The Impact of Information Technology Material Weaknesses on Corporate Governance: Evidence from Executive and Director Turnover, and

IT Governance Changes

Jacob Z. Haislip Adi Masli Vernon J. Richardson Juan Manuel Sanchez

University of Arkansas

August 2011

Keywords: Internal control material weakness, corporate governance, information technology Data Availability: The data used are publicly available from the sources cited in the text.

The Impact of Information Technology Material Weaknesses on Corporate Governance: Evidence from Executive and Director Turnover, and IT Governance Changes

Abstract We provide a comprehensive examination of the impact of information technology (IT) internal control material weaknesses on changes in corporate governance. Specifically, we examine the impact of IT weaknesses on CEO, CFO and director turnover, CEOs, CFOs and directors IT knowledge improvements, and upgrades to the companys financial reporting system. We find results consistent with our hypothesis that, because IT-related material weaknesses have a more pervasive negative impact on the reliability of internal controls over financial reporting (relative to non-IT material weaknesses), IT material weakness firms experience higher CEO, CFO and director turnover rates. We also find that IT material weakness firms are more likely to replace executives with professionals possessing higher degrees of IT knowledge, and are more likely to upgrade their financial reporting IT. Finally, we find that in IT material weakness firms that experience CFO turnover, the CFO replacement possesses additional IT knowledge, and remediate internal control weaknesses in a more timely fashion.

I.

Introduction Information technology (IT) serves as the foundation of an effective system of internal

controls over financial reporting (Hunton et al. 2008; Li et al. 2010a; Masli et al. 2010). IT provides the platform that integrates financial transactions and internal controls to increase the likelihood of a properly functioning financial reporting process. Despite its importance, there is a notion that Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) have not placed enough attention to IT as a critical component of the financial reporting system process (Deloitte 2005). Regulators seem to share this sentiment and suggest that boards of directors need to do a better job providing oversight over their organizations IT functions, especially those pertaining to internal controls and financial reporting (Nolan and McFarlan 2005; Klamm and Watson 2009; Bart and Turel 2010). Recent research (Klamm and Watson 2009) finds that firms with significant IT deficiencies are more likely to issue misstated financial statements (relative to firms with regular material weaknesses), further increasing the awareness of the importance of IT on the overall financial reporting system.1 In this paper, we examine two related questions. First, we examine the impact of IT material weaknesses on CEO, CFO, and board of director turnover. We focus on the CEO and CFO because they are primarily responsible for the reliability and accountability of internal controls over financial reporting. Section 302 of the Sarbanes-Oxley Act of 2002 (SOX) requires these executives to sign off on financial statements and to report on the quality of the internal controls surrounding financial reporting. Recent research also emphasizes the important role that directors play in monitoring internal controls, and the consequences they face in the event of a failure (Goh 2009; Johnstone et al. 2010). Consequently, we examine whether board

IT weaknesses are considered more detrimental than standard weaknesses because they often affect the reliability of all financial data that are processed within the firm. See Appendix A for definitions of these weaknesses and Appendix B for examples.
1

members face penalties (in the form of an increased likelihood of turnover) for IT failures that relate to internal control over financial reporting. This examination is important because while extant research (Srinivasan 2005; Desai et al. 2006; Collins et al. 2009) documents the consequences of financial misstatements on a firms governance structure (e.g., executive and director turnover), little is known about the consequences of IT deficiencies on changes in corporate governance. Second, we examine how firms with IT material weaknesses remediate their deficiencies. Specifically, we examine two distinct areas of remediation. Given the emerging call for greater IT oversight among executives and board members, we first determine whether IT weakness firms replace outgoing CEOs, CFOs, and directors with professionals who possess greater levels of IT knowledge. Replacing the CEO, CFO and/or board members with individuals with greater IT knowledge would signal the seriousness of a firms commitment to remediating the IT governance environment. Finally, we examine whether firms with IT weaknesses subsequently make other major IT changes, including upgrades specifically targeted to the financial and accounting system. These changes include upgrading the IT, hiring an executive (beyond the CEO or CFO) dedicated to the oversight and management of IT, or adding a technology committee to the board. All of these changes are expected to help remediate problems associated with the IT material weakness. We rely on a sample of 289 IT material weakness firms identified by reading SOX 404 reports issued from 2004 through 2006. As a control group, we rely on a random sample of nonIT material weakness firms from the same period (more details on this appear in the research design section). Consistent with our expectations, we find that the likelihood of turnover of CEOs, CFOs, and directors is greater for IT weakness firms compared to non-IT weakness firms.

After controlling for economic determinants of turnover, including the number of weaknesses reported and the incidence of restatements, we find that, IT weakness firms have a 8.2%, 16.3%, and 19.4% greater likelihood of CEO, CFO, and director turnover than non-IT weakness firms, respectively. These results imply that weak IT controls have a more pervasive and negative impact on the financial reporting process and consequently result in greater penalties for the executives primarily responsible for internal controls. Furthermore, the results suggest that directors are held accountable for breakdowns in IT-related controls, thus providing support for the idea that board members are now challenged to extend their monitoring and oversight duties to IT functions. When we contrast the turnover rates between IT and non-IT firms conditioning on inside vs. outside directors, we find that the probability of turnover is greater for outside directors. When we focus on the audit committee, however, we find that the turnover rate is not significantly different between IT and non-IT weakness firms. In contrast, when we focus on the turnover rates of the chairperson of the board, we find that the likelihood of turnover is 12.5% higher in IT weakness firms. These results suggest that the firm eliminates the professional with the most authority on the board as part of the remediation of the problems in the financial reporting process. On balance, these results show that IT weakness firms make changes that are more significant to the governance structure as compared to non-IT weakness firms. With respect to the remediation, we find that IT weakness firms are more likely to replace outgoing CEOs and CFOs, with executives that have greater levels of IT knowledge.2 This result should be of interest to academics and practitioners alike, because although IT is considered a central component of internal controls, little evidence to date speaks to the association between

We determine that a professional has IT knowledge if his/her biography from the firms proxy statement (DEF 14A) includes previous work in an IT/technology firm or IT related degrees such as computer science or management information systems. See Appendix C for examples of IT knowledge biographies.

IT expertise at the executive level and the quality of internal controls over financial reporting. Our findings support the notion that IT weakness firms are more likely to obtain the services of executives with IT knowledge, expecting that such appointments can contribute to improvements in internal controls over financial reporting. We also find that IT weakness firms are more likely to make upgrades to the accounting and financial reporting IT. In some cases, the IT weakness is so pervasive throughout the system that firms opt to scrap the entire financial reporting system.3 On other cases, the IT weakness affected targeted areas, leading to changes only to specific modules, such as Accounts Payable or Fixed Assets.4 In additional analysis, we examine the remediation efforts that IT weakness firms undertake and find evidence suggesting that those IT weakness firms that replace (fill) their CFO (board seats) with individuals possessing IT knowledge (compared to IT weakness firms that do not) are more likely to experience a reduction in the number of internal control weaknesses reported by the second year after the initial IT weakness year. This result implies that replacement appointments of CFOs and/or directors with IT knowledge are among the most effective remediation strategies for IT weakness firms. Our study offers various contributions to the accounting information systems (AIS) literature that examines the importance of IT in financial reporting and auditing. The IT-related auditing literature focuses on the use of IT by auditors and how it can affect auditor judgment

For example in 2005 Castle & Co stated, The Company started a business system replacement initiative in the third quarter of 2005. The project scope includes a replacement of the Companys financial systems as a first phase of the overall project plan. The Company is currently performing parallel testing and expects to be in production with its new financial systems in mid-2006. In conjunction with the business systems replacement initiative, the Company has invested in new report writing technology that will automate and expedite the creation of its key financial and other business reports. This program is also expected to be installed by mid-2006. Management believes this investment in technology will allow for a more thorough and timely review of its financial statements by its financial staff, thereby enhancing its internal control over financial reporting. 4 For example in 2005 Covansys Corp stated, Implementation of the fixed asset module in the Companys ERP system in the third quarter of 2005 to facilitate in the tracking and accounting of fixed assets. This implementation eliminates the use of multiple spreadsheets and systems which significantly streamlines the process while injecting more preventative automated controls into the control environment.
3

(e.g., Messier 1995; ODonnell and David 2000; Brazel et al. 2004; ODonnell and Schultz 2003; Bible et al. 2005; Bedard et al. 2007; Dowling and Leech 2007; Dowling 2009). The IT-related accounting literature also focuses on the firm performance and internal control benefits firms derive from IT (e.g., Dehning and Richardson 2002; Hunton et al. 2003; Kobelsky et al. 2008; Masli et al. 2010). Our paper extends this literature by showing the detrimental effects of a breakdown within the controls surrounding IT on a firms governance environment. Prior literature focuses on the importance of financial accounting expertise of executives and board members as it relates to the financial reporting process (Beasley 1996; DeFond et al. 2004; Hennes et al. 2008; Li et al. 2010b; Johnstone et al. 2010). We extend this literature by documenting that firms also value the IT expertise of executives and directors when remediating internal control issues. Furthermore, a stream of literature investigates the characteristics of firms that report material weaknesses and the consequences the firms face in regard to the weaknesses (Ge and McVay 2005; Doyle et al. 2007; Hammersley et al. 2008; Johnstone et al. 2010; Li et al. 2010b). We extend this literature by examining a unique type of internal control material weakness we show to be a greater detriment to the financial reporting process. Finally, our results provide support for the recommendations within the COSO and COBIT frameworks as well as the PCAOB standards that advocate management and board oversight and accountability over IT controls. We organize the rest of the paper as follows: Section 2 explores the related literature and develops our testable hypotheses. Section 3 describes the sample used to test the hypotheses. Section 4 presents the research design. Section 5 details the empirical results. Finally, Section 6 summarizes and concludes the paper. II. Background and Hypothesis Development

Sections 302 and 404 of SOX require management and auditors to report on the quality of firms internal controls over financial reporting. Through this process, firms identify and reveal internal control material weaknesses, which the Public Company Accounting Oversight Board (PCAOB) defines as a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected (PCAOB 2004). Therefore, a material weakness indicates that there is a major problem with a firms financial reporting process, potentially highlighting the possibility of misstated financial statements. In a report discussing the importance of the role of IT in the design and implementation of internal controls, the IT Governance Institute (ITGI) states that IT is the foundation of an effective system of internal controls over financial reporting (ITGI 2006). The Committee of Sponsoring Organizations of the Treadway Commission (COSO 2009) makes a similar case, but further emphasizes the importance of properly monitoring the effectiveness of IT. The PCAOB also recognizes the importance of IT in the internal controls of financial reporting. Auditing Standard No. 2 (and the superseding Standard No. 5) specifically states that IT controls have a pervasive effect on the achievement of many overall objectives of the control criteria (PCAOB 2004), so auditors should understand how IT affects the firms flow of transactions and examine the use of IT within the processes and controls. Overall, the regulatory perspective suggests that IT plays an important role within the financial reporting system and the internal controls within that system. Since IT often permeates through the entire financial reporting structure, we predict that IT material weaknesses have a more pervasive impact on the financial reporting process than non-IT material weaknesses. In addition, IT weakness firms will have greater incentives to

correct IT material weaknesses. Common IT material weaknesses (as reported within SOX 404 reports) include lack of controls over who can initiate and approve journal entries, accounting systems that are unable to process complicated transactions, and a lack of training to use the accounting system software. The severity of these weaknesses can lead to the misstatement of any account, and therefore cause a significant problem in financial reporting. The Relation between IT Weaknesses and Executive Turnover Extant literature provides evidence of executive and director turnover following financial reporting failures. For example, Desai et al. (2006) find that restatements are associated with an increased likelihood of CEO turnover, and that terminated executives have difficulty finding similar positions at other firms following the turnover. Collins et al. (2009) show similar results for CFOs, but also show that the labor market penalties (i.e., inability to find comparable position) are more severe in a post-SOX era. Srinivasan (2005) shows that directors lose a significant number of directorships following the announcement of earnings-decreasing restatements. More recent research, including Li et al. (2010b) and Johnstone et al. (2010), shows increased executive and director turnover in firms that report internal control material weaknesses. While material internal control weaknesses are associated with significant costs (Ashbaugh-Skaife et al. 2009; Hammersley et al. (2008); Hogan and Wilkins 2008; Ye and Krishnan 2008), it is likely that these costs are particularly great for IT material weaknesses (relative to regular material weakness firms). For example, Klamm and Watson (2009) find that firms with IT material weaknesses report more misstated accounts than firms with non-IT related weaknesses. Li et al. (2010a) find that weak IT internal controls produce low information quality, leading to management forecasts that are less accurate for firms with IT material

