1
Discussion of “The Importance of the COBIT Framework IT Processes For Effective
Internal Control over the Reliability of Financial Reporting: An International Survey”
by David S. Kerr and Uday S. Murthy
By Brad Tuttle
Moore School of Business, University of South Carolina
Presented to UWCISA, Toronto, CA
October 12, 2007
2
I like this study because
• Potential to influence practice
• Potential to aid in developing theory of internal control in IT setting
3
Motivation
Present state of knowledge:
• IC is ill-defined
• Unclear how IT affects IC
• COBIT should help get us started
Research Questions:
• Which IT processes are important to internal control in a financial audit context?
• What affects consensus?
4
Method
Participants:
• 189 members of ISACA respond to survey
  – Drawn from 21 different countries
• Familiarity with COBIT is less important than
  – Familiarity with IT processes (see Table 1)
  – Familiarity with financial statement audits
5
Suggestion
International Participants:
• Countries with investor focus (n=138)
  – Australia 26
  – Canada 3
  – USA 95
  – S. Africa? 14
• Countries with non-investor focus (n=51)
6
Method
• On-line survey asks participants to
  – Rate 34 COBIT processes for their “… perception of the importance of each IT process to achieving effective internal control over the reliability of financial reporting…”
  – Indicate which 10 processes are most important …
  – Implementation measures (problematic, not reported)
7
Research Question 1
In the context of the reliability of financial reporting, what is the relative importance of each of the 34 IT control and security processes?
8
Table 1a: COBIT Processes Sorted by Mean Importance Ratings
COBIT v3 Process   Description of process                          Rank by KM Import. Rating   Rank by TV Risk Rating
DS5                Ensure System Security                                     1                         2
AI6                Manage Changes                                             2                         1
PO9                Assess Risk                                                3                         4
DS11               Manage Data                                                4                         6
M2                 Assess Internal Control Adequacy                           5                         5
PO8                Ensure Compliance with External Requirements               6                         3
DS10               Manage Problems and Incidents                              7                         8
AI4                Develop and Maintain Procedures                            8                        11
M1                 Monitor the Process                                        9                        12
PO11               Manage Quality                                            10                        10
9
John Rady, Ernst & Young LLP
404 IT: Changes to Compliance and Cutting Cost$ (Webcast 2005)
[Diagram from the webcast: process labels M2, AI6, AI4, DS5 and M1 shown; the remaining items are marked “?”]
10
Tuttle and Vandervelde (2007)
• Question posed to IT auditors (n=29): “consider the risk to the typical organization associated with an unsatisfactory outcome in each of the following CobiT processes.”
• Rank correlation = 0.862 with KM importance ratings
11
12
Table 1a (continued): COBIT Processes Sorted by Mean Importance Ratings
COBIT v3 Process   Description of process                          Rank by KM Import. Rating   Rank by TV Risk Rating
DS4                Ensure Continuous Service                                 11                        17
M4                 Provide for Independent Audit                             12                        20
DS7                Educate and Train Users                                   13                        13
PO10               Manage Projects                                           14                        22
M3                 Obtain Independent Assurance                              15                        16
DS9                Manage the Configuration                                  16                        14
PO2                Define the Information Architecture                       17                        29
DS13               Manage Operations                                         18                        18
PO1                Define a Strategic IT Plan                                19                         9
AI5                Install and Accredit Systems                              20                         7
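Slide 10 reports a rank correlation of 0.862 between the KM importance ranks and the TV risk ranks across all 34 processes. The block below is an added example, not part of the original deck or of either paper: it computes Spearman's rank correlation (Pearson correlation of average ranks, so ties are handled) over the 20 Table 1a rows reproduced above, which is only a subset of the 34 processes, so it will not reproduce the 0.862 figure. The table rows are transcribed from the slides; the function names are my own.

```python
from typing import List, Sequence, Tuple

# Constructed from the Table 1a rows visible on slides 8 and 12
# (20 of the 34 COBIT v3 processes): (process, KM importance rank, TV risk rank).
TABLE_1A: List[Tuple[str, int, int]] = [
    ("DS5", 1, 2), ("AI6", 2, 1), ("PO9", 3, 4), ("DS11", 4, 6), ("M2", 5, 5),
    ("PO8", 6, 3), ("DS10", 7, 8), ("AI4", 8, 11), ("M1", 9, 12), ("PO11", 10, 10),
    ("DS4", 11, 17), ("M4", 12, 20), ("DS7", 13, 13), ("PO10", 14, 22), ("M3", 15, 16),
    ("DS9", 16, 14), ("PO2", 17, 29), ("DS13", 18, 18), ("PO1", 19, 9), ("AI5", 20, 7),
]


def average_ranks(values: Sequence[float]) -> List[float]:
    """Rank values 1..n within the sample; tied values share the average position."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2  # positions are 1-based: (i+1 + j+1) / 2
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson product-moment correlation of two equal-length samples."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5


def spearman(x: Sequence[float], y: Sequence[float]) -> float:
    """Spearman's rho: Pearson correlation of the within-sample ranks."""
    return pearson(average_ranks(x), average_ranks(y))


def table_1a_rank_correlation() -> float:
    """Spearman's rho between KM importance rank and TV risk rank for the 20 listed rows.
    Re-ranking within the subset matters: the TV column is drawn from a 34-item ranking
    (it contains 29 but not 15), so the raw ranks are not a 1..20 permutation."""
    km = [row[1] for row in TABLE_1A]
    tv = [row[2] for row in TABLE_1A]
    return spearman(km, tv)
```

For these 20 rows rho is about 0.70; the two columns agree closely in the top ten and diverge mainly on PO2, PO1 and AI5, which is why the subset value is lower than the 0.862 reported over all 34 processes.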
13
14
15
Table 2: CobiT v.4 Importance Ratings for the Ten Most Important IT Processes per Kerr and Murthy
CobiT Process   Description                                                        Mean KM Importance Rating   CobiT Importance
DS5             Ensure System Security                                                     4.661                 High
AI6             Manage Changes                                                             4.487                 High
PO9             Assess Risk                                                                4.413                 Medium
DS11            Manage Data                                                                4.333                 High
M2              Assess Internal Control Adequacy                                           4.328                 Medium
PO8             Ensure Compliance with External Requirements (version 4 = ME3)             4.222                 High
DS10            Manage Problems and Incidents                                              4.101                 Medium
AI4             Develop and Maintain Procedures                                            4.085                 Low
M1              Monitor the Process                                                        4.079                 High
PO11            Manage Quality (version 4 = PO8)                                           4.074                 Medium
16
Table 2 (summary): CobiT v.4 Importance Ratings for the Ten Most Important IT Processes per Kerr and Murthy
Importance Level   Count   Mean KM Importance Rating
High                 5            4.356
Medium               4            4.229
Low                  1            4.085
17
18
COSO and COBIT Analysis
Dependent Variable:
• KM importance ratings
Independent Variables (coded P=1):
• Control Evaluation
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
19
Research Question 2
In the context of the reliability of financial reporting, to what extent does the relative importance of each of the 34 IT control and security processes vary as a function of characteristics of the IT professionals within the organization?
20
Better Questions
AIS serve multiple informational purposes within organizations:
• How does importance differ for financial audits compared to IT in general?
• How do perceptions differ between management, IT personnel, and auditors?
• Pre versus Post SOX experience?
21
Table 3: Exploratory Factor Analysis of Ten Most Important IT Processes Using Tuttle and Vandervelde 2007 Data
CobiT Process   Description                                                        Factor 1   Factor 2
Eigenvalue                                                                         2.51633    1.12175
M2              Assess Internal Control Adequacy                                   0.88126   -0.25542
M1              Monitor the Process                                                0.79890   -0.07157
PO9             Assess Risk                                                        0.58994   -0.25609
AI4             Develop and Maintain Procedures                                    0.56487    0.07633
DS10            Manage Problems and Incidents                                      0.22103    0.59395
DS11            Manage Data                                                        0.31144    0.42021
DS5             Ensure System Security                                             0.39274    0.37887
AI6             Manage Changes                                                     0.06452    0.33182
PO11            Manage Quality (version 4 = PO8)                                   0.30254    0.13523
PO8             Ensure Compliance with External Requirements (version 4 = ME3)     0.19647   -0.42272
22
Nitpicks
• CobiT version 4 drops the term “best practices”
• Some COBIT processes change from version 3 to version 4
• Tables 7, 8, and 9 not related to research questions
23
I like this study because
• Potential to influence practice
  – What is and isn’t important
  – What is the relationship between IT and COSO
• Potential to aid in developing theory of internal control in IT setting
  – What constitutes IC
  – COBIT = framework (theory) of IT control