Critical Research Analysis On The Effectiveness Of IT Auditing For Corporate Governance
Chapter 1: Introduction
Auditing is one of the essential elements for the successful functioning of the business and helps an organization to face the external world with precise information on its business and issues related to accountability. Also, it is universally accepted that any business organization irrespective of its nature of business must provide relevant documentation to the government and other legal authorities with respect to their income and expenditure in order to meet the rules and regulations on tax. In the initial years of its introduction, auditing was primarily concerned with only the finance and finance related activities within the business that is accounted for in the business. Apparently, the revenue generated by the company and the costs associated are the major contributing factors for decision making on the tax and shareholder benefits. Alongside, the growth of information technology and the increase in the public awareness has further intensified the need for conducting an efficient auditing process to provide accountability for their business activities.
It is intriguing to note that information technology has become an integral part of every business organization, making information a critical element for the effective operation of the business itself. Thus the need for auditing the information and IT based activities that account for the finance for the organization, both revenue and expenses, is imperative. This report is focused on the effective role of information technology audit in the corporate governance in the UK business organizations. The fact that the corporate governance is the portrait of a company to the external world both in terms of performance as well as financial information makes it a critical element for the success of an organization.
It is also imperative that the corporate governance of an organization is essential not only for the benefit of the stakeholders but also for the economic stability in the business market as well as the entire nation. This report is aimed to present a critical research analysis on the effectiveness of IT auditing for corporate governance in UK. The report will throw light on the various aspects related to achieving effectiveness through IT audit as part of corporate governance and critically analyse the Sarbanes Oxley Act on IT audit and information transparency.
1.2: Aim and Objectives
The aim of this dissertation is to critically analyse the efficiency of IT audit in the corporate governance among the UK business organizations. This is achieved by embracing the research upon the following objectives.
- To critically analyse the concept of corporate governance and its importance for an organization both internal and external to the business.
- To analyse the critical nature of information in business and the growth of information systems in corporate governance.
- To analyse the corporate financial reporting frauds and the role of information technology in such cases through critically analysing examples from various industries.
- To critically analyse Section 404 of the Sarbanes Oxley Act which is the final rule of the act to be implemented by corporate organizations in the UK.
- To provide case study analysis with examples from banking sector and Energy sector in the UK on the application of the Sarbanes Oxley Act-section 404.
1.3: Research Definition
The research in this report is accomplished using secondary information resources only. This is mainly because of the fact that a public opinion on the IT auditing is totally irrelevant and the business organizations will not reveal their corporate information other than that which is published in the annual reports due to data protection and privacy issues. Hence the research analysis in the case study is entirely qualitative in nature, i.e. the research is based upon the journals and white papers published rather than using first-hand data for quantifying the analysis.
The case study analysis is conducted upon the energy and banking sector of the UK. Whilst a critical analysis on HSBC bank Plc is presented under the banking sector, National Grid Transco, Plc is the company of interest in the Energy sector of the UK. The case study analysis on these organizations will provide critical information on the use of section 404 of Sarbanes Oxley Act and the company's striving to accomplish IT audit that supports financial results for corporate governance. The research analyses only those areas of information systems that directly contribute to the financial results of a company rather than the entire information technology infrastructure of the company.
1.4: Justification for the research
The fact that information plays a critical role in every sphere of a business in the twenty-first century as argued by Efraim Turban et al (2004) has apparently increased the role of IT from just an operational support element to a strategic element of the entire business itself. Furthermore, the frauds detected in the Enron and WorldCom cases (discussed in later chapters) were predominantly because of the frauds in information that attributes to the financial performance of the company. Hence, this research is conducted in order to throw light on the critical nature of information in the auditing process. The fact that energy (electricity and gas) and banking sectors are major business sectors that directly deal with the general public on a day-to-day basis apart from the increased interests of the stakeholders is the major reason for embracing the research on these two sectors of business in the UK.
1.5: Chapter overview
Chapter 1: Introduction
This is the current chapter, which introduces the reader to the aim and objectives of the research and the research definition.