weaknesses than for firms with non-IT material weaknesses. Based on this evidence of the impact of IT material weaknesses on the firm coupled with the evidence of executive turnover around restatements and all types of material weaknesses, we, in turn, predict that there is a greater likelihood of executive (CEO or CFO) and director turnover for IT weakness firms. Therefore, our first hypothesis is as follows: Hypothesis 1: The likelihood of CEO, CFO, and director turnover is greater for firms that report IT material weaknesses in internal control than for firms that report non-IT material weaknesses. The Relation between IT Weaknesses and IT Governance Changes It is important to understand how corporate governance can affect financial reporting. Bowen et al. (2008) find that weak governance allows management to use more discretion in accounting information, which in turn leads to poor future performance. Farber (2005) finds an association between the likelihood of fraud and characteristics commonly associated with weak governance, such as few independent board members, a lack of financial expertise on the board, and few audit committee meetings. Klein (2002) finds that firms with more independent boards report lower levels of discretionary accruals. Larcker et al. (2007) find a positive association between strong governance attributes and future firm performance. Finally, Krishnan (2005) and Hoitash et al. (2009) both show that strong corporate governance decreases the likelihood of material weaknesses in internal controls. These papers are important because they show that strong corporate governance helps firms avoid internal control material weaknesses, thus strengthening the financial reporting process. It is also important to examine how remediation of financial reporting breakdowns can improve the financial reporting process. For example, Farber (2005) shows that following the revelation of fraud, firms take corrective actions to improve corporate governance. These actions

include hiring more independent directors and directors with financial expertise. The author shows that following these corrective actions the firms experience in increase in stock performance suggesting, investors appear to value governance improvements. Extant research provides strong evidence on the consequences internal control weakness remediation. For example, Ashbaugh-Skaife et al. (2009) find that when firms address deficiencies in internal controls their cost of equity decreases, and Goh (2009) shows that the timeliness of remediation is positively associated with the severity of the weakness. Goh (2009) states that remediation is key to improving financial reporting quality and restoring investor confidence. Li et al. (2010b) and Johnstone et al. (2010) document ways that firms attempt to remediate material weaknesses, including replacing the CFO with a different one of higher quality and hiring more independent directors. Following this line of research, in the case of IT material weaknesses, we predict that firms also improve the characteristics of corporate governance. However, we predict that not only do they try to improve the specific financial knowledge of the firm, but since these weaknesses are IT related they will increase IT characteristics of the firm as well. Our second hypothesis is as follows: Hypothesis 2: Firms that report IT internal control material weaknesses are more likely to make IT governance changes than firms that report non-IT internal control material weaknesses. We are also interested in the different types of IT governance changes these firms are likely to make. First, we examine if these firms hire executives and directors with characteristics that will improve financial reporting. Beasley (1996) shows that firms with more independent directors are less likely to experience fraud. DeFond et al. (2004) find that the market reacts positively when firms announce the appointment of a financial expert to the board of directors, especially if the financial expertise is accounting specific. In the case of internal control material

weaknesses, Li et al. (2010b) and Johnstone et al. (2010) find that following the weaknesses firms hire executives and directors that are more qualified to remediate the weaknesses to improve financial reporting quality. Li et al. (2010b) specifically show that firms hire CFOs with more financial expertise and experience. We expect that firms hire executives and directors with the right skill set to remediate any internal control material weaknesses. For that reason we predict that firms that report IT related internal control weaknesses are more likely to hire executives and directors with IT knowledge to remediate the IT weaknesses and improve financial reporting quality. Specifically, our third hypothesis is as follows: Hypothesis 3: Firms that report IT internal control material weaknesses are more likely to hire executives and directors with IT knowledge than firms that report non-IT internal control material weaknesses. We also suggest that these firms proceed with other IT initiatives to improve financial reporting. These initiatives include upgrading the IT financial reporting system, hiring an IT executive, adding a technology committee to the board, or increasing the importance of the role of the Chief Information Officer (CIO). The extant literature discusses how these different initiatives can improve financial reporting. For example, Hunton et al. (2008) find that using IT for continuous monitoring can decrease the level of real earnings management of firms. Li et al. (2010a) find that better quality IT financial reporting systems provide higher quality information to management. Kobelsky et al. (2008) find a positive association between IT budgets and firm performance and shareholder returns. Finally, Masli et al. (2010) show that implementing technology specifically used in monitoring the effectiveness of internal controls decreases the likelihood of internal control material weaknesses. Overall, this evidence suggests that improving IT can decrease the likelihood of material weaknesses, and therefore improve the quality of financial reporting. Therefore, we predict that IT weakness firms will make IT

10

initiative changes to improve the quality of the internal control environment and financial reporting. Specifically our fourth hypothesis is as follows: Hypothesis 4: Firms that report IT internal control material weaknesses are more likely to make IT initiative changes than firms that report non-IT internal control material weaknesses. Following Li et al. (2010a) in our final hypothesis we examine different types of IT material weaknesses to determine how they differently affect the governance structure of firms. These three different categories are Data Processing Integrity, Access and Security, and Structure and Usage. Li et al (2010a) show that the Data Processing Integrity weaknesses are the most directly aligned with the accurate and reliable production of data and find these weaknesses to cause the greatest detriment to the information quality. Following this line of reason, we expect the impact on the corporate governance of the firm for Data Processing Integrity weaknesses to be greater than the Access and Security and the Structure and Usage IT weaknesses. Specifically our fifth hypothesis is as follows: Hypothesis 5: The turnover and remediation efforts are greatest for firms reporting Data Processing Integrity internal control material weaknesses. III. Sample Selection Our sample is constructed using data from Audit Analytics, Annual COMPUSTAT (financial statement variables), CRSP, I/B/E/S, Thomson Reuters, and SEC filings (DEF 14A, 10-K, etc.). We used Audit Analytics to identify firms that report material weaknesses in their internal controls over financial reporting. We then used the SOX 404 reports within 10-K filings to identify IT-related material weaknesses from 2004 through 2006. Using this procedure, we identified 301 SOX 404 reports that indicate IT-related material weaknesses. Using Audit Analytics, we identified a random sample of firms that reported a non-IT material weakness. Using the random number generator, we selected 301 non-IT weakness firms from the
11

population of material weakness firms. This gives a total sample of 602 firm-year observations where the firm reports an internal control material weakness (IT related and non-IT related). We then collected data on management and the board of directors from proxy statements (DEF-14A) and 10-K filings from 12 months before the year of the weakness to 24 months after the year of the weakness. Additionally, we collected information for our control variables from COMPUSTAT, CRSP, Thomson Reuters, and I/B/E/S. After eliminating observations with missing information, our final sample included 578 firm year observations, 289 of which are IT material weakness firm year observations. See Panel A of Table 1 for the sample reconciliation. Panel B of Table 1 presents the industry classification (by two-digit SIC codes) across our sample firms. In general, firms in our sample are from a broad spectrum of industries. Specifically, they appear more often in the Services, Financial Institutions, and Electrical industries. Finally, Panel C of Table 1 provides the distribution of the sample firms across years. With the exception of 2006, the number of observations by year is around 200 and uniform across time. IV. Research Design Hypothesis 1 posits a positive association between IT material weakness firms and turnover for executives and directors. To test our first hypothesis, we run variations of the following logistic regression model (See Table 2 for variable definitions): Turnoveri = 0 + 1 IT Weaknessi,t + 2 Number of Weaknesses + 3LnAssets i,t + 4Leveragei,t + 5BTMi,t + 6ROAi,t + 7Lossi,t + 8Institutional Holdingsi,t + 9Analysti,t + 10Restatementi,t-1,t,t+1 + 11Board Sizei,t + 12Board Independencei,t + 13CEO Chairman + 14Automatei,t + 15Transformi,t + 16High Techi,t + 17Low Tech. (1) We run the above regression using different dependent variables for turnover. For all of our turnover variables we measure turnover if it occurs in the year of the weakness or within of the

12

two years following the weakness. We first examine the turnover for CEOs and CFOs. We then run the model on different director positions: directors, chairman of the board, independent directors, and audit committee members. Our variable of interest is IT Weakness, which is coded 1 if the firm is an IT weakness firm, and 0 otherwise. We expect the coefficient on this variable to be positive and significant indicating that the likelihood of turnover is greater for IT weakness firms than for non-IT weakness firms. We include a set of control variables that prior literature shows can affect director and management turnover. Ferris et al. (2003) show that the likelihood of turnover increases with firm size, therefore we predict LnAssets to be positively associated with Turnover. We include the total Number of Weaknesses because firms with more material weaknesses reported are more likely to have an IT weakness. We include Leverage because greater debt levels translate into additional monitoring by creditors, who could influence the dismissal of poor performing management and directors (Agrawal and Cooper 2007). We therefore predict Leverage to be positively associated with Turnover. Since firms with low valuations experience a greater level of turnover we expect BTM to be positively associated with Turnover. Prior literature also shows that turnover is more likely for firms with poor operating performance (Weisbach 1988 and Yermack 2004). Therefore, we expect ROA to be negatively associated and Loss to be positively associated with Turnover. Following Johnstone et al. (2010), we include the variables Institutional Holdings and Analyst as a control that outsiders provide additional monitoring for the firm. Therefore, we predict both to be positively associated with Turnover. Prior research shows that restatements increase the likelihood of executive and director turnover (Desai et al. 2006; Srinivasan 2005; Collins et al. 2009). We therefore predict that Restatement is positively associated with

13

Turnover. Extant literature provides mixed evidence regarding how the size of the board affects corporate governance (Jensen 1993), so we make no prediction about the direction of Board Size. Research also argues that independent boards are more likely to remove poor performers from both management and the board (Jensen 1993); thus, we expect Board Independence to be positively associated with all measures of Turnover. We include CEO Chairman because as discussed by Jensen (1993), when the CEO also serves as the board chair they are more entrenched, so we expect this variable to be negatively associated with management turnover and positively associated with director turnover. Finally, we include a set of control variables that represent different high and low technology industries to control for any effects these IT intensive industries have on our results (Kobelsky et al. 2008). These variables are Automate, Transform, High Tech, and Low Tech. In additional analysis, we investigate whether certain types of IT SOX 404 material weaknesses will have a greater impact on turnover. Therefore, following Li et al. (2010a), we categorize IT material weaknesses across three dimensions: a) Data Processing Integrity, b) System Access and Security, and c) System Structure and Usage. As discussed by Li et al. (2010a), the three categories were developed by integrating the prior data quality literature, auditing standards (i.e., AS5), and IT professional guidance. Detailed examples of the IT controls and the coding of the categories appear in Appendices A and B. When examining the association of the IT material weakness categories and turnover, we include the following independent variables: Data Processing Integrity, System Access and Security, and System Structure and Usage.

