IT internal control weaknesses and firm performance: An organizational liability lens

Abstract

The information systems literature and the public press have called for organizations to more closely scrutinize their information technology (IT) controls; however, little more than anecdotal evidence exists on the business value of quality IT internal control, beyond regulatory compliance. In this paper, we (a) advance an organizational liability perspective to the question of IT internal control value; and (b) use the unique setting provided by the enactment of the Sarbanes–Oxley Act of 2002 (SOX) to investigate the relationship between IT internal control weaknesses (ICWs) and both accounting earnings (a contemporaneous measure of firm performance) and market value (a forward looking, risk-adjusted measure of firm performance). Using a data set that provides audited annual assessments of the effectiveness of both IT and non-IT internal controls for a cross-section of companies as mandated by SOX, we find that firms that report an IT ICW have lower accounting earnings compared to firms with strong IT internal controls. We also find that IT ICW moderates the association between accounting earnings and market valuation, with firms reporting weak IT internal controls having a lower earnings multiple. These results are sustained even after controlling for non-IT ICWs and firm-specific factors that are known determinants of ICWs, and are reinforced using an inter-temporal changes analysis in which we use each firm as its own control at a different point in time. Overall, our results provide empirical evidence which suggests that IT internal controls are a strategic necessity and that information systems risk is priced by the capital markets. The implications of these findings for theory and practice are discussed.