critical research analysis on the effectiveness of it auditing for corporate governance

Upload: vevin5

Post on 09-Apr-2018

  • 8/8/2019 Critical Research Analysis on the Effectiveness of IT Auditing for Corporate Governance

    1/41

    Critical Research Analysis On The Effectiveness Of IT Auditing For

    Corporate Governance

    Chapter 1: Introduction

    1.1 Introduction

    Auditing is one of the essential elements for the successful functioning of the business and helps an

    organization to face the external world with precise information on its business and issues related to

    accountability. Also, it is universally accepted that any business organization irrespective of its nature

    of business must provide relevant documentation to the government and other legal authorities with

    respect to their income and expenditure in order to meet the rules and regulations on tax. In the initial

    years of its introduction, auditing was primarily concerned with only the finance and finance related

    activities within the business that is accounted for in the business. Apparently, the revenue generated

    by the company and the costs associated are the major contributing factors for decision making on the

    tax and shareholder benefits. Alongside, the growth of information technology and the increase in the

    public awareness has further intensified the need for conducting an efficient auditing process to

    provide accountability for their business activities.

    It is intriguing to note that information technology has become an integral part of every business

    organization making information as a critical element for the effective operation of the business itself.

    Thus the need for auditing the information and IT based activities that account for the finance for the

    organization both revenue and expenses are imperative. This report is focused on the effective role of

    information technology audit in the corporate governance in the UK business organizations. The fact

    that the corporate governance is the portrait of a company to the external world both in terms of

    performance as well as financial information makes it a critical element for the success of an

    organization.

    It is also imperative that the corporate governance of an organization is essential not only for the

    benefit of the stakeholders but also for the economic stability in the business market as well as the

    entire nation. This report is aimed to present a critical research analysis on the effectiveness of IT

    auditing for corporate governance in UK. The report will throw light on the various aspects related to

    achieving effectiveness through IT audit as part of corporate governance and critically analyses the

    Sarbanes Oxley Act on IT audit and information transparency.

    1.2: Aim and Objectives

    The aim of this dissertation is to critically analyse the efficiency of IT audit in the corporate

    governance among the UK business organizations. This is achieved by embracing the research upon the

    following objectives.

    To critically analyse the concept of corporate governance and its importance for an

    organization both internal and external to the business.

    To analyse the critical nature of information in business and the growth of information systems

    in corporate governance.

    To analyse the corporate financial reporting frauds and the role of information technology in

    such cases through critically analysing examples from various industries.

    To critically analyse Section 404 of the Sarbanes Oxley Act which is the final rule of the act to

    be implemented by corporate organizations in the UK.

    To provide case study analysis with examples from banking sector and Energy sector in the UK

    on the application of the Sarbanes Oxley Act-section 404.

    1.3: Research Definition

    The research in this report is accomplished using secondary information resources only. This is mainly

    because of the fact that a public opinion on the IT auditing is totally irrelevant and the business

    organizations will not reveal their corporate information other than that is published in the annual

    reports due to data protection and privacy issues. Hence the research analysis in the case study is

    entirely qualitative in nature (i.e.) the research is based upon the journals and white papers published

    rather than using first-hand data for quantifying the analysis.

    The case study analysis is conducted upon the energy and banking sector of the UK. Whilst a critical

    analysis on HSBC bank Plc is presented under the banking sector, National Grid Transco, Plc is the

    company of interest in the Energy sector of the UK. The case study analysis on these organizations will

    provide critical information on the use of section 404 of Sarbanes Oxley Act and the company's strive to

    accomplish IT audit that support financial results for corporate governance. The research analyses only

    those areas of information systems that directly contribute to the financial results of a company rather

    than the entire information technology infrastructure of the company.

    1.4: Justification for the research

    The fact that information plays a critical role in every sphere of a business in the twenty-first century

    as argued by Efraim Turban et al (2004) has apparently increased the role of IT from just an

    operational support element to a strategic element of the entire business itself. Furthermore, the

    fraud detected in the ENRON and WorldCom cases (discussed in later chapters) were predominantly

    because of the frauds in information that attributes to the financial performance of the company.

    Hence, this research is conducted in order to throw light on the critical nature of information in the

    auditing process. The fact that energy (electricity and gas) and banking sectors are major business

    sectors that directly deal with the general public on a day-to-day basis apart from the increased

    interests of the stakeholders is the major reason for embracing the research on these two sectors of

    business in the UK.

    1.5: Chapter overview

    Chapter 1: Introduction

    This is the current chapter, which introduces the reader with the aim and objectives of the research

    and the research definition.

    Chapter 2: Literature Review - Corporate Governance

    In this chapter a critical overview of corporate governance and the need for auditing and financial

    performance is discussed in the light of business environments in the UK. The discussion throws light on

    the need for achieving corporate governance and the essential elements of the business that

    contributes to corporate governance of a company are discussed with focus upon the entire business.

    Chapter 3: Information systems and corporate governance

    This chapter critically analyses the role of information technology in business organizations and the

    critical nature of information in supporting corporate governance. This is followed by the critical

    analysis of the corporate financial frauds by providing false information with examples from Enron and

    WorldCom cases.

    Chapter 4: Sarbanes Oxley Act

    This chapter begins with an overview of the Sarbanes Oxley Act. This is followed by the critical analysis

    of the section 404 of the Sarbanes Oxley Act, which was published by Securities and Exchange

    Commission to be followed in the UK since June 2003.

    Chapter 5: Case Study 1: Banking Sector

    This chapter initially analyses the banking sector as a whole and establishes the critical nature of

    information in the corporate governance of the competing organizations. This is then followed by the

    analysis of HSBC Bank Plc one of the potential competitors in the banking sector both within the UK

    and across the globe. The analysis throws light on the adherence of the Sarbanes Oxley Act section 404

    by the company and the policies followed by the company to accomplish information transparency and

    consistency.

    Chapter 6: Case Study 2: Energy Business

    This chapter presents a critical analysis of the energy sector in the UK. This overview is followed by the

    critical analysis of the Energy transmission and Distribution conglomerate National Grid Transco Plc.

    The analysis throws light on the company's strategies and policies to achieve information transparency

    and reliability in the business. The research also establishes the critical nature of information in the

    business of the company.

    Chapter 7: Discussion and Conclusion

    The research conducted in the above two case studies are discussed in the light of corporate

    governance and the Sarbanes Oxley Act section 404. The analysis will provide a comprehensive review

    of the research conducted so far and establishes the coherence between the academic theories and the

    real-world scenarios. This is followed by the critical analysis of the objectives of the research followed

    by conclusion for the dissertation.

    Chapter 2: Literature Review - Corporate Governance

    2.1: Background Information

    Gerry Johnson and Kevan Scholes (2001) say, Corporate Governance is an essential element for any

    business organization mainly because of the fact that the corporate governance is the message

    conveyed by the company to the external world including the general public and stakeholders.

    Alongside, it is also interesting to note that the corporate governance of an organization not only

    communicates to the external world but mainly provide a one-stop information resource to anyone who

    is interested in the organization. The corporate governance of the company is essential for not only

    effectively communicating to the external world but mainly to attract potential customers in the

    general public both for the business as well as identify potential investors to the company.

