The number of companies with financially material weaknesses in their internal controls over information technology is steadily decreasing, though not quite as fast as the number of those with other types of internal-control weaknesses.
In an analysis of data provided by research firm Audit Analytics, CFO found that among accelerated filers (companies with a public float of at least $75 million), only 41 companies, or less than 1% of the total, had IT-control weaknesses in fiscal 2009. That was down from 66 companies (1.5%) in 2008 and 102 companies (3.6%) in 2004, the first year covered by the Audit Analytics database (see chart below).
(The database search results included not only companies where inadequate IT controls created a weakness but also those that made IT implementations specifically to address other types of weaknesses. The rationale for aggregating the two scenarios is that the absence of such technology solutions contributed to the weaknesses, Audit Analytics says.)
Indeed, all internal-control weaknesses are becoming rarer. In 2004, 15.8% of accelerated filers exhibited some type of weakness; by 2008 only 5.8% did, and last year the incidence fell by almost half, to 3.3%. “It shows that Sarbanes-Oxley is working,” says Dan Schroeder, a partner with accounting firm Habif, Arogeti & Wynne. “Anecdotally, fraud and forensic examiners are getting less work.”
However, among accelerated filers with internal-control weaknesses, the proportion with IT-related ones reached a six-year high of 29.1% in 2009, up from 25.2% in 2008 and a low of 18.5% in 2005. That suggests companies have more successfully addressed non-IT weaknesses.
“IT exposure continues to be an issue,” says Joel Lanz, an independent IT auditor. “Financial managers now have a very good hold on accounting controls, but many don’t understand what the IT controls are or should be.”
Most IT-control weaknesses are rooted in poor management rather than the technology itself, says Lanz. He lists some common problematic management behaviors that change-management controls don’t always fully mitigate:
• Imposing an unrealistic deadline for implementing a new system, leading to inadequate testing
• Not using controls that come packaged with many systems or not reviewing automatically generated control reports
• Providing inadequate training on new systems
• Failing to ensure that system access privileges reflect segregation-of-duties mandates
• Allowing excessive customization of systems, which can damage their integrity
Still, the overall decrease in IT-control weaknesses may be due not only to Sarbanes-Oxley but also to management’s increasing appreciation for higher-tech replacements for spreadsheets, suggests Schroeder.
“I wonder how much of the weakness that’s still out there is related to Excel and people doing manual convolutions to prepare financial statements,” he says. “As you eliminate the manual interfaces and user-built applications, and as reporting and budgeting-and-planning applications become more integrated into general-ledger and [enterprise resource planning] systems, you’re lessening the risks.”
One, perhaps overlooked, risk is the likelihood that material IT weaknesses will lead to greater errors in earnings forecasts. That is the conclusion of a new paper slated to be published in an upcoming issue of MIS Quarterly, a scholarly journal.
The paper’s authors examined companies that made earnings forecasts from 2004 through 2008. Compared with companies with no material weaknesses of any kind, those with IT weaknesses had triple the forecasting error, 3.6% versus 1.2%. And more than half of that differential remained even when controlling for other variables known to influence forecasting error, such as company size, profitability, earnings volatility, growth rate, CFO turnover, and use of a Big Four auditor. “An error that big is definitely significant,” says co-author Vernon Richardson, accounting department chair at the University of Arkansas.
In addition, forecasting error attributable to IT-control weaknesses was three times greater than that associated with other types of weaknesses, after controlling for the variables.
Finally, IT material weaknesses related to data-processing integrity produced three times greater forecasting error than did those related to system access and security, while weaknesses related to system structure and usage did not have a statistically significant effect on forecasting error.