,t + α 9 Transform i,t + α 10 High Tech i,t + α 11 Low Tech i,t + α 12 Foreign i,t + α 13 Merger i,t + α 14 Restructuring i,t + α 15 Product Differentiation i,t + α 16 Cost Leadership i,t. We vary our dependent variable depending on which IT governance change we are interested in. These variables include: CEO IT Knowledge CFO IT Knowledge Director IT Knowledge Chairperson IT Knowledge IT Upgrades
Table 4. IT Material Weaknesses and Turnover Panel A. Executive and director turnover Model 1Model 2Model 3Model 4Model 5Model 6 VariablesPred CEO Turnover CFO Turnover Director Turnover CEO Turnover CFO Turnover Director Turnover IT Weakness+0.338**0.738***0.982*** (0.047)(0.000) IT Weakness Classification Data Processing Integrity+0.438**0.629**0.733*** (0.047)(0.014)(0.005) System Access and Security (0.968)(0.528)(0.481) System Structure and Usage (0.318)(0.738)(0.408) The control variables are suppressed. Model c Pseudo R Correctly Classified
Panel B. Type of director turnover Model 1Model 2Model 3Model 4 VariablesPred Chairman of BOD Turnover Independent Director Turnover Chairman of BOD Turnover Independent Director Turnover IT Weakness Firm ***0.951*** (0.001)(0.000) IT Weakness Classification Data Processing Integrity ***0.679*** (0.000)(0.004) System Access and Security (0.922)(0.315) System Structure and Usage (0.687)(0.489) The control variables are suppressed. Model c Pseudo R Correctly Classified
The control variables are suppressed. Table 5. IT Material Weaknesses and Changes to IT Governance Model 1Model 2Model 3Model 4 VariablesPred Any Change to IT Governance Count of IT Governance Changes Any Change to IT Governance Count of IT Governance Changes IT Weakness Firm+1.211***1.157*** (0.000) IT Weakness Classification Data Processing Integrity+0.840***0.610*** (0.001)(0.004) System Access and Security (0.132)(0.125) System Structure and Usage (0.808)(0.635) Model c Pseudo R Correctly Classified
The control variables are suppressed. Table 6. IT Material Weaknesses and Executive IT Knowledge Model 1Model 2Model 3Model 4 VariablesPred CEO IT Knowledge CFO IT Knowledge CEO IT Knowledge CFO IT Knowledge IT Weakness Firm+0.821*0.845** (0.075)(0.011) IT Weakness Classification Data Processing Integrity (0.249)(0.620) System Access and Security (0.646)(0.133) System Structure and Usage (0.411)(0.532) Model c Pseudo R Correctly Classified
The control variables are suppressed. Table 7. IT Material Weaknesses and Board of Directors IT Knowledge Model 1Model 2Model 3Model 4 VariablesPred Chairman IT Knowledge Director IT Knowledge Chairman IT Knowledge Director IT Knowledge IT Weakness Firm+0.725**0.211 (0.011)(0.217) IT Weakness Classification Data Processing Integrity+0.581* (0.065)(0.824) System Access and Security (0.884)(0.142) System Structure and Usage (0.142)(0.367) Model c Pseudo R Correctly Classified
The control variables are suppressed. Table 8. IT Material Weaknesses and other Major IT Initiatives Model 1Model 2Model 3Model 4Model 5Model 6 VariablesPredIT Upgrade Financial IT Upgrade Accounting IT Upgrade IT Upgrade Financial IT Upgrade Accounting IT Upgrade IT Weakness Firm+2.036***2.484***2.617*** (0.000) IT Weakness Classification Data Processing Integrity+1.237***1.393***1.556*** (0.000) System Access and Security **0.599**0.171 (0.017)(0.021)(0.297) System Structure and Usage (0.793)(0.821)(0.834) Model c Pseudo R Correctly Classified
Table 9. Remediation of Weaknesses: The Influence of IT Governance Changes DV =Change in # of Weaknesses from t to t+2 Pred Model 1Model 2Model 3Model 4 IT Knowledge Changes Any IT Knowledge Change ** (0.048) CEO IT Knowledge (0.391)(0.409)(0.484) CFO IT Knowledge *-0.930*-0.909* (0.070)(0.089)(0.072) Chairman IT Knowledge (0.694)(0.695)(0.725) Director IT Knowledge *-0.913*-0.900** (0.058)(0.065)(0.045) Audit Committee IT Knowledge (0.561)(0.560)(0.588) Major IT Initiatives Financial IT Upgrade (0.230)(0.225) IT management (0.364) F Statistics Adjusted R The control variables are suppressed.