14

Hypothesis 2 posits a positive association between IT material weakness firms and IT governance changes. To test our second hypothesis, we run variations of the following logistic regression model (See Table 2 for variable definitions): IT Governance Changei = 0 + 1 IT Weaknessi,t + 2 Number of Weaknesses + 3 LnAssets i,t + 4ROAi,t + 5Avg Sales Growthi,t + 6Leveragei,t + 7Uncertaintyi,t + 8Automatei,t + 9Transformi,t + 10High Techi,t + 11Low Techi,t + 12Foreigni,t + 13Merger i,t + 14Restructuringi,t + 15Product Differentiationi,t + 16Cost Leadershipi,t. (2) In this model, we examine the probability of a firm making changes to its IT governance structure. We use two different dependent variables. First, IT Governance Change is defined as an indicator variable set equal to 1 if the firm made any changes to its IT governance, and 0 otherwise. Second, Count of IT Governance Changes represents the number of changes the firm makes to the IT governance. The specific IT governance changes that we examine include the following: replacement of CEO with IT knowledge (CEO IT Knowledge); replacement of CFO with IT knowledge (CFO IT Knowledge); hiring of chairman of the board of directors with IT knowledge (Chairman IT Knowledge); hiring of audit committee members with IT knowledge (Audit Committee IT Knowledge); hiring of directors with IT knowledge (Director IT Knowledge); upgrading the IT (IT Upgrade); and upgrading IT management (IT Management). We ascertain if an executive or board members possess IT knowledge by reading their biographies in the firms proxy statements (form DEF 14A). An executive (board member) is said to have IT Knowledge if he/she has prior experience as a CIO (or other IT-related management positions), has previously worked in an IT/technology firm, or has IT-related degrees such as computer science or management information systems. Furthermore, IT initiative changes include upgrades to the IT and IT management. An upgrade to the IT would entail improvements made to the overall IT (financial and non-financial related systems), while

15

an upgrade to IT management includes hiring an IT specific executive, adding a technology committee to the board, or promoting the CIO position to become one of the top-five paid executives of the firm. Our variable of interest is again IT Weakness. We expect the coefficient to be positive and significant because we expect firms to make more IT governance changes in response to the IT material weaknesses to remediate the IT control problems within the financial reporting process. When examining the association between IT material weakness categories and IT governance changes, we substitute IT Weakness with the following independent variables: Data Processing Integrity, System Access and Security, and System Structure and Usage. We include a set of control variables that we expect will influence IT governance changes. We include LnAssets because we predict that size affects a firms ability or desire to make IT governance changes. We do not make a sign prediction for size. We expect ROA to be positively associated with IT changes, because profitable companies have more resources to invest in IT changes. Dewan et al. (1998) find that firms with higher sales growth tend to underinvest in IT, and we therefore expect Avg Sales Growth to be negatively associated with IT governance changes. High debt levels can constrain a firms resources, so we therefore predict a negative association for Leverage. We include Uncertainty, because we expect firms with higher levels of risk to use more IT to help mitigate some of the risk. We therefore expect a positive sign on the coefficient for Uncertainty. We follow Chatterjee et al. (2001) in using the Automate and Transform variables determined at the industry level. These indicator variables provide information as to how firms intend to use IT strategically within its business structure. We expect both of these variables to be positively associated with IT changes because firms that fall in to the categories tend to use more IT in their business processes. We also use a classification

16

scheme similar to Francis and Schipper (1999) to designate High Tech and Low Tech firms. We expect High Tech firms to be more likely to make IT changes since these companies are more likely to use IT in every day operations. We make no prediction for Low Tech firms because it is not obvious whether these firms will avoid IT changes because they feel they are unnecessary, or they will make the changes because they are obviously lacking IT. Finally, prior research suggests that enterprise IT initiatives and IT management structure often require alignment with the firms business strategies (e.g., Floyd and Wooldridge 1990; Banker et al. 2010). Therefore, we include the following set of variables to control for business strategies that companies may employ: Foreign, Merger Restructuring, Product Differentiation, and Cost Leadership. We make no directional predictions about these variables. Hypothesis 3 posits a positive association between IT material weakness firms and the replacement (hiring) of executives (directors) with IT knowledge. To test our third hypothesis, we run variations of the following logistic regression model (See Table 2 for variable definitions)5: IT Knowledgei = 0 + 1 IT Weaknessi,t + 2Number of Weaknesses + 3 LnAssets i,t + 4ROAi,t + 5Avg Sales Growthi,t + 6Leveragei,t + 7Uncertaintyi,t + 8Automatei,t + 9Transformi,t + 10High Techi,t + 11Low Techi,t + 12Foreigni,t + 13Merger i,t + 14Restructuringi,t + 15Product Differentiationi,t + 16Cost Leadershipi,t.

(3) Equation 3 follows the model in Equation 2, except we are specifically examining the changes in IT knowledge for executives and directors. We run Equation 3 five different times to examine the various changes in IT knowledge within the firm. We first run the model examining changes in CEO and CFO IT knowledge. We specifically examine whether firms change from having an executive that did not have IT knowledge before the internal control weakness to hiring an executive that does have IT knowledge in response to the material weakness. We then examine

In some models the Automate variable is exactly identified. When this occurs the variable is excluded from the model and thus no results are reported in the tables.
5

17

the IT knowledge for Chairman of the Board, directors in general, and audit committee members. We measure Chairman IT knowledge similar to the executives in that we are only interested in firms that changed from not having IT knowledge before the internal control weakness to hiring a person with IT knowledge in response to the material weakness. We consider director (audit committee) IT knowledge change to be positive if after the material weakness, the firm employs additional directors (audit committee members) with IT knowledge than they did before the material weakness. Find examples of biographies of executives and directors that possess IT knowledge in Appendix C. IT Weakness is again our variable of interest, and we expect it to be positive and significant. We predict that IT material weakness firms will hire executives and directors with IT knowledge in an effort to remediate problems that IT weaknesses generate within the financial reporting process. When examining the association between IT material weakness categories and IT knowledge changes, we substitute IT Weakness with the following independent variables: Data Processing Integrity, System Access and Security, and System Structure and Usage.Finally, we include the same control variables used in Equation 2 for Equation 3. Hypothesis 4 posits a positive association between IT material weakness firms and IT initiative changes. To test our fourth hypothesis, we run variations of the following logistic regression model (See Table 2 for variable definitions)5: Major IT Initiativesi = 0 + 1 IT Weaknessi,t + 2Number of Weaknesses + 3 Sum of IT Knowledge Score i,t + 4LnAssets i,t + 5ROAi,t + 6Avg Sales Growthi,t + 7Leveragei,t + 8Uncertaintyi,t + 9Automatei,t + 10Transformi,t + 11High Techi,t + 12Low Techi,t + 13Foreigni,t + 14Merger i,t + 15Restructuringi,t + 16Product Differentiationi,t + 17Cost Leadershipi,t. (4)

18

Equation 4 follows the model in Equation 2. However, in Equation 4, we are interested in examining IT governance changes related to IT upgrades and IT management. We examine four categories of IT upgrades, which include General IT (IT Upgrade), Financial (Financial IT Upgrade), Accounting (Accounting IT Upgrade), and Non-Financial (Non-Financial IT Upgrade). Any upgrade to the IT is included in the general IT upgrade. Upgrades specific to the financial functions of the firm are included in the Financial upgrades. Accounting upgrades are financial upgrades that specifically mention changes to the AIS. All other IT upgrades are included in the Non-Financial upgrades. We include examples of IT upgrades and its categories in Appendix D. Finally, we define an IT management upgrade to be present when the firm hires an IT specific executive, adds a technology committee to the board, or promotes the CIO to become one of the top five paid executives. We again use IT Weakness as our variable of interest, and we expect it to be positive and significant. When examining the association between IT material weakness categories and IT knowledge changes, we substitute IT Weakness with the three categories of IT material weaknesses (Data Processing Integrity, System Access and Security, and System Structure and Usage).Finally, in Equation 4, we include the same control variables used in Equation 2 with the exception of Sum of IT Knowledge Score. This variable is a count of the total number of IT knowledge changes the firm has undertaken. We include this variable because it is likely that the new IT knowledge executive or director will make other IT changes to the firm. V. Results

Summary Statistics Table 3, Panel A, presents univariate statistics for the IT material weakness categories and control variables. As Panel A shows, 71.6%, 51.2%, and 20.8% of IT material weakness firms have issues relating to data processing integrity, system access and security, and system
19

structure and usage, respectively.6 For the control variables, compared to control firms, IT material weakness firms are generally smaller, less profitable, have lower institutional holdings, have less analyst following, have less independent directors, less likely to have the CEO as chairman of the board, have a greater cost leadership, and have a higher sum of IT knowledge score. Table 3, Panel B, presents the univariate statistics for the executive and director turnover variables. As Panel B shows, the CEO and CFO turnover rates in IT material weakness firms (49.1% and 75.4%) are significantly higher (p< 0.01) than the control-firm CEO and CFO turnover rates (34.9% and 52.2%). In addition, IT material weakness firms experienced significantly higher (p<0.01) chairman of the board turnover (22.5%) than control firms (10.4%). With regard to turnover for the board of directors, we find that the director and independent director turnover rates are higher for IT material weakness firms relative to control firms. During the turnover period, 75.1% and 63.7% of IT material weakness firms experienced at least one director and independent director turnover, respectively. In contrast, 59.5% and 49.5% of control firms experienced at least one director and independent director turnover, respectively, during the same time period. These turnover differences are significant at the p<0.01 value. Interestingly, we find that audit committee turnover rates are roughly identical (approximately 32%) between IT material weakness firms and control firms suggesting there is no differentiation from the audit committee between IT and non-IT material weaknesses. In Panel C of Table 3, we examine differences in the change to IT governance between IT material weakness firms and control firms. As Panel B shows, 67.5% (34.9%) of IT material weakness firms (control firms) carry out at least one change to their IT governance (p<0.01 for

We note that firms with IT material weaknesses may have a material weakness in one or more of the IT material weakness categories.

20

difference). Moreover, IT material weakness (control) firms complete changes to 1.179 (0.502) components of their IT governance (p<0.01 for difference). In examining the individual components of IT governance changes, it appears that IT material weakness firms, compared to control firms, are significantly more likely (p<0.05) to replace their CEOs, CFOs, and chairmen of the board with individuals with IT knowledge. IT material weakness firms, compared to control firms, are also more likely (p<0.05) to hire a director with IT knowledge, but not more likely to hire an audit committee member with IT knowledge. With regard to IT upgrades, we find that IT material weakness firms, compared to control firms, are more likely (p<0.01) to undergo IT upgrades, financial IT upgrades, and accounting IT upgrades. However, there are no material differences in the likelihood of undergoing non-financial IT upgrades between IT material weakness and control firms. Finally, contrary to our expectations, we find that IT management is not significantly different (p=0.117) between IT material weakness and control firms. Multivariate Analyses In Table 4, we report the results of estimation of Equation 1.Panel A presents the results of the CEO, CFO, and director turnover models. The coefficient for IT Weakness is positive and significant (p<0.05) for models 1, 2, and 3. Thus, the tests imply that IT material weakness firms are more likely to experience CEO, CFO, and director turnover relative to control firms. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms have a 8.2%, 16.3%, and 19.4% greater likelihood of CEO, CFO, and director turnover, respectively. In models 4, 5, and 6, rather than using an indicator variable for IT material weakness firms, we use our three classifications of IT material weaknesses. As Panel A shows, the coefficient for Data Processing Integrity is

21

positive and significant (p<0.05) for models 4, 5, and 6, suggesting that IT material weaknesses related to data processing integrity issues increase the firms likelihood of CEO, CFO, and director turnover. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms with data processing integrity issues (relative to IT weakness and Non-IT weakness firms without data processing integrity issues) have a 10.7%, 13.5%, and 14% greater likelihood of CEO, CFO, and director turnover, respectively. Panel B of Table 4 presents the results of the type of director turnover models. Specifically, we examine chairman of the board, independent director, and audit committee turnover. The coefficient for IT Weakness is positive and significant (p<0.01) for models 1 and 2. Thus, the tests indicate that IT material weakness firms are more likely to experience chairman of the board and independent director turnover relative to control firms. Interestingly, the coefficient for IT Weakness Firm is insignificant for model 3, suggesting that the likelihood of audit committee turnover does not increase with IT material weakness firms. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms have a 12.5% and 22.4% greater likelihood of chairman of the board and independent director turnover, respectively. In models 4, 5, and 6, we again use our three classifications of IT material weaknesses. The coefficient for Data Processing Integrity is positive and significant (p<0.01) for models 4 and 5, suggesting that IT material weaknesses related to data processing integrity issues increase the likelihood of chairman of the board and independent director turnover. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms with data processing integrity issues (relative to IT weakness and Non-

22

IT weakness firms without data processing integrity issues) have a 16.9% and 15.8% greater likelihood of chairman of the board and independent director turnover, respectively. In addition the coefficient for System Structure and Usage in regards to audit committee turnover is significant (p<0.10). When we estimate the marginal effects (dy/dx), our results suggest that IT material weakness firms with system structure and usage issues have an 11.17% greater likelihood of audit committee member turnover. In Table 5, we report results of our change to IT governance and count of IT governance change models. The coefficient for IT Weakness is positive and significant (p<0.01) for models 1 and 2. Thus, the results indicate that IT material weakness firms are more likely to undergo at least one change to their IT governance and are positively associated with the total number of IT governance changes. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms are 29.4% more likely to perform at least one change to their IT governance. In models 3 and 4 of Table 5, we use our three classification measures of IT material weaknesses. The coefficients for Data Processing Integrity is positive and significant (p<0.01) for models 3 and 4, suggesting that firms with IT material weaknesses related to data processing integrity issues are more likely to pursue a change to IT governance and have higher total counts of IT governance changes. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms with data processing integrity issues are 20.5% more likely to perform at least one change to their IT governance. Table 6 reports the results of estimation of the change in CEO and CFO IT knowledge models. The coefficient for IT Weakness is positive and significant (p<0.10) for models 1 and 2.

