critical research analysis on the effectiveness of it auditing for corporate governance
8/8/2019 Critical Research Analysis on the Effectiveness of IT Auditing for Corporate Governance
Critical Research Analysis On The Effectiveness Of IT Auditing For
Corporate Governance
Chapter 1: Introduction
1.1 Introduction
Auditing is one of the essential elements for the successful functioning of the business and helps an
organization to face the external world with precise information on its business and issues related to
accountability. Also, it is universally accepted that any business organization irrespective of its nature
of business must provide relevant documentation to the government and other legal authorities with
respect to their income and expenditure in order to meet the rules and regulations on tax. In the initial
years of its introduction, auditing was primarily concerned with only the finance and finance related
activities within the business that is accounted for in the business. Apparently, the revenue generated
by the company and the costs associated are the major contributing factors for decision making on the
tax and shareholder benefits. Alongside, the growth of information technology and the increase in the
public awareness has further intensified the need for conducting an efficient auditing process to
provide accountability for their business activities.
It is intriguing to note that information technology has become an integral part of every business
organization making information as a critical element for the effective operation of the business itself.
Thus the need for auditing the information and IT based activities that account for the finance for the
organization both revenue and expenses are imperative. This report is focused on the effective role of
information technology audit in the corporate governance in the UK business organizations. The fact
that the corporate governance is the portrait of a company to the external world both in terms of
performance as well as financial information makes it a critical element for the success of an
organization.
It is also imperative that the corporate governance of an organization is essential not only for the
benefit of the stakeholders but also for the economic stability in the business market as well as the
entire nation. This report is aimed to present a critical research analysis on the effectiveness of IT
auditing for corporate governance in the UK. The report will throw light on the various aspects related to
achieving effectiveness through IT audit as part of corporate governance and critically analyse the
Sarbanes Oxley Act on IT audit and information transparency.
1.2: Aim and Objectives
The aim of this dissertation is to critically analyse the efficiency of IT audit in the corporate
governance among the UK business organizations. This is achieved by embracing the research upon the
following objectives.
To critically analyse the concept of corporate governance and its importance for an
organization both internal and external to the business.
To analyse the critical nature of information in business and the growth of information systems
in corporate governance.
To analyse the corporate financial reporting frauds and the role of information technology in
such cases through critically analysing examples from various industries.
To critically analyse Section 404 of the Sarbanes Oxley Act which is the final rule of the act to
be implemented by corporate organizations in the UK.
To provide case study analysis with examples from banking sector and Energy sector in the UK
on the application of the Sarbanes Oxley Act-section 404.
1.3: Research Definition
The research in this report is accomplished using secondary information resources only. This is mainly
because of the fact that a public opinion on the IT auditing is totally irrelevant and the business
organizations will not reveal their corporate information other than that which is published in the annual
reports due to data protection and privacy issues. Hence the research analysis in the case study is
entirely qualitative in nature, i.e. the research is based upon the journals and white papers published
rather than using first-hand data for quantifying the analysis.
The case study analysis is conducted upon the energy and banking sector of the UK. Whilst a critical
analysis on HSBC bank Plc is presented under the banking sector, National Grid Transco, Plc is the
company of interest in the Energy sector of the UK. The case study analysis on these organizations will
provide critical information on the use of section 404 of Sarbanes Oxley Act and the company's strive to
accomplish IT audit that support financial results for corporate governance. The research analyses only
those areas of information systems that directly contribute to the financial results of a company rather
than the entire information technology infrastructure of the company.
1.4: Justification for the research
The fact that information plays a critical role in every sphere of a business in the twenty-first century
as argued by Efraim Turban et al (2004) has apparently increased the role of IT from just an
operational support element to a strategic element of the entire business itself. Furthermore, the
frauds detected in the Enron and WorldCom cases (discussed in later chapters) were predominantly
because of the frauds in information that relates to the financial performance of the company.
Hence, this research is conducted in order to throw light on the critical nature of information in the
auditing process. The fact that energy (electricity and gas) and banking sectors are major business
sectors that directly deal with the general public on a day-to-day basis apart from the increased
interests of the stakeholders is the major reason for embracing the research on these two sectors of
business in the UK.
1.5: Chapter overview
Chapter 1: Introduction
This is the current chapter, which introduces the reader to the aim and objectives of the research
and the research definition.
Chapter 2: Literature Review - Corporate Governance
In this chapter a critical overview of corporate governance and the need for auditing and financial
performance is discussed in the light of business environments in the UK. The discussion throws light on
the need for achieving corporate governance and the essential elements of the business that
contributes to corporate governance of a company are discussed with focus upon the entire business.
Chapter 3: Information systems and corporate governance
This chapter critically analyses the role of information technology in business organizations and the
critical nature of information in supporting corporate governance. This is followed by the critical
analysis of the corporate financial frauds by providing false information with examples from Enron and
WorldCom cases.
Chapter 4: Sarbanes Oxley Act
This chapter begins with an overview of the Sarbanes Oxley Act. This is followed by the critical analysis
of the section 404 of the Sarbanes Oxley Act, which was published by Securities and Exchange
Commission to be followed in the UK since June 2003.
Chapter 5: Case Study 1: Banking Sector
This chapter initially analyses the banking sector as a whole and establishes the critical nature of
information in the corporate governance of the competing organizations. This is then followed by the
analysis of HSBC Bank Plc one of the potential competitors in the banking sector both within the UK
and across the globe. The analysis throws light on the adherence of the Sarbanes Oxley Act section 404
by the company and the policies followed by the company to accomplish information transparency and
consistency.
Chapter 6: Case Study 2: Energy Business
This chapter presents a critical analysis of the energy sector in the UK. This overview is followed by the
critical analysis of the Energy transmission and Distribution conglomerate National Grid Transco Plc.
The analysis throws light on the company's strategies and policies to achieve information transparency
and reliability in the business. The research also establishes the critical nature of information in the
business of the company.
Chapter 7: Discussion and Conclusion
The research conducted in the above two case studies is discussed in the light of corporate
governance and the Sarbanes Oxley Act section 404. The analysis will provide a comprehensive review
of the research conducted so far and establishes the coherence between the academic theories and the
real-world scenarios. This is followed by the critical analysis of the objectives of the research followed
by conclusion for the dissertation.
Chapter 2: Literature Review - Corporate Governance
2.1: Background Information
Gerry Johnson and Kevan Scholes (2001) say, Corporate Governance is an essential element for any
business organization mainly because of the fact that the corporate governance is the message
conveyed by the company to the external world including the general public and stakeholders.
Alongside, it is also interesting to note that the corporate governance of an organization not only
communicates to the external world but mainly provide a one-stop information resource to anyone who
is interested in the organization. The corporate governance of the company is essential for not only
effectively communicating to the external world but mainly to attract potential customers in the
general public both for the business as well as identify potential investors to the company.
Furthermore, the fact that corporate governance is also the comprehensive analysis of the entire
organization performance by taking the first chapter of every company's annual report makes it critical
for an organization to effectively maintain and achieve a high level of corporate governance as argued
by Gerry Johnson and Kevan Scholes (2002).