    Furthermore, the fact that corporate governance is also the comprehensive analysis of the entire

    organization performance by taking the first chapter of every company's annual report makes it critical

    for an organization to effectively maintain and achieve a high level of corporate governance as argued

    by Gerry Johnson and Kevan Scholes (2002).

    Denzil Watson and Tony Head (1998) further argue that the corporate governance of a company is not

    only a one page message conveyed by the chairman of the organization but also concerns with the

    relationship between the company management and its owners in the entire structure of the

    organization. Apart from the relationship with the owners and stakeholders, the corporate governance

    is also an essential element for the effective management of the human resource of the company itself

    mainly because of the fact that not only the interests of the existing workforce should be nurtured but

    the company should also maintain a positive corporate governance to attract new employees to the

    organization in order to achieve long-term organic growth as argued by Denzil Watson and Tony Head

    (1998).

    Another interesting fact identified by Denzil Watson and Tony Head (1998) is that the corporate

    governance is a critical element in determining the remuneration for the senior executives in many

    organizations within the UK, which apparently means that the corporate governance is the mechanism

    that is used by the owners to govern the management of the company. Also, it is interesting to note

    that the corporate governance in the UK companies has been traditionally stressed upon the

    importance of internal control and importance of the role of financial reporting and accountability in

    the organization to its stakeholders and general public.

    2.2: Need for corporate governance

    Corporate governance of an organization is not only a message that is being conveyed to the

    stakeholders or the method of managing the management by the owners of the company but essentially

    the way of monitoring the company's growth and its position in the entire business market it is

    operating. The corporate governance is also important for achieving competitive advantage in the

    target market because of the fact that the customers in the target market are keen in identifying the

    attributes of the organization that sells the products to them. This includes every form of business

    including consumer industry, retail sector and even power and energy management sector as identified

    by Sebastian Nokes (2001). Furthermore, the corporate governance in an organization is also essential

    for efficiently monitoring and deploying the infrastructure of the company itself.

    Chris Brown (2005) argues that the corporate governance of an organization is essential for not only

    increasing the productivity of the organization but also to become an inspiring element for the

    employees in the organization to achieve higher level of performance within the organization.

    Furthermore, it is also interesting to note that the corporate governance of a company is essential to

    manage the senior management of the organization for not only monitoring the productivity but also

    for deploying the revenue for further business development. It is imperative that finance is the heart

    of the entire corporate governance mainly because of the fact that a company's performance is

    determined based upon its financial performance both by the stakeholders as well as the general

    public.

    T.C. Melewar (2003) further argues that the corporate governance of the organization is essential for

    not only the efficient management of the organization but also for identifying any potential issues that

    should be verified in order to achieve coherent results during the process of auditing in the company.

    Following the fall of the Enron and WorldCom which was mainly because of the failure of the

    management of the company to provide coherent information for audit process and fraud activities in

    the financial information, the Securities and Exchange Commission of United States of America has

    made it a rule that the corporate governance of a company must also include non-executive directors

    who are responsible stakeholders and people of social respect who would validate the activities of the

    company itself. Furthermore, the Securities and Exchange Commission has also made it mandatory that

    the auditing committee of the company must contain at least three non-executive directors mainly to

    facilitate the validation and approval of the results from the audit committee.

    The Legal and Regulatory exchange of the UK (2002) has also justified that even though the non-

    executive directors cannot fulfil all the expectations, they can help the company to perform effectively

    in the business through continuously monitoring the activities of the entire organization and

    providing valuable guidance to the board of executive directors in the form of suggestions. Alongside,

    the Department of Trade and Industry has also justified the fact that even though, the non-executive

    directors in the company do not involve themselves in the day-to-day business of the organization, they

    are responsible for the efficiency and overall effectiveness of the organization with respect to the

    organization's performance and reliability of the results.

    Furthermore, the fact that the corporate governance in an organization also contributes to the

    economic stability of the entire business market itself since the revenue generated from a business

    sector in a nation is obviously the summation of the revenue generated by the individual organization

    competing in the business and fraud in the corporate governance will eventually affect the economic

    stability of the business sector itself as argued by Malcolm McDonald (1996).

    2.3: Essential elements of corporate governance

    Even though it is clear that the financial performance and the financial statements are critical to the

    corporate governance itself, Denzil Watson and Tony Head (1998) have identified the following

    elements as the major contributing elements to achieve efficient corporate governance in any business

    organization.

    2.3.1: Human Resource

    Michael Armstrong (2003) argues, Human resource is the most indispensable resource for any

    organization. Apparently this is because of the fact that the costs associated with the recruitment and

    training of new staff in an organization is very high when compared to retaining the existing workforce

    and effectively nurturing their performance to increase productivity as well as stabilize the costs as

    identified by Denzil Watson and Tony Head (1998). Furthermore it is imperative that only the effective

    performance of the human resource of the organization without encouraging any errors and

    maintaining the transparency in their work related activities would provide accuracy and consistency in

    the business activities across the entire organization right from the operational level. It is also clear

    that even though the corporate governance concept is entirely strategic in nature, the business

    generates revenue only from the very end of the operational staff and hence the need to achieve

    accuracy and reliability at operational level is imperative for the efficient corporate governance in an

    organization.

    Derek Torrington and Laura Hall (1995) argue that the human resource of an organization not only

    contribute to the efficiency or performance of the organization, but also contribute to the overall

    reliability of the organization which is an essential element to achieve corporate governance in the

    organization. This is mainly because of the fact that the staff right from the operational level to the

    top level management must have the commitment in achieving the standards set by the company in

    performing the business which is essential for the corporate governance itself mainly because of the

    fact that corporate governance is increasingly being treated as a factor of reliability on the company

    rather than an information resource to judge the performance of the company. Alongside, Derek

    Torrington and Laura Hall (1995) further argue that the efficiency of the human resource of an

    organization is the primary contributing factor for the accuracy and reliability of the company's

    performance in the external world. This also explains that the human resource of an organization not

    only contribute to the efficiency and revenue generation of the company but also for the corporate

    governance of the organization itself.

    The above arguments justify that the human resource management and efficiency is essential for

    corporate governance in any business organization in UK.

    2.3.2: Finance

    As argued before finance is the backbone for any business since every organization operating in the

    commercial environment are focused in generating revenue and the increase in competition in the

    business due to globalisation and innovative business methods has apparently increased the need to

    focus on generating revenue with minimal costs as argued by Gerry Johnson and Kevan Scholes (2001).

    The above statement clearly justifies that finance is the critical element for the corporate governance

    in every business organization. Alongside, it is also essential to mention that the financial results are

    the end-product that is being analysed by the auditors even though the way in which the revenue is

    generated and the process of maintaining the cash flow are other critical elements of the business

    itself.

    Denzil Watson and Tony Head (1998) further argue that the corporate governance is predominantly

    based upon the fundamental issues of resource and finance allocation is addressed through the

    corporate governance only. This further makes it clear that even though accounting is a critical

    element of the finance, the output of which is actually being audited, the resource allocation and the

    finance management are the critical ingredients for the corporate governance in the organization

    which makes finance as the backbone of the corporate governance to any business organization. It is

    further intriguing to note that finance is not just the way of managing the allocation of money and

    financial resources but essentially the accountability to the allocations is the major factor that is

    analysed in the corporate governance of any organization apart from the corporate finance itself.