23

Thus, the results imply that IT material weakness firms, compared to control firms, are more likely replace their CEOs and CFOs with executives that possess IT knowledge. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms are 1.3% and 4.9% more likely to replace their CEOs and CFOs, respectively, with individuals possessing IT knowledge. In models 3 and 4 of Table 6, we use our three classification measures of IT material weaknesses. The results show no significance on any of the tree classification measures. Table 7 reports the results of estimation of the change in chairman of the board, director, and audit committee IT knowledge models. The coefficient for IT Weakness is positive and significant (p<0.05) for model 1. Thus, the results imply that IT material weakness firms are more likely to replace their chairman of the board with individuals that possess IT knowledge. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms are 5.7% more likely to replace their chairman of the board with individuals possessing IT knowledge. Interestingly, we do not find that IT material weakness firms, relative to control firms, are more likely to hire directors or audit committee directors with IT knowledge. In models 4, 5, and 6 of Table 7, we use our three classification measures of IT material weaknesses. The coefficient for Data Processing Integrity is positive and significant (p<0.10) for model 4, suggesting that IT material weaknesses related to data processing issues increase the likelihood of the firm replacing the chairman of the board with an IT knowledge individual. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms with data processing

24

integrity issues are 4.49% more likely to replace their chairman of the board with an individual having IT knowledge In Table 8, we estimate several variations of our major IT initiative models. The coefficient for IT Weakness is positive and significant (p<0.01) for models 1, 2, and 3. Thus, the results are consistent with the notion that IT material weakness firms, compared to control firms, are more likely to upgrade their IT in general. Furthermore, after classifying IT upgrades into financial, accounting, and non-financial IT upgrades, we find that IT material weakness firms are more likely to upgrade their financial and accounting IT. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms are 35.2%, 36.5%, and 23.3% more likely to upgrade their IT, financial IT, and accounting IT, respectively. In models 6 through 10 of Table 8, we use our three classification measures of IT material weaknesses. The coefficients for Data Processing Integrity and System Access and Security are positive and significant (p<0.05) for model 6 and 7, suggesting that IT material weakness firms with data processing integrity and system access and security issues are more likely to upgrade their IT and specifically, their financial IT. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms with data processing integrity issues (relative to IT weakness and Non-IT weakness firms without data processing integrity issues) are 24.7% (25.4%) more likely to upgrade their IT (financial IT). In addition, IT material weakness firms with system access and security issues (relative to IT weakness and Non-IT weakness firms without system access and security issues) are 12% (10.7%) more likely to upgrade their IT (financial IT). The coefficient for Data Processing Integrity is positive and significant (p<0.01)

25

for model 8, suggesting that IT material weakness firms with data processing integrity issues are more likely to upgrade their accounting IT. When we estimate the marginal effects (dy/dx), our results suggest that, after controlling for other important economic determinants, IT material weakness firms with data processing integrity issues are 18.9% more likely to upgrade their accounting IT. Additional Analysis We find that IT material weakness firms, compared to control firms, are more likely to replace executives with individuals with IT knowledge as well as make major IT initiative changes. In subsequent analysis, we examine whether IT weakness firms that undergo such remediation efforts are better able to remediate their internal control weaknesses. Table 9 reports results of OLS models that regress the change in the total count of material weaknesses from t to t+2 on IT knowledge changes, major IT initiative changes, and control variables.7 As shown in Model 1 of Table 9, the coefficient of Any IT Knowledge Change is negative and significant (p<0.05), suggesting that any change to IT knowledge (within CEO/CFO/board of directors) is associated with a reduction of counts of material weaknesses from t to t+2. However, only the coefficients for CFO IT Knowledge and Director IT Knowledge are negative and significant (p<0.10) for models 2, 3, and 4. Thus, suggesting that IT weakness firms that replace (fill) their CFO (board seats) with individuals possessing IT knowledge, compared to IT weakness firms that do not, are more likely to reduce the number of internal control weaknesses by year t+2. VI. Conclusion The extant literature examines the effects of financial reporting breakdowns on companies. Many studies document turnover and other forms of remediation in response to

For our control variables, we include changes to firm size, leverage, performance, complexity, governance, and industry characteristics (Doyle et al. 2007; Johnstone et al. 2010; Masli et al. 2010).
7

26

accounting restatements and material weaknesses in internal control over financial reporting. Our study extends this literature by examining a unique failure of the financial reporting system. Specifically we examine IT related internal control material weaknesses, because the evidence suggests these weaknesses can be more detrimental to firms than other weaknesses. In this study, we compare the remediation efforts of firms that report IT material weaknesses to firms that report non-IT weaknesses. We find that the IT weakness firms have higher levels of turnover of both executives and directors. This suggests that the firms are punishing these executives and directors for the problems that IT weaknesses cause within the financial reporting process. We also find that these firms follow this turnover with greater remediation efforts by making changes to the corporate governance structure. Specifically, we document that these firms replace (add) outgoing executives (directors) with individuals possessing IT knowledge, and thus should have a better understanding of the IT weaknesses. In addition, the IT weakness firms are more likely to upgrade their financial reporting IT and make other IT initiative changes. However, we find evidence suggesting that IT weakness firms that replace their CFO (and add directors) with IT knowledge are associated with successful remediation of internal control weaknesses. Overall, the evidence suggests that firms do recognize the importance of the role IT plays within the financial reporting process. In the event of a failure, firms go to great lengths to remediate the problems. We urge officers and directors of the firm to understand the importance of IT in the financial reporting process and suggest they maintain strong oversight not just in responding to IT failure, but also in preventing IT failure in financial reporting systems to occur.

27

References Agrawal, A., and T. Cooper. 2007. Corporate governance consequences of accounting scandals: Evidence from top management, CFO and auditor turnover. Working paper, University of Alabama. Ashbaugh-Skaife, H., D. Collins, W. Kinney, and R. LaFond. 2009. The effect of SOX internal control deficiencies on firm risk and cost of equity. Journal of Accounting Research 47 (1): 1-43. Banker, R. D., N. Hu, J. Luftman, and P. Pavlou. 2010. CIO reporting structure, strategic positioning, and firm performance: To whom should the CIO report? Working paper, Temple University, University of Wisconsin, and Stevens Institute of Technology. Bart, C., and O. Turel. 2010. IT and the board of directors: An empirical investigation into the governance questions Canadian board members ask about IT. Journal of Information Systems 24 (2): 147-172. Beasley, M. S. 1996. An empirical analysis of the relation between the board of director composition and financial statement fraud. The Accounting Review 71 (4): 443-465. Bedard, J. C., M. L. Ettredge, and K. M. Johnstone. 2007. Using electronic audit workpaper systems in audit practice: Task analysis, learning, and resistance. Advances in Accounting Behavioral Research 10: 29 53. Bible, L., L. Graham, and A. Rosman. 2005. Comparing auditors performance in paper and electronic work environments. Journal of Accounting, Auditing & Finance (March): 27-42. Bowen, R., S. Rajgopal, and M. Venkatachalam. 2008. Accounting discretion, corporate governance, and firm performance. Contemporary Accounting Research 25 (2): 351-405. Brazel, J. F., C. P. Agoglia, and R. C. Hatfield. 2004. Electronic versus face-to-face review: The effects of alternative forms of review on auditors performance. The Accounting Review 79 (4): 949-966. Chatterjee, D. C., V. J. Richardson, and R. Zmud. 2001. Examining the shareholder effects of new CIO position announcements. Management Information Systems Quarterly 25 (1): 43-70. Collins, D., A. Masli, A. L. Reitenga, and J. M. Sanchez. 2009. Earnings restatements the Sarbanes-Oxley Act and the disciplining of Chief Financial Officers. The Journal of Accounting, Auditing, and Finance 24 (1): 1-34. Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal ControlIntegrated Framework. New York, NY: AICPA. . 2009a. Guidance. Guidance on Monitoring Internal Control Systems, Vol. I. Durham, NC: COSO. . 2009b. Application. Guidance on Monitoring Internal Control Systems, Vol. II. Durham, NC: COSO. . 2009c. Examples. Guidance on Monitoring Internal Control Systems, Vol. III. Durham, NC: COSO.

28

DeFond, M. L., R. N. Hann, and X. Hu. 2004. Does the market value financial expertise on audit committees of boards of directors? Journal of Accounting Research 43 (2): 153-193. Dehning, B., and V. J. Richardson. 2002. Returns on investments in information technology: A research synthesis. Journal of Information Systems 16 (1): 7-30. Deloitte & Touche LLP. Why information technology controls can't be ignored. 2005 [cited May 10 2011]. Available from http://www.deloitte.com/view/en_CA/ca/services/ceocfocertification/article/2b21cb79791fb110VgnVCM1 00000ba42f00aRCRD.htm. Desai, H., C. Hogan, and M. Wilkins. 2006. The reputational penalty for aggressive accounting: earnings restatements and management turnover. The Accounting Review 81 (1): 83-112. Dewan, S., S. C. Michael, and C. Min. 1998. Firm characteristics and investments in information technology: Scale and scope effects. Information Systems Research 9 (3): 219-232. Dowling, C. 2009. Appropriate audit support system use: The influence of auditor, audit team and firm factors. The Accounting Review 84 (3): 771-810. , and S. A. Leech. 2007. Audit support system design and decision aids: Current practice and opportunities for future research. International Journal of Accounting Information Systems 8: 92-116. Doyle, J., W. Ge, and S. McVay. 2007. Determinants of weaknesses in internal control over financial reporting. Journal of Accounting and Economics 44: 193-223. Farber, D. B. 2005. Restoring trust after fraud: Does corporate governance matter? The Accounting Review 80 (2): 539-561. Ferris, S., M. Jagannathan, and A. Pritchard. 2003. Too busy to mind the business? Monitoring by directors with multiple board appointments. Journal of Finance 48: 1087-1112. Floyd, S. W., and B. Wooldridge. 1990. Path analysis of the relationship between competitive strategy, information technology, and financial performance. Journal of Management Information Systems 7 (1): 47-64. Francis, J., and K. Schipper. 1999. Have financial statements lost their relevance? Journal of Accounting Research 37 (2): 319-352. Ge, W., and S. McVay. 2005. The disclosure of material weaknesses in internal control after the SarbanesOxley Act. Accounting Horizons 19 (3): 137-158. Goh, B. W. 2009. Audit committees, boards of directors, and remediation of material weaknesses in internal control. Contemporary Accounting Research, Forthcoming. Hammersley, J., L. Myers, and C. Shakespeare. 2008. Market reactions to the disclosure of internal control weakness and to the characteristics of those weaknesses under Section 302 of the Sarbanes Oxley Act of 2002. Review of Accounting Studies 13: 141-165.

