چشم انداز کنترل داخلی در مورد عواقب ارزش بازار رویدادهای ریسک عملیاتیIT

IT internal controls are an important component of an organization's arsenal of internal controls. Upon conceptualizing failures of operational IT systems, or what we call IT operational risk events, as signals of IT internal control weaknesses, we theorize about these events' impact on internal control objectives in general and about how this impact is influenced by the regulatory environment in particular. We then perform an event study to examine the economic impact of a diversified sample of IT operational risk events from the U.S. financial services industry during 1985–2009. We specifically test the impact of contextual factors on the degree of this effect, including the events' target (confidentiality, integrity, or availability of IT assets), the source of disclosure (regulatory or voluntary), the enactment of the Sarbanes–Oxley Act, and firm-specific attributes. We find that investors penalize firms most strongly for experiencing events that compromise the availability of IT systems, consistent with our prediction that these events more negatively impact the reliability of financial reporting and the efficiency and effectiveness of operations.

A growing research stream on information technology (IT) internal controls is motivated by the 2002 Sarbanes–Oxley Act (SOX), which requires firms to disclose internal control weaknesses (ICWs) over financial reporting. Broadly, IT controls refer to “the management, operational and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information” ( NIST, 2010, p. 3). The importance of IT controls has come hand in hand with greater dependence of business processes on IT systems and a tendency to build into these systems' automated managerial controls. Indeed, studies of SOX-disclosed IT control weaknesses find that many of the causes of financial misstatements relate to ineffective IT controls ( Messier et al., 2004), that firms with IT control weaknesses have less accurate management forecasts ( Li et al., 2008),

Beyond the broad finding that IT operational risk events are value-relevant, our examination of IT operational risk events in U.S. financial services firms arrives at two major findings. The first finding pertains to the event types that have been least studied to date, availability and integrity events. We find that firms experiencing availability IT operational risk events suffer substantially more negative abnormal returns than firms experiencing integrity or confidentiality events, and that investors' reaction to integrity events is comparable to that of confidentiality events. One conclusion is that investors view availability events as signaling the presence of more severe IT control weaknesses than those signaled by confidentiality and integrity events. As we discussed earlier, IT operational risk events signal the presence of IT control weaknesses that impact two main aspects of a firm's function: financial reporting and operational efficiency and effectiveness.