    Hence, accountability in terms of financial performance and management are the critical factors that

    contribute to the corporate governance of an organization.

    The rule passed by Securities and Exchange Commission of the UK that the financial statements must

    be disclosed not only in the annual reports but periodically published for public notice in order to

    enable the investors and stakeholders to critically judge the organization performance has made it

    clear that corporate governance embraces finance of the organization.

    Alongside, it is also clear from the Bank of Credit and Commerce International (BCCI) that the

    companies must disclose their financial information and also provide accountability for all the revenue

    generated and costs incurred not only in the annual balance sheet but also in a periodic fashion further

    justifies that the corporate governance is critically dependent on finance.

    2.3.3: Infrastructure

    The infrastructure in this context is not just the furniture and desktop computers that are used to

    accomplish the day-to-day business process but mainly the infrastructure that handles the finance and

    finance related information and activities. These include the software and hardware systems that hold

    the information on the finance and also those infrastructure elements that contribute to the

    generation of revenue in the first place. Denzil Watson and Tony Head (1998) further argue that the

    infrastructure in a corporate governance context also includes those that accomplish the effective

    auditing process and also the infrastructure elements that contain critical information on the finance

    and billing.

    Alongside, the infrastructure not only provides support to the finance and billing in an organization but

    also mainly contributes to the efficient retrieval and storage of the information (discussed in next

    chapter) and also supports the financial decision making in terms of corporate communication and

    deciding upon the allocation of finance for further development within the organization.

    This further justifies the fact that infrastructure in a corporate governance context not only includes

    the storage and retrieval system (electronic) but also includes those infrastructure elements that actually

    process the payments made by the customers to the organization and the expenses of the

    organization in order to run the day-to-day business.

    2.2.4: Communication

    Communication is critical for corporate governance because of the fact that only through the effective

    communication of the information to the audit committee, the organization can gain reliability and

    provide concrete information in their corporate governance. Since the corporate governance is

    predominantly the managing of the senior management of the organization and is derived from the

    process of auditing and verifying the activities of the company in every segment of the organization

    (including Human Resource and Finance) makes the communication a critical element for the smooth

    operation of the business. Furthermore, the communication also plays the vital role of communicating

    the information to the external world.

    2.3: Committees

    The aforementioned elements of the corporate governance are mainly in line with the day-to-day

    business process of the company itself. In order to maintain the accuracy of the corporate governance

    and increase the transparency as well abide by the regulations of the Securities and Exchange

    Commission, corporate governance consists of the following committees as identified by The Business

    Roundtable of UK (2004).

    2.3.1: Audit Committee

    According to the Securities and Exchange Commission it is mandatory for every publicly owned

    company to have an audit committee comprised of solely independent directors. This makes it clear

    that auditing is the heart of corporate governance and the accuracy of the entire business process will

    be accountable to the audit committee. Furthermore, the audit committee is also responsible for

    verifying and checking every aspect contributing to the business and the financial performance of the

    organization hence making it a critical element of the entire corporate governance itself. Alongside, it

    is also imperative that the independent directors belong to various segments of the business and also

    that the committee should comprise of non-executive directors for the purpose of accomplishing the

    consistency in the operation itself.

    This further justifies that the audit committee is responsible for justifying the accountability of the

    organization.

    The Securities and Exchange Commission clearly states that at

    least three members (directors) of the audit committee should be independent of the entire

    organization and should not participate in the management of the business directly or indirectly. These

    directors are called the non-executive directors as discussed above and they are appointed mainly to

    provide unbiased assessment on the business operations so as to clearly establish the business process

    and accountability for corporate governance of the organization.

    Denzil Watson and Tony Head (1998) say that even though it is not expected out of an independent

    director to have comprehensive financial knowledge it is essential for the non-executive directors to

    possess the fundamental knowledge on finance and its relevance to the business itself. They further

    argue that the directors in the audit committee should be able to conduct the auditing process with a

    critical eye to identify any flaws in the business process or the methodology of the organization in

    order to judge the company's financial performance.

    Even though, auditing is predominantly related to the finance and revenue of an organization, the

    other elements like information technology, human resource and infrastructure discussed above are

    also judged by the audit committee which is the reason for accommodating the directors in the

    committee from various fields of specialization in order to provide critical suggestions and provide

    accurate assessments upon the performance of the organization itself.

    In order to accomplish the aforementioned tasks the audit committee comprises the following:

    Risk Profile: The risk profile is maintained to monitor the corporate risks as well as the risks local to

    the committee itself. The Business Roundtable (2004) argues that the risk management is essential for

    the committee mainly to identify the risks associated with the business itself in order to efficiently

    manage the committee itself. The risk in this context is mainly the risk associated with a committee

    member providing a biased judgement or an inaccurate judgement due to his consideration will

    eventually affect the entire auditing process itself. This is the main reason for the presence of non-

    executive directors who are expected to review every decision made by the committee.

    Outside Auditors: The outside auditors are employed mainly to accomplish auditing process in an

    unbiased fashion in specialist areas like information technology etc where the external auditor

    employed will be accountable for the auditing of specific segment of the business. The audit

    committee is responsible for monitoring the efficient performance of the auditors and also manage the

    overall process of auditing in the organization. The decision of the audit committee is based upon the

    results produced by the outside auditors with respect to the areas they were employed to audit within

    the organization and hence the choice of the auditor is decided by the committee itself.

    Independent operation: The audit committee operates independent of the entire organization. This is

    primarily to accomplish unbiased judgement by the committee and also enable the committee to

    perform effectively without being disturbed by the day-to-day business issues.

    2.3.2: Corporate governance Committee

    Apart from the process of auditing which is very essential for corporate governance, it is also essential

    to have a corporate governance committee, which is central to the entire board of the organization.

    The Securities and Exchange Commission also states that it is mandatory for every publicly owned

    company to have a corporate governance committee that makes the decision and performs the overall

    management and accountability of the corporate governance for the organization itself. The corporate

    governance committee is also called the nominating committee that is responsible for nominating the

    directors under various committees that support the corporate governance like the audit committee

    discussed above. Also, the corporate governance committee is responsible for the nomination and

    management of the directors of the company itself who are accountable to the audit committee during

    the audit process. Like the audit committee, the corporate governance committee must also comprise

    of independent directors only. The Securities and Exchange Commission further expects the corporate

    governance committee to comprise of non-executive directors like the audit committee for the same

    reason as in the case of the audit committee. The Business Roundtable (2004) further argues that the

    independent directors in the corporate governance committee reinforce the idea that the

    governance process of the organization is unbiased and reliable.

    Apart from the above functions the corporate governance committee also has the responsibility of

    safeguarding the independence of the board in order to effectively assess the performance of the

    company against the set norms and also establish the accountability for the activities of the

    organization. Another major function of the corporate governance committee is to oversee the corporation and review the organization's process of providing information to the board in order to

    conduct the auditing process effectively.

    2.3.3: Compensation Committee

    The compensation committee performs the critical part for monitoring the compensation provided to

    the board and the senior management of the company. Like the audit committee and the corporate

    governance committee, the compensation committee should also comprise of independent directors

    as it is essential for any publicly owned company, as stated by the Securities and Exchange Commission.