29

Hennes, K., A. Leone, and B. Miller. 2008. The importance of distinguishing errors from irregularities in restatement research: The case of restatements and CEO/CFO turnover. The Accounting Review 83 (6): 1487-1519. Hogan, C., and M. Wilkins. 2008. Evidence on the audit risk model: Do auditors increase audit fees in the presence of internal control deficiencies? Contemporary Accounting Research 25: 219-242. Hoitash, U., R. Hoitash, and J. Bedard. 2009. Corporate governance and internal control over financial reporting: A comparison of regulatory regimes. The Accounting Review 84 (3): 839-867. Hunton, J. E., B. Lippincott, and J. L. Reck. 2003. Enterprise resource planning systems: Comparing firm performance of adopters and nonadopters. International Journal of Accounting Information Systems 4: 165-184. , E. G. Mauldin, and P. R. Wheeler. 2008. Potential functional and dysfunctional effects of continuous monitoring. The Accounting Review 83 (6): 1551-1569. Information Technology Governance Institute (ITGI). 2006. ISACA/ITGI Response to SEC Concept Release. Rolling Meadows, IL: Information Systems Assurance and Control Association (ISACA). . 2007. COBIT 4.1. Rolling Meadows, IL. Available on-line on March 28, 2008 at: http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cf m&TPLID=55&ContentID=7981 Jensen, M. 1993. The modern industrial revolution, exit and the failure of internal control systems. Journal of Finance 48: 831-880. Johnstone, K, C. Li, and K. Rupley. 2010. Changes in corporate governance associated with the revelation of internal control material weaknesses and their subsequent remediation. Contemporary Accounting Research, Forthcoming. Klamm, B. K., and M. W. Watson. 2009. SOX 404 reported internal control weaknesses: A test of COSO framework components and information technology. Journal of Information Systems 23 (2) Fall: 1-23. Klein, A. 2002. Audit committees, board of director characteristics, and earnings management. Journal of Accounting and Economics 33: 375-400. Kobelsky, K., V. J. Richardson, R. E. Smith, and R. W. Zmud. 2008. Determinants and consequences of firm information technology budgets. The Accounting Review 83 (4): 957-995. Krishnan, J. 2005. Audit committee quality and internal control: An empirical analysis. The Accounting Review 72: 539-560. Larcker, D., S. Richardson and I. Tuna. 2007. Corporate governance, accounting outcomes, and organizational performance. The Accounting Review 82 (4): 963-1008.

30

Li, C., G. Peters, V. J. Richardson, and M. W. Watson. 2010a. The consequences of information technology control weaknesses on management information systems: The case of Sarbanes-Oxley internal control reports. Management Information Systems Quarterly, Forthcoming. , L. Sun, and M. Ettredge. 2010b. Financial executive quality, financial executive turnover, and adverse SOX 404 opinions. Journal of Accounting and Economics, Forthcoming. Masli, A., G. Peters, V. J. Richardson, and J. M. Sanchez. 2010. Examining the potential benefits of internal control monitoring technology. The Accounting Review 85 (3): 1001-1034. Messier, W. 1995. Research in and development of audit-decision aids. In Judgment and Decision-Making Research in Accounting and Auditing, edited by Ashton, R., and A. Ashton, 207-230. New York, NY: Cambridge University Press. Nolan, R. and F. W. McFarlan. 2005. Information technology and the board of directors. Harvard Business Review October 2005: 1-11. ODonnell, E., and J. David. 2000. How information systems influence user decisions: A research framework and literature review. International Journal of Accounting Information Systems 1 (3): 178-203. , and J. J. Schultz. 2003. The influence of business-process-focused audit support software on analytical procedures judgments. Auditing: A Journal of Practice & Theory 22 (2): 265-279. Public Company Accounting Oversight Board (PCAOB). 2004. An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing Standard No. 2. Washington, D.C.: PCAOB. . 2007. An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. Auditing Standard No. 5. Washington, D.C.: PCAOB. Srinivasan, S. 2005. Consequences of financial reporting failure for outside directors: Evidence from accounting restatements and audit committee members. Journal of Accounting Research 43 (2): 291-334. Weisbach, M. 1988. Outside directors and CEO Turnover. Journal of Financial Economics 20: 431-460. Ye, Z. and J. Krishnan. 2008. Weak internal controls, auditor fees, and shareholder dissatisfaction. Working paper, Kennesaw State University. Yermack, D. 2004. Remuneration: Retention and reputation incentives for outside directors. Journal of Finance 59: 2281-2308.

31

Table 1 Sample Selection and Distribution Panel A: Sample reconciliation Firm year observations identified with IT Material Weaknesses Less: Firms for which no DEF 14A or 10-K was found Less: Firms not in the Compustat Database Final # of IT Material Weakness firm year observations Random sample of non-IT Material Weakness firm year observations Final # of firm year observations Panel B: Industry representation Industry Chemicals Electrical Equipment Financial Institutions Healthcare Media Oil Retail Sales Services All Others Total Panel C: Year distribution Year 2004 2005 2006 Total 2-Digit SIC Code 28-29 36, 38 35 60-65, 67 80, 82 27, 48 13, 46 50-59 70-79 All Others n 36 77 33 84 25 27 18 51 118 109 578 n 205 201 172 578 % Total 6.23% 13.32% 5.71% 14.53% 4.33% 4.67% 3.11% 8.82% 20.42% 18.86% 100% % of Total 35.47% 34.78% 29.76% 100% 305 9 7 289 289 578

32

Table 2. Variable Definitions Panel A: Turnover Dependent Variable Definitions Variable Definition CEO Turnover Equals one if there is CEO turnover in year t, t+1, or t+2; zero otherwise. CFO Turnover Equals one if there is CFO turnover in year t, t+1, or t+2; zero otherwise. Equals one if there is Chairman of the board of directors turnover in year t, t+1, or Chairman Turnover t+2; zero otherwise. Director Turnover Equals one if there is any director turnover in year t, t+1, or t+2; zero otherwise. Independent Director Equals one if there is any independent director turnover in year t, t+1, or t+2; zero Turnover otherwise. Audit Committee Equals one if there is any audit committee turnover in year t, t+1, or t+2; zero Turnover otherwise. Panel B: IT Governance Change Dependent Variable Definitions Variable Definition Any IT Governance Equals one if the firm hires any managers or directors with IT knowledge or makes Change an IT Initiative Change in year t, t+1, or t+2; zero otherwise. Count of IT Equals a count of the number of IT changes made in year t, t+1, or t+2. This Governance Changes variable can range from 0 to 7. Equals one if the firm replaced a NON-IT knowledge CEO with an IT Knowledge CEO IT Knowledge CEO in year t, t+1, or t+2 ; zero otherwise. Equals one if the firm replaced a NON-IT knowledge CFO with an IT Knowledge CFO IT Knowledge CFO in year t, t+1, or t+2 ; zero otherwise. Chairman IT Equals one if the firm replaced a NON-IT knowledge BOD Chairman with an IT Knowledge Knowledge BOD Chairman in year t, t+1, or t+2 ; zero otherwise. Director IT Equals one if the firm hired at least one director with IT knowledge in year t,t+1, or Knowledge t+2 ; zero otherwise. Audit Committee IT Equals one if the firm hired at least one audit committee member with IT Knowledge knowledge in year t,t+1, or t+2 ; zero otherwise. IT Upgrade Equals one if the firm upgraded their IT; zero otherwise Financial IT Upgrade Equals one if the firm upgraded their financial reporting IT; zero otherwise Accounting IT Equals one if the firm upgraded their accounting IT; zero otherwise Upgrade Non-Financial IT Equals one if the firm upgraded their non-financial reporting IT; zero otherwise Upgrade Equals one hired an IT executive, added a technology committee, or moved the CIO IT Management to be a top 5 executive in year t,t+1, or t+2; zero otherwise.

33

Panel C: Independent Variables Variable Definition Main Independent Variables Equals one if the firm reported and IT material weakness in internal controls in year IT Weakness Firm t; zero otherwise. Data Processing Integrity Equals one if a firm has ITMW related to data processing integrity; zero otherwise. System Access and Equals one if a firm has ITMW in the data quality dimension of access; zero Security otherwise. System Structure and Usage Equals one if a firm has ITMW in IT structure quality dimensions; zero otherwise. Control Variables Number of Equal to the total number of SOX 404 material weaknesses in internal control Weaknesses report by the firm in year t. LnAssets Equal to the natural log of total assets in year t. Leverage Equals to total debt divided by total assets in year t. BTM Equals to the book to market ratio in year t. Equals to the return on assets calculated as net income divided by total assets in ROA year t. Loss Equals one if the company reports a net loss in year t; zero otherwise. Equals to the proportion of institutional shareholdings of common stock in the firm Institutional Holdings in year t. Analyst Equals to the average number of analysts following the firm in year t. Equals one if the company reports a restatement in year t-1, t, or t+1; zero Restatement otherwise. Board Size Equals to the number of directors serving on the board in year t. Board Independence Equals to the proportion of independent directors serving on the board in year t. CEO Chairman Equals one if the CEO is also the chairman of the board in year t; zero otherwise. Equals average sales growth for t-1 and t. (sales growth is calculated as sales in year Avg Sales Growth t/ sales in year t-1) Equals the standard deviation of earnings before extraordinary items for previous Uncertainty five years scaled by sales Automate Equals one if automate industry IT role, zero otherwise. Transform Equals one if transform industry IT role, zero otherwise. High Tech Equals one if high-tech industry, zero otherwise. Low Tech Equals one if low-tech industry, zero otherwise. Foreign Equals one if the firm engaged in foreign transactions, zero otherwise. Merger Equals one if the firm engaged in mergers and acquisitions, zero otherwise. Restructuring Equals one if the firm engaged in restructuring activity, zero otherwise. Growth Equals sales in year t divided by sales in year t-1 Product Differentiation Equals to operating income over sales Cost Leadership Equals to sales over assets Sum of IT Knowledge Equals the sum of CEO IT Knowledge, CFO IT Knowledge, Chairman IT Score Knowledge, Director IT Knowledge, & Audit Committee IT Knowledge variables.

34

Table 3. Selected Summary Statistics for IT Material Weakness and Non-IT Material Weakness Firms
Panel A: Descriptive statistics for control variables IT Weakness Firms N= 289 Mean Median 0.716 1 0.512 1 0.208 0 3.888 3 6.027 5.813 0.231 0.157 -0.067 0.406 -0.162 0.002 0.484 0 0.398 0.374 3.913 1 0.63 1 8.232 8 0.71 0.714 0.114 0 1.298 1.327 0.031 0.142 0.269 0.035 0.363 0.048 0.318 -0.354 0.991 0.678 1.141 0.169 0 0 0 0 0 0 0 0.063 0.815 0 Non-IT Weakness Firms N= 289 Mean Median p-value Diff

Variables Data Processing Integrity System Access and Security System Structure and Usage Number of Weaknesses LnAssets Leverage BTM ROA Loss Institutional Holdings Analyst Restatement Board Size Board Independence CEO Chairman Avg Sales Growth Uncertainty Automate Transform High Tech Low Tech Foreign Merger Restructuring Product Differentiation Cost Leadership Sum of IT Knowledge Score

1.594 6.311 0.211 0.46 -0.034 0.332 0.478 5.671 0.63 8.384 0.755 0.187 1.272 2.601 0.044 0.149 0.311 0.038 0.339 0.045 0.301 -0.264 0.864 0.371

1 6.144 0.141 0.416 0.019 0 0.498 4 1 8 0.778 0 1.123 0.173 0 0 0 0 0 0 0 0.101 0.689 0

<0.001 0.047 0.399 0.107 0.014 <0.001 0.008 0.008 0.932 0.468 <0.001 0.015 0.628 0.107 0.385 0.814 0.272 0.824 0.543 0.844 0.719 0.631 0.047 <0.001

Panel B: Descriptive statistics for executive and director turnover IT Weakness Firms n= 289 Variables Mean Median CEO Turnover 0.491 0 CFO Turnover 0.754 1 Chairman Turnover 0.225 0 Director Turnover 0.751 1 Independent Director Turnover 0.637 1 Audit Committee Turnover 0.322 0 35

Non-IT Weakness Firms n= 289 Mean Median 0.349 0 0.522 1 0.104 0 0.595 1 0.495 0 0.315 0

p-value Diff 0.001 <0.001 <0.001 <0.001 0.001 0.859

Panel C: Descriptive statistics for change in IT governance variables IT Weakness Firms n= 289 Variables Mean Median Any Change to IT Governance 0.675 1 Count of IT Governance Changes 1.179 1 CEO IT Knowledge 0.059 0 CFO IT Knowledge 0.142 0 Chairman IT Knowledge 0.17 0 Director IT Knowledge 0.197 0 Audit Committee IT Knowledge 0.111 0 IT Upgrade 0.491 0 Financial IT Upgrade 0.474 0 Accounting IT Upgrade 0.304 0 Non-Financial IT Upgrade 0.052 0 IT Management 0.093 0

