Henrickson-IT-Internal-Control-Weaknesses

Do Material Weaknesses in Information-Technology Related Internal Controls Affect Firms’ 8-K Filing Timeliness and Compliance?
October 1 - 3, 2015
Symposium 2015
Ray Henrickson CA, CPA, CISA
• Recently retired VP Information Systems &
Technology Audit at Scotiabank
• + 35 years as an IT auditor
The Premise
• The relative strength of a firm’s internal controls,
especially those surrounding IT-related components
(e.g., access, processing, reporting), plays a leading
role in affecting the timeliness and four-day
compliance requirement for the Form 8-K.
• The focus is on understanding the roles played by a
firm’s AIS
My Challenges - AIS
• Difference between ICMW and ITMW?
• What is a material IT control weakness?
• Impact on financial reporting
• Time/cost to remediate
• Customer disruption
• Relationship to risk
• Is the definition consistent across the sample
population?
• Are we really only dealing with reported control
weaknesses?
• Is there a difference between one or multiple reported
weaknesses?
IT Control Environment
[Diagram: IT control environment. Labels: Web page; Emergency changes; Web page; Updated Master file; Logic Changes; Master file; Communications link; Application; Processing; Input; Production line; Output; Communications link; Security validation; Job schedule; Parameters; Calendars]
What’s an 8-K
• Registrant's Business and Operations
– Entry into a Material Definitive Agreement
– Termination of a Material Definitive Agreement
– Bankruptcy or Receivership
– Mine Safety - Reporting of Shutdowns and Patterns of Violations
• Financial Information
– Completion of Acquisition or Disposition of Assets
– Results of Operations and Financial Condition
– Creation of a Direct Financial Obligation or an Obligation under an Off-Balance Sheet Arrangement of a Registrant
– Triggering Events That Accelerate or Increase a Direct Financial Obligation or an Obligation under an Off-Balance Sheet Arrangement
– Costs Associated with Exit or Disposal Activities
– Material Impairments
• Securities and Trading Markets
– Notice of Delisting or Failure to Satisfy a Continued Listing Rule or Standard; Transfer of Listing
– Unregistered Sales of Equity Securities
– Material Modification to Rights of Security Holders
• Matters Related to Accountants and Financial Statements
– Changes in Registrant's Certifying Accountant
– Non-Reliance on Previously Issued Financial Statements or a Related Audit Report or Completed Interim Review
• Corporate Governance and Management
– Changes in Control of Registrant
– Departure of Directors or Certain Officers; Election of Directors; Appointment of Certain Officers; Compensatory Arrangements of Certain Officers
– Amendments to Articles of Incorporation or Bylaws; Change in Fiscal Year
– Temporary Suspension of Trading Under Registrant's Employee Benefit Plans
– Amendment to Registrant's Code of Ethics, or Waiver of a Provision of the Code of Ethics
– Change in Shell Company Status
– Submission of Matters to a Vote of Security Holders
– Shareholder Director Nominations
• Asset-Backed Securities
– ABS Informational and Computational Material
– Change of Servicer or Trustee
– Change in Credit Enhancement or Other External Support
– Failure to Make a Required Distribution
– Securities Act Updating Disclosure
• Regulation FD
– Regulation FD Disclosure
• Other Events
– Other Events (The registrant can use this Item to report events that are not specifically called for by Form 8-K, that the registrant considers to be of importance to security holders.)
• Financial Statements and Exhibits
My Challenges – 8-K
• Difference between timeliness and compliance?
Does it matter?
• How is the 8-K produced?
• In-house compliance/legal department
• Outside third party
• How do controls in the IT environment relate to 8-K
reporting?
• End user computing vs corporate systems
Typical 8-K Preparation
8-K Template
COSO Control Framework
The Relationship
[Diagram labels: Operations; Compliance; IT Control Activities; How long it takes to do; 8-K Reporting; Non-IT Control Activities]
The Analysis
Complicated Events
Non-Complicated Events
• Internal Control
– Internal Control Material Weakness
– IT Material Weakness
– Other Material Weakness
– IT Control Improvement
– IT Control Weakness continues
• Firm Characteristics
– Size
– Leverage
– Return On Assets
– Annual Abnormal Return
– Age of the firm
– Big 4 Audit Firm
• Financial Health
– Loss
– Rate of growth
• Operation Complexity
– Number of operational or geographic segments
– Foreign Transaction
– Restructure
Surprise Events
Non-Surprise Events
Conclusions
• For internal control weaknesses
• Firms that reported a material weakness in internal control submitted
their 8-K filing later in the four-day timeframe.
• For IT-related internal control weaknesses
• For complicated events, firms that reported IT-related material
weaknesses in internal controls submitted their 8-K filing later in the
four-day timeframe.
• For non-complicated events, there was no statistical relationship
between IT-related material weaknesses in internal controls and the
8-K reporting timeliness.
• Remediation (deterioration) in the quality of IT-related internal
controls had no impact.
• Overall
• 14,422 firms
• 118,863 reports
• 127 non-compliant reports
What’s Missing
• Fundamental difference between AIS processes and
8-K event reporting
• The degree of independence and autonomy between
AIS and Compliance Reporting processes, controls
and IT
• Whether the reported control weaknesses were
pervasive or situational
• No consideration of the influence of the Control
Environment / Governance / “Tone at the Top”
Practical Application
• No foreseeable practical application of this study to
the planning and execution of financial, IT or
compliance audits