Denzil Watson and Tony Head (1998) further argue that the corporate governance of a company is not
only a one page message conveyed by the chairman of the organization but also concerns with the
relationship between the company management and its owners in the entire structure of the
organization. Apart from the relationship with the owners and stakeholders, the corporate governance
is also an essential element for the effective management of the human resource of the company itself
mainly because of the fact that not only the interests of the existing workforce should be nurtured but
the company should also maintain a positive corporate governance to attract new employees to the
organization in order to achieve long-term organic growth as argued by Denzil Watson and Tony Head
(1998).
Another interesting fact identified by Denzil Watson and Tony Head (1998) is that the corporate
governance is a critical element in determining the remuneration for the senior executives in many
organizations within the UK, which apparently means that the corporate governance is the mechanism
that is used by the owners to govern the management of the company. Also, it is interesting to note
that the corporate governance in the UK companies has been traditionally stressed upon the
importance of internal control and importance of the role of financial reporting and accountability in
the organization to its stakeholders and general public.
2.2: Need for corporate governance
Corporate governance of an organization is not only a message that is being conveyed to the
stakeholders or the method of managing the management by the owners of the company but essentially
the way of monitoring the company's growth and its position in the entire business market it is
operating. The corporate governance is also important for achieving competitive advantage in the
target market because of the fact that the customers in the target market are keen in identifying the
attributes of the organization that sells the products to them. This includes every form of business
including consumer industry, retail sector and even power and energy management sector as identified
by Sebastian Nokes (2001). Furthermore, the corporate governance in an organization is also essential
for efficiently monitoring and deploying the infrastructure of the company itself.
Chris Brown (2005) argues that the corporate governance of an organization is essential for not only
increasing the productivity of the organization but also to become an inspiring element for the
employees in the organization to achieve higher level of performance within the organization.
Furthermore, it is also interesting to note that the corporate governance of a company is essential to
manage the senior management of the organization for not only monitoring the productivity but also
for deploying the revenue for further business development. It is imperative that finance is the heart
of the entire corporate governance mainly because of the fact that a company's performance is
determined based upon its financial performance both by the stakeholders as well as the general
public.
T.C. Melewar (2003) further argues that the corporate governance of the organization is essential for
not only the efficient management of the organization but also for identifying any potential issues that
should be verified in order to achieve coherent results during the process of auditing in the company.
Following the fall of the Enron and WorldCom which was mainly because of the failure of the
management of the company to provide coherent information for audit process and fraud activities in
the financial information, the Securities and Exchange Commission of United States of America has
made it a rule that the corporate governance of a company must also include non-executive directors
who are responsible stakeholders and people of social respect who would validate the activities of the
company itself. Furthermore, the Securities and Exchange Commission has also made it mandatory that
the auditing committee of the company must contain at least three non-executive directors mainly to
facilitate the validation and approval of the results from the audit committee.
The Legal and Regulatory exchange of the UK (2002) has also justified that even though the
non-executive directors cannot fulfil all the expectations, they can help the company to perform
effectively in the business through continuously monitoring the activities of the entire organization and
providing valuable guidance to the board of executive directors in the form of suggestions. Alongside,
the Department of Trade and Industry has also justified the fact that even though, the non-executive
directors in the company do not involve themselves in the day-to-day business of the organization, they
are responsible for the efficiency and overall effectiveness of the organization with respect to the
organization's performance and reliability of the results.
Furthermore, the fact that the corporate governance in an organization also contributes to the
economic stability of the entire business market itself since the revenue generated from a business
sector in a nation is obviously the summation of the revenue generated by the individual organization
competing in the business and fraud in the corporate governance will eventually affect the economic
stability of the business sector itself as argued by Malcolm McDonald (1996).
2.3: Essential elements of corporate governance
Even though it is clear that the financial performance and the financial statements are critical to the
corporate governance itself, Denzil Watson and Tony Head (1998) have identified the following
elements as the major contributing elements to achieve efficient corporate governance in any business
organization.
2.3.1: Human Resource
Michael Armstrong (2003) argues, Human resource is the most indispensable resource for any
organization. Apparently this is because of the fact that the costs associated with the recruitment and
training of new staff in an organization is very high when compared to retaining the existing workforce
and effectively nurturing their performance to increase productivity as well as stabilize the costs as
identified by Denzil Watson and Tony Head (1998). Furthermore it is imperative that only the effective
performance of the human resource of the organization without encouraging any errors and
maintaining the transparency in their work related activities would provide accuracy and consistency in
the business activities across the entire organization right from the operational level. It is also clear
that even though the corporate governance concept is entirely strategic in nature, the business
generates revenue only from the very end of the operational staff and hence the need to achieve
accuracy and reliability at operational level is imperative for the efficient corporate governance in an
organization.
Derek Torrington and Laura Hall (1995) argue that the human resource of an organization not only
contribute to the efficiency or performance of the organization, but also contribute to the overall
reliability of the organization which is an essential element to achieve corporate governance in the
organization. This is mainly because of the fact that the staff right from the operational level to the
top level management must have the commitment in achieving the standards set by the company in
performing the business which is essential for the corporate governance itself mainly because of the
fact that corporate governance is increasingly being treated as a factor of reliability on the company
rather than an information resource to judge the performance of the company. Alongside, Derek
Torrington and Laura Hall (1995) further argue that the efficiency of the human resource of an
organization is the primary contributing factor for the accuracy and reliability of the company's
performance in the external world. This also explains that the human resource of an organization not
only contribute to the efficiency and revenue generation of the company but also for the corporate
governance of the organization itself.
The above arguments justify that the human resource management and efficiency is essential for
corporate governance in any business organization in UK.
2.3.2: Finance
As argued before finance is the backbone for any business since every organization operating in the
commercial environment are focused in generating revenue and the increase in competition in the
business due to globalisation and innovative business methods has apparently increased the need to
focus on generating revenue with minimal costs as argued by Gerry Johnson and Kevan Scholes (2001).
The above statement clearly justifies that finance is the critical element for the corporate governance
in every business organization. Alongside, it is also essential to mention that the financial results are
the end-product that is being analysed by the auditors even though the way in which the revenue is
generated and the process of maintaining the cash flow are other critical elements of the business
itself.
Denzil Watson and Tony Head (1998) further argue that the corporate governance is predominantly
based upon the fundamental issues of resource and finance allocation is addressed through the
corporate governance only. This further makes it clear that even though accounting is a critical
element of the finance, the output of which is actually being audited, the resource allocation and the
finance management are the critical ingredients for the corporate governance in the organization
which makes finance as the backbone of the corporate governance to any business organization. It is
further intriguing to note that finance is not just the way of managing the allocation of money and
financial resources but essentially the accountability to the allocations is the major factor that is
analysed in the corporate governance of any organization apart from the corporate finance itself.
Hence, accountability in terms of financial performance and management are the critical factors that
contribute to the corporate governance of an organization.
