Search results

1 – 10 of 255
Article
Publication date: 26 August 2014

Michele Rubino and Filippo Vitolla

Abstract

Purpose

The purpose of this paper is to analyze how the COBIT framework, integrated within the internal control framework, enables improvement in the quality of financial reporting while helping to reduce or eliminate the material weaknesses (MWs) of internal control over financial reporting (ICFR). The Control Objectives for Information and Related Technology (COBIT) model is a framework for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Preliminarily, the analysis in this paper illustrates how the Committee of Sponsoring Organizations (COSO) framework impacts on the MWs, highlighting strengths and weaknesses. This paper shows how these limits can be overcome with the use of the COBIT framework.

Design/methodology/approach

This is a conceptual paper that aims to highlight the relationship between COBIT and COSO, by illustrating how the IT processes reduce or eliminate the main MW categories.

Findings

The analysis indicates that the implementation of the COBIT framework, or more generally the adoption of effective IT controls, provides important benefits to the entire company or organization. IT control objectives have a direct impact on the IT control weaknesses and indirectly on the other categories of material weaknesses.

Practical implications

The adoption of the framework allows managers to implement effective ICFR. In particular, the COBIT approach provides managers with a more evolved tool in terms of compliance with the Sarbanes–Oxley Act requirements. This framework also improves the reliability of financial reporting in relation to the requirements of Public Company Accounting Oversight Board’s Auditing Standards No. 2 and 5.

Originality/value

The analysis provides an interdisciplinary approach, connecting accounting and information systems themes, and suggests solutions and tools that can help managers to address the internal control weaknesses. This paper addresses an area of relevance to both practitioners and academics and expands existing accounting literature.

Details

Managerial Auditing Journal, vol. 29 no. 8
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 27 May 2014

Michele Rubino and Filippo Vitolla

Abstract

Purpose

The purpose of this paper is to illustrate how information technology (IT) governance supports the process of enterprise risk management (ERM). In particular, the paper illustrates how the Control Objectives for Information and related Technology (COBIT) framework helps a company reach its objectives by integrating and supporting the Enterprise Risk Management by the Committee of Sponsoring Organizations (COSO ERM) framework.

Design/methodology/approach

This paper explains how the integration between the two frameworks (COSO ERM and COBIT 5) can represent, for any organization, a good way to achieve the objectives of internal control and risk management and, more generally, corporate governance.

Findings

The paper identifies some gaps in the COSO ERM and illustrates how the COBIT framework facilitates the implementation of an adequate system of internal control.

Originality/value

The originality of the work presented here is in analyzing COBIT 5 together with the COSO ERM framework. This paper highlights that it is not enough to apply only an internal control framework for achieving the risk management and internal control system objectives. An IT governance framework, such as COBIT 5, is proposed as a tool that supports risk management in order to develop an adequate system of internal control.

Details

Corporate Governance, vol. 14 no. 3
Type: Research Article
ISSN: 1472-0701

Article
Publication date: 18 September 2019

Jana van Wyk and Riaan Rudman

Abstract

Purpose

The purpose of this paper was to develop a comprehensive best practices checklist that can be used by governing bodies to identify and evaluate an enterprise’s risk exposure around cognitive systems (CSs) and formulate mitigating internal controls that can address these risks.

Design/methodology/approach

COBIT 5 was scrutinised to identify the processes which are necessary for the effective governance of CSs. The applicable processes were used to identify significant risks relating to cognitive computing (CC), as well as to develop a best practices control checklist.

Findings

The research output developed was a best practices checklist and executive summary that would assist enterprises in evaluating their CC risk exposure and assessing the adequacy of existing controls. The first checklist highlights the incremental risk exposure which needs to be addressed. To evaluate the effectiveness of the cognitive computing control structure, a best practices checklist was developed that can be used by internal auditors and risk and audit committees. An executive summary was developed to highlight the key focus areas that governing bodies need to consider.

Practical implications

The checklist provides a tool to assess the enterprise’s risk exposure, evaluate the existing CC control mechanisms and identify areas that require management attention.

Originality/value

The checklists and executive summary developed provide enterprises with a comprehensive checklist that can be used, while at the same time allowing them to discharge their responsibility in terms of King IV.