Conclusions and Implications for Practice We find that IT weakness firms have higher levels of turnover and IT governance changes, suggesting that firms recognize the need to make changes to correct the weaknesses. Executives and directors should recognize the importance IT plays both within financial reporting and the internal controls surrounding financial reporting. Hiring an executive or director that understands IT can help decrease the likelihood of material weaknesses.
IT Weaknesses Firm and YearText from SOX 404 ReportControl IssueControl Category Online Resources Corporation 2007 “the Company’s procedures for the supervisory review of the performance by Company personnel of manual controls associated with account analysis and the verification of the accuracy of electronic spreadsheets that support financial reporting were ineffective. This material weakness resulted in deficiencies in the operation of controls not being detected timely and in multiple errors in the Company’s preliminary 2007 financial statements, including errors in revenue, interest expense, and share based compensation.” Spreadsheet(s), lack of controls over Data Processing Integrity TRC Companies 2006 “The Company did not adequately design controls to maintain appropriate segregation of duties in its manual and computer- based business processes which could affect the Company’s purchasing controls, the limits on the delegation of authority for expenditures, and the proper review of manual journal entries” Segregation of duties not implemented in system Access and Security Digimarc Co 2004“Implementation of the new accounting system also was flawed because some of our accounting, finance and operations employees were not properly trained in the use of the new accounting system.” Insufficient training on system. Structure and Usage
IT Weaknesses Quality DimensionIdentifierDefinitions * Data processing integrity IT PROCESS The extent to which data is correct and reliable. System Access and SecurityIT SECURITY The extent to which: data is available, or easily and quickly retrievable access to data is restricted appropriately to maintain its security. System Structure and UsageIT STRUCTUREThe extent to which data is: easily comprehended presented in the same format
IT Knowledge An executive (board member) is said to have IT Knowledge if he/she has prior experience as a CIO (or other IT related management positions), has previously worked in an IT/technology firm, or has IT related degrees such as computer science or management information systems. CEO IT Knowledge (Vitria Technology) M. Dale Skeen, Ph.D., is 51 years old, co-founded Vitria in 1994 and has been our Chief Executive Officer since April Dr. Skeen has also served as Chief Technology Officer and as a director since Vitria’s inception. From 1986 to 1994, Dr. Skeen served as Chief Scientist at Teknekron Software Systems, now TIBCO, Inc., a software company. From 1984 to 1986, Dr. Skeen was a research scientist at IBM’s Almaden Research Center. From 1981 to 1984, Dr. Skeen was on the faculty at Cornell University. Dr. Skeen holds a B.S. in Computer Science from North Carolina State University and a Ph.D. in Computer Science on Distributed Database Systems from the University of California, Berkeley.
IT Upgrades Financial IT Upgrade (Richardson Electronics LTD) The Company is in the application development stage of implementing certain modules of enterprise resource management software (PeopleSoft). Accounting IT Upgrade (Adelphia Communications) With respect to the access to financial applications and data material weakness described above, subsequent to December 31, 2004, we have substantially completed our remediation efforts. We have implemented controls, including policies and procedures that govern security and access to our IT systems, programs and data, including those supporting our financial data relating to property and equipment and our general ledger and financial reporting applications. Non-Financial IT Upgrade (Actividentity Corp.) To meet these challenges we implemented a new customer relationship management system in fiscal 2005, and are continuing the process of modifying and refining it to better meet our needs. Any upgrade to the IT is included in the general IT upgrade. Upgrades specific to the financial functions of the firm are included in the Financial upgrades. Accounting upgrades are financial upgrades that specifically mention changes to the accounting information systems. All other IT upgrades are included in the Non-Financial upgrades.