The rule passed by Securities and Exchange Commission of the UK that the financial statements must
be disclosed not only in the annual reports but periodically published for public notice in order to
enable the investors and stakeholders to critically judge the organization performance has made it
clear that corporate governance embraces finance of the organization.
Alongside, it is also clear from the Bank of Credit and Commerce International (BCCI) that the
companies must disclose their financial information and also provide accountability for all the revenue
generated and costs incurred not only in the annual balance sheet but also in a periodic fashion further
justifies that the corporate governance is critically dependant on finance.
2.3.3: Infrastructure
The infrastructure in this context is not just the furniture and desktop computers that are used to
accomplish the day-to-day business process but mainly the infrastructure that handles the finance and
finance related information and activities. These include the software and hardware systems that hold
the information on the finance and also those infrastructure elements that contribute to the
generation of revenue in the first place. Denzil Watson and Tony Head (1998) further argue that the
infrastructure in a corporate governance context also includes those that accomplish the effective
auditing process and also the infrastructure elements that contain critical information on the finance
and billing.
Alongside, the infrastructure not only provides support to the finance and billing in an organization but
also mainly contributes to the efficient retrieval and storage of the information (discussed in next
chapter) and also supports the financial decision making in terms of corporate communication and
deciding upon the allocation of finance for further development within the organization.
This further justifies the fact that infrastructure in a corporate governance context not only includes
the storage and retrieval system (electronic) but also includes those infrastructure elements that actually
process the payments made by the customers to the organization and the expenses of the
organization in order to run the day-to-day business.
2.2.4: Communication
Communication is critical for corporate governance because of the fact that only through the effective
communication of the information to the audit committee, the organization can gain reliability and
provide concrete information in their corporate governance. Since the corporate governance is
predominantly the managing of the senior management of the organization and is derived from the
process of auditing and verifying the activities of the company in every segment of the organization
(including Human Resource and Finance) makes the communication a critical element for the smooth
operation of the business. Furthermore, the communication also plays the vital role of communicating
the information to the external world.
2.3: Committees
The aforementioned elements of the corporate governance are mainly in line with the day-to-day
business process of the company itself. In order to maintain the accuracy of the corporate governance
and increase the transparency as well as abide by the regulations of the Securities and Exchange
Commission, corporate governance consists of the following committees as identified by The Business
Roundtable of UK (2004).
2.3.1: Audit Committee
According to the Securities and Exchange Commission it is mandatory for every publicly owned
company to have an audit committee comprised of solely independent directors. This makes it clear
that auditing is the heart of corporate governance and the accuracy of the entire business process will
be accountable to the audit committee. Furthermore, the audit committee is also responsible for
verifying and checking every aspect contributing to the business and the financial performance of the
organization hence making it a critical element of the entire corporate governance itself. Alongside, it
is also imperative that the independent directors belong to various segments of the business and also
that the committee should comprise of non-executive directors for the purpose of accomplishing the
consistency in the operation itself.
This further justifies that the audit committee is responsible for justifying the accountability of the
organization.
The Securities and Exchange Commission clearly states that the audit committee should comprise at
least three members (directors), who should be independent of the entire
organization and should not participate in the management of the business directly or indirectly. These
directors are called the non-executive directors as discussed above and they are appointed mainly to
provide unbiased assessment on the business operations so as to clearly establish the business process
and accountability for corporate governance of the organization.
Denzil Watson and Tony Head (1998) say that even though it is not expected out of an independent
director to have comprehensive financial knowledge it is essential for the non-executive directors to
possess the fundamental knowledge on finance and its relevance to the business itself. They further
argue that the directors in the audit committee should be able to conduct the auditing process with a
critical eye to identify any flaws in the business process or the methodology of the organization in
order to judge the company's financial performance.
Even though, auditing is predominantly related to the finance and revenue of an organization, the
other elements like information technology, human resource and infrastructure discussed above are
also judged by the audit committee which is the reason for accommodating the directors in the
committee from various fields of specialization in order to provide critical suggestions and provide
accurate assessments upon the performance of the organization itself.
In order to accomplish the aforementioned tasks the audit committee comprises the following:
Risk Profile: The risk profile is maintained to monitor the corporate risks as well as the risks local to
the committee itself. The Business Roundtable (2004) argues that the risk management is essential for
the committee mainly to identify the risks associated with the business itself in order to efficiently
manage the committee itself. The risk in this context is mainly the risk associated with a committee
member providing a biased judgement or an inaccurate judgement due to his consideration will
eventually affect the entire auditing process itself. This is the main reason for the presence of non-
executive directors who are expected to review every decision made by the committee.
Outside Auditors: The outside auditors are employed mainly to accomplish auditing process in an
unbiased fashion in specialist areas like information technology etc where the external auditor
employed will be accountable for the auditing of specific segment of the business. The audit
committee is responsible for monitoring the efficient performance of the auditors and also manage the
overall process of auditing in the organization. The decision of the audit committee is based upon the
results produced by the outside auditors with respect to the areas they were employed to audit within
the organization and hence the choice of the auditor is decided by the committee itself.
Independent operation: The audit committee operates independent of the entire organization. This is
primarily to accomplish unbiased judgement by the committee and also enable the committee to
perform effectively without being disturbed by the day-to-day business issues.
2.3.2: Corporate governance Committee
Apart from the process of auditing which is very essential for corporate governance, it is also essential
to have a corporate governance committee, which is central to the entire board of the organization.
The Securities and Exchange Commission also states that it is mandatory for every publicly owned
company to have a corporate governance committee that makes the decision and performs the overall
management and accountability of the corporate governance for the organization itself. The corporate
governance committee is also called the nominating committee that is responsible for nominating the
directors under various committees that support the corporate governance like the audit committee
discussed above. Also, the corporate governance committee is responsible for the nomination and
management of the directors of the company itself who are accountable to the audit committee during
the audit process. Like the audit committee, the corporate governance committee must also comprise
of independent directors only. The Securities and Exchange Commission further expects the corporate
governance committee to comprise of non-executive directors like the audit committee for the same
reason as in the case of the audit committee. The Business Roundtable (2004) further argues that the
fact the independent directors in the corporate governance committee reinforce the idea that the
governance process of the organization is unbiased and reliable.
Apart from the above functions the corporate governance committee also has the responsibility of
safeguarding the independence of the board in order to effectively assess the performance of the
company against the set norms and also establish the accountability for the activities of the
organization. Another major function of the corporate governance committee is to oversee the
corporation and review the organization's process of providing information to the board in order to
conduct the auditing process effectively.
2.3.3: Compensation Committee
The compensation committee performs the critical part for monitoring the compensation provided to
the board and the senior management of the company. Like the audit committee and the corporate
governance committee, the compensation committee should also comprise of independent directors
as it is essential for any publicly owned company as stated by the Securities and Exchange Commission.
The committee not only decides the compensation for the senior management but also decides the
allocation of revenue for compensation to the entire company itself that comprises of all the staff
members other than the directors and senior management.