    The committee not only decides the compensation for the senior management but also decides the

    allocation of revenue for compensation to the entire company itself that comprises of all the staff

    members other than the directors and senior management.

    The committee also performs the essential action of monitoring the compensation for the senior

    management based upon the results from the auditing and corporate governance committees.

    The committee is expected to work closely with the other two committees for gathering the

    information to decide upon the compensation for the senior management but the decision of the

    committee is not influenced by the other committees of corporate governance in a publicly owned

    organization as stated by The Business Roundtable (2004).

    The committee also creates the overall compensation structure for the entire organization and the

    decision made by the committee is completely independent.

    Alongside, the members of the committee should also comprise of non-executive directors like the

    audit committee and the corporate governance committee. It is also argued by The Business

    Roundtable (2004) that the compensation committee should understand the incentives structure

    independent of the industry and also provide a comprehensive compensation structure through

    efficient allocation of the resources (finance) to various levels of the company right from the senior

    management up to the operational level.

    2.4: Conclusion

    The above overview clearly explains the critical nature of corporate governance in an organization and

    its importance for achieving harmonic business operation. The overview on the committees and the

    various elements of corporate governance have proved that the corporate governance is not merely a

    tool for assessing the company's performance but essentially to judge the company's activities and

    establish accountability for the revenue generated and the expenses of the company.

    The next chapter provides a critical overview on Information systems and its role in the process of

    auditing and contribution to corporate governance.

    Chapter 3: Information systems and corporate governance

    3.1: Background information

    Information systems is the term used to identify the comprehensive deployment of Information

    technology and IT related products to accomplish the processing of information and presenting the

    right information for the decision makers. John Ward and Joe Peppard (2002) argue that the

    information systems in an organization not only includes the technology and technology related

    products but also those segments of the business that actually process and generate output from the

    information like the billing, revenue and purchasing departments of a corporation. Furthermore, they argue that the strategic use of information to facilitate effective decision making by the senior

    management of the organization apparently increases the need to identify critical information as well

    as maintain integrity of the information to accomplish accuracy and reliability. Information technology

    has seen tremendous growth in every sphere of business with the increase in the competition and the

    innovative methods of business like Customer Relationship Marketing and buyer behaviour modelling.

    The use of information by the external entities like the stakeholders, and governing authorities has also

    increased with the increase in the companies utilizing the information technology to accomplish their

    business process. It is interesting to note that the information technology in an organization not only

    provides operational support but also helps accomplish the decision making by the senior management

    efficiently.

    3.2: Role of information technology in business

    The increase in globalisation and the presence of foreign players in the business organizations has

    apparently increased the competition in the UK business markets. The increase in the outsourcing and

    the need to reduce costs has further increased the need for the organizations to deploy innovative

    methods to identify areas where they can eliminate costs as well as identify new areas for potential

    business.

    Alongside, the fact that information technology has increased the speed of processing information and

    reduced the level of errors associated with the business has apparently increased its popularity among the competitors. Efraim Turban et al (2004) further argue that the companies participating in the

    business process within the UK are increasingly facing competition from electronic commerce issues

    and the need to increase the revenue is increasing with the increasing costs as well as the continuous

    competition by reducing the price of products. The above statement may be applicable for

    organizations dealing with general public or the consumer industry but for organizations in the Banking

    sector and the energy transmission sector where the service is offered to the customers and the pricing

    is not a critical part, the information technology essentially plays the vital role of identifying new

    customers as well as providing ability to serve the customers effectively.

    3.2.1: Business-to-Business perspective

    In a business-to-business perspective, information technology has not only increased the speed of

    communication but also essentially increased the accuracy of the information being processed between

    two organizations. Alongside, information technology has also accomplished the ability to conduct

    video conferencing and other forms of communication eventually reducing the costs for the business

    and at the same time increasing the productivity of the staff in the company.

    Apart from the above-mentioned points, in a business-to-business perspective, the organizations are

    increasingly leveraging information technology to achieve secure transaction of information critical to

    the business. The increased use of Internet by the organizations and the deployment of electronic commerce have further increased the speed with which the decision is being made by the different

    business organizations involved in a specific deal. The market review on the business-to-business

    marketing in the year 2004 has revealed that the industries are increasingly using the information

    technology to quickly make their decisions in order to meet the competition in the business markets

    they are competing. Furthermore, Isla Gower (2004) argues that in a Business-to-business environment

    the information being transferred is critical and requires to be of high accuracy levels mainly because

    of the fact that the information so processed contributes directly to the decision making of the

    involved parties and hence can have a severe impact on the business in case of inaccurate information

    being sent to the involved parties.

    Alongside, in a business-to-business environment, the information processed is not only strategic in

    nature but also serves as ingredient for critical analysis and forecasting by the decision makers in order

    to analyse a given business market and trend of the business in the target market.

    The above argument clearly establishes the vital nature of information in a business-to-business

    perspective. It is clear that the information being processed is not only critical but also essential for

    maintaining harmonic relationship between the involved organizations.

    3.2.2: Business-to-consumer Perspective

    Unlike the business-to-business situation discussed above the business-to-consumer case is more critical

    in nature because of the fact that it not only involves high density of information being processed but

    also the business faces the customers in the general public. Apparently the public opinion upon the organization will change and can have potential impact on the entire business if the information being

    processed is not accurate.

    Alongside, the information technology has not only revolutionised the process of business by

    accomplishing electronic commerce but also accomplished quick and timely communication to the

    customers through various forms of electronic communication like e-mails, Internet publications,

    newsletters etc. The fact that the people in the general public also comprise the stakeholders in the

    organization has further made it critical for the requirement of presenting accurate information to the

    customers in order to increase their market share and leverage competitive advantage.

    Since this report is focused upon the corporate governance where the information is mainly used for

    the decision making and providing reliable information to the stakeholders a detailed analysis of the

    advancements in information technology to leverage business development is not discussed.

    3.2: Information Technology as part of the business process

    Many organizations are increasingly using the information technology to increase their speed of the

    day-to-day business process itself on top of utilizing information technology to produce effective

    reports and conduct complex calculations. National Grid Transco, the company under analysis is one

    such organization to have deployed the information technology on a nationwide basis across its various branches and third parties involved in the business process. The company processes large amount of

    information everyday, as part of the business process and most of the information is sensitive in nature

    that could affect the revenue generated by the company itself. With reference to the concept of

    corporate governance this information that is being processed must be verified and validated in order

    to account for the billing and payment from the customers for the company. A detailed analysis is

    presented in chapter 6 of this report.

    Alongside, the banking sector which is another industry under consideration is increasingly depending

    upon information technology not only to attract customers but mainly to conduct their business process

    effectively and support the financial decision making both at branch level for issues related to money

    lending and opening new accounts as well as at corporate level to decision making on investments and

    business development. Alongside, the leading conglomerates like Barclays and HSBC in the banking

    sector leverage information technology for not only processing of the information but also for the

    communication of critical information like foreign exchange rates, share prices, and other critical

    information which has to be validated before being published for the shareholders to view.

    The above two brief examples clearly identify that the information that is being processed by the

    companies is the main contributing factor for the actual revenue generation in the company itself.

    National Grid Transco, Plc for example is a company that is completely dealing with energy where

    revenue is being generated based upon the energy transferred to the customers. In this case an error in

    the processing of the information related to the energy will directly impact upon the billing, which will

    eventually hinder the corporate governance of the company itself.