Details

Meditari Accountancy Research, vol. 27 no. 5
Type: Research Article
ISSN: 2049-372X

Article
Publication date: 12 February 2021

Munir de Sá Mussa, Renata Gomes Cordeiro and Henrique Da Hora

Abstract

Purpose

An area of information technology (IT) in organizations is required to manage resources efficiently. For this, IT certifications are adopted by companies and sought by professionals. However, these have many requirements, and identifying which are paramount to the performance of their activities and/or are much more important to IT managers is not a trivial task. The purpose of this study is to identify how the processes of the Information Technology Infrastructure Library (ITIL) v3 and Control Objectives for Information and Related Technology (CobiT) 5 certifications are analyzed by IT managers, with regard to the knowledge of professionals about the processes: which are more important, less important or indifferent in the manager’s view.

Design/methodology/approach

A survey is carried out with IT managers using questions elaborated according to the Kano model, in which the processes of the analyzed certifications are related and classified according to the proposed model.

Findings

Of the 64 analyzed processes, 20 CobiT processes and 13 ITIL processes were classified as must-be requirements. Another 17 CobiT processes and 9 ITIL processes were classified as one-dimensional and 5 ITIL processes are present in more than one relationship with CobiT processes and, depending on the relationship, they were classified as must-be or one-dimensional requirements.

Originality/value

It is concluded that this study contributes to the discussion of the importance of the ITIL and CobiT implementations and analyzes the relevance of ITIL and CobiT certification processes in the view of IT managers, providing useful information for professionals in terms of prioritization of the processes expected by the managers.

Details

Journal of Modelling in Management, vol. 16 no. 2
Type: Research Article
ISSN: 1746-5664

Article
Publication date: 16 March 2020

Nishani Edirisinghe Vincent and Robert Pinsker

Abstract

Purpose

Risk management is an under-explored topic in information systems (IS) research that involves complex and interrelated activities. Consequently, the authors explore the importance of interrelated activities by examining how the maturity of one type of information technology risk management (ITRM) practice is influenced by the maturity of other types of ITRM practices. To explore these relationships, the authors develop a model based on organizational strategy implementation theory and the COBIT framework. The model identifies four types of ITRM practices, namely, IT governance (ITG); communications; operations; and monitoring.

Design/methodology/approach

The authors use a survey methodology to collect data on senior information technology (IT) executives' perceptions on ITRM practices. The authors use an exploratory factor analysis (EFA) to identify four dimensions of ITRM practices and conduct a structural equation model to observe the associations.

Findings

The survey of senior IT executives' perceptions suggests that the maturity of ITRM practices related to ITG, communications and monitoring positively influence the maturity of operations-related ITRM practices. Further, the maturity of communications-related ITRM practices mediates the relationship between ITG and operations-related ITRM practices. The aggregate results demonstrate the inter-relatedness of ITRM practices and highlight the importance of taking a holistic view of ITRM.

Research limitations/implications

Given the content and complexity of the study, it is difficult to obtain senior executives’ responses in large firms. Therefore, this study did not use a separate sample to conduct the EFA to obtain the underlying four constructs. Also, the ITRM practices identified are perceptions. Even though the authors consider this to be a limitation, it also communicates the pressing areas that senior IT professionals are expected to focus on, given various external and internal pressures. This study focuses on large firms; hence, small to midsize firms are not well represented.

Practical implications

Given the demanding regulatory and financial reporting requirements and the complexity of IT, there is an increasing possibility that the accounting profession will require IT professionals to focus on operations-related ITRM practices, such as security, availability and confidentiality of data and IS, which are closely related to internal controls. However, as this study demonstrates, the maturity of operations-related ITRM practices cannot be achieved by focusing solely on operations-related IT risks. Therefore, IT practitioners can use this study to raise awareness among managers of the complex interrelationships among ITRM practices, in order to improve the overall ITRM practices in a firm.

Social implications

The study also shows the importance of establishing proper communication channels among various business functions with regard to ITRM. Extant IT research identifies the importance of the firm’s communication structure on various firm performance measures. For example, Krotov (2015) mentions the importance of communication in improving trust between the Chief Executive Officer and Chief Financial Officer. Firms with established communication channels have the necessary medium to educate and involve other departments with regard to the security of data. Thus, such firms are more likely to have mature risk management practices because of increased awareness of risks and preventive techniques.