The committee also performs the essential action of monitoring the compensation for the senior
management based upon the results from the auditing and corporate governance committees.
The committee is expected to work closely with the other two committees for gathering the
information to decide upon the compensation for the senior management but the decision of the
committee is not influenced by the other committees of corporate governance in a publicly owned
organization as stated by The Business Roundtable (2004).
The committee also creates the overall compensation structure for the entire organization and the
decision made by the committee is completely independent.
Alongside, the members of the committee should also comprise of non-executive directors like the
audit committee and the corporate governance committee. It is also argued by The Business
Roundtable (2004) that the compensation committee should understand the incentives structure
independent of the industry and also provide a comprehensive compensation structure through
efficient allocation of the resources (finance) to various levels of the company right from the senior
management up to the operational level.
2.4: Conclusion
The above overview clearly explains the critical nature of corporate governance in an organization and
its importance for achieving harmonic business operation. The overview on the committees and the
various elements of corporate governance have proved that the corporate governance is not merely a
tool for assessing the company's performance but essentially to judge the company's activities and
establish accountability for the revenue generated and the expenses of the company.
The next chapter provides a critical overview of information systems and their role in the process of
auditing and contribution to corporate governance.
Chapter 3: Information systems and corporate governance
3.1: Background information
Information systems is the term used to identify the comprehensive deployment of Information
technology and IT related products to accomplish the processing of information and presenting the
right information for the decision makers. John Ward and Joe Peppard (2002) argue that the
information systems in an organization not only includes the technology and technology related
products but also those segments of the business that actually process and generate output from the
information like the billing, revenue and purchasing departments of a corporation. Furthermore, they
argue that the strategic use of information to facilitate effective decision making by the senior
management of the organization apparently increases the need to identify critical information as well
as maintain integrity of the information to accomplish accuracy and reliability. Information technology
has seen tremendous growth in every sphere of business with the increase in the competition and the
innovative methods of business like Customer Relationship Marketing and buyer behaviour modelling.
The use of information by the external entities like the stakeholders, and governing authorities has also
increased with the increase in the companies utilizing the information technology to accomplish their
business process. It is interesting to note that the information technology in an organization not only
provides operational support but also helps accomplish the decision making by the senior management
efficiently.
3.2: Role of information technology in business
The increase in globalisation and the presence of foreign players in the business organizations has
apparently increased the competition in the UK business markets. The increase in the outsourcing and
the need to reduce costs has further increased the need for the organizations to deploy innovative
methods to identify areas where they can eliminate costs as well as identify new areas for potential
business.
Alongside, the fact that information technology has increased the speed of processing information and
reduced the level of errors associated with the business has apparently increased its popularity among
the competitors. Efraim Turban et al (2004) further argue that the companies participating in the
business process within the UK are increasingly facing competition from electronic commerce issues
and the need to increase the revenue is increasing with the increasing costs as well as the continuous
competition by reducing the price of products. The above statement may be applicable for
organizations dealing with general public or the consumer industry but for organizations in the Banking
sector and the energy transmission sector where the service is offered to the customers and the pricing
is not a critical part, the information technology essentially plays the vital role of identifying new
customers as well as providing ability to serve the customers effectively.
3.2.1: Business-to-Business perspective
In a business-to-business perspective, information technology has not only increased the speed of
communication but also essentially increased the accuracy of the information being processed between
two organizations. Alongside, information technology has also accomplished the ability to conduct
video conferencing and other forms of communication eventually reducing the costs for the business
and at the same time increasing the productivity of the staff in the company.
Apart from the above-mentioned points, in a business-to-business perspective, the organizations are
increasingly leveraging information technology to achieve secure transaction of information critical to
the business. The increased use of Internet by the organizations and the deployment of electronic
commerce have further increased the speed with which the decision is being made by the different
business organizations involved in a specific deal. The market review on the business-to-business
marketing in the year 2004 has revealed that the industries are increasingly using the information
technology to quickly make their decisions in order to meet the competition in the business markets
they are competing. Furthermore, Isla Gower (2004) argues that in a Business-to-business environment
the information being transferred is critical and requires to be of high accuracy levels mainly because
of the fact that the information so processed contributes directly to the decision making of the
involved parties and hence can have a severe impact on the business in case of inaccurate information
being sent to the involved parties.
Alongside, in a business-to-business environment, the information processed is not only strategic in
nature but also serves as ingredient for critical analysis and forecasting by the decision makers in order
to analyse a given business market and trend of the business in the target market.
The above argument clearly establishes the vital nature of information in a business-to-business
perspective. It is clear that the information being processed is not only critical but also essential for
maintaining harmonic relationship between the involved organizations.
3.1.2: Business-to-consumer Perspective
Unlike the business-to-business situation discussed above the business-to-consumer case is more critical
in nature because of the fact that it not only involves high density of information being processed but
also the business faces the customers in the general public. Apparently the public opinion upon the
organization will change and can have potential impact on the entire business if the information being
processed is not accurate.
Alongside, the information technology has not only revolutionised the process of business by
accomplishing electronic commerce but also accomplished quick and timely communication to the
customers through various forms of electronic communication like e-mails, Internet publications,
newsletters, etc. The fact that the people in the general public also comprise the stakeholders in the
organization has further made it critical for the requirement of presenting accurate information to the
customers in order to increase their market share and leverage competitive advantage.
Since this report is focused upon the corporate governance where the information is mainly used for
the decision making and providing reliable information to the stakeholders, a detailed analysis of the
advancements in information technology to leverage business development is not presented.
3.2: Information Technology as part of the business process
Many organizations are increasingly using the information technology to increase their speed of the
day-to-day business process itself on top of utilizing information technology to produce effective
reports and conduct complex calculations. National Grid Transco, the company under analysis, is one
such organization to have deployed the information technology on a nationwide basis across its various
branches and third parties involved in the business process. The company processes a large amount of
information every day as part of the business process, and most of the information is sensitive in nature
that could affect the revenue generated by the company itself. With reference to the concept of
corporate governance this information that is being processed must be verified and validated in order
to account for the billing and payment from the customers for the company. A detailed analysis is
presented in chapter 6 of this report.
Alongside, the banking sector which is another industry under consideration is increasingly depending
upon information technology not only to attract customers but mainly to conduct their business process
effectively and support the financial decision making both at branch level for issues related to money
lending and opening new accounts as well as at corporate level to decision making on investments and
business development. Alongside, the leading conglomerates like Barclays and HSBC in the banking
sector leverage information technology for not only processing of the information but also for the
communication of critical information like foreign exchange rates, share prices, and other critical
information which has to be validated before being published for the shareholders to view.
The above two brief examples clearly identify that the information that is being processed by the
companies is the main contributing factor for the actual revenue generation in the company itself.
National Grid Transco, Plc for example is a company that is completely dealing with energy where
revenue is being generated based upon the energy transferred to the customers. In this case an error in
the processing of the information related to the energy will directly impact upon the billing, which will
eventually hinder the corporate governance of the company itself.