    This justifies that the extensive use of information technology in business process has apparently

    increased the extent to which errors can occur in the business process itself, which will affect the

    company's corporate governance drastically.

    3.3: IT audit in corporate governance

    The discussion in the previous section throws light upon the use of information technology as part of

    the business process by many organizations. Christopher Barnatt (2000) argues that the corporate

    governance in an organization even though embraces the auditing of the finance and revenue

    establishing accountability, mainly depends upon the information that is underlying the revenue generated or the cost incurred since the financial quantification by the company is based upon the

    actual information on their day-to-day business. This further makes it clear that information not only

    plays a critical role in managing the audit data but also essentially plays a vital role in validating the

    raw data that is actually used to account for the revenue within the organization.

    The above statement clearly explains that the information technology is critical for the business

    process and revenue generation apart from the aspects of customer relationship etc. John Ward (2000)

    further argues that the information technology in a business environment with reference to corporate

    governance of the organization provides the initial input for the actual revenue accountability of the

    organization. Furthermore, he argues that the possibility to provide false information in order to cover any major issues within the organization will eventually affect the corporate governance of the

    organization. Alongside, it is clear from the above argument that the technology behind the processing

    of the information itself needs to be validated in terms of access control and security measures in order

    to prevent unauthorised access to the information.

    Enron, a leading company in the energy sector of the United States of America actually published false

    information on the amount of energy generated and transferred to the customers which eventually


    the transparency of information in the financial reporting and the need for internal control of the

    information being processed in order to increase information security as well as consistency of

    information.

    Although there are established compliance rules for financial accounting itself, the Sarbanes Oxley Act

    is being critically evaluated in this report mainly because of the fact that the research is upon the IT

    audit for achieving corporate governance which implies that the information consistency and accuracy

    with respect to the financial reporting is the key issue being addressed by the company.

    Even though Sarbanes Oxley Act is an American law passed by the Securities and Exchange Commission

    of United States of America, the law is also internationally applicable because of the fact that the

    corporate governance of a publicly quoted company is essential for the stable operation of the

    economy as well as to nurture the investor confidence which is critical for a free range economy as

    identified by the Institute of Internal Auditors UK. Furthermore, the fact that many leading companies

    are quoted in the New York Stock exchange since the globalisation has increased the investment in

    foreign nations and increased the need for presence in the United States of America has apparently created the need for the companies to comply with the Sarbanes Oxley Act.

    4.1: Overview of Sarbanes Oxley Act

    The Sarbanes Oxley Act was passed by the US government in order to restore the investor confidence in

    the United States of America as well as to increase the transparency in the business process itself so as

    to prevent further financial frauds like that of Enron and WorldCom due to the misinterpretation or

    providing false information etc. The Sarbanes Oxley Act comprises of eleven sections that present

    comprehensive information about the compliance for an organization in using the information to

    accomplish efficient financial reporting within the organization.

    The management responsibilities identified by the Sarbanes Oxley Act section 404 which was approved

    by the Securities and Exchange Commission to be followed by the companies are:

    Accept responsibility for internal control over financial reporting

    Evaluate the effectiveness of internal control using suitable criteria

    Support the evaluation with sufficient evidence and documentation

    The aforementioned points clearly justify the fact that information is the critical element for the

    entire process of financial reporting and hence it is essential to control the financial reporting and the

    information related to financial reporting.

    Furthermore, the Sarbanes Oxley Act emphasises the internal control of the information and the

    finance reporting methods in order to maintain coherence in the information being processed and

    achieve effective corporate governance for the company.

    Alongside, the Sarbanes Oxley Act also protects the interests of the employees and their rights when

    they were involved in providing vital information on a fraud being continued within the organization

    against the company. The Sarbanes Oxley Act provides that the employer has to pay a fine of up

    to $250,000 for terminating the employment of an employee for providing correct information on a

    fraud within the organization for financial reporting or other areas which would potentially affect the

    corporate governance of the company resulting in false reporting.

    4.2: Section 404 of Sarbanes Oxley Act

    The section 404 of the Sarbanes Oxley Act, which was approved by the Securities and Exchange

    Commission as a rule to be adhered to by the publicly owned organizations, expects the following to be

    accomplished by all the organizations in their financial reporting and control:

    Strict Standards for Corporate accountability with respect to the established and approved

    methods of the governing bodies in the respective countries. This apparently means that the

    organizations in the United States of America for example must provide their financial reports in line with the standards laid by the IRS (Inland revenue service) of United States of America

    whilst the companies in UK must adhere to the standards laid by the Inland Revenue Service of

    UK. The SOX section 404 further provides the provision for following a single method of

    accounting for financial reporting that is internationally accredited in order to meet the

    requirements by multinational companies.

    Present a written assessment as of the year-end every year. This means that the companies

    must provide a comprehensive documentation of all the information resources and the

    processes being followed by the companies in order to accomplish the transparency level

    within the organization. Also the written assessment in this context is purely internal since a

    comprehensive documentation of all the process must be prepared and controlled internally in order to enable speedy retrieval as well as quick and accurate processing of the information by

    the company for financial reporting.

    Written assessment by the external auditor. The written assessment by the external auditor is

    not only to be accomplished on the traditional accounting and financial reports but right from

    the first elements that feed information into the system that eventually provides input to the

    financial report either for income or expense. This is argued by Ian P. Dewing and Peter O.

    Russell (2004) that even though the internal auditing is necessary to be comprehensive by

    including every aspect of the information systems that account for the financial reporting, it is

    more important for an external body to approve the auditing so accomplished mainly because

    of the fact that the external audit will justify the internal audit which is essential for the completeness of the entire system of the auditing.

    Declaratory statement in the year annual report and accounts. This is in line with the corporate

    governance statement released by the company in its annual report. The company should

    include the details of the internal auditing and the verification from the external auditor upon

    the completion of the auditing in order to establish the consistency and increase the reliability

    of the investors upon the corporate organizations. The fall in the stock markets in United

    States of America after the fall of Enron and WorldCom has apparently led to a situation where

    the investors are not ready to rely upon any big organizations and hesitated to invest upon the

    shares eventually leading to economic instability in United States of America. This was the

    major reason for the government of United States of America to quickly pass the section 404 of

    the Sarbanes Oxley Act as a rule through Securities and Exchange Commission in order to

    increase reliability among investors as well as increase the stock market performance.

    4.3: Internal control deficiencies

    As discussed before the Sarbanes Oxley Act section 404 is mainly to accomplish the internal control of

    the information relating to the financial reporting in order to leverage investor reliability. Any

    deficiency in the control will obviously lead to a loss of certain material value. This deficiency is

    classified into three categories as mentioned in Table 1

    Table 1: Internal Control Deficiencies and their material value as identified by Sarbanes Oxley Act

    Type of Internal Control Deficiency Material Value Reported

    Inconsequential 0.5% and 5% profit or around 70 million of the net profit value

    Shareholders (i.e.) public.

    From the above table it is very clear that the Sarbanes Oxley Act is keen in capturing any potential

    financial losses even in the initial stages through internal control and the reporting actions stated in

    Table 1 further justifies the importance given to gaining investor reliability.