Originality/value

The study contributes to ITG and risk management literature by identifying the role of monitoring-related ITRM practices on improving other areas of risk management. The study also extends the existing ITRM literature by providing an organizational strategy perspective to ITRM practices and showing how ITRM practices follow organizational strategy implementation. Further, the authors identify four underlying ITRM categories. Consequently, researchers could choose between two factors (Vincent et al., 2017) or four factors based on the level of detail required for the particular study.

Details

International Journal of Accounting & Information Management, vol. 28 no. 3
Type: Research Article
ISSN: 1834-7649

Article
Publication date: 8 June 2015

Sushma Mishra

Abstract

Purpose

The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing OSG objectives poses significant challenges for organizations, considering the ever-increasing vulnerability from lack of or misuse of appropriate controls. In recent years, there have been several cases of colossal losses to businesses due to inadequate security governance measures. In many cases, organizations do not even know what their ISG objectives might be. Following an extensive empirical study, this paper proposes 6 fundamental and 17 means objectives for designing security governance. The objectives were developed from individual values of information technology and security executives across a wide range of firms. The study comprised 52 interview respondents across 9 firms, which resulted in 23 OSG objectives. Theoretically, the study was grounded in Catton’s (1959) value theory and Keeney’s (1992) value-focused thinking. The objectives provide a useful basis for strategic planning for information security governance.

Design/methodology/approach

This research is grounded in value-focused thinking methodology. Step 1: develop a comprehensive list of personal values underlying the problem being explored. The researcher undertakes extensive interviews, using relevant probes, to elicit underlying values of respondents. Step 2: change the values enlisted to a common form and convert them into objectives. The data collected in Step 1 is collated and presented in a common form, which enables cross-comparison and easy interpretation. Step 3: classify the objectives as means and fundamental for the decision context. Objectives are clustered into groups and then classified into fundamental and means.

Findings

This study uses a value-focused approach to develop OSG objectives. Incorporating individual values in developing governance objectives would facilitate alignment of individual and organizational values about OSG. This study proposes 6 fundamental and 17 means objectives for OSG. The study provides a comprehensive list of OSG objectives that is rooted in the values of stakeholders in an organization.

Originality/value

The main contributions of this study can be classified in two categories. First, it represents a collective set of OSG objectives which touch upon technical, formal, informal, moral and ethical dimensions of governance. This is a unique, synthesized and cohesive framework for OSG, which incorporates several aspects of OSG into one platform, thus allowing the development of a comprehensive security management program. Second, some of the objectives developed in this research (“establish corporate control strategy”, “establish punitive structure”, “establish clear control development process”, “ensure formal control assessment functionality” and “maximize group cohesiveness”) have not been emphasized enough in the security governance literature.

Details

Information & Computer Security, vol. 23 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 1 March 2024

Joshua Nterful, Ibrahim Osman Adam, Muftawu Dzang Alhassan, Abdallah Abdul-Salam and Abubakar Gbambegu Umar

Abstract

Purpose

This paper aims to identify the critical success factors in improving information security in Ghanaian firms.

Design/methodology/approach

This exploratory study of both public and private Ghanaian organizations relied on a research model based on the technology–organization–environment (TOE) framework and a survey instrument to collect data from 525 employees. The data was analyzed using partial least squares-structural equation modeling (PLS-SEM).

Findings

The findings confirm the role of the technological, organizational and environmental contexts as significant determinants in the implementation of information security in Ghanaian organizations. Results from PLS-SEM analysis demonstrated a positive correlation between the technology component of information security initiative, organization’s internal efforts toward its acceptance and a successful implementation of information security in Ghanaian firms. Top management support and fund allocation among others will result in positive information security initiatives and positive attitudes toward securing the organization’s information assets.

Research limitations/implications

The authors discussed the implications of the authors’ findings for research, practice and policy.

Social implications

The results of this study will be useful for both governmental and non-governmental organizations in terms of best practices for increasing information security. Results from this study will aid organizations in developing countries to better understand their information security needs and identify the necessary procedures to address them.