This justifies that the extensive use of information technology in business process has apparently
increased the extent to which errors can occur in the business process itself, which will affect the
company's corporate governance drastically.
3.3: IT audit in corporate governance
The discussion in the previous section throws light upon the use of information technology as part of
the business process by many organizations. Christopher Barnatt (2000) argues that the corporate
governance in an organization even though embraces the auditing of the finance and revenue
establishing accountability, mainly depends upon the information that is underlying the revenue
generated or the cost incurred since the financial quantification by the company is based upon the
actual information on their day-to-day business. This further makes it clear that information not only
plays a critical role in managing the audit data but also essentially plays a vital role in validating the
raw data that is actually used to account for the revenue within the organization.
The above statement clearly explains that the information technology is critical for the business
process and revenue generation apart from the aspects of customer relationship etc. John Ward (2000)
further argues that the information technology in a business environment with reference to corporate
governance of the organization provides the initial input for the actual revenue accountability of the
organization. Furthermore, he argues that the possibility to provide false information in order to cover
any major issues within the organization will eventually affect the corporate governance of the
organization. Alongside, it is clear from the above argument that the technology behind the processing
of the information itself needs to be validated in terms of access control and security measures in order
to prevent unauthorised access to the information.
Enron, a leading company in the energy sector of the United States of America actually published false
information on the amount of energy generated and transferred to the customers which eventually
the transparency of information in the financial reporting and the need for internal control of the
information being processed in order to increase information security as well as consistency of
information.
Although there are established compliance rules for financial accounting itself, the Sarbanes Oxley Act
is being critically evaluated in this report mainly because of the fact that the research is upon the IT
audit for achieving corporate governance which implies that the information consistency and accuracy
with respect to the financial reporting is the key issue being addressed by the company.
Even though Sarbanes Oxley Act is an American law passed by the Securities and Exchange Commission
of United States of America, the law is also internationally applicable because of the fact that the
corporate governance of a publicly quoted company is essential for the stable operation of the
economy as well as to nurture the investor confidence which is critical for a free range economy as
identified by the Institute of Internal Auditors UK. Furthermore, the fact that many leading companies
are quoted in the New York Stock exchange since the globalisation has increased the investment in
foreign nations and increased the need for presence in the United States of America has apparently
created the need for the companies to comply with the Sarbanes Oxley Act.
4.1: Overview of Sarbanes Oxley Act
The Sarbanes Oxley Act was passed by the US government in order to restore the investor confidence in
the United States of America as well as to increase the transparency in the business process itself so as
to prevent further financial frauds like those of Enron and WorldCom due to the misinterpretation or
provision of false information, etc. The Sarbanes Oxley Act comprises eleven sections that present
comprehensive information about the compliance required of an organization in using information to
accomplish efficient financial reporting within the organization.
The management responsibilities identified by the Sarbanes Oxley Act section 404 which was approved
by the Securities and Exchange Commission to be followed by the companies are:
Accept responsibility for internal control over financial reporting
Evaluate the effectiveness of internal control using suitable criteria
Support the evaluation with sufficient evidence and documentation
The aforementioned points clearly justify the fact that information is the critical element for the
entire process of financial reporting and hence it is essential to control the financial reporting and the
information related to financial reporting.
Furthermore, the Sarbanes Oxley Act emphasises the internal control of the information and the
finance reporting methods in order to maintain coherence in the information being processed and
achieve effective corporate governance for the company.
Alongside, the Sarbanes Oxley Act also protects the interests of the employees and their rights when
they are involved in providing vital information on a fraud being continued within the organization
against the company. The Sarbanes Oxley Act provides that the employer has to pay a fine of up
to $250,000 for terminating the employment of an employee for providing correct information on a
fraud within the organization, in financial reporting or other areas, which would potentially affect the
corporate governance of the company by resulting in false reporting.
4.2: Section 404 of Sarbanes Oxley Act
The section 404 of the Sarbanes Oxley Act, which was approved by the Securities and Exchange
Commission as a rule to be adhered to by the publicly owned organizations, expects the following to be
accomplished by all the organizations in their financial reporting and control:
Strict Standards for Corporate accountability with respect to the established and approved
methods of the governing bodies in the respective countries. This apparently means that the
organizations in the United States of America for example must provide their financial reports in
line with the standards laid by the IRS (Inland revenue service) of United States of America
whilst the companies in UK must adhere to the standards laid by the Inland Revenue Service of
UK. The SOX section 404 further provides the provision for following a single method of
accounting for financial reporting that is internationally accredited in order to meet the
requirements by multinational companies.
Present a written assessment as of the year-end every year. This means that the companies
must provide a comprehensive documentation of all the information resources and the
processes being followed by the companies in order to accomplish the transparency level
within the organization. Also the written assessment in this context is purely internal since a
comprehensive documentation of all the process must be prepared and controlled internally in
order to enable speedy retrieval as well as quick and accurate processing of the information by
the company for financial reporting.
Written assessment by the external auditor. The written assessment by the external auditor is
not only to be accomplished on the traditional accounting and financial reports but right from
the first elements that fed information into the system that eventually provides input to the
financial report either for income or expense. This is argued by Ian P. Dewing and Peter O.
Russell (2004) that even though the internal auditing is necessary to be comprehensive by
including every aspect of the information systems that account for the financial reporting, it is
more important for an external body to approve the auditing so accomplished mainly because
of the fact that the external audit will justify the internal audit which is essential for the
completeness of the entire system of the auditing.
Declaratory statement in the yearly annual report and accounts. This is in line with the corporate
governance statement released by the company in its annual report. The company should
include the details of the internal auditing and the verification from the external auditor upon
the completion of the auditing in order to establish the consistency and increase the reliability
of the investors upon the corporate organizations. The fall in the stock markets in United
States of America after the fall of Enron and WorldCom has apparently led to a situation where
the investors were not ready to rely upon any big organizations and hesitated to invest in the
shares, eventually leading to economic instability in United States of America. This was the
major reason for the government of United States of America to quickly pass the section 404 of
the Sarbanes Oxley Act as a rule through Securities and Exchange Commission in order to
increase reliability among investors as well as increase the stock market performance.
4.3: Internal control deficiencies
As discussed before the Sarbanes Oxley Act section 404 is mainly to accomplish the internal control of
the information relating to the financial reporting in order to leverage investor reliability. Any
deficiency in the control will obviously lead to a loss of certain material value. This deficiency is
classified into three categories as mentioned in Table 1.
Table 1: Internal Control Deficiencies and their material value as identified by Sarbanes Oxley Act
Type of Internal Control Deficiency Material Value Reported
Inconsequential 0.5% and 5% profit or around 70 million of the net profit value
Shareholders (i.e.) public.
From the above table it is very clear that the Sarbanes Oxley Act is keen in capturing any potential
financial losses even in the initial stages through internal control and the reporting actions stated in
Table 1 further justifies the importance given to gaining investor reliability.