    4.4: External Auditing

    As stated before, the Sarbanes Oxley Act has made it mandatory for strict internal controls and auditing of the procedures, which in turn must be audited by an external auditor. The responsibilities

    of the external auditor so appointed are listed below

    Audits of internal control and financial statements are integrated (i.e.) every potential

    deficiency and financial loss in the internal control are appropriately mentioned in the

    financial statements of the company.

    Evaluate the management's assessment process, including the documentation procedure. The

    section 404 of the Sarbanes Oxley Act which is being established as the rule expects the

    organisations to maintain all the electronic documentation using a defined naming convention

    and also establish version control for all the critical documents that serve as the input for

    various analysis and queries of the company that have potential financial impact. The

    documentation and version control will not only ease the process of auditing but also mainly

    increase the accuracy with which the organization manipulates the information. Alongside, the

    fact that the information related to financial reporting are being communicated between

    various levels of the organization internally makes it imperative to maintain a single copy of

    the document or information sent electronically to the personnel involved. This increases the

    consistency of information being viewed as well as increases the reliability of the information

    being processed.

    Test both design and operating effectiveness of controls for all relevant assertions related to

    all significant accounts and disclosures. This mainly evaluates the way in which the information

    is actually being processed by the company (i.e.) the internal policies, billing methodologies,

    exceptional circumstances and how they are handled by the company etc. The fact that many publicly owned organizations deal with queries and disputes related to financial reporting like

    disputes in the amount billed etc. has made it necessary for the organization to follow a

    unified code of practise to achieve consistent results every time in handling financial

    information. Furthermore the design in this context is predominantly the structured approach

    to manipulating information in order to gain consistency in the financial reporting which will

    eliminate any errors and flaws in the corporate governance of the company.

    Evaluate the results of the testing by the management and others such as the internal audit

    and consider whether to use the internal audit results for the auditing purposes. From this

    statement it is clear that it is under the discretion of the auditor to use the results of the

    internal audit systems of the company. This further emphasises that even though the organization is expected to adopt strict internal control and auditing policies as mentioned

    before, it is the duty of the external auditor to validate the methods followed by the company

    and the accuracy prior to using the results from the internal audit for their auditing purpose

    itself. From this statement, it is clear that the Sarbanes Oxley Act not only aims to achieve

    investor confidence but mainly to eliminate any flaws leading to potential economic threats to

    the industry itself.

    Evaluate the severity of all identified internal control deficiencies and consider the evidence

    from all sources to reach a conclusion. This again explains that the external auditor is

    accountable for any discrepancy in the information being processed towards financial reporting

    since the external auditor is expected to review and verify all internal deficiencies irrespective of their severity and provide their individual conclusion upon the deficiency after

    analysing the evidence. This makes it clear that Sarbanes Oxley Act treats the external auditor

    as the key element in the corporate governance of an organization even though it equally

    emphasises the internal control and auditing.

    Report on the management's assessment and on the effectiveness of internal control over

    financial reporting. From this statement it is clear that the external auditor is the person

    responsible for the overall auditing of the company even though the internal auditing and

    control are necessary.

    4.5: Communication and Reporting

    As discussed in the literature review, the corporate governance of an organization embraces effective

    communication and reporting of the information for auditing. This makes it imperative that the

    management communicates effectively with the external auditing team as well as maintains effective

    internal communication between various sections of the management.

    The Sarbanes Oxley Act has laid the following norms for communication and reporting

    Communication of all deficiencies: This approach of the Sarbanes Oxley Act was criticised by

    many critics since the reporting of minor deficiencies was considered as unnecessary. The fact

    that a company can categorise a potential issue as an inconsequential deficiency due to

    misinterpretation of the information as in the case of WorldCom where the company categorised all its major expenses as investment justifies the demand of Sarbanes Oxley Act to

    report all the identified internal deficiencies irrespective of their severity within the

    management or external to the business.

    The significant deficiencies should be identified by the external auditors and then reported to

    the audit committee in order to arrive at a concrete conclusion of whether or not to

    categorise the deficiency identified as inconsequential or severe. This approach by the

    Sarbanes Oxley Act to report the identified deficiencies to the audit committee and arrive upon

    a unified decision apparently makes it clear that the information being deployed by the

    company in the organization as well as the technology being used should be verified for any

    potential deficiencies and these deficiencies should be verified and evaluated by the external auditing team. This eventually increases the transparency of the information and the entire

    business process itself eventually increasing the investor confidence.

    Sarbanes Oxley Act further allows the company not to disclose any significant deficiencies

    identified as such in their annual report but provide accountability in their financial statement

    of the annual report. This statement apparently protects the company's business process itself

    since any potential deficiencies disclosed in the published annual report will eventually hinder

    the company's growth because of the fact that the deficiency in the business process will

    eventually discourage the investors from purchasing their shares eventually reducing the

    market value of the company itself. Hence in order to prevent the company from losing its

    market share through revealing the actual deficiency, the Sarbanes Oxley Act has made it clear

    that the company must account for every deficiency in their financial report but still need not

    disclose the actual deficiency identified in the published annual report. Alongside, it is also

    interesting to note that the communications of the deficiencies to the external auditor and

    the joint decision of the audit committee and the external auditor will eliminate any errors in

    justifying a deficiency in the internal control as inconsequential or vice versa.

    Unqualified opinion: The Sarbanes Oxley Act strictly prohibits the unqualified opinions in the

    corporate governance of the company. It is essential to state that the Sarbanes Oxley Act

    expects documentary evidence for all the deficiencies as well as the information related to the

    deficiency that lead to potential impact on the financial report. Since the Sarbanes Oxley Act is

    primarily concerned with the process of maintaining information integrity and accuracy to

    achieve investor confidence through eliminating financial reporting frauds, it is essential for

    the organization to provide evidence for every deficiency identified in order to justify whether

    it is inconsequential or not. Alongside, the Sarbanes Oxley Act authorises the external auditor

    to categorise any deficiency without ample supporting documentation as a potential material

    weakness. Hence it is essential for the companies to adhere to strict procedures for

    information storage and retrieval as well as maintaining the electronic filing systems itself

    within the organization.

    Periodic reporting of any material changes to the internal auditing and control methods: The

    Sarbanes Oxley Act expects the management to report any potential changes made to the

    internal controls as well as the material changes to the external auditors. This is mainly

    effective when an organization undergoes any changes with respect to its trivial methods of

    reporting and process of information as well as in cases of any new software or hardware

    installation. The Sarbanes Oxley Act strictly requires the organization to provide concrete documentary evidence to any changes in the technology being used as well as the changes to

    the methods of reporting regularly in order to establish consistency in the information being

    analysed by the audit committee and the senior management. This apparently increases the

    consistency of information as well as ease the process of auditing itself since the external

    auditor can effectively perform the audit process when the management communicates with him

    effectively.

    Scope Limitation and management responsibilities: The Sarbanes Oxley Act authorises the

    auditor to disqualify any opinion of the management when the communication of the

    information related to a deficiency is not appropriate and has not met the standards. This

    statement authorises the external auditor to disqualify a specific internal control method or disapprove the entire internal control method when the deficiency identified is not properly

    justified with ample documentary evidence. This approach of the Sarbanes Oxley Act towards

    the information that is contributing for the financial reporting apparently increases the

    consistency and accuracy with which the information is being processed as well as controlled

    by the management in order to successfully pass the external auditor's demand.