Originality/value

This study contributes to filling the knowledge gap in organizational information security research and the TOE framework. Despite the TOE framework being one of the most influential theories in contemporary research of information system domains in an organizational context, there is not enough research linking the domains of information security and the TOE model.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 26 May 2022

Rasha Kassem

Abstract

Purpose

This paper aims to highlight the role and impact of corporate governance in combating fraud by drawing on insights from the literature, identify gaps in the literature and suggest new directions for future research.

Design/methodology/approach

The paper is based on a comprehensive general literature review using multiple search engines and databases.

Findings

This paper finds that effective corporate governance can help reduce fraud risk, prevent fraud and detect fraud, particularly corporate fraud, insider fraud and asset diversion. Some companies use corporate governance mechanisms to bolster their reputation following fraud detection. Ineffective corporate governance increases fraud risk, provides the opportunity for perpetrating fraud and reduces the likelihood of fraud detection. The paper sheds light on several governance mechanisms that could help in mitigating fraud risk, as reported in the literature. The paper categorises these governance mechanisms into four broad governance aspects: (a) board leadership and the role of ethics; (b) board characteristics, composition and structure; (c) ownership structure; and (d) accountability. The paper proposes a guide summarising these broad fundamental governance aspects, including specific anti-fraud controls and examples of how organisations could enhance ethical cultures and the tone at the top.

Originality/value

To the best of the author’s knowledge, this is the first paper to elucidate the role of corporate governance in countering fraud and develop guidance in this area. The proposed guidance could be helpful to business leaders, policymakers, researchers and academics alike.

Details

Corporate Governance: The International Journal of Business in Society, vol. 22 no. 7
Type: Research Article
ISSN: 1472-0701

Book part
Publication date: 4 May 2021

Paola Radaelli

Abstract

Risks are an integral part of business, and enterprise risk management (ERM) is making its way towards effectively leading enterprises in addressing these risks. This chapter seeks to describe how European ERM practitioners minimize the risks they face by taking into consideration insights from the sector's best practices reflected in the ISO 31000 Risk Management Guidelines, COSO's ERM framework, contributions from university researchers, from the national risk management associations and the Federation of European Risk Management Associations (FERMA). This chapter will underscore the need for total alignment of practices and make a case for the need to align between ERM, governance, accounting and disclosure systems. In addition, there is no doubt that ERM – when incorporated in operations through appropriate governance mechanisms and accounting practices – could help firms respond to real-time volatilities more effectively. However, ERM practitioners' perspectives differ slightly from those of accountants in that no extensive legally binding rules are required in risk management, and a different scope of work is pursued.

Details

Enterprise Risk Management in Europe
Type: Book
ISBN: 978-1-83867-245-4

Article
Publication date: 6 May 2014

Amr Kotb, Alan Sangster and David Henderson

Abstract

Purpose

The purpose of this paper is to explore the impact of technological change on the internal audit practices and skills requirements for internal auditors in an e-business environment.

Design/methodology/approach

Generalist internal auditors and specialist information technology (IT) internal auditors were surveyed online in ten countries, including the USA and the UK which, together, provided the majority of responses.

Findings

The results suggest a need for advanced IT-audit techniques in conducting the internal audit function, thereby increasing IT audit skill demands on generalist internal auditors. However, the results show a low confidence among internal auditors about their IT training and a continuing reliance upon IT audit specialists, rather than their own training/retraining.

Research limitations/implications

The responses obtained in this study provide insight into both the status quo of the internal audit function, and to the changes that are needed to prepare generalist internal auditors for work in an e-business environment and, while the scale of the study limits the extent to which the findings may be generalized, they are consistent with the literature concerning the changing business environment and with the literature on resistance to change, suggesting that the issues revealed should be of concern.

Practical implications

The results reported in this paper are useful to internal auditing educators and regulators in their consideration of the skills needed by generalist internal auditors in an e-business environment.

Originality/value

This study sheds light on a significantly growing area which remains relatively unexplored in the auditing-related literature: e-business audit. The study provides empirical evidence on the challenges facing internal auditors in an e-business environment, thereby serving as a wake-up call, to both internal auditors and the professional bodies representing them, to defend their jurisdictional space against rival professional groups.

Details

Journal of Applied Accounting Research, vol. 15 no. 1
Type: Research Article
ISSN: 0967-5426