4.4: External Auditing
As stated before, the Sarbanes Oxley Act has made it mandatory for strict internal controls and
auditing of the procedures, which in turn must be audited by an external auditor. The responsibilities
of the external auditor so appointed are listed below:
Audits of internal control and financial statements are integrated (i.e.) every potential
deficiency and financial loss in the internal control are appropriately mentioned in the
financial statements of the company.
Evaluate the management's assessment process, including the documentation procedure. The
section 404 of the Sarbanes Oxley Act which is being established as the rule expects the
organisations to maintain all the electronic documentation using a defined naming convention
and also establish version control for all the critical documents that serve as the input for
various analysis and queries of the company that have potential financial impact. The
documentation and version control will not only ease the process of auditing but also mainly
increase the accuracy with which the organization manipulates the information. Alongside, the
fact that the information related to financial reporting are being communicated between
various levels of the organization internally makes it imperative to maintain a single copy of
the document or information sent electronically to the personnel involved. This increases the
consistency of information being viewed as well as increases the reliability of the information
being processed.
Test both design and operating effectiveness of controls for all relevant assertions related to
all significant accounts and disclosures. This mainly evaluates the way in which the information
is actually being processed by the company (i.e.) the internal policies, billing methodologies,
exceptional circumstances and how they are handled by the company etc. The fact that many
publicly owned organizations deal with queries and disputes related to financial reporting, like
disputes over the amount billed etc., has made it necessary for the organization to follow a
unified code of practice to achieve consistent results every time in handling financial
information. Furthermore the design in this context is predominantly the structured approach
to manipulating information in order to gain consistency in the financial reporting which will
eliminate any errors and flaws in the corporate governance of the company.
Evaluate the results of the testing by the management and others such as the internal audit
and consider whether to use the internal audit results for the auditing purposes. From this
statement it is clear that it is under the discretion of the auditor to use the results of the
internal audit systems of the company. This further emphasises that even though the
organization is expected to adopt strict internal control and auditing policies as mentioned
before, it is the duty of the external auditor to validate the methods followed by the company
and the accuracy prior to using the results from the internal audit for their auditing purpose
itself. From this statement, it is clear that the Sarbanes Oxley Act not only aims to achieve
investor confidence but mainly to eliminate any flaws leading to potential economic threats to
the industry itself.
Evaluate the severity of all identified internal control deficiencies and consider the evidence
from all sources to reach a conclusion. This again explains that the external auditor is
accountable for any discrepancy in the information being processed towards financial reporting
since the external auditor is expected to review and verify all internal deficiencies
irrespective of their severity and provide their individual conclusion upon the deficiency after
analysing the evidence. This makes it clear that Sarbanes Oxley Act treats the external auditor
as the key element in the corporate governance of an organization even though it equally
emphasises the internal control and auditing.
Report on the management's assessment and on the effectiveness of internal control over
financial reporting. From this statement it is clear that the external auditor is the person
responsible for the overall auditing of the company even though the internal auditing and
control are necessary.
4.5: Communication and Reporting
As discussed in the literature review, the corporate governance of an organization embraces effective
communication and reporting of the information for auditing. This makes it imperative that the
management communicates effectively with the external auditing team as well as maintains effective
internal communication between various sections of the management.
The Sarbanes Oxley Act has laid the following norms for communication and reporting:
Communication of all deficiencies: This approach of the Sarbanes Oxley Act was criticised by
many critics since the reporting of minor deficiencies was considered unnecessary. The fact
that a company can categorise a potential issue as an inconsequential deficiency due to
misinterpretation of the information, as in the case of WorldCom where the company
categorised all its major expenses as investment, justifies the demand of the Sarbanes Oxley Act to
report all the identified internal deficiencies irrespective of their severity within the
management or external to the business.
The significant deficiencies should be identified by the external auditors and then reported to
the audit committee in order to derive on a concrete conclusion of whether or not to
categorise the deficiency identified as inconsequential or severe. This approach by the
Sarbanes Oxley Act to report the identified deficiencies to the audit committee and arrive upon
a unified decision apparently makes it clear that the information being deployed by the
company in the organization as well as the technology being used should be verified for any
potential deficiencies and these deficiencies should be verified and evaluated by the external
auditing team. This eventually increases the transparency of the information and the entire
business process itself eventually increasing the investor confidence.
Sarbanes Oxley Act further allows the company not to disclose any significant deficiencies
identified as such in their annual report but provide accountability in their financial statement
of the annual report. This statement apparently protects the company's business process itself
since any potential deficiencies disclosed in the published annual report will eventually hinder
the company's growth because of the fact that the deficiency in the business process will
eventually discourage the investors from purchasing their shares eventually reducing the
market value of the company itself. Hence in order to prevent the company from losing its
market share through revealing the actual deficiency, the Sarbanes Oxley Act has made it clear
that the company must account for every deficiency in their financial report but still need not
disclose the actual deficiency identified in the published annual report. Alongside, it is also
interesting to note that the communications of the deficiencies to the external auditor and
the joint decision of the audit committee and the external auditor will eliminate any errors in
justifying a deficiency in the internal control as inconsequential or vice versa.
Unqualified opinion: The Sarbanes Oxley Act strictly prohibits the unqualified opinions in the
corporate governance of the company. It is essential to state that the Sarbanes Oxley Act
expects documentary evidence for all the deficiencies as well as the information related to the
deficiency that lead to potential impact on the financial report. Since the Sarbanes Oxley Act is
primarily concerned with the process of maintaining information integrity and accuracy to
achieve investor confidence through eliminating financial reporting frauds, it is essential for
the organization to provide evidence for every deficiency identified in order to justify whether
it is inconsequential or not. Alongside, the Sarbanes Oxley Act authorises the external auditor
to categorise any deficiency without ample supporting documentation as a potential material
weakness. Hence it is essential for the companies to adhere to strict procedures for
information storage and retrieval as well as maintaining the electronic filing systems itself
within the organization.
Periodic reporting of any material changes to the internal auditing and control methods. The
Sarbanes Oxley Act expects the management to report any potential changes made to the
internal controls as well as the material changes to the external auditors. This is mainly
effective when an organization undergoes any changes with respect to its trivial methods of
reporting and process of information as well as in cases of any new software or hardware
installation. The Sarbanes Oxley Act strictly requires the organization to provide concrete
documentary evidence to any changes in the technology being used as well as the changes to
the methods of reporting regularly in order to establish consistency in the information being
analysed by the audit committee and the senior management. This apparently increases the
consistency of information as well as eases the process of auditing itself since the external
auditor can effectively perform the audit process when the management communicates with him
effectively.
Scope Limitation and management responsibilities: The Sarbanes Oxley Act authorises the
auditor to disqualify any opinion of the management when the communication of the
information related to a deficiency is not appropriate and has not met the standards. This
statement authorises the external auditor to disqualify a specific internal control method or
disapprove the entire internal control method when the deficiency identified is not properly
justified with ample documentary evidence. This approach of the Sarbanes Oxley Act towards
the information that is contributing for the financial reporting apparently increases the
consistency and accuracy with which the information is being processed as well as controlled
by the management in order to successfully pass the external auditor's demand.