Non-IT Weakness Firms n= 289 Mean Median 0.349 0 0.502 0 0.02 0 0.045 0 0.045 0 0.135 0 0.09 0 0.093 0 0.058 0 0.031 0 0.052 0 0.058 0

p-value Diff <0.001 <0.001 0.019 <0.001 0.001 0.044 0.407 <0.001 <0.001 <0.001 1.000 0.117

36

Table 4. IT Material Weaknesses and Turnover The sample consists of IT and non-IT material weakness firm-year observations. The dependent variable is an indicator variable set equal to one if there was turnover in the specified position in any of the years t, t+1, and t+2. Panel A. Executive and director turnover Model 1 Variables IT Weakness IT Weakness Classification Data Processing Integrity System Access and Security System Structure and Usage Pred + Model 2 Model 3 Model 4 Model 5 Model 6 CEO CFO Director CEO CFO Director Turnover Turnover Turnover Turnover Turnover Turnover 0.338** 0.738*** 0.982*** (0.047) (0.000) (0.000)

0.438** (0.047) -0.516 (0.968) 0.156 (0.318)

0.629** (0.014) -0.021 (0.528) -0.258 (0.738)

0.733*** (0.005) 0.014 (0.481) 0.082 (0.408)

(Note:Controlvariablesincludedintheregressionappearonthenextpage)

37

Table 4 Panel A continued Variables

Control Variables Number of Weaknesses LnAssets Leverage BTM ROA Loss Institutional Holdings Analyst Restatement Board Size Board Independence CEO Chairman Automate Transform High Tech Low tech Intercept Year Indicator Number of observations Model 2 Pseudo R2 Correctly Classified

Model 1 Model 2 Model 3 Model 4 Model 5 Model 6 CEO CFO Director CEO CFO Director Pred Turnover Turnover Turnover Turnover Turnover Turnover
+ + + + + + + + ? + -/+ ? ? ? ? 0.103*** (0.006) -0.094 (0.904) 0.139 (0.352) 0.022* (0.089) 0.155 (0.786) 0.384** (0.027) -0.408 (0.885) 0.010 (0.314) -0.094 (0.687) 0.167*** (0.000) -0.627 (0.836) 0.147 (0.702) -0.053 (0.904) 0.753*** (0.006) 0.306 (0.168) 0.225 (0.669) -1.590** (0.018) Included 578 42.29 0.067 0.634 0.164*** (0.002) -0.045 (0.717) -0.533 (0.891) 0.032** (0.019) -0.082 (0.386) 0.494** (0.012) -0.612 (0.959) 0.034** (0.049) 0.391** (0.027) -0.022 (0.607) -0.047 (0.529) -0.177 (0.278) 0.999* (0.058) 0.184 (0.520) -0.115 (0.628) 0.007 (0.989) -0.196 (0.766) Included 578 61.35 0.111 0.692 -0.079 (0.973) -0.076 (0.831) -0.565 (0.912) -0.559 (0.999) 0.225 (0.841) 0.069 (0.374) 0.482* (0.086) -0.004 (0.578) 0.614*** (0.001) 0.136*** (0.009) -0.729 (0.853) 0.918*** (0.004) 0.153 (0.753) -0.016 (0.957) -0.248 (0.293) 0.316 (0.578) 0.175 (0.809) Included 578 65.47 0.101 0.688 0.128*** (0.002) -0.092 (0.897) 0.113 (0.379) 0.025* (0.085) 0.132 (0.750) 0.363** (0.035) -0.440 (0.899) 0.010 (0.314) -0.162 (0.794) 0.167*** (0.000) -0.816 (0.902) 0.153 (0.709) -0.055 (0.897) 0.725*** (0.008) 0.256 (0.255) 0.179 (0.729) -1.311** (0.050) Included 578 43.58 0.069 0.634 0.193*** (0.001) -0.035 (0.669) -0.578 (0.908) 0.032** (0.018) -0.092 (0.377) 0.483** (0.014) -0.613 (0.962) 0.032* (0.054) 0.352** (0.042) -0.021 (0.624) -0.245 (0.647) -0.175 (0.272) 0.965* (0.074) 0.143 (0.610) -0.138 (0.556) -0.102 (0.833) 0.013 (0.984) Included 578 55.00 0.104 0.697 -0.059 (0.911) -0.056 (0.760) -0.629 (0.932) -0.597 (0.999) 0.214 (0.833) 0.054 (0.400) 0.494* (0.080) -0.005 (0.599) 0.564*** (0.003) 0.133** (0.011) -0.995 (0.930) 0.855*** (0.006) 0.132 (0.780) -0.055 (0.845) -0.289 (0.215) 0.229 (0.685) 0.472 (0.515) Included 578 54.51 0.087 0.689

note: *** p<0.01, ** p<0.05, * p<0.10. The p-values are listed in parentheses under the coefficient.

38

Panel B. Type of director turnover Model 1 Variables IT Weakness IT Weakness Classification Data Processing Integrity System Access and Security System Structure and Usage

Model 2

Model 3

Model 4 Chairman of BOD Turnover

Model 5

Model 6

Pred +

Chairman Independent Audit of BOD Director Committee Turnover Turnover Turnover 0.966*** 0.951*** 0.216 (0.001) (0.000) (0.155)

Independent Audit Director Committee Turnover Turnover

1.169*** (0.000)

0.679*** (0.004) 0.132 (0.315) 0.009 (0.489)

0.107 (0.351) -0.002 (0.502) 0.486* (0.071)

-0.476 (0.922)

-0.199 (0.687)

39

Table 4 Panel B Continued Model 1 Chairman of BOD Turnover

0.017 (0.347) 0.029 (0.379) 0.024 (0.480) -0.414 (0.996) -0.120 (0.314) 0.185 (0.234) 0.177 (0.348) 0.013 (0.307) 0.460* (0.051) 0.111** (0.040) 1.329 (0.121) 0.088 (0.410) 0.208 (0.712) -0.105 (0.775) 0.118 (0.679) 0.457 (0.456) -5.205*** (0.000)

Variables Control Variables Number of Weaknesses LnAssets Leverage BTM ROA Loss Institutional Holdings Analyst Restatement Board Size Board Independence CEO Chairman Automate Transform High Tech Low tech Intercept

Pred + + + + + + + + ? + + ? ? ? ?

Model 2 Independent Director Turnover

-0.088 (0.989) -0.025 (0.631) -0.352 (0.798) -0.474 (0.979) 0.253 (0.805) 0.243 (0.120) 0.680** (0.021) -0.004 (0.583) 0.395** (0.021) 0.171*** (0.000) 1.714*** (0.005) 0.518** (0.042) -0.193 (0.669) 0.316 (0.248) -0.125 (0.579) 0.206 (0.700) -2.902*** (0.000)

Model 3 Audit Committee Turnover

-0.079 (0.969) -0.001 (0.505) -0.142 (0.631) -0.254 (0.983) 0.081 (0.643) 0.034 (0.436) -0.153 (0.669) -0.012 (0.717) 0.469** (0.011) 0.079* (0.063) 0.618 (0.189) 0.524** (0.038) -0.483 (0.378) 0.325 (0.227) 0.204 (0.373) 0.355 (0.488) -2.040*** (0.004)

Model 4 Chairman of BOD Turnover

0.038 (0.217) 0.063 (0.260) -0.062 (0.550) -0.444 (0.995) -0.148 (0.271) 0.174 (0.251) 0.175 (0.348) 0.014 (0.299) 0.400* (0.077) 0.113** (0.042) 0.946 (0.195) 0.073 (0.427) 0.195 (0.732) -0.087 (0.814) 0.072 (0.804) 0.351 (0.589) -4.932*** (0.000)

Model 5 Independent Director Turnover

-0.072 (0.965) -0.003 (0.518) -0.430 (0.846) -0.507 (0.984) 0.231 (0.797) 0.221 (0.139) 0.691** (0.019) -0.004 (0.584) 0.361** (0.032) 0.169*** (0.000) 1.415** (0.013) 0.452* (0.064) -0.223 (0.618) 0.278 (0.301) -0.161 (0.473) 0.146 (0.782) -2.615*** (0.000)

Model 6 Audit Committee Turnover

-0.085 (0.973) 0.005 (0.524) -0.146 (0.634) -0.237 (0.973) 0.064 (0.620) -0.001 (0.503) -0.174 (0.690) -0.011 (0.699) 0.469** (0.011) 0.078* (0.064) 0.530 (0.222) 0.506** (0.042) -0.474 (0.395) 0.306 (0.261) 0.175 (0.446) 0.390 (0.447) -1.974*** (0.006)

Year Indicator Included Included Included Included Included Number of observations 578 578 578 578 578 38.73 57.36 25.89 43.13 50.26 Model 2 Pseudo R2 0.098 0.099 0.042 0.101 0.087 Correctly Classified 0.847 0.643 0.689 0.846 0.657 note: *** p<0.01, ** p<0.05, * p<0.10. The p-values are listed in parentheses under the coefficient.

Included 578 27.09 0.045 0.694

40

Table 5. IT Material Weaknesses and Changes to IT Governance

The sample consists of IT and non-IT material weakness firm-year observations. The dependent variable Any Change to IT Governance is an indicator variable set equal to one if there were any changes to IT Governance made in any of the years t, t+1, or t+2. The dependent variable Count of IT Governance Changes is a count of the total number of changes made to IT Governance made in the years t, t+1, and t+2. These IT Governance changes include hiring or appointing a CEO, CFO, director, chairman, or audit committee member with IT knowledge, upgrading the Financial IT, or making an IT management Change. Model 1 Model 2 Model 3 Model 4 Any Change Count of IT Any Change Count of IT Variables Pred to IT Governance to IT Governance Governance Changes Governance Changes IT Weakness Firm + 1.211*** 1.157*** (0.000) (0.000) IT Weakness Classification Data Processing Integrity + 0.840*** 0.610*** (0.001) (0.004) System Access and Security + 0.303 0.282 (0.132) (0.125) System Structure and Usage + -0.310 -0.103 (0.808) (0.635) Control Variables Number of Weaknesses + 0.108*** 0.108*** 0.133*** 0.130*** (0.006) (0.000) (0.002) (0.000) LnAssets ? -0.132** -0.100 -0.113 -0.091 (0.049) (0.145) (0.102) (0.190) ROA + 0.199 -0.017 0.185 -0.022 (0.163) (0.533) (0.172) (0.545) Avg Sales Growth -0.284* -0.147 -0.268* -0.136 (0.093) (0.225) (0.097) (0.231) Leverage -0.461 -0.429 -0.500* -0.430 (0.119) (0.128) (0.100) (0.123) Uncertainty + 0.023** 0.012* 0.021* 0.010 (0.044) (0.085) (0.056) (0.126) Automate + 0.363 0.143 0.308 0.074 (0.237) (0.363) (0.274) (0.432) Transform + -0.463 -0.131 -0.499 -0.169 (0.943) (0.671) (0.962) (0.726) High Tech + 0.114 0.465** 0.070 0.419** (0.314) (0.017) (0.383) (0.029) Low Tech ? -0.499 -0.405 -0.634 -0.490 (0.342) (0.401) (0.205) (0.284) Foreign ? 0.468** 0.603*** 0.487** 0.610*** (0.025) (0.001) (0.018) (0.001) Merger ? -0.156 0.126 -0.072 0.145 (0.755) (0.808) (0.874) (0.760) Restructuring ? 0.620*** 0.459** 0.596*** 0.466** (0.006) (0.021) (0.007) (0.019) Product Differentiation ? -0.059 -0.006 -0.060 -0.008 (0.253) (0.871) (0.272) (0.827) Cost Leadership ? 0.182 0.287** 0.207 0.307** (0.168) (0.024) (0.124) (0.019) Intercept -0.338 -0.309 (0.546) (0.580) Year Indicator Included Included Included Included Number of observations 578 578 578 578 102.46 145.03 86.60 120.08 Model 2 Pseudo R2 0.149 0.095 0.129 0.079 Correctly Classified 0.676 0.659 note: *** p<0.01, ** p<0.05, * p<0.10. The p-values are listed in parentheses under the coefficient.

