The Impact of SOX Information Technology Material Weaknesses on Corporate
Governance: Evidence from CEO, CFO and BOD Turnover and Changes in IT
Knowledge
Abstract We examine the impact of information technology (IT) internal control material
weaknesses on CEO, CFO and director turnover, CEOs’, CFOs’ and directors’ IT knowledge
improvements, and upgrades to the company’s financial reporting IT. Consistent with the
hypothesis that, relative to non-IT material weaknesses, IT-related material weaknesses have a
more pervasive negative impact on the reliability of internal controls over financial reporting,
we document that IT material weakness firms experience higher CEO, CFO and director
turnover rates. We also find that IT material weakness firms are more likely to replace
executives and board members with professionals possessing higher degrees of IT knowledge,
and are more likely to upgrade their financial reporting IT. Finally, we find that IT material
weakness firms that replace the CFO with individuals possessing IT knowledge are more likely
to reduce the number of internal control weaknesses in future periods.
I. Introduction
Information technology (IT) serves as the foundation of an effective system of internal
controls over financial reporting (Hunton et al. 2008; Kobelsky et al. 2008; Li et al. 2010a; Masli
et al. 2010). IT provides the platform that integrates financial transactions and internal controls to
increase the likelihood of a properly functioning financial reporting process. Despite its
importance, there is a notion that Chief Executive Officers (CEO) and Chief Financial Officers
(CFO) have not paid enough attention to IT as a critical component of the financial reporting
system process (Deloitte 2005). Regulators seem to share this sentiment and suggest that boards
of directors need to do a better job providing oversight over their organizations’ IT functions,
especially those pertaining to internal controls and financial reporting (Nolan and McFarlan
2005; Klamm and Watson 2009; Bart and Turel 2010).
Recent research (Klamm and Watson 2009) finds that firms with significant IT
deficiencies are more likely to issue misstated financial statements (relative to firms with regular
material weaknesses), further increasing the awareness of the importance of IT on the overall
financial reporting system.1 In this paper, we examine two related questions. First, we examine
the impact of IT material weaknesses on CEO, CFO, and board of director turnover. We focus
on the CEO and CFO because they are primarily responsible for the reliability and accountability
of internal controls over financial reporting. Section 302 of the Sarbanes-Oxley Act of 2002
(SOX) requires these executives to sign off on financial statements and to report on the quality of
the internal controls surrounding financial reporting. Recent research also emphasizes the
important role that directors play in monitoring internal controls, and the consequences they face
in the event of a failure (Goh 2009; Johnstone et al. 2010). Consequently, we examine whether
board members face penalties (in the form of an increased likelihood of turnover) for “IT
failures” that relate to internal control over financial reporting. This examination is important
because while extant research (Srinivasan 2005; Desai et al. 2006; Collins et al. 2009) documents
the consequences of financial misstatements on a firm’s governance structure (e.g., executive
and director turnover), little is known about the consequences of IT deficiencies on changes in
corporate governance.
Footnote 1: IT weaknesses are considered more detrimental than standard weaknesses because they often affect the reliability
of all financial data that is processed within the firm. See Appendix A for definitions of these weaknesses and
Appendix B for examples.
Second, we examine how firms with IT material weaknesses remediate their deficiencies.
Specifically, we examine two distinct areas of remediation. Given the emerging call for greater
IT oversight among executives and board members, we first determine whether IT weakness
firms replace outgoing CEOs, CFOs, and directors with professionals who possess greater levels
of IT knowledge. Replacing the CEO, CFO and/or board members with individuals with greater
IT knowledge would be a signal about the seriousness of a firm’s commitment to remediating the
IT governance environment. Finally, we examine whether firms with IT weaknesses
subsequently make other major IT changes, including upgrades specifically targeted to the
financial and accounting system. These changes include upgrading the IT, hiring an executive
(beyond the CEO or CFO) dedicated to the oversight and management of IT, or adding a
technology committee to the board. All of these changes are expected to help remediate
problems associated with the IT material weakness.
We rely on a sample of IT material weakness firms identified by reading SOX 404
reports issued from 2004 through 2006. We gather additional information on these firms using
Audit Analytics, Annual COMPUSTAT, CRSP, I/B/E/S, and Thomson Reuters. After
eliminating any observations that are missing necessary data, we have a final sample of 578
firm-year observations, 289 of which are IT material weakness firm-year observations. As a control
group, we rely on a random sample of non-IT material weakness firms from the same period
(more details on this in the research design section).
Consistent with our expectations, we find that the likelihood of turnover of CEOs, CFOs,
and directors is greater for IT weakness firms compared to non-IT weakness firms. After
controlling for economic determinants of turnover, including the incidence of restatements, we
find that IT weakness firms have a 13.3%, 22.2%, and 16.1% greater likelihood of CEO, CFO,
and director turnover, respectively. These results imply that weak IT controls have a more
pervasive and negative impact on the financial reporting process and consequently result in
greater penalties for the executives primarily responsible for internal controls. Furthermore, the
results suggest that directors are held accountable for breakdowns in IT related controls, thus
providing support for the notion that board members are now challenged to extend their
monitoring and oversight duties to IT functions.
When we contrast the turnover rates between IT and non-IT firms conditioning on inside
vs. outside directors, we find that the probability of turnover is greater for outside directors.
When we focus on the audit committee, however, we find that the turnover rate is not
significantly different between IT and non-IT weakness firms. In contrast, when we focus on the
turnover rates of the chairperson of the board, we find that the likelihood of turnover is 12.8%
higher in IT weakness firms. These results indicate that the firm eliminates the professional with
the most authority on the board as part of the remediation of the problems in the financial
reporting process. On balance, these results show that firms do make changes that are more
significant to the governance structure for IT weaknesses compared to non-IT weaknesses.
With respect to the remediation, we find that IT weakness firms are more likely to replace
(appoint) outgoing CEOs and CFOs (directors) with executives (directors) that have greater
levels of IT knowledge.2 This result should be of interest to academics and practitioners alike,
because although IT is considered a central component of internal controls, little evidence to date
speaks to the association between IT expertise at the executive/board level and the quality of
internal controls over financial reporting. Our findings support the notion that IT weakness firms
are more likely to obtain the services of executives and directors with IT knowledge, expecting
that such appointments can contribute to improvements in internal controls over financial
reporting. We also find that IT weakness firms are more likely to make upgrades to the
accounting and financial reporting IT. In some cases, the IT weakness is so pervasive
throughout the system that firms opt to scrap the entire financial reporting system.3 In other
cases, the IT weakness affects targeted areas, leading to changes only to specific modules,
Accounts Payable or Fixed Assets for example.4
In additional analysis, we examine whether the remediation efforts that IT weakness
firms undertake (replacement and appointment of IT knowledge executives and directors; IT
upgrades, etc.) result in successful improvements to the internal control process. We find
evidence suggesting that IT weakness firms that replace (fill) their CFO (board seats) with
individuals possessing IT knowledge (compared to IT weakness firms that do not) are more
likely to reduce the number of internal control weaknesses by the second year after the initial IT
weakness year. This result implies that replacements and appointments of CFOs and/or directors with
IT knowledge are the most effective remediation strategies for IT weakness firms.
Footnote 2: We determine that a professional has IT knowledge if their biography from the firm’s proxy statement (DEF 14A)
states that they previously worked in an IT/technology firm or have IT related degrees such as computer science or
management information systems. Please see Appendix C for examples of IT knowledge biographies.
Footnote 3: For example in 2005 Castle & Co stated, “The Company started a business system replacement initiative in the
third quarter of 2005. The project scope includes a replacement of the Company’s financial systems as a first phase
of the overall project plan. The Company is currently performing parallel testing and expects to be in production
with its new financial systems in mid-2006. In conjunction with the business systems replacement initiative, the
Company has invested in new report writing technology that will automate and expedite the creation of its key
financial and other business reports. This program is also expected to be installed by mid-2006. Management
believes this investment in technology will allow for a more thorough and timely review of its financial statements
by its financial staff, thereby enhancing its internal control over financial reporting.”
Footnote 4: For example in 2005 Covansys Corp stated, “Implementation of the fixed asset module in the Company’s ERP
system in the third quarter of 2005 to facilitate in the tracking and accounting of fixed assets. This implementation
eliminates the use of multiple spreadsheets and systems which significantly streamlines the process while injecting
more preventative automated controls into the control environment.”
Our study offers various contributions to the accounting information systems (AIS)
literature that examines the importance of IT in financial reporting and auditing. The IT-related
auditing literature focuses on the use of IT by auditors and how it can affect auditor judgment
(e.g., Messier 1995; O’Donnell and David 2000; Brazel et al. 2004; O’Donnell and Schultz 2003;
Bible et al. 2005; Bedard et al. 2007; Dowling and Leech 2007; Dowling 2009). The accounting
literature also focuses on the benefits firms derive from IT within financial reporting and internal
controls (e.g., Dehning and Richardson 2002; Hunton et al. 2003; Kobelsky et al. 2008; Masli et
al. 2010). Our paper extends this literature by showing the detrimental effects of a breakdown
within the controls surrounding IT on a firm’s governance environment.
Prior literature focuses on the importance of financial accounting expertise of executives
and board members as it relates to the financial reporting process (Beasley 1996; DeFond et al.
2004; Hennes et al. 2008; Li et al. 2010b; Johnstone et al. 2010). We extend this literature by
documenting that firms also value the IT expertise of executives and directors when remediating
internal control issues. Furthermore, a stream of literature investigates the characteristics of
firms that report material weaknesses and the consequences the firms face in regard to the
weaknesses (Ge and McVay 2005; Doyle et al. 2007; Hammersley et al. 2008; Johnstone et al.
2010; Li et al. 2010b). We extend this literature by examining a unique type of internal control
material weakness that we show to be a greater detriment to the financial reporting process. Finally,
our results provide support for the recommendations within the COSO and COBIT frameworks
as well as the PCAOB standards that advocate management and board oversight and
accountability over IT controls.
We organize the rest of the paper as follows: Section 2 explores the related literature and
develops our testable hypotheses. Section 3 describes the sample used to test the hypotheses.
Section 4 presents the research design. Section 5 details the empirical results. Finally, Section 6
summarizes and concludes the paper.
II. Background and Hypothesis Development
Sections 302 and 404 of SOX require management and auditors to report on the quality
of the firms’ internal controls over financial reporting. Through this process, firms identify and
reveal internal control material weaknesses, which the Public Company Accounting Oversight
Board (PCAOB) defines as “a significant deficiency, or a combination of significant
deficiencies, that results in more than a remote likelihood that a material misstatement of the
annual or interim financial statements will not be prevented or detected” (PCAOB 2004).
Therefore, a material weakness indicates that there is a major problem with a firm’s financial
reporting process, potentially highlighting the possibility of misstated financial statements.
In a report discussing the importance of the role of IT in the design and implementation
of internal controls, the IT Governance Institute (ITGI) states that IT is the foundation of an
effective system of internal controls over financial reporting (ITGI 2006). The Committee of
Sponsoring Organizations of the Treadway Commission (COSO 2009) makes a similar case, but
goes on to emphasize the importance of properly monitoring the effectiveness of the IT. The
PCAOB also recognizes the importance of IT in the internal controls of financial reporting.
Auditing Standard No. 2 (and the superseding Standard No. 5) specifically states that IT controls
have a “pervasive effect on the achievement of many overall objectives of the control criteria”
(PCAOB 2004), so auditors should understand how IT affects the firm’s flow of transactions and
examine the use of IT within the processes and controls. Overall, the regulatory perspective
suggests that IT plays an important role within the financial reporting system and the internal
controls within that system.
Since IT often permeates through the entire financial reporting structure, we predict that
IT material weaknesses have a more pervasive impact on the financial reporting process than
non-IT material weaknesses. In addition, IT weakness firms will have greater incentives to
correct IT material weaknesses. Common IT material weaknesses (as reported within SOX 404
reports) include lack of controls over who can initiate and approve journal entries, accounting
systems that are unable to process complicated transactions, and a lack of training to use the
accounting system software. The severity of these weaknesses can lead to the misstatement of
any account, and therefore cause a significant problem in financial reporting. Therefore, firms
should remediate these problems to improve the quality of financial reporting. In the next
section, we develop expectations that firms make significant changes to the firms’ governance
and IT structure following the discovery of an IT material weakness.
The Relation between IT Weaknesses and Executive Turnover
Extant literature provides evidence of executive and director turnover following financial
reporting failures. For example, Desai et al. (2006) find that restatements are associated with an
increased likelihood of CEO turnover, and that terminated executives have difficulty finding
similar positions at other firms following the turnover. Collins et al. (2009) show similar results
for CFOs, but also show that the labor market penalties (i.e., inability to find a comparable
position) are more severe in a post-Sarbanes-Oxley Act (SOX) era. Srinivasan (2005) shows that
directors lose a significant number of directorships following the announcement of earnings-decreasing restatements. More recent research, including Li et al. (2010b) and Johnstone et al.
(2010), shows increased executive and director turnover in firms that report internal control
material weaknesses.
Prior research also documents significant costs associated with material weaknesses
(Ashbaugh-Skaife et al. 2009; Hammersley et al. 2008; Hogan and Wilkins 2008; Ye and
Krishnan 2008). Hammersley et al. (2008) find a negative stock market reaction to the
announcement of certain material weaknesses and Ashbaugh-Skaife et al. (2009) find that firms
that report deficiencies in internal controls face a higher cost of equity. Additionally, Hogan and
Wilkins (2008) show an increase in auditor fees following internal control deficiencies. It is
likely that these costs for IT material weaknesses (relative to regular material weakness firms)
are higher because they are of greater detriment to the firm. For example, Klamm and Watson
(2009) find that firms with IT material weaknesses report more misstated accounts than firms
with non-IT related weaknesses, providing evidence on the pervasive negative impact of weak IT
controls. Consistent with this notion, Li et al. (2010a) find that weak IT internal controls produce
low information quality, leading to management forecasts that are less accurate for firms with IT
material weaknesses than for other firms. Based on this evidence, we predict that there is a
greater likelihood of executive (CEO or CFO) and director turnover for IT weakness firms.
Therefore, our first hypothesis is as follows:
Hypothesis 1: The likelihood of CEO, CFO, and director turnover is greater for firms
that report IT material weaknesses in internal control than for firms that report non-IT
material weaknesses.
The Relation between IT Weaknesses and IT Governance Changes
It is important to understand how corporate governance can affect financial reporting.
Bowen et al. (2008) find that weak governance allows management to use more discretion in
accounting information, which in turn leads to poor future performance. Farber (2005) finds an
association between the likelihood of fraud and characteristics commonly associated with weak
governance, such as few independent board members, a lack of financial expertise on the board,
and few audit committee meetings. Klein (2002) finds that firms with more independent boards
report lower levels of discretionary accruals. Larcker et al. (2007) find a positive association
between strong governance attributes and future firm performance. Finally, Krishnan (2005) and
Hoitash et al. (2009) both show that strong corporate governance decreases the likelihood of
material weaknesses in internal controls. These papers are important because they show that
strong corporate governance helps firms avoid internal control material weaknesses, thus
strengthening the financial reporting process.
It is also important to examine how remediation of financial reporting breakdowns can
improve the financial reporting process. For example, Farber (2005) shows that following the
revelation of fraud, firms take corrective actions to improve corporate governance. These
actions include hiring more independent directors and directors with financial expertise. The
author shows that following these corrective actions the firms experience an increase in stock
performance, suggesting that “investors appear to value governance improvements.”
Extant research provides strong evidence on the consequences of internal control weakness
remediation. For example, Ashbaugh-Skaife et al. (2009) find that when firms address
deficiencies in internal controls their cost of equity decreases, and Goh (2009) shows that the
timeliness of remediation is positively associated with the severity of the weakness. The author
states that remediation is “key to improving financial reporting quality and restoring investor
confidence.” Li et al. (2010b) and Johnstone et al. (2010) document ways that firms attempt to
remediate material weaknesses, including replacing the CFO with a different one of “higher
quality” and hiring more independent directors. Following this line of research, in the case of IT
material weaknesses, we predict that firms also improve the characteristics of corporate
governance. However, we predict that not only do they try to improve the specific financial
knowledge of the firm, but since these weaknesses are IT related they will increase IT
characteristics of the firm as well. Our second hypothesis is as follows:
Hypothesis 2: Firms that report IT internal control material weaknesses are more likely
to make IT governance changes than firms that report non-IT internal control material
weaknesses.
We are also interested in the different types of IT governance changes these firms are
likely to make. First, we examine if these firms hire executives and directors with characteristics
that will improve financial reporting. Beasley (1996) shows that firms with more independent
directors are less likely to have fraud. DeFond et al. (2004) find that the market reacts positively
when firms announce the appointment of a financial expert to the board of directors, especially if
the financial expertise is accounting specific. In the case of internal control material weaknesses,
Li et al. (2010b) and Johnstone et al. (2010) find that following the weaknesses firms hire
executives and directors that are more qualified to remediate the weaknesses to improve financial
reporting quality. Li et al. (2010b) specifically show that firms hire CFOs with more financial
expertise and more experience. We expect that firms hire executives and directors with the right
skill set to remediate any internal control material weaknesses. For that reason we predict that
firms that report IT related internal control weaknesses are more likely to hire executives and
directors with IT knowledge to remediate the IT weaknesses and improve financial reporting
quality. Specifically, our third hypothesis is as follows:
Hypothesis 3: Firms that report IT internal control material weaknesses are more likely
to hire executives and directors with IT knowledge than firms that report non-IT internal
control material weaknesses.
We also suggest that these firms proceed with other IT initiatives to improve financial
reporting. These initiatives include upgrading the IT financial reporting system, hiring an IT
executive, adding a technology committee to the board, or increasing the importance of the role
of the Chief Information Officer (CIO). The extant literature discusses how these different
initiatives can improve financial reporting. For example, Hunton et al. (2008) find that using IT
for continuous monitoring can decrease the level of real earnings management of firms. Li et al.
(2010a) find that better quality IT financial reporting systems provide higher quality information
to management. Kobelsky et al. (2008) find a positive association between IT budgets and firm
performance and shareholder returns. Finally, Masli et al. (2010) show that implementing
technology specifically used in monitoring the effectiveness of internal controls decreases the
likelihood of internal control material weaknesses. Overall, this evidence suggests that
improving IT can decrease the likelihood of material weaknesses, and therefore improve the
quality of financial reporting. Therefore, we predict that IT weakness firms will make IT
initiative changes to improve the quality of the internal control environment and financial
reporting. Specifically, our fourth hypothesis is as follows:
Hypothesis 4: Firms that report IT internal control material weaknesses are more likely
to make IT initiative changes than firms that report non-IT internal control material
weaknesses.
Following Li et al. (2010a), in our final hypothesis we examine different types of IT
material weaknesses to determine how they differently affect the governance structure of firms.
These three different categories are Data Processing Integrity, Access and Security, and Structure
and Usage. Li et al. (2010a) show that the Data Processing Integrity weaknesses are the most
directly aligned with the accurate and reliable production of data and find these weaknesses to
cause the greatest detriment to the information quality. Following this line of reasoning, we expect
the impact on the corporate governance of the firm for Data Processing Integrity weaknesses to
be greater than for the Access and Security and the Structure and Usage IT weaknesses. Specifically,
our fifth hypothesis is as follows:
Hypothesis 5: The turnover and remediation efforts are greatest for firms reporting Data
Processing Integrity internal control material weaknesses.
III. Sample Selection
Our sample is constructed using data from Audit Analytics, Annual COMPUSTAT
(financial statement variables), CRSP, I/B/E/S, Thomson Reuters, and SEC filings (DEF 14A,
10-K, etc.). We used Audit Analytics to identify firms that report material weaknesses in their
internal controls over financial reporting. We then used the SOX 404 reports within 10-K filings
to identify IT-related material weaknesses from 2004 through 2006. Using this procedure, we
identified 301 SOX 404 reports that indicate IT-related material weaknesses. Using Audit
Analytics, we identified a random sample of firms that reported a non-IT material weakness.
Using a random number generator, we selected 301 non-IT weakness firms from the
population of material weakness firms. This gives a total sample of 602 firm-year observations
where the firm reports an internal control material weakness (IT related and non-IT related). We
then collected data on management and the board of directors from proxy statements (DEF-14A)
and 10-K filings from 12 months before the year of the weakness to 24 months after the year of
the weakness. Additionally, we collected information for our control variables from
COMPUSTAT, CRSP, Thomson Reuters, and I/B/E/S. After eliminating observations with
missing information, our final sample included 578 firm-year observations, 289 of which are IT
material weakness firm-year observations. Please see Panel A of Table 1 for the sample
reconciliation.
Panel B of Table 1 presents the industry classification (by two-digit SIC codes) across
our sample firms. In general, firms in our sample are from a broad spectrum of industries.
Specifically, they appear more often in the Services, Financial Institutions, and Electrical
industries. Finally, Panel C of Table 1 provides the distribution of the sample firms across years.
With the exception of 2006, the number of observations by year is around 200 and uniform
across time.
IV. Research Design
Hypothesis 1 posits a positive association between IT material weakness firms and
turnover for executives and directors. To test our first hypothesis, we run variations of the
following logistic regression model (please see Table 2 for variable definitions):
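$$
\begin{aligned}
\text{Turnover}_{i} ={}& \beta_0 + \beta_1\,\text{IT Weakness}_{i,t} + \beta_2\,\text{LnAssets}_{i,t} + \beta_3\,\text{Leverage}_{i,t} + \beta_4\,\text{BTM}_{i,t} + \beta_5\,\text{ROA}_{i,t} \\
&+ \beta_6\,\text{Loss}_{i,t} + \beta_7\,\text{Institutional Holdings}_{i,t} + \beta_8\,\text{Analyst}_{i,t} + \beta_9\,\text{Restatement}_{i,t-1,t,t+1} \\
&+ \beta_{10}\,\text{Board Size}_{i,t} + \beta_{11}\,\text{Board Independence}_{i,t} + \beta_{12}\,\text{CEO Chairman} + \beta_{13}\,\text{Automate}_{i,t} \\
&+ \beta_{14}\,\text{Transform}_{i,t} + \beta_{15}\,\text{High Tech}_{i,t} + \beta_{16}\,\text{Low Tech}.
\end{aligned}
\tag{1}
$$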
We run the above regression using different dependent variables for turnover. For all of our
turnover variables we measure turnover if it occurs in the year of the weakness or within the
two years following the weakness. We first examine the turnover for CEOs and CFOs. We then
run the model on different director positions: directors, chairman of the board, independent
directors, and audit committee members. Our variable of interest is IT Weakness, which is coded
1 if the firm is an IT weakness firm, and 0 otherwise. We expect the coefficient on this variable
to be positive and significant indicating that the likelihood of turnover is greater for IT weakness
firms than for non-IT weakness firms.
We include a set of control variables that prior literature shows can affect director and
management turnover. Ferris et al. (2003) show that the likelihood of turnover increases with
firm size, therefore we predict LnAssets to be positively associated with Turnover. We include
Leverage because greater debt levels translate into additional monitoring by creditors, who could
influence the dismissal of poor performing management and directors (Agrawal and Cooper
2007). We therefore predict Leverage to be positively associated with Turnover. Since firms
with low valuations experience a greater level of turnover, we expect BTM to be positively
associated with Turnover. Prior literature also shows that turnover is more likely for firms with
poor operating performance (Weisbach 1998 and Yermack 2004). Therefore, we expect ROA to
be negatively associated and Loss to be positively associated with Turnover.
Following Johnstone et al. (2010), we include the variables Institutional Holdings and
Analyst as controls for the additional monitoring that outsiders provide for the firm. Therefore, we
predict both to be positively associated with Turnover. Prior research shows that restatements
increase the likelihood of executive and director turnover (Desai et al. 2006; Srinivasan 2005;
Collins et al. 2009). We therefore predict that Restatement is positively associated with
Turnover. Extant literature provides mixed evidence regarding how the size of the board affects
corporate governance (Jensen 1993), so we make no prediction about the direction of Board Size.
Research also argues that independent boards are more likely to remove poor performers from
both management and the board (Jensen 1993); thus, we expect Board Independence to be
positively associated with all measures of Turnover. We include CEO Chairman because as
discussed by Jensen (1993), when the CEO also serves as the board chair they are more
entrenched, so we expect this variable to be negatively associated with management turnover and
positively associated with director turnover. Finally, we include a set of control variables that
represent different high and low technology industries to control for any effects these IT
intensive industries have on our results (Kobelsky et al. 2008). These variables are Automate,
Transform, High Tech, and Low Tech.
In additional analysis, we investigate whether certain types of IT SOX 404 material
weaknesses will have a greater impact on turnover. Therefore, following Li et al. (2010a), we
categorize IT material weaknesses across three dimensions: a) Data Processing Integrity, b)
System Access and Security, and c) System Structure and Usage. As discussed by Li et al.
(2010a), the three categories were developed by integrating the prior data quality literature,
auditing standards (i.e., AS5), and IT professional guidance. Detailed examples of the IT controls
and the coding of the categories appear in Appendices A and B. When examining the association
of the IT material weakness categories and turnover, we include the following independent
variables: Data Processing Integrity, System Access and Security, and System Structure and
Usage.
Hypothesis 2 posits a positive association between IT material weakness firms and IT
governance changes. To test our second hypothesis, we run variations of the following logistic
regression model (please see Table 2 for variable definitions):
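$$
\begin{aligned}
\text{IT Governance Change}_{i} ={}& \alpha_0 + \alpha_1\,\text{IT Weakness}_{i,t} + \alpha_2\,\text{LnAssets}_{i,t} + \alpha_3\,\text{ROA}_{i,t} + \alpha_4\,\text{Avg Sales Growth}_{i,t} \\
&+ \alpha_5\,\text{Leverage}_{i,t} + \alpha_6\,\text{Uncertainty}_{i,t} + \alpha_7\,\text{Automate}_{i,t} + \alpha_8\,\text{Transform}_{i,t} \\
&+ \alpha_9\,\text{High Tech}_{i,t} + \alpha_{10}\,\text{Low Tech}_{i,t} + \alpha_{11}\,\text{Foreign}_{i,t} + \alpha_{12}\,\text{Merger}_{i,t} + \alpha_{13}\,\text{Restructuring}_{i,t} \\
&+ \alpha_{14}\,\text{Product Differentiation}_{i,t} + \alpha_{15}\,\text{Cost Leadership}_{i,t}.
\end{aligned}
\tag{2}
$$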
In this model, we examine the probability of a firm making changes to its IT governance
structure. We use two different dependent variables. First, IT Governance Change is defined as
an indicator variable set equal to one if the firm made any changes to its IT governance, and 0
otherwise. Second, Count of IT Governance Changes represents the number of changes the firm
makes to the IT governance. The specific IT governance changes that we examine include the
following: replacement of CEO with IT knowledge (CEO IT Knowledge); replacement of CFO
with IT knowledge (CFO IT Knowledge); hiring of chairman of the board of directors with IT
knowledge (Chairman IT Knowledge); hiring of audit committee members with IT knowledge
(Audit Committee IT Knowledge); hiring of directors with IT knowledge (Director IT
Knowledge); upgrading the IT (IT Upgrade); and upgrading IT management (IT Management).
We ascertain whether an executive or board member possesses IT knowledge by reading their
biographies in the firm’s proxy statements (form DEF 14A). An executive (board member) is
said to have IT Knowledge if he/she has prior experience as a CIO (or other IT related
management positions), has previously worked in an IT/technology firm, or has IT related
degrees such as computer science or management information systems. Furthermore, IT
initiative changes include upgrades to the IT and IT management. An upgrade to the IT would
entail improvements made to the overall IT (financial and non-financial related systems), while
an upgrade to IT management includes hiring an IT specific executive, adding a technology
committee to the board, or promoting the CIO position to become one of the top five paid
executives.
Our variable of interest is again IT Weakness. We expect the coefficient to be positive
and significant because we expect firms to make more IT governance changes in response to the
IT material weaknesses to remediate the IT control problems within the financial reporting
process. When examining the association between IT material weakness categories and IT
governance changes, we substitute IT Weakness with the following independent variables: Data
Processing Integrity, System Access and Security, and System Structure and Usage.
We include a set of control variables that we expect will influence IT governance
changes. We include LnAssets because we predict that size affects a firm’s ability or desire to
make IT governance changes. We do not make a sign prediction for size. We expect ROA to be
positively associated with IT changes, because profitable companies have more resources to
invest in IT changes. Dewan et al. (1998) find that firms with higher sales growth tend to underinvest in IT, and we therefore expect Avg Sales Growth to be negatively associated with IT
governance changes. High debt levels can constrain a firm’s resources, so we therefore predict a
negative association for Leverage. We include Uncertainty, because we expect firms with higher
levels of risk to use more IT to help mitigate some of the risk. We therefore expect a positive
sign on the coefficient for Uncertainty. We follow Chatterjee et al. (2001) in using the Automate
and Transform variables. These indicator variables provide information as to how firms intend
to strategically use IT within their business structures. We expect both of these variables to be
positively associated with IT changes because firms that fall into these categories tend to use more
IT in their business processes. We also use a classification scheme similar to Francis and
Schipper (1999) to designate High Tech and Low Tech firms. We expect High Tech firms to be
more likely to make IT changes since these companies are more likely to use IT in everyday
operations. We make no prediction for Low Tech firms because it is not obvious whether these
firms will avoid IT changes because they feel they are unnecessary, or they will make the
changes because they are obviously lacking IT. Finally, prior research suggests that enterprise IT
initiatives and IT management structure often require alignment with the firm’s business
strategies (e.g., Floyd and Wooldridge 1990; Banker et al. 2010). Therefore, we include the
following set of variables to control for business strategies that companies may employ: Foreign,
Merger, Restructuring, Product Differentiation, and Cost Leadership. We make no directional
predictions about these variables.
Hypothesis 3 posits a positive association between IT material weakness firms and the
replacement (hiring) of executives (directors) with IT knowledge. To test our third hypothesis,
we run variations of the following logistic regression model (please see Table 2 for variable
definitions):
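$$
\begin{aligned}
\text{IT Knowledge}_{i} ={}& \gamma_0 + \gamma_1\,\text{IT Weakness}_{i,t} + \gamma_2\,\text{LnAssets}_{i,t} + \gamma_3\,\text{ROA}_{i,t} + \gamma_4\,\text{Avg Sales Growth}_{i,t} \\
&+ \gamma_5\,\text{Leverage}_{i,t} + \gamma_6\,\text{Uncertainty}_{i,t} + \gamma_7\,\text{Automate}_{i,t} + \gamma_8\,\text{Transform}_{i,t} \\
&+ \gamma_9\,\text{High Tech}_{i,t} + \gamma_{10}\,\text{Low Tech}_{i,t} + \gamma_{11}\,\text{Foreign}_{i,t} + \gamma_{12}\,\text{Merger}_{i,t} + \gamma_{13}\,\text{Restructuring}_{i,t} \\
&+ \gamma_{14}\,\text{Product Differentiation}_{i,t} + \gamma_{15}\,\text{Cost Leadership}_{i,t}.
\end{aligned}
\tag{3}
$$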
Equation 3 follows the model in equation 2, except we are specifically examining the changes in
IT knowledge for executives and directors. We run equation 3 five different times to examine
the various changes in IT knowledge within the firm. We first run the model examining changes
in CEO and CFO IT knowledge. We specifically examine whether firms change from having an
executive that did not have IT knowledge before the internal control weakness to hiring an
executive that does have IT knowledge in response to the material weakness. We then examine
the IT knowledge for Chairman of the Board, directors in general, and audit committee members.
We measure Chairman IT knowledge similarly to that of the executives, in that we are only interested in
firms that changed from not having IT knowledge before the internal control weakness to hiring
a person with IT knowledge in response to the material weakness. We consider director (audit
committee) IT knowledge change to be positive if, after the material weakness, the firm employs
more directors (audit committee members) with IT knowledge than it did before the
material weakness. Please find examples of biographies of executives and directors that possess
IT knowledge in Appendix C.
IT Weakness is again our variable of interest, and we expect it to be positive and
significant. We predict that IT material weakness firms will hire executives and directors with
IT knowledge in an effort to remediate problems that IT weaknesses generate within the financial
reporting process. When examining the association between IT material weakness categories and
IT knowledge changes, we substitute IT Weakness with the following independent variables:
Data Processing Integrity, System Access and Security, and System Structure and Usage. Finally,
we include the same control variables used in equation 2 for equation 3.
Hypothesis 4 posits a positive association between IT material weakness firms and IT
initiative changes. To test our fourth hypothesis, we run variations of the following logistic
regression model (please see Table 2 for variable definitions):
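$$
\begin{aligned}
\text{Major IT Initiatives}_{i} ={}& \psi_0 + \psi_1\,\text{IT Weakness}_{i,t} + \psi_2\,\text{Sum of IT Knowledge Score}_{i,t} + \psi_3\,\text{LnAssets}_{i,t} + \psi_4\,\text{ROA}_{i,t} \\
&+ \psi_5\,\text{Avg Sales Growth}_{i,t} + \psi_6\,\text{Leverage}_{i,t} + \psi_7\,\text{Uncertainty}_{i,t} + \psi_8\,\text{Automate}_{i,t} + \psi_9\,\text{Transform}_{i,t} \\
&+ \psi_{10}\,\text{High Tech}_{i,t} + \psi_{11}\,\text{Low Tech}_{i,t} + \psi_{12}\,\text{Foreign}_{i,t} + \psi_{13}\,\text{Merger}_{i,t} + \psi_{14}\,\text{Restructuring}_{i,t} \\
&+ \psi_{15}\,\text{Product Differentiation}_{i,t} + \psi_{16}\,\text{Cost Leadership}_{i,t}.
\end{aligned}
\tag{4}
$$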
Equation 4 follows the model in equation 2. However, in equation 4, we are interested in
examining IT governance changes related to IT upgrades and IT management. We examine four
categories of IT upgrades, which include General IT (IT Upgrade), Financial (Financial IT
Upgrade), Accounting (Accounting IT Upgrade), and Non-Financial (Non-Financial IT
Upgrade). Any upgrade to the IT is included in the general IT upgrade. Upgrades specific to the
financial functions of the firm are included in the Financial upgrades. Accounting upgrades are
financial upgrades that specifically mention changes to the accounting information systems. All
other IT upgrades are included in the Non-Financial upgrades. We include examples of IT
upgrades and their categories in Appendix D. Finally, we define an IT management upgrade to be
present when the firm hires an IT specific executive, adds a technology committee to the board,
or promotes the CIO to become one of the top five paid executives.
We again use IT Weakness as our variable of interest, and we expect it to be positive and
significant. When examining the association between IT material weakness categories and IT
knowledge changes, we substitute IT Weakness with the three categories of IT material
weaknesses (Data Processing Integrity, System Access and Security, and System Structure and
Usage). Finally, in equation 4, we include the same control variables used in equation 2 with the
exception of Sum of IT Knowledge Score. This variable is a count of the total number of IT
knowledge changes the firm has undertaken. We include this variable because it is likely that the
new IT knowledge executive or director will make other IT changes to the firm.
V. Results
V.1. Summary Statistics
Table 3, Panel A, presents univariate statistics for the IT material weakness categories
and control variables. As Panel A shows, 71.6%, 51.2%, and 20.8% of IT material weakness
firms have issues relating to data processing integrity, system access and security, and system
structure and usage, respectively.[5] For the control variables, compared to control firms, IT
material weakness firms are generally smaller, less profitable, have lower institutional holdings,
have less analyst following, have fewer independent directors, are less likely to have the CEO as
chairman of the board, have a greater cost leadership, and have a higher sum of IT knowledge
score.
Table 3, Panel B, presents the univariate statistics for the executive and director turnover
variables. As Panel B shows, the CEO and CFO turnover rates in IT material weakness firms
(49.1% and 75.4%) are significantly higher (p< 0.01) than the control-firm CEO and CFO
turnover rates (34.9% and 52.2%). In addition, IT material weakness firms experienced
significantly higher (p<0.01) chairman of the board turnover (22.5%) than control firms (10.4%).
With regard to turnover for the board of directors, we find that the director and independent
director turnover rates are higher for IT material weakness firms relative to control firms. During
the turnover period, 75.1% and 63.7% of IT material weakness firms experienced at least one
director and independent director turnover, respectively. In contrast, 59.5% and 49.5% of control
firms experienced at least one director and independent director turnover, respectively, during
the same time period. These turnover differences are significant at the p<0.01 value.
Interestingly, we find that audit committee turnover rates are roughly identical (approximately
32%) between IT material weakness firms and control firms.
[5] We note that firms with IT material weaknesses may have a material weakness in one or more of the IT material
weakness categories.
In Panel C of Table 3, we examine differences in the change to IT governance between
IT material weakness firms and control firms. As Panel B shows, 67.5% (34.9%) of IT material
weakness firms (control firms) carry out at least one change to their IT governance (p<0.01 for
difference). Moreover, IT material weakness (control) firms complete changes to 1.179 (0.502)
components of their IT governance (p<0.01 for difference).
In examining the individual components of IT governance changes, it appears that IT
material weakness firms, compared to control firms, are significantly more likely (p<0.05) to
replace their CEOs, CFOs, and chairmen of the board with individuals with IT knowledge. IT
material weakness firms, compared to control firms, are also more likely (p<0.05) to hire a
director with IT knowledge, but not more likely to hire an audit committee member with IT
knowledge. With regard to IT upgrades, we find that IT material weakness firms, compared to
control firms, are more likely (p<0.01) to undergo IT upgrades, financial IT upgrades, and
accounting IT upgrades. However, there are no material differences in the likelihood of
undergoing non-financial IT upgrades between IT material weakness and control firms. Finally,
contrary to our expectations, we find that IT management is not significantly different (p=0.117)
between IT material weakness and control firms.
V.2. Multivariate Analyses
In Table 4, we report the results of estimation of equation 1. Panel A presents the results
of the CEO, CFO, and director turnover models. The coefficient for IT Weakness is positive and
significant (p<0.01) for models 1, 2, and 3. Thus, the tests imply that IT material weakness firms
are more likely to experience CEO, CFO, and director turnover relative to control firms. When
we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other
important economic determinants, IT material weakness firms have a 13.3%, 22.2%, and 16.1%
greater likelihood of CEO, CFO, and director turnover, respectively. In models 4, 5, and 6, rather
than using an indicator variable for IT material weakness firms, we use our three classifications
of IT material weaknesses. As Panel A shows, the coefficient for Data Processing Integrity is
positive and significant (p<0.05) for models 4, 5, and 6, suggesting that IT material weaknesses
related to data processing integrity issues increase the firm’s likelihood of CEO, CFO, and
director turnover. When we estimate the marginal effects (dy/dx), our results suggest that, after
controlling for other important economic determinants, IT material weakness firms with data
processing integrity issues have a 14.2%, 17.3%, and 12.6% greater likelihood of CEO, CFO,
and director turnover, respectively.
Panel B of Table 4 presents the results of the type of director turnover models.
Specifically, we examine chairman of the board, independent director, and audit committee
turnover. The coefficient for IT Weakness is positive and significant (p<0.01) for models 1 and 2.
Thus, the tests indicate that IT material weakness firms are more likely to experience chairman
of the board and independent director turnover relative to control firms. Interestingly, the
coefficient for IT Weakness Firm is insignificant for model 3, suggesting that the likelihood of
audit committee turnover does not increase with IT material weakness firms. When we estimate
the marginal effects (dy/dx), our results suggest that, after controlling for other important
economic determinants, IT material weakness firms have a 12.8% and 17.9% greater likelihood
of chairman of the board and independent director turnover, respectively. In models 4, 5, and 6,
we again use our three classifications of IT material weaknesses. The coefficient for Data
Processing Integrity is positive and significant (p<0.05) for models 4 and 5, suggesting that IT
material weaknesses related to data processing integrity issues increase the likelihood of
chairman of the board and independent director turnover. When we estimate the marginal effects
(dy/dx), our results suggest that, after controlling for other important economic determinants, IT
material weakness firms with data processing integrity issues have a 17.9% and 13.6% greater
likelihood of chairman of the board and independent director turnover, respectively.
In Table 5, we report results of our change to IT governance and count of IT governance
change models. The coefficient for IT Weakness is positive and significant (p<0.01) for models 1
and 2. Thus, the results indicate that IT material weakness firms are more likely to undergo at
least one change to their IT governance and are positively associated with the total number of IT
governance changes. When we estimate the marginal effects (dy/dx), our results suggest that,
after controlling for other important economic determinants, IT material weakness firms are
34.4% more likely to perform at least one change to their IT governance.
In models 3 and 4 of Table 5, we use our three classification measures of IT material
weaknesses. The coefficients for Data Processing Integrity and System Access and Security are
positive and significant (p<0.05) for models 3 and 4, suggesting that firms with IT material
weaknesses related to data processing integrity and system access and security issues are more
likely to pursue a change to IT governance and have higher total counts of IT governance
changes. The tests of whether the coefficient for Data Processing Integrity is statistically
different from the coefficient for System Access and Security suggest that they are not
statistically different from one another (p=0.213 for model 3 and p=0.374 for model 4). When
we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other
important economic determinants, IT material weakness firms with data processing integrity
(system access and security) issues are 24.6% (11.0%) more likely to perform at least one change
to their IT governance.
Table 6 reports the results of estimation of the change in CEO and CFO IT knowledge
models. The coefficient for IT Weakness is positive and significant (p<0.05) for models 1 and 2.
Thus, the results imply that IT material weakness firms, compared to control firms, are more
likely to replace their CEOs and CFOs with executives that possess IT knowledge. When we
estimate the marginal effects (dy/dx), our results suggest that, after controlling for other
important economic determinants, IT material weakness firms are 1.7% and 7.6% more likely to
replace their CEOs and CFOs, respectively, with individuals possessing IT knowledge. In
models 3 and 4 of Table 6, we use our three classification measures of IT material weaknesses.
The coefficient for System Access and Security is positive and significant (p<0.10) for model 4,
suggesting that firms with IT material weaknesses related to system access and security issues
have a higher likelihood of replacing the CFO with an IT knowledge individual. When we
estimate the marginal effects (dy/dx), our results suggest that, after controlling for other
important economic determinants, IT material weakness firms with system access and security
issues are 6.2% more likely to replace their CFO with an individual having IT knowledge.
Table 7 reports the results of estimation of the change in chairman of the board, director,
and audit committee IT knowledge models. The coefficient for IT Weakness is positive and
significant (p<0.05) for models 1 and 2. Thus, the results imply that IT material weakness firms
are more likely to replace their chairman of the board and add members to the board with
individuals that possess IT knowledge. When we estimate the marginal effects (dy/dx), our
results suggest that, after controlling for other important economic determinants, IT material
weakness firms are 7.2% (5.2%) more likely to replace their chairman of the board (add
members to the board) with individuals possessing IT knowledge. Interestingly, we do not find
that IT material weakness firms, relative to control firms, are more likely to hire audit committee
directors with IT knowledge.
In models 4, 5, and 6 of Table 7, we use our three classification measures of IT material
weaknesses. The coefficients for Data Processing Integrity and System Structure and Usage are
positive and significant (p<0.10) for model 4, suggesting that IT material weaknesses related to
data processing integrity and system structure and usage issues increase the likelihood of the
firm replacing the chairman of the board with an IT knowledge individual. The tests of whether
the coefficient for Data Processing Integrity is statistically different from the coefficient for
System Structure and Usage suggest that they are not statistically different from one another
(p=0.783 for model 4). When we estimate the marginal effects (dy/dx), our results suggest that,
after controlling for other important economic determinants, IT material weakness firms with
data processing integrity (system structure and usage) issues are 6.40% (5.30%) more likely to
replace their chairman of the board with an individual having IT knowledge. As model 5 of
Table 7 shows, the coefficient for System Access and Security is positive and significant
(p<0.10), suggesting that IT material weaknesses related to system access and security issues
increase the likelihood of the firm adding directors with IT knowledge to the board.
When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for
other important economic determinants, IT material weakness firms with system access and
security issues are 6.60% more likely to hire board members with IT knowledge.
In Table 8, we estimate several variations of our major IT initiative models. The
coefficient for IT Weakness is positive and significant (p<0.01) for models 1, 2, and 3. Thus, the
results are consistent with the notion that IT material weakness firms, compared to control firms,
are more likely to upgrade their IT in general. Furthermore, after classifying IT upgrades into
financial, accounting, and non-financial IT upgrades, we find that IT material weakness firms are
more likely to upgrade their financial and accounting IT. When we estimate the marginal effects
(dy/dx), our results suggest that, after controlling for other important economic determinants, IT
material weakness firms are 38.9%, 40.3%, and 25.9% more likely to upgrade their IT, financial
IT, and accounting IT, respectively.
In models 6 through 10 of Table 8, we use our three classification measures of IT
material weaknesses. The coefficients for Data Processing Integrity and System Access and
Security are positive and significant (p<0.01) for models 6 and 7, suggesting that IT material
weakness firms with data processing integrity and system access and security issues are more
likely to upgrade their IT and specifically, their financial IT. When we estimate the marginal
effects (dy/dx), our results suggest that, after controlling for other important economic
determinants, IT material weakness firms with data processing integrity issues are 27.7%
(28.7%) more likely to upgrade their IT (financial IT). In addition, IT material weakness firms
with system access and security issues are 14.7% (13.6%) more likely to upgrade their IT
(financial IT). The coefficient for Data Processing Integrity is positive and significant (p<0.01)
for model 8, suggesting that IT material weakness firms with data processing integrity issues are
more likely to upgrade their accounting IT. When we estimate the marginal effects (dy/dx), our
results suggest that, after controlling for other important economic determinants, IT material
weakness firms with data processing integrity issues are 22.0% more likely to upgrade their
accounting IT.
Finally, as model 5 of Table 8 shows, we do not find that IT material weakness firms are
more likely to upgrade their IT management relative to control firms. However, the coefficient of
System Access and Security is positive and significant (p<0.10) for model 10, thus suggesting
that IT material weakness firms with system access and security issues are more likely to
upgrade their IT management. When we estimate the marginal effects (dy/dx), our results suggest
that, after controlling for other important economic determinants, IT material weakness firms
with system access and security issues are 4.0% more likely to upgrade their IT management.
V.3. Additional Analyses
Klamm and Watson (2009) find that firms with IT-related weaknesses report more
material weaknesses than those with non-IT related weaknesses. Thus, it is possible that our
results are not driven by our classification of IT versus non-IT material weakness firms, but
rather by the total number of material weaknesses that are reported for the firm. As a further
sensitivity test, we re-estimate our models by including a control variable that captures the count
of material weaknesses identified in the auditor’s assessment of internal controls. Inclusion of the
additional control variable in our models does not change our primary results.
We find that IT material weakness firms, compared to control firms, are more likely to
replace (add) executives (board members) with individuals with IT knowledge as well as make
major IT initiative changes. In subsequent analysis, we examine whether IT weakness firms that
undergo such remediation efforts are better able to remediate their internal control weaknesses.
Table 9 reports results of OLS models that regress the change in the total count of material
weaknesses from t to t+2 on IT knowledge changes, major IT initiative changes, and control
variables.[6] As shown in Model 1 of Table 9, the coefficient of Any IT Knowledge Change is
negative and significant (p<0.05), suggesting that any change to IT knowledge (within
CEO/CFO/board of directors) is associated with a reduction of counts of material weaknesses
from t to t+2. However, only the coefficients for CFO IT Knowledge and Director IT Knowledge
are negative and significant (p<0.10) for models 2, 3, and 4. This suggests that IT weakness
firms that replace (fill) their CFO (board seats) with individuals possessing IT knowledge,
compared to IT weakness firms that do not, are more likely to reduce the number of internal
control weaknesses by year t+2.
VI. Conclusion
The extant literature examines the effects of financial reporting breakdowns on
companies. Many studies document turnover and other forms of remediation in response to
accounting restatements and material weaknesses in internal control over financial reporting.
Our study extends this literature by examining a unique failure of the financial reporting system.
Specifically, we examine IT-related internal control material weaknesses, because the evidence
suggests these weaknesses can be more detrimental to firms than other weaknesses.
In this study, we compare the remediation efforts of firms that report IT material
weaknesses to firms that report non-IT weaknesses. We find that the IT weakness firms have
higher levels of turnover of both executives and directors. This suggests that the firms are
punishing these executives and directors for the problems that IT weaknesses cause within the
financial reporting process. We also find that these firms follow this turnover with greater
remediation efforts by making different changes to the corporate governance structure.
Specifically, we document that these firms replace (add) outgoing executives (directors) with
individuals possessing IT knowledge, who thus should have a better understanding of the IT
weaknesses. In addition, the IT weakness firms are more likely to upgrade their financial
reporting IT and make other IT initiative changes. However, we find evidence suggesting that IT
weakness firms that replace their CFO (and add directors) with IT knowledge are associated with
successful remediation of internal control weaknesses.
[6] For our control variables, we include changes to firm size, leverage, performance, complexity, governance, and
industry characteristics (Doyle et al. 2007; Johnstone et al. 2010; Masli et al. 2010).
Overall, the evidence suggests that firms do recognize the importance of the role IT plays
within the financial reporting process. In the event of a failure, firms go to great lengths to
remediate the problems. We urge officers and directors of the firm to understand the importance
of information technology in the financial reporting process and suggest they maintain strong
oversight over it to prevent failure.
References
Agrawal, A. and T. Cooper. 2007. Corporate governance consequences of accounting scandals:
evidence from top management, CFO and auditor turnover. Working paper, University of
Alabama.
Ashbaugh-Skaife, H., D. Collins, W. Kinney, and R. LaFond. 2009. The effect of SOX internal
control deficiencies on firm risk and cost of equity. Journal of Accounting Research 47
(1): 1-43.
Banker, R. D., N. Hu, J. Luftman, and P. Pavlou. 2010. CIO reporting structure, strategic
positioning, and firm performance: to whom should the CIO report? Working paper,
Temple University, University of Wisconsin, and Stevens Institute of Technology.
Bart, C., and O. Turel. 2010. IT and the board of directors: an empirical investigation into the
“governance questions” Canadian board members ask about IT. Journal of Information
Systems 24 (2): 147-172.
Beasley, M. S. 1996. An empirical analysis of the relation between the board of director
composition and financial statement fraud. The Accounting Review 71 (4): 443-465.
Bedard, J. C., M. L. Ettredge, and K. M. Johnstone. 2007. Using electronic audit workpaper
systems in audit practice: Task analysis, learning, and resistance. Advances in
Accounting Behavioral Research 10: 29–53.
Bible, L., L. Graham, and A. Rosman. 2005. Comparing auditors’ performance in paper and
electronic work environments. Journal of Accounting, Auditing & Finance (March): 27–42.
Bowen, R., S. Rajgopal, and M. Venkatachalam. 2008. Accounting discretion, corporate
governance, and firm performance. Contemporary Accounting Research 25 (2): 351-405.
Brazel, J. F., C. P. Agoglia, and R. C. Hatfield. 2004. Electronic versus face-to-face review: The
effects of alternative forms of review on auditors’ performance. The Accounting Review
79 (4): 949–966.
Chatterjee, D. C., V. J. Richardson, and R. Zmud. 2001. Examining the shareholder effects of
new CIO position announcements. Management Information Systems Quarterly 25 (1):
43–70.
Collins, D., A. Masli, A. L. Reitenga, and J. M. Sanchez. 2009. Earnings restatements, the
Sarbanes-Oxley Act, and the disciplining of Chief Financial Officers. The Journal of
Accounting, Auditing, and Finance 24 (1): 1-34.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal
Control-Integrated Framework. New York, NY: AICPA.
——–. 2009a. Guidance. Guidance on Monitoring Internal Control Systems, Vol. I. Durham,
NC: COSO.
——–. 2009b. Application. Guidance on Monitoring Internal Control Systems, Vol. II. Durham,
NC: COSO.
——–. 2009c. Examples. Guidance on Monitoring Internal Control Systems, Vol. III. Durham,
NC: COSO.
DeFond, M. L., R. N. Hann, and X. Hu. 2004. Does the market value financial expertise on
audit committees of boards of directors? Journal of Accounting Research 43 (2): 153-193.
Dehning, B., and V. J. Richardson. 2002. Returns on investments in information technology: A
research synthesis. Journal of Information Systems 16 (1): 7–30.
Deloitte & Touche LLP. Why information technology controls can't be ignored. 2005 [cited May
10 2011]. Available from
http://www.deloitte.com/view/en_CA/ca/services/ceocfocertification/article/2b21cb79791fb110VgnVCM100000ba42f00aRCRD.htm.
Desai, H., C. Hogan, and M. Wilkins. 2006. The reputational penalty for aggressive accounting:
earnings restatements and management turnover. The Accounting Review 81 (1): 83-112.
Dewan, S., S. C. Michael, and C. Min. 1998. Firm characteristics and investments in
information technology: Scale and scope effects. Information Systems Research 9 (3):
219-232.
Dowling, C. 2009. Appropriate audit support system use: The influence of auditor, audit team
and firm factors. The Accounting Review 84 (3): 771–810.
——–, and S. A. Leech. 2007. Audit support system design and decision aids: Current practice
and opportunities for future research. International Journal of Accounting Information
Systems 8: 92–116.
Doyle, J., W. Ge, and S. McVay. 2007. Determinants of weaknesses in internal control over
financial reporting. Journal of Accounting and Economics 44: 193–223.
Farber, D. B. 2005. Restoring Trust after Fraud: Does Corporate Governance Matter? The
Accounting Review 80 (2): 539-561.
Floyd, S. W. and B. Wooldridge. 1990. Path analysis of the relationship between competitive
strategy, information technology, and financial performance. Journal of Management
Information Systems 7 (1): 47-64.
Ferris, S., M. Jagannathan, and A. Pritchard. 2003. Too busy to mind the business? Monitoring
by directors with multiple board appointments. Journal of Finance 48: 1087-1112.
Francis, J. and K. Schipper. 1999. Have financial statements lost their relevance? Journal of
Accounting Research 37 (2): 319-352.
Ge, W., and S. McVay. 2005. The disclosure of material weaknesses in internal control after the
Sarbanes-Oxley Act. Accounting Horizons 19 (3): 137-158.
Goh, B. W. 2009. Audit committees, boards of directors, and remediation of material weaknesses
in internal control. Contemporary Accounting Research, Forthcoming.
Hammersley, J., L. Myers, and C. Shakespeare. 2008. Market reactions to the disclosure of
internal control weakness and to the characteristics of those weaknesses under Section
302 of the Sarbanes Oxley Act of 2002. Review of Accounting Studies 13: 141–165.
Hennes, K., A. Leone, and B. Miller. 2008. The importance of distinguishing errors from
irregularities in restatement research: The case of restatements and CEO/CFO turnover.
The Accounting Review 83 (6): 1487-1519.
Hogan, C. and M. Wilkins. 2008. Evidence on the audit risk model: do auditors increase audit
fees in the presence of internal control deficiencies? Contemporary Accounting Research
25: 219–242.
Hoitash, U., R. Hoitash, and J. Bedard. 2009. Corporate governance and internal control over
financial reporting: a comparison of regulatory regimes. The Accounting Review 84 (3):
839-867.
Hunton, J. E., B. Lippincott, and J. L. Reck. 2003. Enterprise resource planning systems:
Comparing firm performance of adopters and nonadopters. International Journal of
Accounting Information Systems 4:165–184.
——–, E. G. Mauldin, and P. R. Wheeler. 2008. Potential functional and dysfunctional effects of
continuous monitoring. The Accounting Review 83 (6): 1551–1569.
Information Technology Governance Institute (ITGI). 2006. ISACA/ITGI Response to SEC
Concept Release. Rolling Meadows, IL: Information Systems Assurance and Control
Association (ISACA).
——–. 2007. COBIT® 4.1. Rolling Meadows, IL. Available on-line on March 28, 2008 at:
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
Jensen, M. 1993. The modern industrial revolution, exit and the failure of internal control
systems. Journal of Finance 48: 831-880.
Johnstone, K., C. Li, and K. Rupley. 2010. Changes in corporate governance associated with the
revelation of internal control material weaknesses and their subsequent remediation.
Contemporary Accounting Research, Forthcoming.
Klamm, B. K., and Watson, M. W. 2009. “SOX 404 Reported Internal Control Weaknesses: A
Test of COSO Framework Components and Information Technology,” Journal of
Information Systems 23 (2) Fall: 1-23.
Klein, A. 2002. Audit committees, board of director characteristics, and earnings management.
Journal of Accounting and Economics 33: 375-400.
Kobelsky, K., V. J. Richardson, R. E. Smith, and R. W. Zmud. 2008. Determinants and
consequences of firm information technology budgets. The Accounting Review 83 (4):
957-995.
Krishnan, J. 2005. Audit committee quality and internal control: an empirical analysis.
The Accounting Review 72: 539-560.
Larcker, D., S. Richardson and I. Tuna. 2007. Corporate governance, accounting outcomes, and
organizational performance. The Accounting Review 82 (4): 963-1008.
Li, C., G. Peters, V. J. Richardson, and M. W. Watson. 2010. The consequences of information
technology control weaknesses on management information systems: the case of
Sarbanes-Oxley internal control reports. Management Information Systems Quarterly,
Forthcoming.
——–, L. Sun, and M. Ettredge. 2010. Financial executive quality, financial executive turnover,
and adverse SOX 404 opinions. Journal of Accounting and Economics, Forthcoming.
Masli, A., G. Peters, V. J. Richardson, and J. M. Sanchez. 2010. Examining the potential
benefits of internal control monitoring technology. The Accounting Review 85 (3):
1001-1034.
Messier, W. 1995. Research in and development of audit-decision aids. In Judgment and
Decision-Making Research in Accounting and Auditing, edited by Ashton, R., and A.
Ashton, 207–230. New York, NY: Cambridge University Press.
Nolan, R. and F. W. McFarlan. 2005. Information technology and the board of directors.
Harvard Business Review October 2005: 1-11.
O’Donnell, E., and J. David. 2000. How information systems influence user decisions: A
research framework and literature review. International Journal of Accounting
Information Systems 1 (3): 178–203.
——–, and J. J. Schultz. 2003. The influence of business-process-focused audit support software
on analytical procedures judgments. Auditing: A Journal of Practice & Theory 22 (2):
265–279.
Public Company Accounting Oversight Board (PCAOB). 2004. An Audit of Internal Control
over Financial Reporting Performed in Conjunction with an Audit of Financial
Statements. Auditing Standard No. 2. Washington, D.C.: PCAOB.
——–. 2007. An Audit of Internal Control Over Financial Reporting That Is Integrated with An
Audit of Financial Statements. Auditing Standard No. 5. Washington, D.C.: PCAOB.
Srinivasan, S. 2005. Consequences of financial reporting failure for outside directors: evidence
from accounting restatements and audit committee members. Journal of Accounting
Research 43 (2): 291-334.
Trites, G. 2004. Director responsibility for IT governance. International Journal of Accounting
Information Systems 5 (2): 105-107.
Weisbach, M. 1988. Outside directors and CEO Turnover. Journal of Financial Economics 20:
431-460.
Ye, Z. and J. Krishnan. 2008. Weak internal controls, auditor fees, and shareholder
dissatisfaction. Working paper, Kennesaw State University.
Yermack, D. 2004. Remuneration: retention and reputation incentives for outside directors.
Journal of Finance 59: 2281-2308.
Table 1
Sample Selection and Distribution
Panel A: Sample reconciliation
| Firm year observations identified with IT Material Weaknesses | 305 |
| Less: Firms for which no DEF 14A or 10-K was found | 9 |
| Less: Firms not in the Compustat Database | 7 |
| Final # of IT Material Weakness firm year observations | 289 |
| Random sample of non-IT Material Weakness firm year observations | 289 |
| Final # of firm year observations | 578 |
Panel B: Industry representation
| 2-Digit SIC Code | Industry | n | % Total |
| 28-29 | Chemicals | 36 | 6.23% |
| 36, 38 | Electrical | 77 | 13.32% |
| 35 | Equipment | 33 | 5.71% |
| 60-65, 67 | Financial Institutions | 84 | 14.53% |
| 80, 82 | Healthcare | 25 | 4.33% |
| 27, 48 | Media | 27 | 4.67% |
| 13, 46 | Oil | 18 | 3.11% |
| 50-59 | Retail Sales | 51 | 8.82% |
| 70-79 | Services | 118 | 20.42% |
| All Others | All Others | 109 | 18.86% |
| | Total | 578 | 100% |
Panel C: Year distribution
| Year | n | % of Total |
| 2004 | 205 | 35.47% |
| 2005 | 201 | 34.78% |
| 2006 | 172 | 29.76% |
| Total | 578 | 100% |
Table 2. Variable Definitions
Panel A: Turnover Dependent Variable Definitions
| Variable | Definition |
| CEO Turnover | Equals one if there is CEO turnover in year t, t+1, or t+2; zero otherwise. |
| CFO Turnover | Equals one if there is CFO turnover in year t, t+1, or t+2; zero otherwise. |
| Chairman Turnover | Equals one if there is Chairman of the board of directors turnover in year t, t+1, or t+2; zero otherwise. |
| Director Turnover | Equals one if there is any director turnover in year t, t+1, or t+2; zero otherwise. |
| Independent Director Turnover | Equals one if there is any independent director turnover in year t, t+1, or t+2; zero otherwise. |
| Audit Committee Turnover | Equals one if there is any audit committee turnover in year t, t+1, or t+2; zero otherwise. |
Panel B: IT Governance Change Dependent Variable Definitions
| Variable | Definition |
| Any IT Governance Change | Equals one if the firm hires any managers or directors with IT knowledge or makes an IT Initiative Change in year t, t+1, or t+2; zero otherwise. |
| Count of IT Governance Changes | Equals a count of the number of IT changes made in year t, t+1, or t+2. This variable can range from 0 to 7. |
| CEO IT Knowledge | Equals one if the firm replaced a NON-IT knowledge CEO with an IT Knowledge CEO in year t, t+1, or t+2; zero otherwise. |
| CFO IT Knowledge | Equals one if the firm replaced a NON-IT knowledge CFO with an IT Knowledge CFO in year t, t+1, or t+2; zero otherwise. |
| Chairman IT Knowledge | Equals one if the firm replaced a NON-IT knowledge BOD Chairman with an IT Knowledge BOD Chairman in year t, t+1, or t+2; zero otherwise. |
| Director IT Knowledge | Equals one if the firm hired at least one director with IT knowledge in year t, t+1, or t+2; zero otherwise. |
| Audit Committee IT Knowledge | Equals one if the firm hired at least one audit committee member with IT knowledge in year t, t+1, or t+2; zero otherwise. |
| IT Upgrade | Equals one if the firm upgraded their IT; zero otherwise |
| Financial IT Upgrade | Equals one if the firm upgraded their financial reporting IT; zero otherwise |
| Accounting IT Upgrade | Equals one if the firm upgraded their accounting IT; zero otherwise |
| Non-Financial IT Upgrade | Equals one if the firm upgraded their non-financial reporting IT; zero otherwise |
| IT Management | Equals one if the firm hired an IT executive, added a technology committee, or moved the CIO to be a top 5 executive in year t, t+1, or t+2; zero otherwise. |
Panel C: Independent Variables
| Variable | Definition |
Main Independent Variables
| IT Weakness Firm | Equals one if the firm reported an IT material weakness in internal controls in year t; zero otherwise. |
| Data Processing Integrity | Equals one if a firm has ITMW related to data processing integrity; zero otherwise. |
| System Access and Security | Equals one if a firm has ITMW in the data quality dimension of access; zero otherwise. |
| System Structure and Usage | Equals one if a firm has ITMW in IT structure quality dimensions; zero otherwise. |
Control Variables
| LnAssets | Equal to the natural log of total assets in year t. |
| Leverage | Equals to total debt divided by total assets in year t. |
| BTM | Equals to the book to market ratio in year t. |
| ROA | Equals to the return on assets calculated as net income divided by total assets in year t. |
| Loss | Equals one if the company reports a net loss in year t; zero otherwise. |
| Institutional Holdings | Equals to the proportion of institutional shareholdings of common stock in the firm in year t. |
| Analyst | Equals to the average number of analysts following the firm in year t. |
| Restatement | Equals one if the company reports a restatement in year t-1, t, or t+1; zero otherwise. |
| Board Size | Equals to the number of directors serving on the board in year t. |
| Board Independence | Equals to the proportion of independent directors serving on the board in year t. |
| CEO Chairman | Equals one if the CEO is also the chairman of the board in year t; zero otherwise. |
| Avg Sales Growth | Equals average sales growth for t-1 and t. (sales growth is calculated as sales in year t/ sales in year t-1) |
| Uncertainty | Equals the standard deviation of earnings before extraordinary items for previous five years scaled by sales |
| Automate | Equals one if automate industry IT role, zero otherwise. |
| Transform | Equals one if transform industry IT role, zero otherwise. |
| High Tech | Equals one if high-tech industry, zero otherwise. |
| Low Tech | Equals one if low-tech industry, zero otherwise. |
| Foreign | Equals one if the firm engaged in foreign transactions, zero otherwise. |
| Merger | Equals one if the firm engaged in mergers and acquisitions, zero otherwise. |
| Restructuring | Equals one if the firm engaged in restructuring activity, zero otherwise. |
| Growth | Equals sales in year t divided by sales in year t-1 |
| Product Differentiation | Equals to operating income over sales |
| Cost Leadership | Equals to sales over assets |
| Sum of IT Knowledge Score | Equals the sum of CEO IT Knowledge, CFO IT Knowledge, Chairman IT Knowledge, Director IT Knowledge, & Audit Committee IT Knowledge variables. |
Table 3. Selected Summary Statistics for IT Material Weakness and Non-IT Material Weakness Firms
Panel A: Descriptive statistics for control variables
| Variables | IT Weakness Firms (N= 289) Mean | IT Weakness Firms Median | Non-IT Weakness Firms (N= 289) Mean | Non-IT Weakness Firms Median | p-value Diff |
| Data Processing Integrity | 0.716 | 1 | | | |
| System Access and Security | 0.512 | 1 | | | |
| System Structure and Usage | 0.208 | 0 | | | |
| LnAssets | 6.027 | 5.813 | 6.311 | 6.144 | 0.047 |
| Leverage | 0.231 | 0.157 | 0.211 | 0.141 | 0.399 |
| BTM | -0.067 | 0.406 | 0.46 | 0.416 | 0.107 |
| ROA | -0.162 | 0.002 | -0.034 | 0.019 | 0.014 |
| Loss | 0.484 | 0 | 0.332 | 0 | <0.001 |
| Institutional Holdings | 0.398 | 0.374 | 0.478 | 0.498 | 0.008 |
| Analyst | 3.913 | 1 | 5.671 | 4 | 0.008 |
| Restatement | 0.63 | 1 | 0.63 | 1 | 0.932 |
| Board Size | 8.232 | 8 | 8.384 | 8 | 0.468 |
| Board Independence | 0.71 | 0.714 | 0.755 | 0.778 | <0.001 |
| CEO Chairman | 0.114 | 0 | 0.187 | 0 | 0.015 |
| Avg Sales Growth | 1.298 | 1.141 | 1.272 | 1.123 | 0.628 |
| Uncertainty | 1.327 | 0.169 | 2.601 | 0.173 | 0.107 |
| Automate | 0.031 | 0 | 0.044 | 0 | 0.385 |
| Transform | 0.142 | 0 | 0.149 | 0 | 0.814 |
| High Tech | 0.269 | 0 | 0.311 | 0 | 0.272 |
| Low Tech | 0.035 | 0 | 0.038 | 0 | 0.824 |
| Foreign | 0.363 | 0 | 0.339 | 0 | 0.543 |
| Merger | 0.048 | 0 | 0.045 | 0 | 0.844 |
| Restructuring | 0.318 | 0 | 0.301 | 0 | 0.719 |
| Product Differentiation | -0.354 | 0.063 | -0.264 | 0.101 | 0.631 |
| Cost Leadership | 0.991 | 0.815 | 0.864 | 0.689 | 0.047 |
| Sum of IT Knowledge Score | 0.678 | 0 | 0.371 | 0 | <0.001 |
Panel B: Descriptive statistics for executive and director turnover
| Variables | IT Weakness Firms (n= 289) Mean | IT Weakness Firms Median | Non-IT Weakness Firms (n= 289) Mean | Non-IT Weakness Firms Median | p-value Diff |
| CEO Turnover | 0.491 | 0 | 0.349 | 0 | 0.001 |
| CFO Turnover | 0.754 | 1 | 0.522 | 1 | <0.001 |
| Chairman Turnover | 0.225 | 0 | 0.104 | 0 | <0.001 |
| Director Turnover | 0.751 | 1 | 0.595 | 1 | <0.001 |
| Independent Director Turnover | 0.637 | 1 | 0.495 | 0 | 0.001 |
| Audit Committee Turnover | 0.322 | 0 | 0.315 | 0 | 0.859 |
Panel C: Descriptive statistics for change in IT governance variables
| Variables | IT Weakness Firms (n= 289) Mean | IT Weakness Firms Median | Non-IT Weakness Firms (n= 289) Mean | Non-IT Weakness Firms Median | p-value Diff |
| Any Change to IT Governance | 0.675 | 1 | 0.349 | 0 | <0.001 |
| Count of IT Governance Changes | 1.179 | 1 | 0.502 | 0 | <0.001 |
| CEO IT Knowledge | 0.059 | 0 | 0.02 | 0 | 0.019 |
| CFO IT Knowledge | 0.142 | 0 | 0.045 | 0 | <0.001 |
| Chairman IT Knowledge | 0.17 | 0 | 0.045 | 0 | 0.001 |
| Director IT Knowledge | 0.197 | 0 | 0.135 | 0 | 0.044 |
| Audit Committee IT Knowledge | 0.111 | 0 | 0.09 | 0 | 0.407 |
| IT Upgrade | 0.491 | 0 | 0.093 | 0 | <0.001 |
| Financial IT Upgrade | 0.474 | 0 | 0.058 | 0 | <0.001 |
| Accounting IT Upgrade | 0.304 | 0 | 0.031 | 0 | <0.001 |
| Non-Financial IT Upgrade | 0.052 | 0 | 0.052 | 0 | 1.000 |
| IT Management | 0.093 | 0 | 0.058 | 0 | 0.117 |
Table 4. IT Material Weaknesses and Turnover
Panel A. Executive and director turnover
Variables
Pred
IT Weakness
+
IT Weakness Classification
Data Processing Integrity
+
System Access and Security
+
System Structure and Usage
+
Control Variables
LnAssets
+
Leverage
+
BTM
+
ROA
-
Loss
+
Institutional Holdings
+
Analyst
+
Restatement
+
Board Size
?
Board Independence
+
CEO Chairman
-/+
Automate
?
Transform
?
High Tech
?
Low tech
?
Intercept
Year Indicator
Number of observations
Model 2
Pseudo R2
Correctly Classified
note: *** p<0.01, ** p<0.05, * p<0.10
Model 1
Model 2
Model 3
Model 4
Model 5
Model 6
CEO
Turnover
0.554***
(0.001)
CFO
Turnover
1.005***
(0.000)
Director
Turnover
0.806***
(0.000)
CEO
Turnover
CFO
Turnover
Director
Turnover
0.583**
(0.012)
-0.338
(0.898)
0.245
(0.224)
0.806***
(0.002)
0.170
(0.271)
-0.102
(0.605)
0.656***
(0.010)
-0.090
(0.623)
0.040
(0.455)
-0.070
(0.839)
0.101
(0.389)
0.021*
(0.093)
0.128
(0.750)
0.464***
(0.010)
-0.461
(0.916)
0.007
(0.373)
-0.065
(0.636)
0.159***
(0.000)
-0.726
(0.876)
0.042
(0.561)
-0.044
(0.918)
0.681**
(0.012)
0.250
(0.264)
0.239
(0.626)
-1.197*
(0.070)
Included
578
38.21***
0.057
0.640
-0.013
(0.567)
-0.543
(0.905)
0.031**
(0.035)
-0.102
(0.353)
0.597***
(0.003)
-0.596
(0.961)
0.027*
(0.090)
0.485***
(0.007)
-0.026
(0.545)
-0.170
(0.606)
-0.323
(0.133)
0.926*
(0.084)
0.103
(0.711)
-0.122
(0.595)
0.011
(0.983)
0.200
(0.760)
Included
578
53.68***
0.083
0.682
-0.062
(0.788)
-0.648
(0.938)
-0.602
(0.999)
0.221
(0.836)
0.062
(0.383)
0.529*
(0.066)
-0.005
(0.590)
0.494***
(0.006)
0.137***
(0.008)
-1.129
(0.955)
0.904***
(0.004)
0.128
(0.783)
-0.050
(0.860)
-0.296
(0.204)
0.183
(0.751)
0.502
(0.485)
Included
578
54.88***
0.086
0.695
-0.083
(0.879)
0.141
(0.350)
0.021*
(0.098)
0.152
(0.785)
0.481***
(0.007)
-0.427
(0.901)
0.007
(0.366)
-0.019
(0.540)
0.161***
(0.000)
-0.533
(0.753)
0.068
(0.598)
-0.038
(0.931)
0.720***
(0.008)
0.304
(0.171)
0.284
(0.572)
-1.485**
(0.026)
Included
578
39.41***
0.058
0.642
-0.036
(0.675)
-0.490
(0.885)
0.031**
(0.033)
-0.088
(0.364)
0.604***
(0.003)
-0.600
(0.959)
0.029*
(0.078)
0.509***
(0.005)
-0.027
(0.518)
0.065
(0.459)
-0.287
(0.167)
0.954*
(0.062)
0.163
(0.563)
-0.089
(0.702)
0.112
(0.815)
-0.028
(0.966)
Included
578
62.97***
0.096
0.669
-0.081
(0.855)
-0.592
(0.924)
-0.570
(0.999)
0.234
(0.848)
0.051
(0.405)
0.536*
(0.064)
-0.003
(0.553)
0.540***
(0.003)
0.140***
(0.007)
-0.911
(0.909)
0.970***
(0.002)
0.158
(0.742)
-0.004
(0.989)
-0.251
(0.284)
0.273
(0.642)
0.177
(0.805)
Included
578
63.56***
0.097
0.696
Panel B. Type of director turnover
Variables
IT Weakness Firm
Pred
+
Model 1
Chairman
of BOD
Turnover
0.998***
(0.000)
Model 2
Independent
Director
Turnover
0.756***
(0.000)
Model 3
Audit
Committee
Turnover
0.060
(0.378)
Model 4
Chairman
of BOD
Turnover
Model 5
Independent
Director
Turnover
Model 6
Audit
Committee
Turnover
1.229***
(0.000)
-0.408
(0.900)
-0.185
(0.676)
0.580**
(0.011)
0.005
(0.492)
-0.042
(0.551)
0.002
(0.497)
-0.678
(0.355)
0.427*
(0.096)
0.070
(0.236)
-0.077
(0.563)
-0.464
(0.997)
-0.150
(0.268)
0.192
(0.229)
0.160
(0.360)
0.013
(0.306)
0.445**
(0.049)
0.111**
(0.043)
0.998
(0.179)
0.038
(0.461)
0.220
(0.705)
-0.087
(0.814)
0.077
(0.791)
0.397
(0.531)
-4.949***
(0.000)
Included
578
42.47***
0.101
0.848
-0.010
(0.556)
-0.448
(0.855)
-0.499
(0.978)
0.238
(0.800)
0.226
(0.134)
0.743**
(0.013)
-0.004
(0.585)
0.274*
(0.073)
0.171***
(0.000)
1.238**
(0.024)
0.506**
(0.041)
-0.236
(0.598)
0.277
(0.298)
-0.170
(0.449)
0.078
(0.885)
-2.549***
(0.000)
Included
578
47.17***
0.083
0.648
-0.010
(0.551)
-0.158
(0.643)
-0.210
(0.949)
0.069
(0.628)
-0.023
(0.544)
-0.166
(0.683)
-0.009
(0.662)
0.386**
(0.026)
0.084**
(0.049)
0.451
(0.253)
0.576**
(0.024)
-0.478
(0.389)
0.311
(0.248)
0.164
(0.474)
0.322
(0.535)
-1.994***
(0.005)
Included
578
23.870
0.040
0.696
IT Weakness Classification
Data Processing Integrity
+
System Access and Security
+
System Structure and Usage
+
Control Variables
LnAssets
+
0.030
(0.378)
Leverage
+
0.018
(0.480)
BTM
+
-0.426
(0.997)
ROA
-0.122
(0.362)
Loss
+
0.194
(0.222)
Institutional Holdings
+
0.177
(0.397)
Analyst
+
0.013
(0.309)
Restatement
+
0.492**
(0.035)
Board Size
?
0.111**
(0.041)
Board Independence
+
1.340
(0.114)
CEO Chairman
+
0.078
(0.421)
Automate
?
0.231
(0.686)
Transform
?
-0.092
(0.801)
High Tech
?
0.128
(0.655)
Low tech
?
0.490
(0.417)
Intercept
-5.204***
(0.000)
Year Indicator
Included
Number of observations
578
Model χ2
38.90***
Pseudo R2
0.099
Correctly Classified
0.849
note: *** p<0.01, ** p<0.05, * p<0.10
-0.029
(0.650)
-0.385
(0.819)
-0.474
(0.972)
0.253
(0.806)
0.220
(0.193)
0.751**
(0.012)
-0.003
(0.565)
0.305*
(0.053)
0.173***
(0.000)
1.481**
(0.011)
0.568**
(0.027)
-0.200
(0.661)
0.318
(0.241)
-0.131
(0.559)
0.144
(0.794)
-2.862***
(0.000)
Included
578
53.11***
0.093
0.656
-0.009
(0.543)
-0.176
(0.658)
-0.235
(0.970)
0.080
(0.643)
0.004
(0.493)
-0.136
(0.652)
-0.010
(0.676)
0.395**
(0.023)
0.085**
(0.047)
0.518
(0.224)
0.580**
(0.024)
-0.485
(0.375)
0.326
(0.223)
0.191
(0.403)
0.292
(0.575)
-2.087***
(0.003)
Included
578
23.300
0.038
0.694
Table 5. IT Material Weaknesses and Changes to IT Governance
Variables
Pred
IT Weakness Firm
+
IT Weakness Classification
Data Processing Integrity
+
System Access and Security
+
System Structure and Usage
+
Control Variables
LnAssets
?
ROA
+
Avg Sales Growth
-
Leverage
-
Uncertainty
+
Automate
+
Transform
+
High Tech
+
Low Tech
?
Foreign
?
Merger
?
Restructuring
?
Product Differentiation
?
Cost Leadership
?
Intercept
Year Indicator
Number of observations
Model 2
Pseudo R2
Correctly Classified
note: *** p<0.01, ** p<0.05, * p<0.10
Model 1
Any Change
to IT
Governance
1.436***
(0.000)
-0.133**
(0.049)
0.173
(0.184)
-0.297*
(0.079)
-0.406
(0.144)
0.022**
(0.049)
0.405
(0.205)
-0.376
(0.902)
0.186
(0.209)
-0.378
(0.451)
0.260
(0.193)
-0.210
(0.676)
0.644***
(0.004)
-0.059
(0.255)
0.201
(0.119)
-0.125
(0.822)
Included
578
91.00***
0.136
0.685
Model 2
Count of IT
Governance
Changes
1.399***
(0.000)
-0.108
(0.116)
-0.036
(0.572)
-0.154
(0.206)
-0.389
(0.183)
0.011
(0.102)
0.252
(0.257)
-0.089
(0.616)
0.499**
(0.011)
-0.234
(0.618)
0.436**
(0.018)
0.081
(0.871)
0.493**
(0.013)
-0.004
(0.908)
0.324***
(0.008)
Included
578
117.90***
0.084
Model 3
Any Change
to IT
Governance
Model 4
Count of IT
Governance
Changes
1.014***
(0.000)
0.447**
(0.047)
-0.150
(0.667)
0.791***
(0.000)
0.428**
(0.036)
0.078
(0.393)
-0.102
(0.144)
0.153
(0.204)
-0.292*
(0.077)
-0.445
(0.125)
0.020*
(0.062)
0.344
(0.251)
-0.428
(0.936)
0.128
(0.289)
-0.509
(0.281)
0.257
(0.194)
-0.127
(0.777)
0.639***
(0.003)
-0.061
(0.270)
0.249*
(0.058)
-0.106
(0.849)
Included
578
76.07***
0.112
0.652
-0.091
(0.196)
-0.044
(0.592)
-0.150
(0.199)
-0.393
(0.158)
0.009
(0.151)
0.168
(0.341)
-0.134
(0.681)
0.452**
(0.019)
-0.305
(0.482)
0.411**
(0.024)
0.098
(0.822)
0.522***
(0.007)
-0.007
(0.853)
0.367***
(0.003)
Included
578
89.69***
0.064
Table 6. IT Material Weaknesses and Executive IT Knowledge
Variables
Pred
IT Weakness Firm
+
IT Weakness Classification
Data Processing Integrity
+
System Access and Security
+
System Structure and Usage
+
Control Variables
LnAssets
?
ROA
+
Avg Sales Growth
-
Leverage
-
Uncertainty
+
Automate
+
Transform
+
High Tech
+
Low Tech
?
Foreign
?
Merger
?
Restructuring
?
Product Differentiation
?
Cost Leadership
?
Intercept
Year Indicator
Number of observations
Model 2
Pseudo R2
Correctly Classified
note: *** p<0.01, ** p<0.05, * p<0.10
Model 1
CEO IT
Knowledge
1.029**
(0.025)
-0.157
(0.464)
-0.355
(0.860)
-1.182*
(0.052)
-0.772
(0.223)
-0.001
(0.514)
1.478*
(0.096)
1.121**
(0.030)
0.228
(0.353)
1.270
(0.231)
0.466
(0.295)
1.060
(0.226)
1.483***
(0.005)
0.044
(0.721)
0.631**
(0.026)
-3.269*
(0.065)
Included
578
45.62***
0.187
0.961
Model 2
CFO IT
Knowledge
1.201***
(0.000)
-0.196
(0.187)
0.390
(0.135)
0.048
(0.578)
-0.491
(0.256)
-0.001
(0.527)
0.089
(0.458)
-0.947
(0.958)
-0.936
(0.990)
-1.065
(0.365)
0.188
(0.584)
0.461
(0.446)
0.876**
(0.011)
-0.136
(0.150)
0.188
(0.292)
-2.118**
(0.032)
Included
578
46.20***
0.113
0.906
Model 3
CEO IT
Knowledge
Model 4
CFO IT
Knowledge
0.553
(0.178)
-0.139
(0.597)
0.140
(0.418)
0.109
(0.413)
0.781*
(0.054)
0.093
(0.427)
-0.154
(0.485)
-0.370
(0.871)
-1.107*
(0.055)
-0.780
(0.211)
-0.005
(0.546)
1.313
(0.111)
1.078**
(0.043)
0.210
(0.269)
1.151
(0.289)
0.442
(0.328)
1.052
(0.221)
1.483***
(0.004)
0.039
(0.741)
0.629**
(0.029)
-2.900*
(0.096)
Included
578
54.32***
0.171
0.961
-0.188
(0.219)
0.351
(0.156)
0.051
(0.586)
-0.448
(0.289)
-0.002
(0.536)
-0.040
(0.519)
-0.943
(0.962)
-0.914
(0.990)
-1.110
(0.346)
0.177
(0.606)
0.555
(0.353)
0.884***
(0.010)
-0.118
(0.175)
0.234
(0.176)
-1.854*
(0.055)
Included
578
36.83***
0.095
0.911
Table 7. IT Material Weaknesses and Board of Directors IT Knowledge
Model 1
Variables
Pred
IT Weakness Firm
+
IT Weakness Classification
Data Processing Integrity
+
System Access and Security
+
System Structure and Usage
+
Control Variables
LnAssets
?
ROA
+
Avg Sales Growth
-
Leverage
-
Uncertainty
+
Automate
+
Transform
+
High Tech
+
Low Tech
?
Foreign
?
Merger
?
Restructuring
?
Product Differentiation
?
Cost Leadership
?
Intercept
Year Indicator
Number of observations
Model 2
Pseudo R2
Correctly Classified
note: *** p<0.01, ** p<0.05, * p<0.10
Chairman
IT
Knowledge
0.877***
(0.002)
-0.484***
(0.000)
0.539**
(0.015)
-0.145
(0.256)
0.824
(0.931)
0.007
(0.313)
(dropped)
.
0.390
(0.142)
0.612**
(0.026)
-0.385
(0.730)
0.687**
(0.023)
0.141
(0.805)
1.010***
(0.001)
-0.017
(0.770)
-0.268
(0.250)
-0.588
(0.529)
Included
556
62.54***
0.152
0.879
Model 2
Model 3
Audit
Director
Committee
IT
IT
Knowledge
Knowledge
0.431**
0.366
(0.039)
(0.117)
-0.071
(0.522)
-0.505
(0.982)
-0.126
(0.332)
-1.054**
(0.026)
0.006
(0.392)
0.069
(0.466)
0.510*
(0.068)
1.003***
(0.000)
0.443
(0.501)
0.521**
(0.051)
-0.088
(0.880)
0.282
(0.290)
0.097
(0.175)
0.006
(0.975)
-1.667**
(0.031)
Included
578
46.60***
0.093
0.829
0.075
(0.476)
-0.426
(0.958)
0.018
(0.527)
-1.258*
(0.054)
-0.188
(0.968)
-0.332
(0.622)
0.453
(0.149)
1.428***
(0.000)
-0.044
(0.965)
-0.017
(0.959)
-1.567
(0.144)
-0.391
(0.253)
0.183
(0.142)
-0.099
(0.660)
-3.092***
(0.001)
Included
578
33.25**
0.095
0.899
Model 4
Model 5
Model 6
Audit
Chairman
Director
Committee
IT
IT
IT
Knowledge Knowledge
Knowledge
0.722**
(0.028)
-0.315
(0.798)
0.543*
(0.092)
-0.191
(0.398)
0.499*
(0.089)
0.223
(0.295)
0.225
(0.300)
0.377
(0.196)
-0.523
(0.834)
-0.479***
(0.000)
0.502**
(0.015)
-0.138
(0.270)
0.783
(0.943)
0.004
(0.398)
(dropped)
.
0.351
(0.164)
0.542**
(0.044)
-0.330
(0.764)
0.662**
(0.028)
0.213
(0.716)
1.013***
(0.000)
-0.032
(0.605)
-0.272
(0.231)
-0.406
(0.666)
Included
556
62.93***
0.151
0.872
-0.064
(0.566)
-0.520
(0.987)
-0.133
(0.327)
-1.082**
(0.022)
0.006
(0.391)
0.055
(0.463)
0.506*
(0.070)
1.002***
(0.000)
0.470
(0.475)
0.507*
(0.057)
-0.070
(0.905)
0.317
(0.234)
0.099
(0.159)
0.031
(0.862)
-1.629**
(0.038)
Included
578
48.59***
0.092
0.836
0.093
(0.395)
-0.439
(0.965)
0.001
(0.502)
-1.310**
(0.047)
-0.178
(0.963)
-0.378
(0.636)
0.452
(0.148)
1.444***
(0.000)
-0.103
(0.919)
-0.023
(0.945)
-1.546
(0.146)
-0.374
(0.268)
0.173
(0.137)
-0.086
(0.699)
-3.153***
(0.001)
Included
578
38.01***
0.098
0.903
Table 8. IT Material Weaknesses and other Major IT Initiatives
Model 1
Model 2
Model 3
Model 4
IT
Management
0.324
(0.176)
Pred
IT Upgrade
Financial
IT Upgrade
Accounting
IT Upgrade
NonFinancial
IT Upgrade
IT Weakness Firm
+
2.249***
(0.000)
2.714***
(0.000)
2.821***
(0.000)
0.040
(0.458)
IT Weakness Classification
Data Processing Integrity
+
System Access and Security
+
System Structure and Usage
+
Control Variables
Sum of IT Knowledge Score
+
LnAssets
?
ROA
+
Avg Sales Growth
-
Leverage
-
Uncertainty
+
Automate
+
Transform
+
High Tech
+
Low Tech
?
Foreign
?
Merger
?
Restructuring
?
Product Differentiation
?
Variables
0.317***
(0.004)
0.034
(0.648)
0.175
(0.195)
0.137
(0.766)
0.302
(0.778)
0.008
(0.334)
0.976**
(0.012)
-0.251
(0.768)
-0.010
(0.514)
-0.177
(0.770)
0.385*
(0.087)
0.123
(0.794)
0.134
(0.595)
-0.025
0.350***
(0.002)
0.049
(0.538)
0.132
(0.259)
0.223
(0.869)
0.355
(0.802)
0.011
(0.285)
1.291***
(0.003)
-0.265
(0.774)
0.042
(0.443)
-0.751
(0.259)
0.469**
(0.051)
0.333
(0.521)
0.122
(0.642)
-0.022
0.383***
(0.005)
0.124
(0.137)
0.249
(0.161)
0.356
(0.969)
0.218
(0.677)
0.013
(0.265)
2.070***
(0.000)
0.156
(0.393)
0.461*
(0.077)
-1.408
(0.187)
0.430
(0.120)
0.272
(0.616)
-0.660**
(0.023)
-0.028
-0.149
(0.703)
-0.128
(0.288)
2.196**
(0.022)
-0.580
(0.192)
-0.045
(0.481)
0.004
(0.437)
-0.333
(0.714)
-0.745
(0.868)
0.097
(0.892)
-0.762*
(0.089)
1.119*
(0.071)
0.644
(0.132)
0.008
Model 5
0.394**
(0.025)
-0.107
(0.369)
0.386
(0.212)
-1.333**
(0.017)
-0.429
(0.261)
0.052*
(0.075)
-0.214
(0.582)
-1.154
(0.982)
-0.050
(0.547)
-1.059
(0.244)
0.123
(0.742)
1.023*
(0.082)
-0.057
(0.871)
0.319
Model 6
Model 7
Model 8
Model 9
Model 10
IT
Management
IT Upgrade
Financial
IT Upgrade
Accounting
IT Upgrade
NonFinancial
IT Upgrade
1.368***
(0.000)
0.722***
(0.005)
-0.131
(0.658)
1.535***
(0.000)
0.735***
(0.006)
-0.148
(0.674)
1.729***
(0.000)
0.310
(0.158)
-0.191
(0.705)
0.417
(0.189)
0.188
(0.348)
-0.757
(0.824)
-0.510
(0.856)
0.722*
(0.053)
0.313
(0.286)
0.410***
(0.001)
0.095
(0.217)
0.153
(0.210)
0.124
(0.750)
0.232
(0.733)
0.005
(0.387)
0.772**
(0.038)
-0.361
(0.861)
-0.098
(0.639)
-0.462
(0.442)
0.324
(0.136)
0.230
(0.665)
0.132
(0.592)
-0.030
0.450***
(0.000)
0.117
(0.161)
0.105
(0.291)
0.201
(0.866)
0.271
(0.760)
0.006
(0.356)
0.966**
(0.013)
-0.393
(0.878)
-0.060
(0.587)
-1.112
(0.110)
0.396*
(0.079)
0.448
(0.426)
0.123
(0.631)
-0.030
0.491***
(0.000)
0.197**
(0.027)
0.182
(0.208)
0.320
(0.976)
0.136
(0.618)
0.006
(0.360)
1.652***
(0.000)
-0.012
(0.514)
0.315
(0.156)
-1.768*
(0.086)
0.403
(0.118)
0.342
(0.577)
-0.651**
(0.027)
-0.040
-0.159
(0.708)
-0.129
(0.293)
2.393**
(0.014)
-0.603
(0.163)
0.024
(0.511)
0.007
(0.398)
0.385**
(0.023)
-0.100
(0.416)
0.301
(0.274)
-1.390**
(0.019)
-0.345
(0.302)
0.042
(0.188)
-0.282
(0.607)
-1.146
(0.983)
-0.054
(0.552)
-1.070
(0.232)
0.115
(0.756)
1.032*
(0.068)
-0.066
(0.850)
0.259
-0.337
(0.712)
-0.738
(0.868)
0.046
(0.947)
-0.750*
(0.104)
1.132*
(0.071)
0.696
(0.111)
0.012
Cost Leadership
?
Intercept
Year Indicator
Number of observations
Model 2
Pseudo R2
Correctly Classified
note: *** p<0.01, ** p<0.05, * p<0.10
(0.639)
0.397***
(0.006)
-3.835***
(0.000)
Included
578
109.54***
0.211
0.775
(0.693)
0.440***
(0.004)
-4.656***
(0.000)
Included
578
111.18***
0.259
0.811
(0.684)
0.235
(0.156)
-5.872***
(0.000)
Included
578
70.44***
0.241
0.848
(0.939)
0.337
(0.197)
-1.640
(0.258)
Included
556
30.41**
0.089
0.946
(0.171)
0.680***
(0.001)
-1.056
(0.396)
Included
578
53.72***
0.113
0.922
(0.533)
0.452***
(0.002)
-3.693***
(0.000)
Included
578
97.37***
0.167
0.761
(0.543)
0.492***
(0.002)
-4.243***
(0.000)
Included
578
102.57***
0.195
0.791
(0.515)
0.280*
(0.103)
-5.257***
(0.000)
Included
578
72.93***
0.183
0.839
(0.914)
0.329
(0.212)
-1.747
(0.221)
Included
556
33.97**
0.097
0.946
(0.258)
0.691***
(0.000)
-0.973
(0.434)
Included
578
57.76***
0.119
0.918
Table 9. Remediation of Weaknesses: The Influence of IT Governance Changes
The sample consists of IT material weakness firm-year observations. The dependent variable is the change in the total
number of 404 material weaknesses reported from year t to t+2. Any IT Knowledge Change is defined as 1 if CEO IT
Knowledge=1 OR CFO IT Knowledge=1 OR Chairman IT Knowledge=1 OR Director IT Knowledge=1 OR Audit
Committee IT Knowledge=1, 0 otherwise. The changes in control variables represent changes from t to t+2. Please see
Table 2 for other variable definitions.
DV =Change in # of Weaknesses from t to t+2
Model 1
Model 2
Model 3
Model 4
Pred
IT Knowledge Changes
Any IT Knowledge Change
-
CEO IT Knowledge
-
CFO IT Knowledge
-
Chairman IT Knowledge
-
Director IT Knowledge
-
Audit Committee IT Knowledge
-
Major IT Initiatives
Financial IT Upgrade
-
IT management
-
Control Variables
Change in Ln Assets
-
Change in Leverage
+
Change in BTM
+
Change in ROA
-
Change in Loss
+
Change in Merger
+
Change in Foreign
+
Change in Restructuring
+
Change in Growth
-
Change in Board Size
+
Change in Board Independence
-
Change in Institutional Holdings
-
Automate
?
Transform
?
High Tech
?
-0.745**
(0.048)
-0.169
(0.391)
-1.004*
(0.070)
0.426
(0.694)
-0.945*
(0.058)
0.885
(0.561)
0.451
(0.679)
-0.750
(0.694)
-0.002
(0.901)
0.143
(0.809)
0.181
(0.620)
-1.301
(0.946)
-0.898
(0.940)
-0.612
(0.943)
0.003
(0.995)
0.124
(0.326)
-0.089
(0.965)
-1.582*
(0.080)
0.128
(0.842)
-0.343
(0.631)
0.130
(0.821)
0.332
(0.757)
-0.719
(0.711)
0.002
(0.794)
0.217
(0.753)
0.101
(0.783)
-1.417
(0.961)
-0.952
(0.944)
-0.692
(0.959)
-0.066
(0.773)
0.108
(0.398)
0.464
(0.903)
-1.585*
(0.082)
0.230
(0.725)
-0.539
(0.450)
-0.209
(0.716)
-0.064
(0.409)
-0.930*
(0.089)
0.423
(0.695)
-0.913*
(0.065)
0.915
(0.560)
-0.034
(0.484)
-0.909*
(0.072)
0.409
(0.725)
-0.900**
(0.045)
0.911
(0.588)
-0.318
(0.230)
-0.314
(0.225)
-0.234
(0.364)
0.327
(0.762)
-0.653
(0.734)
0.001
(0.859)
0.237
(0.736)
0.132
(0.723)
-1.436
(0.960)
-1.035
(0.951)
-0.702
(0.960)
-0.059
(0.801)
0.114
(0.376)
0.443
(0.908)
-1.546*
(0.085)
0.330
(0.630)
-0.586
(0.414)
-0.213
(0.712)
0.332
(0.740)
-0.650
(0.775)
0.001
(0.921)
0.232
(0.781)
0.130
(0.738)
-1.468
(0.962)
-1.038
(0.964)
-0.702
(0.959)
-0.054
(0.785)
0.119
(0.290)
0.437
(0.914)
-1.558**
(0.042)
0.299
(0.773)
-0.602
(0.339)
-0.215
(0.669)
Low Tech
?
-2.919**
(0.028)
-2.892***
(0.000)
Included
243
2.946
0.136
Intercept
Year Indicator
Number of observations
F Statistics
Adjusted R2
note: *** p<0.01, ** p<0.05, * p<0.10
49
-2.897**
(0.034)
-2.889***
(0.000)
Included
243
1.909
0.151
-2.959**
(0.029)
-2.783***
(0.000)
Included
243
1.971
0.154
-2.991***
(0.010)
-2.758***
(0.000)
Included
243
1.582
0.154
Appendix A. IT Control Quality Dimensions (Adapted from Li et al. 2010a)
Quality Dimension: Data processing integrity
Identifier: IT PROCESS
Definitions*: The extent to which data is correct and reliable.
Examples from the SOX 404 Management’s Report on Internal Control:
  Ability to change closed accounting periods in system
  Ability to delete (used) accounts from the system
  Data or program changes lack user review/approval/authorization/testing
  Did not properly maintain master files (e.g., vendor, price, inventory)
  Inadequate development and maintenance (e.g., new system, updates)
  Inadequate IS/IT support staff
  Inadequate system to support business processes (includes manually intense processes)
  Integrity of computer data not verified (e.g., accuracy, validity, completeness)
  Lack of IS/IT controls
  Lack of IS/IT controls over subsidiary/foreign operations
  Lack of IT experience (inadequate skills)
  Program change controls missing or inadequate
  Programming errors
  Relying on systems of others (outsourcing) where controls not verified
  Spreadsheet(s), lack of controls over
  (Too) Functionally complex systems
  Weak application controls
  Weak general controls
  Weak IT Control Activities
  Weak IT Control Environment
  Weak IT Risk Assessment
  Weak IT Monitoring

Quality Dimension: System Access and Security
Identifier: IT SECURITY
Definitions*: The extent to which:
  • data is available, or easily and quickly retrievable and
  • access to data is restricted appropriately to maintain its security.
Examples from the SOX 404 Management’s Report on Internal Control:
  (Business user) Segregation of duties not implemented in system
  Inadequate records and storage retention
  Lack of disaster recovery plan for systems
  IS/IT personnel access not properly segregated
  Logical access issues
  Security issues

Quality Dimension: System Structure and Usage
Identifier: IT STRUCTURE
Definitions*: The extent to which data is:
  • easily comprehended
  • presented in the same format
Examples from the SOX 404 Management’s Report on Internal Control:
  Decentralized systems
  Disparate (non-integrated) systems
  Insufficient training on system
  Lack of system documentation, policies, procedures
  Weak Information & Communication
Appendix B. SOX 404 Control Weakness Coding Examples
Firm and Year: Online Resources Corporation 2007
Text from SOX 404 Report: “the Company’s procedures for the supervisory review of the performance by Company personnel of manual controls associated with account analysis and the verification of the accuracy of electronic spreadsheets that support financial reporting were ineffective. This material weakness resulted in deficiencies in the operation of controls not being detected timely and in multiple errors in the Company’s preliminary 2007 financial statements, including errors in revenue, interest expense, and share based compensation.”
Control Issue: Spreadsheet(s), lack of controls over
Control Category: Data Processing Integrity

Firm and Year: TRC Companies 2006
Text from SOX 404 Report: “The Company did not adequately design controls to maintain appropriate segregation of duties in its manual and computer-based business processes which could affect the Company’s purchasing controls, the limits on the delegation of authority for expenditures, and the proper review of manual journal entries”
Control Issue: Segregation of duties not implemented in system
Control Category: Access and Security

Firm and Year: Digimarc Co 2004
Text from SOX 404 Report: “Implementation of the new accounting system also was flawed because some of our accounting, finance and operations employees were not properly trained in the use of the new accounting system.”
Control Issue: Insufficient training on system.
Control Category: Structure and Usage
Appendix C. Examples of IT Knowledge for Executives and Directors
CEO IT Knowledge (Vitria Technology)
M. Dale Skeen, Ph.D., is 51 years old, co-founded Vitria in 1994 and has been our Chief Executive Officer since April 2004. Dr. Skeen has also served as Chief Technology
Officer and as a director since Vitria’s inception. From 1986 to 1994, Dr. Skeen served as Chief Scientist at Teknekron Software Systems, now TIBCO, Inc., a software company.
From 1984 to 1986, Dr. Skeen was a research scientist at IBM’s Almaden Research Center. From 1981 to 1984, Dr. Skeen was on the faculty at Cornell University. Dr. Skeen
holds a B.S. in Computer Science from North Carolina State University and a Ph.D. in Computer Science on Distributed Database Systems from the University of California,
Berkeley.
CFO IT Knowledge (THQ INC)
Edward K. Zinser (age 49) was appointed our Executive Vice President and Chief Financial Officer in April 2004. Mr. Zinser is responsible for all of our financial activities,
including financial reporting, information systems, internal controls and investor relations. From May 2001 to February 2004, Mr. Zinser served as Executive Vice President and
Chief Financial Officer of Vivendi Universal Games, a developer, publisher and distributor of interactive software products across all major platforms including PCs, video game
consoles and the Internet. In this role he was responsible for all worldwide finance, accounting, information systems, treasury and planning functions. From June 1999 to
March 2001, he was at USA Networks where he was initially Senior Vice President and Chief Financial Officer of Internet Shopping Network, the e-commerce division. In
June 2000, he became President and Chief Operating Officer of Styleclick, Inc., a public e-commerce services provider that was created through the acquisition of Styleclick.com.
In this role he directed business development, sales, web site development, merchandising, creative services, operations, technology and the online auction business. From
June 1993 to May 1998, Mr. Zinser served as Vice President and Chief Financial Officer / Chief Operating Officer of Disney Publishing, a $400 million division of The Walt
Disney Company. Mr. Zinser’s experience also includes positions at leading consumer products companies such as The Franklin Mint, Pepsi-Cola and Campbell Soup. He holds a
B.S. in management from Fairfield University in Connecticut and an MBA in Finance from the University of Chicago.
Director IT Knowledge (SVB Financial Group)
Mr. Benhamou is Chairman and CEO of Benhamou Global Ventures, LLC, which was formed in 2003. Benhamou Global Ventures, LLC invests and plays an
active role in innovative high tech firms throughout the world. Mr. Benhamou is also the Chairman of the Boards of Directors of 3Com Corporation and Palm, Inc.
He served as Chief Executive Officer of 3Com Corporation from September 1990 until December 2000, and served as interim Chief Executive Officer of Palm
from November 2001 to November 2003. Previously, he held a variety of senior management positions at 3Com. In 1981, Mr. Benhamou co-founded Bridge
Communications, an early networking pioneer, and was Vice President of Engineering until its merger with 3Com in 1987. In 2003, Mr. Benhamou was
appointed to the Joint High Level Advisory Panel of the U.S.-Israel Science and Technology Commission by U.S. Commerce Secretary Donald Evans. He
currently serves as Chairman of the Board of Directors of Cypress Semiconductor, which produces semiconductors (since 1993), and as a member of the Board of
Directors of RealNetworks, Inc, a creator of digital media services and software (since 2003). He also serves as a member of the Boards of Directors of several
privately held companies, including Atrica, a provider of Optical Ethernet solutions (since 2000), Go Networks, a wireless network hardware provider (since
2004), WisdomArk, Inc., a consumer web service company (since 2005), Finjan, a global provider of proactive web security solutions (since 2006), as well as the
New America Foundation, a Washington DC-based think tank (since 2000). Mr. Benhamou serves on the executive committee of TechNet, the Computer Science
and Telecommunications Board (CSTB), Stanford University School of Engineering and Ben Gurion University of Negev. Additionally, he is a visiting professor
at the INSEAD Business School and the Chairman of the Israel Venture Network, a venture philanthropy organization for a stronger Israeli society.
Mr. Benhamou holds a diplôme d’Ingenieur de l’Ecole Nationale Supérieure d’Arts et Métiers in Paris, France, a master’s degree in Science from the School of
Engineering at Stanford University and several honorary doctorates.
Appendix D. Examples of IT Upgrades
IT Upgrade (Affirmative Insurance Holdings Inc.)
To remediate the information technology material weakness described above, we have implemented new policies and procedures to ensure proper
access controls are maintained and monitored. We have increased the supervisory control over access controls, centralizing it for more direct
monitoring. In some instances, we have adjusted system configurations and incorporated software tools where appropriate to limit and restrict the
ability of system users to enter, change and view data and to provide a detailed history of changes to the applications and data.
Financial IT Upgrade (Richardson Electronics LTD)
The Company is in the application development stage of implementing certain modules of enterprise resource management software (PeopleSoft).
Accounting IT Upgrade (Adelphia Communications)
With respect to the access to financial applications and data material weakness described above, subsequent to December 31, 2004, we have
substantially completed our remediation efforts. We have implemented controls, including policies and procedures that govern security and access to
our IT systems, programs and data, including those supporting our financial data relating to property and equipment and our general ledger and
financial reporting applications.
Non-Financial IT Upgrade (Actividentity Corp.)
To meet these challenges we implemented a new customer relationship management system in fiscal 2005, and are continuing the process of
modifying and refining it to better meet our needs.