Measuring the pervasiveness of IT general controls: A model and empirical validation

IF 4.1 3区管理学 Q2 BUSINESS

International Journal of Accounting Information Systems Pub Date : 2025-06-23 DOI:10.1016/j.accinf.2025.100752

Michel Benaroch

{"title":"Measuring the pervasiveness of IT general controls: A model and empirical validation","authors":"Michel Benaroch","doi":"10.1016/j.accinf.2025.100752","DOIUrl":null,"url":null,"abstract":"<div><div>Auditing IT general controls (ITGC) for Sarbanes-Oxley (SOX) compliance is challenging because all ITGCs are presumed to be pervasive and in need of detailed testing. However, some ITGCs are more pervasive than others and have a greater impact on financial reporting. We developed a network model of ITGCs embedded in a system of enterprise information systems (IS) processes and used network centrality metrics to score the pervasiveness of an ITGC based on its connectivity and its implied disruptive influence on the information flow needed for the IS process system to function as intended. We tested our pervasiveness scores by examining the equity market reactions to revelations of specific ITGC deficiencies that led to cyber incidents (e.g., data breaches, cyberattacks). We found a direct relationship between ITGC pervasiveness and equity market reactions, suggesting that equity market participants attach greater value-relevance to more pervasive ITGCs. Our pervasiveness scores also explained equity market reactions better than the “priority” scores senior IT auditors assign to testing (auditing) specific ITGCs based on their importance to SOX compliance. Our findings are robust and hold for 17-day event windows and for the pre- and post-SOX periods.</div></div>","PeriodicalId":47170,"journal":{"name":"International Journal of Accounting Information Systems","volume":"56 ","pages":"Article 100752"},"PeriodicalIF":4.1000,"publicationDate":"2025-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Accounting Information Systems","FirstCategoryId":"91","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1467089525000284","RegionNum":3,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"BUSINESS","Score":null,"Total":0}

引用次数: 0

Abstract

Auditing IT general controls (ITGC) for Sarbanes-Oxley (SOX) compliance is challenging because all ITGCs are presumed to be pervasive and in need of detailed testing. However, some ITGCs are more pervasive than others and have a greater impact on financial reporting. We developed a network model of ITGCs embedded in a system of enterprise information systems (IS) processes and used network centrality metrics to score the pervasiveness of an ITGC based on its connectivity and its implied disruptive influence on the information flow needed for the IS process system to function as intended. We tested our pervasiveness scores by examining the equity market reactions to revelations of specific ITGC deficiencies that led to cyber incidents (e.g., data breaches, cyberattacks). We found a direct relationship between ITGC pervasiveness and equity market reactions, suggesting that equity market participants attach greater value-relevance to more pervasive ITGCs. Our pervasiveness scores also explained equity market reactions better than the “priority” scores senior IT auditors assign to testing (auditing) specific ITGCs based on their importance to SOX compliance. Our findings are robust and hold for 17-day event windows and for the pre- and post-SOX periods.

查看原文本刊更多论文

衡量IT通用控制的普遍性：一个模型和经验验证

审核IT通用控制（ITGC）以符合Sarbanes-Oxley （SOX）是一项挑战，因为所有ITGC都被认为是普遍存在的，并且需要详细的测试。然而，一些itgc比其他的更普遍，对财务报告的影响更大。我们开发了一个嵌入在企业信息系统（IS）流程系统中的ITGC网络模型，并使用网络中心性指标根据ITGC的连通性及其对IS流程系统按预期运行所需信息流的潜在破坏性影响，对ITGC的普遍性进行评分。我们通过考察股票市场对导致网络事件（如数据泄露、网络攻击）的特定ITGC缺陷披露的反应来测试我们的普遍性得分。我们发现ITGC的普遍性与股票市场反应之间存在直接关系，这表明股票市场参与者对更普遍的ITGC具有更大的价值相关性。我们的普遍性分数也比高级IT审计员根据测试（审计）特定的itgc对SOX遵从性的重要性分配的“优先级”分数更好地解释了股票市场的反应。我们的发现是稳健的，适用于17天的事件窗口以及sox之前和之后的时期。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Journal of Accounting Information Systems Multiple-

CiteScore

9.00

自引率

6.50%

发文量

期刊介绍： The International Journal of Accounting Information Systems will publish thoughtful, well developed articles that examine the rapidly evolving relationship between accounting and information technology. Articles may range from empirical to analytical, from practice-based to the development of new techniques, but must be related to problems facing the integration of accounting and information technology. The journal will address (but will not limit itself to) the following specific issues: control and auditability of information systems; management of information technology; artificial intelligence research in accounting; development issues in accounting and information systems; human factors issues related to information technology; development of theories related to information technology; methodological issues in information technology research; information systems validation; human–computer interaction research in accounting information systems. The journal welcomes and encourages articles from both practitioners and academicians.