4.6: Information management and control
As argued before, the Sarbanes Oxley Act was passed by the Securities and Exchange Commission mainly
to increase the clarity of information being processed that contributes to the financial reporting so as to
increase the investor confidence. This apparently means that the entire Sarbanes Oxley Act is
concerned mainly with the information management, control on the information and the deficiencies
associated with the control of the information and reporting that contributes to the financial reporting.
The Sarbanes Oxley Act emphasises the following specific areas with respect to the information systems
within an organization in order to increase the transparency as well as reduce deficiency in the control.
Management and control of the technology: The Sarbanes Oxley Act has made it mandatory for
every organization to provide a comprehensive and coherent documentation on the technology
being deployed by the company in managing its information (i.e.) the technology behind the
information system used by the organization. The Sarbanes Oxley Act emphasises that the
organization must maintain consistent documentation and reports for the technology and
software installed in the company for performing the day-to-day business process that accounts
for the financial reporting within the organization. This is mainly because of the arguments in
the previous chapters that the software or hardware technology that is behind the information
is the primary element that contributes to the manipulating of the data to provide the right
information. For example, in an FMCG (Fast Moving Consumer Goods) organization, the
company should not only account for the unit sales for every item but also mainly provide
information on how the financial value with respect to the units sold is being calculated by the
system they deploy in order to verify the consistency of the information. This makes it clear
that the Sarbanes Oxley Act emphasises that the technical design of the software system being
deployed should be reported and precisely related to the business process of the organization.
Reporting and communication: Section 404 of the Sarbanes Oxley Act emphasises that
companies should report any changes made to the design of the software system (i.e.) changes
made to the technical design of the system in order to efficiently control the flow of
information within the organization. This is also essential in terms of reporting mainly because
of the fact that the company can provide concrete documentary evidence on consistent use of
the information and accuracy only when it can provide an effective report on the technical
design of the information system being deployed by the company.
Access Control and security: One of the key issues faced by the information technology in any
organization is to prevent unauthorised access to sensitive information. The fact that many
organizations fail the IT audit mainly because of the lack of efficient access control
management explains that information security is essential to justify the accuracy and
consistency of the information being processed by the company. Section 404 of the
Sarbanes Oxley Act has further emphasised that the organizations should adhere to an
established access control technique like Role Based Access Control in order to efficiently
control the access to information by users without any biased decision. Furthermore, the
external auditor is expected to verify the access control methods deployed and identify any
deficiency in the technique with respect to the impact on the financial information.
Reporting of Control flow, information storage and retrieval: Even though access control is one
of the critical elements for the Sarbanes Oxley Act compliance, a much more critical issue is
mainly to establish the flow of the control between various elements of the information
technology being deployed within the organization itself in order to establish the accuracy of
information. John Ward and Joe Peppard (2002) argue that information can be justified as
accurate and consistent only when the flow of the control (i.e.) the flow of information and
their efficient mapping within the system is justified and clearly identified and verified. For
example when an organization provides a refund to the customer or provides compensation to
one of its staff under exceptional circumstances, this must be quantified and clearly mapped
with the actual financial reporting of the organization itself in order to effectively manage the
information. Alongside, the storage and retrieval techniques and the flow of control in these
cases must also be quantified by the company in order to efficiently justify its information flow
and management of the information consistency. The Sarbanes Oxley Act emphasises that the
companies should not only report the aforementioned but also mainly provide ample
documentary support in order to meet the demands of the external auditor.
4.7: Conclusion
From the above arguments, it is clear that the Sarbanes Oxley Act aims to establish information
transparency within the organization and thus increase the investor confidence. This is mainly required
in order to maintain a free-range economy and nurture the competition in the business market.
Alongside, Sarbanes Oxley Act compliance has become mandatory for foreign organizations and the
deadline for achieving this compliance is laid as June 2006 for the UK based public organizations. The
above research thus is imperative for any organization that is publicly quoted and aims to gain foreign
investment in the form of shares. The case study analysis in chapter 5 and chapter 6 will throw
light on the critical nature of information in the business sectors and the need for information
technology audit. The analysis on specific organization in each case study will throw light on the
organization's initiative to comply with Sarbanes Oxley Act and the internal controls established by the
organizations.
Chapter 5: Case Study 1: Banking Sector
5.1: Background Information
The banking sector is one of the major business sectors of the UK with big players like HSBC, Barclays,
etc. The Keynote Market analysis on the banking sector (2004) has revealed that the banking sector
accounts for more than 30% of the entire revenue generated by the UK economy. Furthermore, the
banking sector in the UK is increasingly facing competition from the non-financial organizations like the
retail sector players (TESCO
services it is essential for the bank to monitor and control the effective flow of information as well as
maintain the integrity of the information being processed. This is highly critical as argued by Tim
McCollum (2004) who says that information technology has not only reached the core business process
but also accounts for the actual existence and validity of the information being processed.
Furthermore, since the banking sector is dealing with finance and money related products as a business
itself, the need to effectively distinguish between the revenue and investments is essential to provide
consistency in the information being processed by the company. Given the increase in acquisitions and
mergers by competitors like HSBC, a bank that grew through constant mergers and
acquisitions, it is essential for the banking sector organizations to maintain consistency in the
information as well as provide concrete evidence on the process of the technology itself.
The banking industry profile (2005) further argues that auditing in a banking sector organization is not
only a difficult process but also mainly a sensitive process to both the information being manipulated
as well as the information related to the financial services. The intriguing fact in the banking sector is
that the information related to expenses and investment can be easily misinterpreted because of the
fact that in both the cases the bank records the information as a debit. It is further interesting to note
that the information technology in the banking sector is utilised thoroughly in order to maintain
efficient services and access to the accounts by the customers whilst incorporating efficient security
and access control techniques.
From the above arguments it is clear that the information technology is not only part of the operational
process but mainly forms the backbone for the banking sector organization to establish their financial
reporting as well as contribute to the corporate governance of the organization itself. Hence it is
essential for performing effective IT audit in the banking sector organization, which is evident from the
above arguments. The analysis on HSBC Bank Plc in the next section will throw light upon the various
methods utilised by the company to perform effective auditing and maintain information consistency to
contribute to the corporate governance of the bank.
5.3: HSBC Case Study
HSBC Bank Plc is the leading organization in the banking sector with global presence across Asia,
America, Europe and Africa. A critical analysis on the company by Tim McCollum (2004) in his report on
the banking sector and IT Auditing reveals that the company has grown mainly through investing upon
acquisitions and mergers since the 1990s when it initially entered the UK banking sector by
purchasing a percentage of the shares from Midland Bank UK. The company profile also states that the
company has not only grown in size but also utilised information technology to deploy its entire
business process in order to gain competitive advantage in the business market.
Since the company is also listed in the New York Stock Exchange, it is imperative for the company to
adhere to the Sarbanes Oxley Act in order to establish effective corporate governance and gain investor
confidence in the business market.
