1 Discussion of “The Importance of the COBIT Framework IT Processes For Effective Internal Control over the Reliability of Financial Reporting: An International Survey” by David S. Kerr and Uday S. Murthy By Brad Tuttle Moore School of Business University of South Carolina Presented to UWCISA Toronto, CA October 12, 2007


Page 1

Discussion of “The Importance of the COBIT Framework IT Processes For Effective Internal Control over the Reliability of Financial Reporting: An International Survey”

by David S. Kerr and Uday S. Murthy

By Brad Tuttle
Moore School of Business
University of South Carolina

Presented to UWCISA
Toronto, CA

October 12, 2007

Page 2

I like this study because

• Potential to influence practice
• Potential to aid in developing theory of internal control in IT setting

Page 3

Motivation

Present state of knowledge:
• IC is ill-defined
• Unclear how IT affects IC
• COBIT should help get us started

Research Questions:
• Which IT processes are important to internal control in a financial audit context?
• What affects consensus?

Page 4

Method

Participants:
• 189 members of ISACA respond to survey
  – Drawn from 21 different countries
• Familiarity with COBIT is less important than
  – Familiarity with IT processes (see Table 1)
  – Familiarity with financial statement audits

Page 5

Suggestion

International Participants:
• Countries with investor focus (n=138)
  – Australia 26
  – Canada 3
  – USA 95
  – S. Africa? 14
• Countries with non-investor focus (n=51)

Page 6

Method

• On-line survey asks participants to
  – Rate 34 COBIT processes for their “… perception of the importance of each IT process to achieving effective internal control over the reliability of financial reporting…”
  – Indicate which 10 processes are most important …
  – Implementation measures (problematic, not reported)

Page 7

Research Question 1

In the context of the reliability of financial reporting, what is the relative importance of each of the 34 IT control and security processes?

Page 8

Table 1a: COBIT Processes Sorted by Mean Importance Ratings

| COBIT Version 3 Process | Description of process | Ranked by KM Import. Rating | Ranked by TV Risk Rating |
|---|---|---|---|
| DS5 | Ensure System Security | 1 | 2 |
| AI6 | Manage Changes | 2 | 1 |
| PO9 | Assess Risk | 3 | 4 |
| DS11 | Manage Data | 4 | 6 |
| M2 | Assess Internal Control Adequacy | 5 | 5 |
| PO8 | Ensure Compliance with External Requirements | 6 | 3 |
| DS10 | Manage Problems and Incidents | 7 | 8 |
| AI4 | Develop and Maintain Procedures | 8 | 11 |
| M1 | Monitor the Process | 9 | 12 |
| PO11 | Manage Quality | 10 | 10 |

Page 9

John Rady, Ernst & Young LLP
404 IT: Changes to Compliance and Cutting Cost$ (Webcast 2005)

[Figure: COBIT processes highlighted in the webcast: M2, AI6, AI4, DS5, M1; the remaining positions are marked “?”]

Page 10

Tuttle and Vandervelde (2007)

• Question posed to IT auditors (n=29): “consider the risk to the typical organization associated with an unsatisfactory outcome in each of the following CobiT processes.”
• Rank correlation = 0.862 with KM importance ratings

Page 11

Table 1a: COBIT Processes Sorted by Mean Importance Ratings (ranks 1–10, as shown on Page 8)

Page 12

Table 1a (continued): COBIT Processes Sorted by Mean Importance Ratings

| COBIT Version 3 Process | Description of process | Ranked by KM Import. Rating | Ranked by TV Risk Rating |
|---|---|---|---|
| DS4 | Ensure Continuous Service | 11 | 17 |
| M4 | Provide for Independent Audit | 12 | 20 |
| DS7 | Educate and Train Users | 13 | 13 |
| PO10 | Manage Projects | 14 | 22 |
| M3 | Obtain Independent Assurance | 15 | 16 |
| DS9 | Manage the Configuration | 16 | 14 |
| PO2 | Define the Information Architecture | 17 | 29 |
| DS13 | Manage Operations | 18 | 18 |
| PO1 | Define a Strategic IT Plan | 19 | 9 |
| AI5 | Install and Accredit Systems | 20 | 7 |


Page 15

Table 2: CobiT v.4 Importance Ratings for the Ten Most Important IT Processes per Kerr and Murthy

| CobiT Process | Description | Mean KM Importance Rating | CobiT Importance |
|---|---|---|---|
| DS5 | Ensure System Security | 4.661 | High |
| AI6 | Manage Changes | 4.487 | High |
| PO9 | Assess Risk | 4.413 | Medium |
| DS11 | Manage Data | 4.333 | High |
| M2 | Assess Internal Control Adequacy | 4.328 | Medium |
| PO8 | Ensure Compliance with External Requirements (version 4=ME 3) | 4.222 | High |
| DS10 | Manage Problems and Incidents | 4.101 | Medium |
| AI4 | Develop and Maintain Procedures | 4.085 | Low |
| M1 | Monitor the Process | 4.079 | High |
| PO11 | Manage Quality (version 4=PO8) | 4.074 | Medium |

Page 16

Table 2 (continued): CobiT v.4 Importance Ratings for the Ten Most Important IT Processes per Kerr and Murthy

| Importance Level | Count | Mean Importance Rating |
|---|---|---|
| High | 5 | 4.356 |
| Medium | 4 | 4.229 |
| Low | 1 | 4.085 |


Page 18

COSO and COBIT Analysis

Dependent Variable:
• KM importance ratings

Independent Variables (coded P=1):
• Control Evaluation
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

Page 19

Research Question 2

In the context of the reliability of financial reporting, to what extent does the relative importance of each of the 34 IT control and security processes vary as a function of characteristics of the IT professionals within the organization?

Page 20

Better Questions

AIS serve multiple informational purposes within organizations:

• How does importance differ for financial audits compared to IT in general?

• How do perceptions differ between management, IT personnel, and auditors?

• Pre versus Post SOX experience?

Page 21

Table 3: Exploratory Factor Analysis of Ten Most Important IT Processes Using Tuttle and Vandervelde 2007 Data

| CobiT Process | Description | Factor 1 | Factor 2 |
|---|---|---|---|
| Eigenvalue | | 2.51633 | 1.12175 |
| M2 | Assess Internal Control Adequacy | 0.88126 | -0.25542 |
| M1 | Monitor the Process | 0.79890 | -0.07157 |
| PO9 | Assess Risk | 0.58994 | -0.25609 |
| AI4 | Develop and Maintain Procedures | 0.56487 | 0.07633 |
| DS10 | Manage Problems and Incidents | 0.22103 | 0.59395 |
| DS11 | Manage Data | 0.31144 | 0.42021 |
| DS5 | Ensure System Security | 0.39274 | 0.37887 |
| AI6 | Manage Changes | 0.06452 | 0.33182 |
| PO11 | Manage Quality (version 4=PO8) | 0.30254 | 0.13523 |
| PO8 | Ensure Compliance with External Requirements (version 4=ME 3) | 0.19647 | -0.42272 |

Page 22

Nitpicks

• CobiT version 4 drops the term “best practices”

• Some COBIT processes change from version 3 to version 4

• Tables 7, 8, and 9 not related to research questions

Page 23

I like this study because

• Potential to influence practice
  – What is and isn’t important
  – What is the relationship between IT and COSO
• Potential to aid in developing theory of internal control in IT setting
  – What constitutes IC
  – COBIT = framework (theory) of IT control