ABSTRACT: This paper examines internal controls, from both an information technology (IT) and non‐IT perspective, in relation to the five components of the Committee of Sponsoring Organizations' Internal Control–Integrated Framework (COSO 1992), as well as the achievement of one of COSO's three objectives: reporting reliability. Our sample consists of 490 firms with material weaknesses reported under Sarbanes‐Oxley Section 404 during the first year of compliance. We classify the weaknesses by COSO component and as IT‐related or non‐IT‐related. Our results support the interrelationships of the COSO Framework. The results also show that the number of misstated accounts is positively related to the number of weak COSO components (i.e., scope) and certain weak COSO components (i.e., existence). Firms with IT‐related weak components report more material weaknesses and misstatements than firms without IT‐related weak components, providing evidence on the pervasive negative impact of weak IT controls, especially in control environment, risk assessment, and monitoring.
SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information Technology
Bonnie K. Klamm, Marcia Weidenmier Watson; SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information Technology. Journal of Information Systems 1 September 2009; 23 (2): 1–23. doi: https://doi.org/10.2308/jis.2009.23.2.1