Abstract

Inadequate information technology (IT) management can lead to system ineffectiveness and operational stagnation within enterprises. While the application of IT governance provides a means for companies to validate IT functionality, oversee IT operations, and mitigate IT-associated risks, there is a paucity of research examining its implications of IT governance on IT controls, particularly within the context of a firm’s Internal Audit Function (IAF). Addressing this gap in the literature, this research delves into the relationship between the characteristics of the IAF and IT governance within the IAF. It further probes the linkage between IT governance associated with the IAF and IT control activities. We analyze survey data from 414 internal auditors across various Taiwanese companies using partial least squares regression. The findings suggest that IT knowledge and internal auditing roles have a significantly positive relationship with the quality of the IAF-IT relationship and IT governance processes. Similarly, IT audit competencies exhibit a significantly positive relationship with IT governance processes. Furthermore, properly structured IT governance processes and a high-quality IAF-IT relationship demonstrate a positive association with the effectiveness of general controls. This research amalgamates and extends prior investigations into IT governance and internal auditing, underlining their critical role in successfully implementing superior IT controls.

Introduction

Post the Enron scandal in 2000, the enactment of the Sarbanes-Oxley Act in the U.S. necessitated companies to take measures that ensure the efficacy of their internal controls over financial reporting (section 404). As information technology (IT) plays a pivotal role in ensuring the precision of a company’s financial reports, IT controls have thus become an integral component of Sarbanes-Oxley compliance initiatives. To facilitate IT governance, which pertains to formalizing strategic IT decisions and essential IT oversight processes, the Information Systems Audit and Control Association (ISACA) introduced the Control Objectives for Information and Related Technology (COBIT) in 2019. However, despite these measures, public companies still report material weaknesses in IT controls. A 2021 analysis of business processes and material weaknesses among public companies registered with the U.S. Securities and Exchange Commission by the accounting firm KPMG found that IT control material weaknesses accounted for 35 % of all material weaknesses in 2020 (KPMG, 2021a).

Given their critical role in corporate and financial security, material weaknesses in IT controls pose a significant threat to the legitimacy of companies (Haislip et al., 2016). Furthermore, such weaknesses can negatively impact the quality of the information in systems, potentially misleading management and resulting in improper decisions (Li et al., 2012). Stoel and Muhanna (2011) observe that companies with material weaknesses in IT internal controls underperformed those without such issues. In an era characterized by big data and sophisticated digital technologies, material weaknesses in IT internal controls can lead to substantial losses, thus emphasizing the need for effective IT controls.

Conclusion and suggestions

۵٫۱٫ Analyses and discussion
The potential for significant financial losses due to inadequate IT controls necessitates substantial attention to IT controls by businesses (Association of Certified Fraud Examiners, 2016; Stoel & Muhanna, 2011). The findings of this research illustrate a positive correlation between the involvement of Internal Audit Functions (IAFs) in IT governance and improvements in IT controls, thus offering contributions to scholarly discourse on IT governance. Our study broadens the conversation regarding the relationships among IAF quality, information security, and information security controls by integrating the dimension of IAF-IT relationship quality (Steinbart et al., 2013, 2018). Additionally, the results augment the research landscape on the interplay between IAF characteristics, their involvement in IT governance, and IT controls (Merhout and Havelka, 2008).

The IAF-IT relationship quality is significantly influenced by IT knowledge and internal audit roles. This aligns with the findings of Steinbart et al. (2013), who assert that a comprehensive understanding of information security can bolster the relationship quality between IAFs and information security. However, Steinbart et al. (2013) find no significant impact of the internal audit role on the relationship quality between IAFs and information security, which is a discrepancy with our findings. Our study further illustrates that IT knowledge, internal audit roles, and IT audit competencies significantly affect the IAF-IT governance process. This finding is in accordance with Merhout and Havelka (2008), who establish that the involvement of IAFs in IT governance is significantly associated with IT personnel and IT training or certification.