41

Table 6. IT Material Weaknesses and Executive IT Knowledge

The sample consists of IT and non-IT material weakness firm-year observations. The dependent variable is an indicator variable set equal to one if the company replaced an executive lacking IT knowledge with an IT knowledge executive in any of the years t, t+1, or t+2. Model 1 Model 2 Model 3 Model 4 CEO IT CFO IT CEO IT CFO IT Variables Pred Knowledge Knowledge Knowledge Knowledge IT Weakness Firm + 0.821* 0.845** (0.075) (0.011) IT Weakness Classification Data Processing Integrity + 0.437 -0.154 (0.249) (0.620) System Access and Security + -0.215 0.554 (0.646) (0.133) System Structure and Usage + 0.152 -0.040 (0.411) (0.532) Control Variables Number of Weaknesses + 0.059 0.149*** 0.094* 0.174*** (0.185) (0.002) (0.092) (0.001) LnAssets ? -0.171 -0.190 -0.170 -0.195 (0.444) (0.215) (0.464) (0.214) ROA + -0.358 0.487* -0.362 0.442 (0.864) (0.090) (0.877) (0.111) Avg Sales Growth -1.061** 0.083 -0.989* 0.093 (0.048) (0.639) (0.056) (0.655) Leverage -0.810 -0.551 -0.840 -0.517 (0.216) (0.217) (0.202) (0.246) Uncertainty + 0.002 -0.000 -0.001 -0.001 (0.477) (0.508) (0.514) (0.518) Automate + 1.492 -0.081 1.368 -0.179 (0.104) (0.535) (0.117) (0.576) Transform + 1.231** -1.041 1.213** -1.025 (0.019) (0.971) (0.026) (0.973) High Tech + 0.328 -0.990** 0.310 -0.973** (0.297) (0.991) (0.312) (0.991) Low Tech ? 1.351 -1.410 1.240 -1.346 (0.209) (0.280) (0.267) (0.291) Foreign ? 0.623 0.290 0.578 0.327 (0.162) (0.393) (0.202) (0.339) Merger ? 1.159 0.569 1.178 0.644 (0.179) (0.343) (0.165) (0.291) Restructuring ? 1.373*** 0.978*** 1.382*** 0.969*** (0.007) (0.006) (0.007) (0.006) Product Differentiation ? 0.049 -0.152 0.039 -0.136 (0.687) (0.117) (0.751) (0.137) Cost Leadership ? 0.539* 0.193 0.525* 0.209 (0.064) (0.309) (0.075) (0.278) Intercept -3.459** -2.583** -3.273* -2.320** (0.048) (0.016) (0.060) (0.027) Year Indicator Included Included Included Included Number of observations 578 578 578 578 51.16 50.75 58.47 42.52 Model 2 Pseudo R2 0.183 0.140 0.174 0.129 Correctly Classified 0.962 0.909 0.961 0.911 note: *** p<0.01, ** p<0.05, * p<0.10. The p-values are listed in parentheses under the coefficient.

42

Table 7. IT Material Weaknesses and Board of Directors IT Knowledge The sample consists of IT and non-IT material weakness firm-year observations. The dependent variable is an indicator variable set equal to one if the company replaced a chairman lacking IT knowledge with an IT knowledge chairman or increased the total number of IT knowledge directors in any of the years t, t+1, or t+2. Model 1 Model 2 Model 3 Model 4 Model 5 Model 6 Audit Audit Chairman Director Chairman Director Committee Committee IT IT Variables Pred IT IT IT IT Knowledge Knowledge Knowledge Knowledge Knowledge Knowledge IT Weakness Firm + 0.725** 0.211 0.303 (0.011) (0.217) (0.188) IT Weakness Classification Data Processing Integrity + 0.581* -0.358 0.234 (0.065) (0.824) (0.300) System Access and Security + -0.471 0.400 0.407 (0.884) (0.142) (0.186) System Structure and Usage + 0.449 0.143 -0.531 (0.142) (0.367) (0.833) Control Variables Number of Weaknesses + 0.072* 0.083** 0.012 0.097** 0.095** 0.003 (0.063) (0.036) (0.409) (0.025) (0.022) (0.482) LnAssets ? -0.484*** -0.066 0.065 -0.491*** -0.066 0.085 (0.000) (0.546) (0.535) (0.000) (0.549) (0.435) ROA + 0.539** -0.493 -0.422 0.500** -0.507 -0.436 (0.011) (0.978) (0.954) (0.012) (0.983) (0.962) Avg Sales Growth -0.162 -0.127 0.068 -0.146 -0.129 0.040 (0.229) (0.333) (0.602) (0.254) (0.334) (0.565) Leverage 0.765 -1.081** -1.233 0.717 -1.099** -1.283* (0.933) (0.022) (0.94) (0.940) (0.020) (0.052) Uncertainty + 0.009 0.007 -0.181* 0.006 0.007 -0.169* (0.269) (0.376) (0.966) (0.352) (0.377) (0.960) Automate + -0.031 -0.277 -0.038 -0.297 (0.516) (0.601) (0.519) (0.607) Transform + 0.332 0.451* 0.483 0.309 0.457* 0.494 (0.178) (0.092) (0.132) (0.189) (0.090) (0.124) High Tech + 0.555** 0.955*** 1.437*** 0.472* 0.964*** 1.467*** (0.041) (0.001) (0.000) (0.074) (0.001) (0.000) Low Tech ? -0.514 0.322 0.021 -0.504 0.375 -0.021 (0.639) (0.625) (0.983) (0.650) (0.566) (0.983) Foreign ? 0.839*** 0.581** 0.144 0.831*** 0.582** 0.152 (0.004) (0.026) (0.671) (0.006) (0.026) (0.656) Merger ? 0.170 -0.039 -1.555 0.233 -0.020 -1.531 (0.767) (0.948) (0.144) (0.686) (0.973) (0.148) Restructuring ? 1.019*** 0.309 -0.363 1.017*** 0.337 -0.357 (0.001) (0.253) (0.294) (0.001) (0.214) (0.299) Product Differentiation ? -0.016 0.099 0.191 -0.030 0.101 0.180 (0.783) (0.178) (0.139) (0.617) (0.161) (0.134) Cost Leadership ? -0.315 -0.036 -0.111 -0.336 -0.024 -0.101 (0.187) (0.852) (0.639) (0.160) (0.899) (0.667) Intercept -0.675 -1.796** -3.234*** -0.451 -1.770** -3.326*** (0.473) (0.023) (0.001) (0.632) (0.027) (0.001) Year Indicator Included Included Included Included Included Included Number of observations 556 578 578 556 578 578 65.92 50.03 34.47 64.19 51.99 38.91 Model 2 Pseudo R2 0.163 0.102 0.098 0.103 0.104 0.103 Correctly Classified 0.873 0.826 0.901 0.875 0.831 0.904 note: *** p<0.01, ** p<0.05, * p<0.10. The p-values are listed in parentheses under the coefficient.

43

Table 8. IT Material Weaknesses and other Major IT Initiatives

The sample consists of IT and non-IT material weakness firm-year observations. The dependent variable is an indicator variable set equal to one if the company upgraded the IT or made a change to the IT management in any of the years t, t+1, or t+2. IT management changes include hiring a person in to a newly announced IT position, creating and IT committee on the board, or the CIO becoming one of the top 5 paid executives of the firm.
Model 1 Variables IT Weakness Firm IT Weakness Classification Data Processing Integrity System Access and Security System Structure and Usage Control Variables Sum of IT Knowledge Score Number of Weaknesses LnAssets ROA Avg Sales Growth Leverage Uncertainty Automate Transform High Tech Low Tech Foreign Merger Pred + IT Upgrade 2.036*** (0.000) Model 2 Financial IT Upgrade 2.484*** (0.000) Model 3 Accounting IT Upgrade 2.617*** (0.000) Model 4 NonFinancial IT Upgrade 0.101 (0.347) Model 5 IT Management 0.222 (0.279) 1.237*** (0.000) 0.600** (0.017) -0.274 (0.793) 0.242** (0.025) 0.109*** (0.004) 0.039 (0.602) 0.203 (0.163) 0.145 (0.765) 0.283 (0.759) 0.008 (0.365) 0.899** (0.021) -0.335 (0.833) -0.009 (0.513) -0.342 (0.594) 0.480** (0.038) 0.191 (0.697) 0.268** (0.019) 0.120*** (0.003) 0.056 (0.488) 0.165 (0.213) 0.230 (0.863) 0.351 (0.792) 0.012 (0.266) 1.210*** (0.006) -0.371 (0.850) 0.052 (0.431) -1.006 (0.155) 0.545** (0.027) 0.428 (0.426) 0.346** (0.014) 0.092** (0.019) 0.124 (0.134) 0.290 (0.143) 0.364 (0.967) 0.156 (0.630) 0.015 (0.235) 2.004*** (0.000) 0.029 (0.472) 0.382 (0.118) -1.613 (0.127) 0.666** (0.017) 0.390 (0.485) -0.144 (0.692) -0.018 (0.602) -0.150 (0.210) 2.302** (0.016) -0.523 (0.211) 0.077 (0.535) 0.003 (0.453) 0.437** (0.015) 0.052 (0.187) -0.079 (0.501) 0.409 (0.206) -1.364** (0.015) -0.509 (0.229) 0.051* (0.085) -0.301 (0.615) -1.212 (0.985) -0.059 (0.552) -1.193 (0.199) -0.083 (0.832) 1.055* (0.073) 0.314*** (0.006) 0.123*** (0.004) 0.086 (0.276) 0.177 (0.177) 0.143 (0.778) 0.196 (0.697) 0.005 (0.370) 0.725** (0.046) -0.409 (0.887) -0.077 (0.607) -0.569 (0.362) 0.466** (0.039) 0.306 (0.574) 1.393*** (0.000) 0.599** (0.021) -0.319 (0.821) 0.346*** (0.003) 0.142*** (0.002) 0.106 (0.220) 0.135 (0.242) 0.224 (0.884) 0.241 (0.726) 0.007 (0.339) 0.918** (0.017) -0.459 (0.909) -0.032 (0.545) -1.289* (0.070) 0.526** (0.025) 0.558 (0.333) 1.556*** (0.000) 0.171 (0.297) -0.355 (0.834) 0.430*** (0.002) 0.116*** (0.008) 0.179** (0.047) 0.212 (0.185) 0.346 (0.980) 0.069 (0.562) 0.007 (0.333) 1.578*** (0.000) -0.109 (0.612) 0.253 (0.209) -1.954* (0.061) 0.678*** (0.010) 0.492 (0.432) 0.465 (0.176) 0.208 (0.338) -0.757 (0.821) -0.140 (0.684) -0.041 (0.697) -0.154 (0.202) 2.462*** (0.010) -0.545 (0.181) 0.166 (0.572) 0.006 (0.406) -0.625 (0.911) 0.590 (0.102) 0.274 (0.316) 0.426** (0.016) 0.064 (0.158) -0.081 (0.504) 0.308 (0.274) -1.407** (0.017) -0.438 (0.256) 0.039 (0.166) -0.363 (0.638) -1.191** (0.985) -0.061 (0.555) -1.170 (0.197) -0.069 (0.861) 1.078* (0.060) Model 6 IT Upgrade Model 7 Financial IT Upgrade Model 8 Accounting IT Upgrade Model 9 NonFinancial IT Upgrade Model 10 IT Management

+ + +

+ + ? + + + + + ? ? ?

-0.317 (0.704) -0.720 (0.862) 0.115 (0.873) -0.578 (0.174) 1.057* (0.079)

-0.325 (0.705) -0.708 (0.861) 0.084 (0.905) -0.558 (0.194) 1.061* (0.078)

44

Restructuring

0.125 0.119 -0.644** 0.697* (0.628) (0.661) (0.029) (0.097) Product Differentiation ? -0.028 -0.026 -0.031 -0.005 (0.588) (0.634) (0.653) (0.962) Cost Leadership ? 0.379*** 0.423*** 0.220 0.398 (0.008) (0.005) (0.189) (0.114) Intercept -4.073*** -4.934*** -6.018*** -1.726 (0.000) (0.000) (0.000) (0.230) Year Indicator Included Included Included Included Number of observations 578 578 578 556 114.21 117.81 78.28 29.66 Model 2 0.222 0.273 0.256 0.086 Pseudo R2 Correctly Classified 0.775 0.812 0.843 0.946 note: *** p<0.01, ** p<0.05, * p<0.10. The p-values are listed in parentheses under the coefficient.

