IT Control Weaknesses, IT Governance and Firm Performance Discussant Comments Gary Baker, Partner, Deloitte & Touche LLP Saturday, October 13, 2007.

© Deloitte & Touche LLP and affiliated entities.

Summary of Study’s Key Conclusions

1. Companies with stronger IT Governance report fewer material IT control weaknesses
2. Companies with material IT control weaknesses have significantly lower financial performance (ROA, ROS, Growth)
  – than companies with material non-IT weaknesses
  – than companies with no reported material control weaknesses
3. Companies with stronger IT Governance have improved financial performance over and above their impact on reduced IT control deficiencies

I agree with the author’s conclusion that this presents a compelling case for improving IT Governance
  – Especially since not all of the lower financial performance is attributed to higher audit costs

Introduction

I am not a statistician
  – I thought I was OK at math until I started to read the tables and formulas
  – Cannot comment on veracity of the models/formulas, etc.

Comments and observations are my own
  – not necessarily those of Deloitte & Touche

First observation – Intended audience of paper not clear
  – Likely needs to be separated into a publication for the business community and one available to challenge approaches, methods, assumptions and results
  – In its current form will not likely appeal to business community

Conclusion #1 - Companies with stronger IT Governance report fewer material IT control weaknesses

A restatement (in the inverse) of the conclusion reached in Section 5
  – Companies with material IT control weaknesses have:
    – Less IT knowledgeable management and boards
    – Weaker IT governance as evidenced by
      – Shorter tenure of CIOs
      – Fewer IT strategy committees

I think it is logically sound to conclude that:
  – Since companies with IT weaknesses have fewer of these attributes, therefore:
  – Companies with more of these attributes have fewer IT weaknesses

It may be logical to surmise that increasing these attributes could lead to improved IT controls (all other factors being equal)

It may be intuitive, but does it follow that increasing these attributes will lead to stronger IT Governance?
  – From the evidence in the study it is not clear that these attributes equate to stronger IT Governance

IT Governance

Are the proxies used by the study good measures of effective IT Governance?
  – # of IT knowledgeable Board members and Management
  – Tenure of CIO
  – Existence of IT Strategy Committee

The study found that
  – # of IT knowledgeable Board members and Management was not significant to financial performance (but was to # of IT weaknesses)
  – Although CIO tenure and IT Strategy committee were significant to financial performance

Further, the study acknowledges that:
  – # of companies that have adopted an IT Strategy Committee is “small”, and
  – “the question is whether those that have adopted them have benefited”
  – the study did not appear to focus on this as a direct objective nor did it provide a conclusion to this question

Additional study may be needed to identify good indicators of effective IT Governance

Conclusion #2 - Companies with material IT control weaknesses have significantly lower financial performance

Related finding that “… the impact on financial performance is primarily associated with general control weaknesses related to security controls which are comparatively pervasive and more difficult to correct than other IT control weaknesses.”

Organizations implement “information security” controls to:
  – Prevent/detect unauthorized access (both physical and logical) to information and related assets
  – Unauthorized disclosure/theft (not likely a SOX404 issue)
  – Loss of integrity of information (accidental/intentional)
  – Enforce organizational segregation of duties

Information security controls operate at multiple “levels” within an organization
  – IT environment (often referred to as “general controls”)
    – To manage physical access to information systems
    – To manage logical access to network and information resources
  – Business applications (could be “general” or “application controls”)
    – To manage logical access to automated functionality

It is not clear from the study whether the security weaknesses were general control weaknesses or application control weaknesses

Security Controls

“… the impact on financial performance is primarily associated with general control weaknesses related to security controls which are comparatively pervasive and more difficult to correct than other IT control weaknesses.”

Since “security” was identified as the only statistically significant weakness, without further analysis of the nature of the “security” weaknesses the finding of the impact of General Controls may be suspect

In practice effective management of the provisioning and de-provisioning of application level access rights and privileges is one of the most challenging tasks related to information security
  – Lack of clarity between IT and Process owners re: roles, responsibilities and accountabilities
  – Lack of effective tools and technologies to enable efficiencies

Security Controls

“… the impact on financial performance is primarily associated with general control weaknesses related to security controls which are comparatively pervasive and more difficult to correct than other IT control weaknesses.”

In addition, the statement that such weaknesses are “comparatively pervasive” may be inaccurate if the weaknesses identified relate to security within specific applications
  – although application security weaknesses in ERP applications may be more pervasive than in non-ERP applications

Finally, no evidence was provided to support the statement that security controls are “more difficult to correct than other IT control weaknesses”
  – fixing application control deficiencies may require compensating manual controls and/or system replacements which can be very expensive and time consuming

Other random thoughts and musings

The study evaluates material IT weaknesses and appears not to consider “significant deficiencies”
  – May not have reliable information as companies are not required to publicly report significant deficiencies
  – Profession challenged to determine what IT control deficiencies constitute a material weakness
  – Guidance on evaluating control deficiencies chart #3
  – Might we have found a large number of “significant deficiencies” that did not make it to material weaknesses?

Not clear from the paper if the # of IT weaknesses (or non-IT weaknesses) had any correlation to financial performance
  – It might be interesting to analyze whether the number of reported deficiencies was a factor in financial performance

Acknowledged limitation that the study does not extend to market valuation of the financial impact due to IT control weaknesses
  – Would encourage consideration as this could add significantly to the discussion of the value delivered by IT

Other random thoughts and musings

The study uses terminology such as IT Governance, IT controls, application controls and general IT controls

I believe the profession needs better clarity of definition around these terms
  – What is termed IT Governance often refers in fact to IT management
  – IT Governance is often interpreted to be “governance of the IT department” instead of “Enterprise governance of information”
  – IT “general” controls are often thought to be pervasive, but may be unique to a particular business system
  – Are IT general controls more appropriately considered as IT process controls? (similar to business process controls)
  – IT general controls are often considered to be “owned” by IT
  – But who owns responsibility for “IT general controls” over end-user computing environments for example?
  – Application controls are often thought of only in the context of business transaction applications
  – when they should be used in the context of any automated control activity

Other random thoughts and musings

Commentary that IT Governance is an entity level control
  – Fine for “governance” level considerations such as Board/Management IT knowledge, existence/tenure of CIO, IT strategy committees, definition of roles & responsibilities, etc.
  – Does not address nature of “IT process controls” or Application controls
  – Definition of activity level controls appears limited to business “transaction” processes
  – Creates confusion in the marketplace as definition of IT Governance often confused with IT management or “General Controls”

Other random thoughts and musings

Finding that firms with non-big 4 auditors more likely to report IT control weaknesses - warrants additional study
  – Are such firms less likely to have invested in IT governance and control processes?
  – Are approaches/methodologies of big 4 firms less likely to identify IT control weaknesses?
  – Are firms with big 4 auditors more likely to have invested in compensating controls reducing the impact of IT control weaknesses?

Summary

1. Companies with stronger IT Governance report fewer material IT control weaknesses
2. Companies with material IT control weaknesses have significantly lower financial performance
3. Companies with stronger IT Governance have improved financial performance over and above their impact on reduced IT control deficiencies

I agree with the author’s conclusion that this presents a compelling case for improving IT Governance
  – Assuming the statistics are valid
  – Assuming the proxies for effective IT Governance are valid
  – Assuming further granularity around “security” weaknesses does not materially impact conclusions

Deloitte, one of Canada’s leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 6,800 people in 51 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.