    4.6: Information management and control

    As argued before, the Sarbanes Oxley Act was passed by the Securities and Exchange Commission mainly

    to increase the clarity of information being processed that contributes to the financial reporting so as to

    increase the investor confidence. This apparently means that the entire Sarbanes Oxley Act is

    concerned mainly with the information management, control on the information and the deficiencies

    associated with the control of the information and reporting that contributes to the financial reporting.

    The Sarbanes Oxley Act emphasises the following specific areas with respect to the information systems

    within an organization in order to increase the transparency as well as reduce deficiency in the control.

    Management and control of the technology: The Sarbanes Oxley Act has made it mandatory for

    every organization to provide a comprehensive and coherent documentation on the technology

    being deployed by the company in managing its information (i.e.) the technology behind the

    information system used by the organization. The Sarbanes Oxley Act emphasises that the

    organization must maintain consistent documentation and reports for the technology and

    software installed in the company for performing the day-to-day business process that accounts

    for the financial reporting within the organization. This is mainly because of the arguments in

    the previous chapters that the software or hardware technology that is behind the information

    is the primary element that contributes to the manipulating of the data to provide the right

    information. For example, in an FMCG (Fast Moving Consumer Goods) organization, the

    company should not only account for the unit sales for every item but also mainly provide

    information on how the financial value with respect to the units sold is being calculated by the

    system they deploy in order to verify the consistency of the information. This makes it clear

    that the Sarbanes Oxley Act emphasises that the technical design of the software system being

    deployed should be reported and precisely related to the business process of the organization.

    Reporting and communication: The section 404 of the Sarbanes Oxley Act emphasises on the companies to report any changes made to the design of the software system (i.e.) changes

    made to the technical design of the system in order to efficiently control the flow of

    information within the organization. This is also essential in terms of reporting mainly because

    of the fact that the company can provide concrete documentary evidence on consistent use of

    the information and accuracy only when it can provide an effective report on the technical

    design of the information system being deployed by the company.

    Access Control and security: One of the key issues faced by the information technology in any

    organization is to prevent unauthorised access to sensitive information. The fact that many

    organizations fail the IT audit mainly because of the lack of efficient access control

    management explains that information security is essential to justify the accuracy and consistency of the information being processed by the company. The section 404 of the

    Sarbanes Oxley Act has further emphasised that the organizations should adhere to an

    established access control techniques like Role Based Access Control in order to efficiently

    control the access to information by users without any biased decision. Furthermore, the

    external auditor is expected to verify the access control methods deployed and identify any

    deficiency in the technique with respect to the impact on the financial information.

    Reporting of Control flow, information storage and retrieval: Even though access control is one

    of the critical elements for the Sarbanes Oxley Act compliance, a much more critical issue is

    mainly to establish the flow of the control between various elements of the information

    technology being deployed within the organization itself in order to establish the accuracy of information. John Ward and Joe Peppard (2002) argue that information can be justified as

    accurate and consistent only when the flow of the control (i.e.) the flow of information and

    their efficient mapping within the system is justified and clearly identified and verified. For

    example when an organization provides a refund to the customer or provides compensation to

    one of its staff under exceptional circumstances, this must be quantified and clearly mapped

    with the actual financial reporting of the organization itself in order to effectively manage the

    information. Alongside, the storage and retrieval techniques and the flow of control in these

    cases must also be quantified by the company in order to efficiently justify its information flow

    and management of the information consistency. The Sarbanes Oxley Act emphasises that the

    companies should not only report the aforementioned but also mainly provide ample

    documentary support in order to meet the demands of the external auditor.

    4.7: Conclusion

    From the above arguments, it is clear that the Sarbanes Oxley Act aims to establish information

    transparency within the organization and thus increase the investor confidence. This is mainly required

    in order to maintain a free-range economy and nurture the competition in the business market.

    Alongside the Sarbanes Oxley Act compliance has become mandatory for foreign organizations and the

    deadline for achieving this compliance is laid as June 2006 for the UK based public organizations. The

    above research thus is imperative for any organization that is publicly quoted and aims to gain foreign

    investment in the form of shares. The case study analysis in the chapter 5 and chapter 6 will throw

    light on the critical nature of information in the business sectors and the need for information

    technology audit. The analysis on specific organization in each case study will throw light on the organization's initiative to comply with Sarbanes Oxley Act and the internal controls established by the

    organizations.

    Chapter 5: Case Study 1: Banking Sector

    5.1: Background Information

    The banking sector is one of the major business sectors of the UK with big players like HSBC, Barclays,

    etc. The Keynote Market analysis on the banking sector (2004) has revealed that the banking sector

    accounts for more than 30% of the entire revenue generated by the UK economy. Furthermore, the banking sector in the UK is increasingly facing competition from the non-financial organizations like the

    retail sector players (TESCO

    services it is essential for the bank to monitor and control the effective flow of information as well as

    maintain the integrity of the information being processed. This is highly critical as argued by Tim

    McCollum (2004) who says that information technology has not only reached the core business process

    but also accounts for the actual existence and validity of the information being processed.

    Furthermore, since the banking sector is dealing with finance and money related products as a business

    itself, the need to effectively distinguish between the revenue and investments is essential to provide

    consistency in the information being processed by the company. With the increase in acquisitions and

    mergers by competitors like HSBC, a bank that grew through constant mergers and

    acquisitions, it is essential for the banking sector organizations to maintain consistency in the

    information as well as provide concrete evidence on the process of the technology itself.

    The banking industry profile (2005) further argues that auditing in a banking sector organization is not

    only a difficult process but also mainly a sensitive process to both the information being manipulated

    as well as the information related to the financial services. The intriguing fact in the banking sector is

    that the information related to expenses and investment can be easily misinterpreted because of the fact that in both the cases the bank records the information as a debit. It is further interesting to note

    that the information technology in the banking sector is utilised thoroughly in order to maintain

    efficient services and access to the accounts by the customers whilst incorporating efficient security

    and access control techniques.

    From the above arguments it is clear that the information technology is not only part of the operational

    process but mainly forms the backbone for the banking sector organization to establish their financial

    reporting as well as contribute to the corporate governance of the organization itself. Hence it is

    essential for performing effective IT audit in the banking sector organization, which is evident from the

    above arguments. The analysis on HSBC Bank Plc in the next section will throw light upon the various methods utilised by the company to perform effective auditing and maintain information consistency to

    contribute to the corporate governance of the bank.

    5.3: HSBC Case Study

    HSBC Bank Plc is the leading organization in the banking sector with global presence in all Asia,

    America, Europe and Africa. A critical analysis on the company by Tim McCollum (2004) in his report on

    the banking sector and IT Auditing reveals that the company has grown mainly through investing upon

    acquisitions and mergers since the 1990s when it initially entered the UK banking sector by

    purchasing a percentage of the shares from Midland Bank UK. The company profile also states that the company has not only grown in size but also utilised information technology to deploy its entire

    business process in order to gain competitive advantage in the business market.

    Since the company is also listed in the New York Stock Exchange, it is imperative for the company to

    adhere to the Sarbanes Oxley Act in order to establish effective corporate governance and gain investor

    confidence in the business market.