5.4: Critical analysis of the IT Audit procedures in HSBC
The IT audit in the HSBC is a very elaborate and intricate process as mentioned by Tim McCollum (2004)
who justified that the company not only has established controls for every element of the business
process but also established external auditing for all the controls.
5.4.1: Internal Controls
The internal controls in the HSBC Bank Plc comprise three levels:
Operational Level internal control: in this level the line managers and the supervisors perform
the validating process of the information being processed by the specific branch on a day-to-
day basis. This control is mainly to identify any errors in the processing of the business in the
first instance itself in order to effectively establish the information accuracy in the business
process. Alongside, the operational level control also accounts for the day-to-day credit and
debit of the bank including all the elements like the ATM cash machines, cheque withdrawals
and other transactions like loans, mortgage, etc. The interesting fact in this level of control is
that not only the information is being checked for validity; the organization has a set
procedure to escalate any discrepancy and provide paperwork or documentary evidence for any
amendments made on a day-to-day basis. This approach to the control in the operational level
apparently reduces the error in the information to a large extent even though the limitations
like processing times and cheque collection time cannot be accounted by the bank at
operational level.
Middle management control: This level of control to the auditing and information is established
mainly to verify the information and validate the process periodically in order to reduce the
amount of information being processed at the corporate level whilst performing the auditing
process for the annual report. This level of the control mainly focuses on the integration and
control of the operational branches as clusters so that the operational limitations like the time
taken for the realisations of funds etc., can be overseen by this level of control. This level of
control further monitors the branches and performs any intermediate auditing and verifications
in the information being processed in order to maintain information accuracy. The
individual accounts are not verified; instead, the information related to the financial
transactions made on a given calendar date is checked for validity and verified for
accuracy since this information is the input for the financial reporting for the company at both
the periodic and annual levels. The Group Annual Report of the company published in April
2005 reveals that the company is not only involved in the process of IT Auditing but has also
mentioned it in the corporate governance report section of the annual report. Furthermore,
the middle management control also emphasises the information consistency and addresses
any potential issues that are identified in the process of auditing the information that is being
processed for the financial reporting itself. The fact that the information that is being
processed is again the financial information of customers makes it critical for the bank to
efficiently manage and distinguish the information and provide accurate input to financial
reporting.
Senior Management Level control: the HSBC company profile (Datamonitor, 2004) has clearly
stated that the senior management level of the control performs the process of verifying the
information processed by the company and establishes accountability for any discrepancies in the
information. Alongside, this level of control also performs the process of identifying the
deficiencies in the internal controls and establishes their severity. This further justifies that
this level of the internal control is the actual team that faces the external auditor whilst
performing the external audit. This clearly justifies that the internal controls in the bank itself
are being monitored and accounted for their deficiencies by the Senior Management level of
the internal control who not only verify the information for their accuracy but also account for
any deficiency identified in the internal control system itself.
The aforementioned arguments clearly justify that the internal control of the information flow for the
financial reporting is highly structured as well as robust in nature. Furthermore, it is also interesting to
note that the company has established the internal control in line with the Sarbanes Oxley Act
compliance (company Profile, 2004) after the ruling of the Securities and Exchange Commission that
all the publicly quoted companies in the United States of America follow the Sarbanes Oxley Act
section 404 by 2004.
A critical analysis of James Weber and Dana Fortun (2005) upon the internal control and IT audit has
revealed that the HSBC bank Plc is not only utilizing the internal control for the purpose of verifying
and establishing the information accuracy but also for the purpose of establishing a proactive method
of verifying the information right from the operational level in order to eliminate the occurrence of
deficiency in the material weakness when identified at a later instance. Alongside, the strict methods
of maintaining documentary evidence for any amendments in the information and any discrepancy
being verified proves that the company is maintaining high levels of information consistency right from
the operational level in order to avoid any material weakness in the deficiency in the internal control.
Furthermore, the entire company structure of the HSBC bank embraces the auditing personnel at all
levels of the management in order to establish the consistency and information accuracy prior to
financial reporting in the corporate governance of the annual report.
Internal Control Deficiencies identified in HSBC:
Even though the bank has a robust system for internal control of the information, the following
deficiencies were identified by Time Steel (2005):
The bank does not maintain accurate information on the number of customers being answered on a
given calendar date and there is no satisfactory paper evidence for the bank to justify a loan lent to a
customer or an account opened. Even though the bank holds copies of passports and other personal
information of the customers, many international customers who have not lived in the
country for long are also successful in securing a loan with minimal information. This risk was identified
and categorised as a significant deficiency in the annual audit for the year ending April 2005.
The bank does not hold clear information upon the conversations with a customer even though the
information related to rejection or acceptance of a specific application is recorded in the system.
Alongside, the fact that the customers can easily change their address for correspondence over the
Internet as well as by filling in a form in the branch is also questionable for accuracy and hence this
was categorised as a significant deficiency of the system.
5.5: External Auditing
The company's external auditors in the United States of America have verified the aforementioned
deficiencies and concluded that the internal control is functioning effectively apart from these
deficiencies. Alongside, the external auditors also agreed with the internal control standards and
approved the level of accuracy maintained even though in the year ending 2004 the external auditing
for the HSBC faced a very hard time because of the irregularity in compliance to the Sarbanes Oxley
Act. Alongside, the increase in the control level in the year 2004 as well as the increased level of
maintaining documentary evidence are the primary reasons for the successful approval of the internal
control by the external auditors in the year ending April 2005.
5.6: Communications and reporting
The communication of the information within the HSBC bank is strictly through the internal e-mails
maintained at high levels of security. The information being communicated and reported are all
documented and maintained for evidence in order to establish the accuracy and consistency of the
information. Alongside, the communications of the deficiencies identified follows a structured pattern
as argued by Time Steel (2005). Furthermore, the communications between various levels of the
organization as well as the internal control further increases the level of accuracy of the information
being processed.
Alongside, the reporting of the information to various levels of the organization follows a structured
pattern and the periodic reporting of any identified deficiency as well as highlighting any potential
information deficiency that might lead to a material weakness is promptly communicated to the senior
management as well as the corporate directors periodically in order to eliminate any errors and
inconsistency in the information that contributes to the financial reporting of the company in the
corporate governance. This method of the company to strictly report every discrepancy irrespective of
the criticality in the control or the financial impact is in tandem with the reporting and communication
expectations of the Sarbanes Oxley Act.
5.7: IT Auditing
The above arguments are predominantly concerned with the quality of the information and its impact
on the financial reporting on the company. But it is also mandatory to conduct comprehensive auditing
upon the technology being deployed and the control flow of the information that provides the
information the quality of which is analysed in the internal control. The various methods adopted by
HSBC in the light of IT audit are presented here. These are extracted from the company profile
published in January 2005.
Technical Documentation:
The HSBC Bank deploys state-of-the-art information technology systems to manage the entire operations of
the banking services offered by the company. The company utilises the IBM Mainframe architecture and
Tivoli Storage Management for the purpose of maintaining an