
Research Reports from Waterloo


Presentation Transcript


  1. Research Reports from Waterloo Discussant Comments Gary Baker, CA, CGEIT gary@gsbaker.com 416-452-7373 October 2, 2009

  2. Paper #1 What can we learn from IT control weaknesses reported under SOX404?

  3. Conclusions are not clear to me
     • RQ#1 provides useful information, but not presented in as meaningful/useable a way
     • As a practitioner it is useful to understand what are the most commonly reported IT control weaknesses
     Source: Table 2 – less restrictive search

  4. Conclusions not clear
     • RQ#2 – Implications of findings are not explored
     • Would expect # IT weaknesses reported to decline over time which seems not to be the case – what are the implications?
     • What are the implications of “Our findings indicate that IT weaknesses do not occur in isolation. They generally occur in companies with a large number of non-IT weaknesses..”?
     • RQ#3 – Implications of significant pairwise associations not explored?
     • e.g. since “2. Accounting personnel resources, competency/training was associated with Monitoring, End user computing and Control environment IT weaknesses (p<.10).”
     • does it suggest that companies with Monitoring/EUC or Control environment weaknesses are more likely to have personnel competency/training issues?

  5. Reliability of identifying IT weaknesses
     • “We concluded that the code 20 indicator in Audit Analytics is reliable; merely less informative than the codes for non-IT weaknesses…”
     • Did the researchers test Audit Analytics for “false negatives”? i.e. IT weaknesses exist but were not identified as code 20
     • Are we able to test: “Do internal control weaknesses exist that have elements of IT control weaknesses but are not identified/categorized as IT control weaknesses? And as such, are we underreporting the extent of IT control weaknesses?”

  6. Understate the importance of a key limitation
     • “The sub-division of IT weaknesses based on content analysis can help researchers hampered by the lacking granularity of the coding in Audit Analytics.”
     • Would it not make sense to have a more granular classification of IT weaknesses?
     • This lack of granularity is an issue for IT practitioners - is there some way to influence this?

  7. Paper #2 The role of IT Innovation Capability on Value Creation

  8. Key take-aways
     • Companies that have developed a systematic approach to IT innovation capability are better prepared to deal with the modern hypercompetitive environment
     • A systematic IT innovation capability strategy leads to sustainable value creation

  9. Discussant comments
     • Differentiating “sustainable” from “opportunistic” IT innovation capability is very appealing
     • Study discusses why it is important to develop sustainable IT innovation capability
     • This sounds consistent with the popular press that talks to “innovation” as a key to recovery from a recession

  10. Additional thoughts
      • Do companies with high IT innovation capability also tend to have high enterprise innovation capability?
      • It is not clear how much of the sustainable value creation is attributable to “IT” innovation capability vs. the “enterprise’s” innovation capability
      • Could enterprise innovation capability (including IT innovation) be a better predictor of sustainable value creation?

  11. Concluding thoughts
      • During economic down-turns there is tremendous pressure on IT budgets
      • The message that systematic IT innovation capability contributes to sustainable value creation – even during down-turns is a very important message that needs to get into the business press
      • More research is needed to understand “how” organizations create systematic IT innovation capability

  12. Paper #3 Uncertainty and the Decision to Manipulate Reported Performance

  13. Effect of internal controls
      • Model considers the impact of detection, but suggests this as a proxy for internal control effectiveness
      • “C is a detection parameter and a proxy for effectiveness of internal controls. Values of C approaching zero indicate that internal controls are very effective and, as a result, the probability of detection is very high. On the other hand, high C values indicate that internal controls are ineffective thus probability of detection is minimal.” (p 9)
      • The Audit Risk model differentiates Detection risk from Internal Control risk
        Audit Risk = Inherent Risk x Control Risk x Detection Risk
      • As such shouldn’t the model consider control effectiveness as a variable separate from audit detection?

  14. Effect of internal controls
      • Internal controls can be either preventive or detective
      • Arguably detective internal controls are similar to audit detection and as such could conceivably be combined into a single “detection” variable
      • In terms of measuring propensity to manipulate, does it really matter if the manipulation may be detected by internal management or by external auditors?
      • However probability of detection does not account for preventive controls which in effect provides a “reduced opportunity” to manipulate

  15. Effect of internal controls and information systems
      • The paper argues that information systems can provide a more accurate ability to forecast which would result in more attempts at manipulation
      • “These integrated information systems are superior tools for forecasting (Colkin and Maselli 2002; Fliedner 2003; Whiting 2002) and may affect the certainty of the forecasts provided to the managers.” (p5) “…greater certainty in forecast accuracy leads to more attempts to manipulate; however, these attempts will be of smaller magnitude” (p18)
      • Clearly we need less accurate information systems
      • Argument could be valid – “all else being equal”
      • however this does not factor the improvements in internal controls typically resulting from such systems

  16. Effect of internal controls and information systems
      • More advanced information systems can:
      • Reduce the opportunity to manipulate e.g. reduced access/ability to change information, etc.
      • Increase the potential for detection e.g. more accurate monitoring tools, more robust audit trails, etc.
      • This also suggests the importance of improving internal controls along with improvements to information systems
      • Since keeping internal control effectiveness the same while improving accuracy of information (and ability to forecast accurately) would seem to suggest greater manipulation attempts

  17. Relationship to the Fraud Triangle
      • The paper does not seem to reference literature related to fraud such as the 3 elements of the fraud triangle*
      • Motive (or pressure) – the need for committing fraud (need for money, etc.);
      • Rationalization – the mindset of the fraudster that justifies them to commit fraud; and
      • Opportunity – the situation that enables fraud to occur
      • Thinking about the various elements of the model in this context may reveal additional insights
      * - According to Wikipedia this concept was first coined by Donald R. Cressey

  18. Thank you