    5.4: Critical analysis of the IT Audit procedures in HSBC

    The IT audit in the HSBC is a very elaborate and intricate process as mentioned by Tim McCollum (2004)

    who justified that the company not only has established controls for every element of the business

    process but also established external auditing for all the controls.

    5.4.1: Internal Controls

    The internal controls in the HSBC Bank Plc comprise three levels:

    Operational Level internal control: in this level the line managers and the supervisors perform

    the validating process of the information being processed by the specific branch on a day-to-

    day basis. This control is mainly to identify any errors in the processing of the business in the

    first instance itself in order to effectively establish the information accuracy in the business

    process. Alongside, the operational level control also accounts for the day-to-day credit and

    debit of the bank including all the elements like the ATM cash machines, cheque withdrawals and other transactions like loans, mortgage, etc. The interesting fact in this level of control is

    that not only the information is being checked for validity; the organization has a set

    procedure to escalate any discrepancy and provide paperwork or documentary evidence for any

    amendments made on a day-to-day basis. This approach to the control in the operational level

    apparently reduces the error in the information to a large extent even though the limitations

    like processing times and cheque collection time cannot be accounted for by the bank at

    operational level.

    Middle management control: This level of control to the auditing and information is established

    mainly to verify the information and validate the process periodically in order to reduce the

    amount of information being processed at the corporate level whilst performing the auditing process for the annual report. This level of the control mainly focuses on the integration and

    control of the operational branches as clusters so that the operational limitations like the time

    taken for the realisations of funds etc., can be overseen by this level of control. This level of

    control further monitors the branches and performs any intermediate auditing and verifications

    in the information being processed in order to maintain information accuracy. The fact that the

    individual accounts are not verified but mainly the information related to the financial

    transactions made on a given calendar date are checked for their validity and verified for

    accuracy since this information is the input for the financial reporting for the company at both

    the periodic and annual levels. The Group Annual Report of the company published in the April

    2005 reveals that the company is not only involved in the process of IT Auditing but has also mentioned it in the corporate governance report section of the annual report. Furthermore,

    the middle management control also emphasises the information consistency and addresses

    any potential issues that are identified in the process of auditing the information that is being

    processed for the financial reporting itself. The fact that the information that is being

    processed is again the financial information of customers makes it critical for the bank to

    efficiently manage and distinguish the information and provide accurate input to financial

    reporting.

    Senior Management Level control: the HSBC company profile (Datamonitor, 2004) has clearly

    stated that the senior management level of the control performs the process of verifying the

    information processed by the company and establishes accountability for any discrepancies in the

    information. Alongside, this level of control also performs the process of identifying the

    deficiencies in the internal controls and establishes their severity. This further justifies that

    this level of the internal control is the actual team that faces the external auditor whilst

    performing the external audit. This clearly justifies that the internal controls in the bank itself

    are being monitored and accounted for their deficiencies by the Senior Management level of

    the internal control who not only verify the information for their accuracy but also account for

    any deficiency identified in the internal control system itself.

    The aforementioned arguments clearly justify that the internal control of the information flow for the

    financial reporting is highly structured as well as robust in nature. Furthermore, it is also interesting to

    note that the company has established the internal control in line with the Sarbanes Oxley Act

    compliance (company Profile, 2004) after the rule of Securities and Exchange Commission to follow the

    Sarbanes Oxley Act section 404 by all the publicly quoted companies in the United States of America by 2004.

    A critical analysis of James Weber and Dana Fortun (2005) upon the internal control and IT audit has

    revealed that the HSBC bank Plc is not only utilizing the internal control for the purpose of verifying

    and establishing the information accuracy but also for the purpose of establishing a proactive method

    of verifying the information right from the operational level in order to eliminate the occurrence of

    deficiency in the material weakness when identified at a later instance. Alongside, the strict methods

    of maintaining documentary evidence for any amendments in the information and any discrepancy

    being verified proves that the company is maintaining high levels of information consistency right from

    the operational level in order to avoid any material weakness in the deficiency in the internal control. Furthermore, the entire company structure of the HSBC bank embraces the auditing personnel at all

    levels of the management in order to establish the consistency and information accuracy prior to

    financial reporting in the corporate governance of the annual report.

    Internal Control Deficiencies identified in HSBC:

    Even though the bank has a robust system for internal control of the information, the following

    deficiencies were identified by Time Steel (2005):

    The bank does not maintain accurate information on the number of customers being answered on a

    given calendar date and there is no satisfactory paper evidence for the bank to justify a loan lent to a

    customer or an account opened. Even though the bank holds copies of passport and other personal

    information of the customers, the fact that many international customers who have not lived in the

    country for long are also successful in securing a loan with minimal information. This risk was identified

    and categorised as a significant deficiency in the annual audit for the year ending April 2005.

    The bank does not hold clear information upon the conversations with a customer even though the

    information related to rejection or acceptance of a specific application is recorded in the system.

    Alongside, the fact that the customers can easily change their address for correspondence over the

    Internet as well as by filling in a form in the branch is also questionable for accuracy and hence this

    was categorised as a significant deficiency of the system.

    5.5: External Auditing

    The company's external auditors in the United States of America have verified the aforementioned

    deficiencies and concluded that the internal control is functioning effectively apart from these

    deficiencies. Alongside, the external auditors also agreed with the internal control standards and

    approved the level of accuracy maintained even though in the year ending 2004 the external auditing

    for the HSBC faced a very hard time because of the irregularity in compliance to the Sarbanes Oxley

    Act. Alongside, the increase in the control level in the year 2004 as well as the increased level of

    maintaining documentary evidence are the primary reasons for the successful approval of the internal

    control by the external auditors in the year ending April 2005.

    5.6: Communications and reporting

    The communication of the information within the HSBC bank is strictly through the internal e-mails

    maintained at high levels of security. The information being communicated and reported are all

    documented and maintained for evidence in order to establish the accuracy and consistency of the

    information. Alongside, the communications of the deficiencies identified follows a structured pattern

    as argued by Time Steel (2005). Furthermore, the communications between various levels of the

    organization as well as the internal control further increases the level of accuracy of the information

    being processed.

    Alongside, the reporting of the information to various levels of the organization follows a structured

    pattern and the periodic reporting of any identified deficiency as well as highlighting any potential

    information deficiency that might lead to a material weakness is promptly communicated to the senior

    management as well as the corporate directors periodically in order to eliminate any errors and

    inconsistency in the information that contributes to the financial reporting of the company in the

    corporate governance. This method of the company to strictly report every discrepancy irrespective of

    the criticality in the control or the financial impact is in tandem with the reporting and communication

    expectations of the Sarbanes Oxley Act.

    5.7: IT Auditing

    The above arguments are predominantly concerned with the quality of the information and its impact

    on the financial reporting on the company. But it is also mandatory to conduct comprehensive auditing

    upon the technology being deployed and the control flow of the information that provides the

    information the quality of which is analysed in the internal control. The various methods adopted by

    HSBC in the light of IT audit are presented here. These are extracted from the company profile

    published in January 2005.

    Technical Documentation:

    The HSBC Bank deploys state-of-the-art information technology systems to manage the entire operations of

    the banking services offered by the company. The company utilises the IBM Mainframe architecture and

    Tivoli Storage Management for the purpose of maintaining an