-0.144 (0.695) 0.309 (0.186) 0.682*** (0.001) -1.165 (0.355) Included 578 56.89 0.121 0.922

0.088 (0.729) -0.030 (0.528) 0.404*** (0.007) -3.899*** (0.000) Included 578 99.07 0.183 0.777

0.082 (0.758) -0.030 (0.539) 0.442*** (0.005) -4.494*** (0.000) Included 578 102.39 0.215 0.793

-0.655** (0.028) -0.039 (0.529) 0.239 (0.165) -5.355*** (0.000) Included 578 76.78 0.199 0.854

0.740* (0.084) 0.005 (0.965) 0.398 (0.117) -1.770 (0.203) Included 556 34.41 0.094 0.945

-0.159 (0.668) 0.243 (0.286) 0.686*** (0.001) -1.038 (0.411) Included 578 58.94 0.128 0.918

45

Table 9. Remediation of Weaknesses: The Influence of IT Governance Changes

The sample consists of IT material weakness firm-year observations. The dependent variable is the change in the total number of 404 material weaknesses reported from year t to t+2. Any IT Knowledge Change is defined as 1 if CEO IT Knowledge=1 OR CFO IT Knowledge=1 OR Chairman IT Knowledge=1 OR Director IT Knowledge=1 OR Audit Committee IT Knowledge=1, 0 otherwise. The changes in control variables represent changes from t to t+2. Please see Table 2 for other variable definitions. DV =Change in # of Weaknesses from t to t+2 Pred Model 1 Model 2 Model 3 Model 4 IT Knowledge Changes Any IT Knowledge Change -0.745** (0.048) CEO IT Knowledge -0.169 -0.064 -0.034 (0.391) (0.409) (0.484) CFO IT Knowledge -1.004* -0.930* -0.909* (0.070) (0.089) (0.072) Chairman IT Knowledge 0.426 0.423 0.409 (0.694) (0.695) (0.725) Director IT Knowledge -0.945* -0.913* -0.900** (0.058) (0.065) (0.045) Audit Committee IT Knowledge 0.885 0.915 0.911 (0.561) (0.560) (0.588) Major IT Initiatives Financial IT Upgrade -0.318 -0.314 (0.230) (0.225) IT management -0.234 (0.364) Control Variables Change in Ln Assets 0.451 0.332 0.327 0.332 (0.679) (0.757) (0.762) (0.740) Change in Leverage + -0.750 -0.719 -0.653 -0.650 (0.694) (0.711) (0.734) (0.775) Change in BTM + -0.002 0.002 0.001 0.001 (0.901) (0.794) (0.859) (0.921) Change in ROA 0.143 0.217 0.237 0.232 (0.809) (0.753) (0.736) (0.781) Change in Loss + 0.181 0.101 0.132 0.130 (0.620) (0.783) (0.723) (0.738) Change in Merger + -1.301 -1.417 -1.436 -1.468 (0.946) (0.961) (0.960) (0.962) Change in Foreign + -0.898 -0.952 -1.035 -1.038 (0.940) (0.944) (0.951) (0.964) Change in Restructuring + -0.612 -0.692 -0.702 -0.702 (0.943) (0.959) (0.960) (0.959) Change in Growth 0.003 -0.066 -0.059 -0.054 (0.995) (0.773) (0.801) (0.785) Change in Board Size + 0.124 0.108 0.114 0.119 (0.326) (0.398) (0.376) (0.290) Change in Board Independence -0.089 0.464 0.443 0.437 (0.965) (0.903) (0.908) (0.914) Change in Institutional Holdings -1.582* -1.585* -1.546* -1.558** (0.080) (0.082) (0.085) (0.042) Automate ? 0.128 0.230 0.330 0.299 (0.842) (0.725) (0.630) (0.773) Transform ? -0.343 -0.539 -0.586 -0.602 (0.631) (0.450) (0.414) (0.339) High Tech ? 0.130 -0.209 -0.213 -0.215 (0.821) (0.716) (0.712) (0.669) Low Tech ? -2.919** -2.897** -2.959** -2.991*** (0.028) (0.034) (0.029) (0.010) Intercept -2.892*** -2.889*** -2.783*** -2.758*** (0.000) (0.000) (0.000) (0.000) Year Indicator Included Included Included Included Number of observations 243 243 243 243 F Statistics 2.946 1.909 1.971 1.582 Adjusted R2 0.136 0.151 0.154 0.154 note: *** p<0.01, ** p<0.05, * p<0.10. The p-values are listed in parentheses under the coefficient.

46

Appendix A. IT Control Quality Dimensions (Adapted from Li et al. 2010a)

Quality Dimension Data processing integrity Identifier IT PROCESS Definitions* The extent to which data are correct and reliable. Examples from the SOX 404 Managements Report on Internal Control Ability to change closed accounting periods in system Ability to delete (used) accounts from the system Data or program changes lack user review/approval/authorization/testing Did not properly maintain master files (e.g., vendor, price, inventory) Inadequate development and maintenance (e.g., new system, updates) Inadequate IS/IT support staff Inadequate system to support business processes (includes manually intense processes) Integrity of computer data not verified (e.g., accuracy, validity, completeness) Lack of IS/IT controls Lack of IS/IT controls over subsidiary/foreign operations Lack of IT experience (inadequate skills) Program change controls missing or inadequate Programming errors Relying on systems of others (outsourcing) where controls not verified Spreadsheet(s), lack of controls over (Too) Functionally complex systems Weak application controls Weak general controls Weak IT Control Activities Weak IT Control Environment Weak IT Risk Assessment Weak IT Monitoring (Business user) Segregation of duties not implemented in system Inadequate records and storage retention Lack of disaster recovery plan for systems IS/IT personnel access not properly segregated Logical access issues Security issues Decentralized systems Disparate (non-integrated) systems Insufficient training on system Lack of system documentation, policies, procedures Weak Information & Communication

System Access and Security

IT SECURITY

The extent to which: data are available, or easily and quickly retrievable and access to data is restricted appropriately to maintain its security. The extent to which data are: easily comprehended presented format in the same

System Structure and Usage

IT STRUCTURE

47

Appendix B. SOX 404 Control Weakness Coding Examples Firm and Year
Online Resources Corporation 2007

Text from SOX 404 Report

the Companys procedures for the supervisory review of the performance by Company personnel of manual controls associated with account analysis and the verification of the accuracy of electronic spreadsheets that support financial reporting were ineffective. This material weakness resulted in deficiencies in the operation of controls not being detected timely and in multiple errors in the Companys preliminary 2007 financial statements, including errors in revenue, interest expense, and share based compensation. The Company did not adequately design controls to maintain appropriate segregation of duties in its manual and computer-based business processes which could affect the Companys purchasing controls, the limits on the delegation of authority for expenditures, and the proper review of manual journal entries. Implementation of the new accounting system also was flawed because some of our accounting, finance and operations employees were not properly trained in the use of the new accounting system.

Control Issue
Spreadsheet(s), controls over lack of

Control Category
Data Processing Integrity

TRC Companies 2006

Segregation of duties not implemented in system

Access and Security

Digimarc Co 2004

Insufficient system.

training

on

Structure and Usage

Appendix C. Examples of IT Knowledge for Executives and Directors CEO IT Knowledge (Vitria Technology)
M. Dale Skeen, Ph.D., is 51 years old, co-founded Vitria in 1994 and has been our Chief Executive Officer since April 2004. Dr. Skeen has also served as Chief Technology Officer and as a director since Vitrias inception. From 1986 to 1994, Dr. Skeen served as Chief Scientist at Teknekron Software Systems, now TIBCO, Inc., a software company. From 1984 to 1986, Dr. Skeen was a research scientist at IBMs Almaden Research Center. From 1981 to 1984, Dr. Skeen was on the faculty at Cornell University. Dr. Skeen holds a B.S. in Computer Science from North Carolina State University and a Ph.D. in Computer Science on Distributed Database Systems from the University of California, Berkeley.

CFO IT Knowledge (THQ INC)

Edward K. Zinser (age 49) was appointed our Executive Vice President and Chief Financial Officer in April 2004. Mr. Zinser is responsible for all of our financial activities, including financial reporting, information systems, internal controls and investor relations. From May 2001 to February 2004, Mr. Zinser served as Executive Vice President and Chief Financial Officer of Vivendi Universal Games, a developer, publisher and distributor of interactive software products across all major platforms including PCs, video game consoles and the Internet. In this role he was responsible for all worldwide finance, accounting, information systems, treasury and planning functions. From June 1999 to March 2001, he was at USA Networks where he was initially Senior Vice President and Chief Financial Officer of Internet Shopping Network, the e-commerce division. In June 2000, he became President and Chief Operating Officer of Styleclick, Inc., a public e-commerce services provider that was created through the acquisition of Styleclick.com. In this role he directed business development, sales, web site development, merchandising, creative services, operations, technology and the online auction business. From June 1993 to May 1998, Mr. Zinser served as Vice President and Chief Financial Officer / Chief Operating Officer of Disney Publishing, a $400 million division of The Walt

48

Disney Company. Mr. Zinsers experience also includes positions at leading consumer products companies such as The Franklin Mint, Pepsi-Cola and Campbell Soup. He holds a B.S. in management from Fairfield University in Connecticut and an MBA in Finance from the University of Chicago.

Director IT Knowledge (SVB Financial Group)

Mr. Benhamou is Chairman and CEO of Benhamou Global Ventures, LLC, which was formed in 2003. Benhamou Global Ventures, LLC invests and plays an active role in innovative high tech firms throughout the world. Mr. Benhamou is also the Chairman of the Boards of Directors of 3Com Corporation and Palm, Inc. He served as Chief Executive Officer of 3Com Corporation from September 1990 until December 2000, and served as interim Chief Executive Officer of Palm from November 2001 to November 2003. Previously, he held a variety of senior management positions at 3Com. In 1981, Mr. Benhamou co-founded Bridge Communications, an early networking pioneer, and was Vice President of Engineering until its merger with 3Com in 1987. In 2003, Mr. Benhamou was appointed to the Joint High Level Advisory Panel of the U.S.-Israel Science and Technology Commission by U.S. Commerce Secretary Donald Evans. He currently serves as Chairman of the Board of Directors of Cypress Semiconductor, which produces semiconductors (since 1993), and as a member of the Board of Directors of RealNetworks, Inc, a creator of digital media services and software (since 2003). He also serves as a member of the Boards of Directors of several privately held companies, including Atrica, a provider of Optical Ethernet solutions (since 2000), Go Networks, a wireless network hardware provider (since 2004), WisdomArk, Inc., a consumer web service company (since 2005), Finjan, a global provider of proactive web security solutions (since 2006), as well as the New America Foundation, a Washington DC-based think tank (since 2000). Mr. Benhamou serves on the executive committee of TechNet, the Computer Science and Telecommunications Board (CSTB), Stanford University School of Engineering and Ben Gurion University of Negev. Additionally, he is a visiting professor at the INSEAD Business School and the Chairman of the Israel Venture Network, a venture philanthropy organization for a stronger Israeli society. Mr. Benhamou holds a diplme dIngenieur de lEcole Nationale Suprieure dArts et Mtiers in Paris, France, a masters degree in Science from the School of Engineering at Stanford University and several honorary doctorates.

49

Appendix D. Examples of IT Upgrades IT Upgrade (Affirmative Insurance Holdings Inc.) To remediate the IT material weakness described above, we have implemented new policies and procedures to ensure proper access controls are maintained and monitored. We have increased the supervisory control over access controls, centralizing it for more direct monitoring. In some instances, we have adjusted system configurations and incorporated software tools where appropriate to limit and restrict the ability of system users to enter, change and view data and to provide a detailed history of changes to the applications and data. Financial IT Upgrade (Richardson Electronics LTD) The Company is in the application development stage of implementing certain modules of enterprise resource management software (PeopleSoft). Accounting IT Upgrade (Adelphia Communications) With respect to the access to financial applications and data material weakness described above, subsequent to December 31, 2004, we have substantially completed our remediation efforts. We have implemented controls, including policies and procedures that govern security and access to our IT systems, programs and data, including those supporting our financial data relating to property and equipment and our general ledger and financial reporting applications. Non-Financial IT Upgrade (Actividentity Corp.) To meet these challenges we implemented a new customer relationship management system in fiscal 2005, and are continuing the process of modifying and refining it to better meet our needs.

50