Chapter 2: Literature Review - Corporate Governance
In this chapter a critical overview of corporate governance and the need for auditing and financial performance is discussed in the light of business environments in the UK. The discussion throws light on the need for achieving corporate governance, and the essential elements of the business that contribute to the corporate governance of a company are discussed with a focus upon the entire business.
Chapter 3: Information systems and corporate governance
This chapter critically analyses the role of information technology in business organizations and the critical nature of information in supporting corporate governance. This is followed by the critical analysis of the corporate financial frauds by providing false information with examples from Enron and WorldCom cases.
Chapter 4: Sarbanes Oxley Act
This chapter begins with an overview of the Sarbanes Oxley Act. This is followed by the critical analysis of the section 404 of the Sarbanes Oxley Act, which was published by Securities and Exchange Commission to be followed in the UK since June 2003.
Chapter 5: Case Study 1: Banking Sector
This chapter initially analyses the banking sector as a whole and establishes the critical nature of information in the corporate governance of the competing organizations. This is then followed by the analysis of HSBC Bank Plc, one of the potential competitors in the banking sector both within the UK and across the globe. The analysis throws light on the adherence to the Sarbanes Oxley Act section 404 by the company and the policies followed by the company to accomplish information transparency and consistency.
Chapter 6: Case Study 2: Energy Business
This chapter presents a critical analysis of the energy sector in the UK. This overview is followed by the critical analysis of the Energy transmission and Distribution conglomerate National Grid Transco Plc. The analysis throws light on the company's strategies and policies to achieve information transparency and reliability in the business. The research also establishes the critical nature of information in the business of the company.
Chapter 7: Discussion and Conclusion
The research conducted in the above two case studies is discussed in the light of corporate governance and the Sarbanes Oxley Act section 404. The analysis will provide a comprehensive review of the research conducted so far and establish the coherence between the academic theories and the real-world scenarios. This is followed by the critical analysis of the objectives of the research followed by conclusion for the dissertation.
Chapter 2: Literature Review - Corporate Governance
2.1: Background Information
Gerry Johnson and Kevan Scholes (2001) say that corporate governance is an essential element for any business organization mainly because of the fact that the corporate governance is the message conveyed by the company to the external world including the general public and stakeholders. Alongside, it is also interesting to note that the corporate governance of an organization not only communicates to the external world but mainly provides a one-stop information resource to anyone who is interested in the organization. The corporate governance of the company is essential for not only effectively communicating to the external world but mainly to attract potential customers in the general public both for the business as well as identify potential investors to the company. Furthermore, the fact that corporate governance is also the comprehensive analysis of the entire organization performance by taking the first chapter of every company's annual report makes it critical for an organization to effectively maintain and achieve a high level of corporate governance as argued by Gerry Johnson and Kevan Scholes (2002).
Denzil Watson and Tony Head (1998) further argue that the corporate governance of a company is not only a one page message conveyed by the chairman of the organization but is also concerned with the relationship between the company management and its owners in the entire structure of the organization. Apart from the relationship with the owners and stakeholders, the corporate governance is also an essential element for the effective management of the human resource of the company itself mainly because of the fact that not only the interests of the existing workforce should be nurtured but the company should also maintain a positive corporate governance to attract new employees to the organization in order to achieve long-term organic growth as argued by Denzil Watson and Tony Head (1998).
Another interesting fact identified by Denzil Watson and Tony Head (1998) is that the corporate governance is a critical element in determining the remuneration for the senior executives in many organizations within the UK, which apparently means that the corporate governance is the mechanism that is used by the owners to govern the management of the company. Also, it is interesting to note that the corporate governance in the UK companies has traditionally stressed the importance of internal control and importance of the role of financial reporting and accountability in the organization to its stakeholders and general public.
2.2: Need for corporate governance
Corporate governance of an organization is not only a message that is being conveyed to the stakeholders or the method of managing the management by the owners of the company but essentially the way of monitoring the company's growth and its position in the entire business market in which it is operating. The corporate governance is also important for achieving competitive advantage in the target market because of the fact that the customers in the target market are keen on identifying the attributes of the organization that sells the products to them. This includes every form of business including consumer industry, retail sector and even power and energy management sector as identified by Sebastian Nokes (2001). Furthermore, the corporate governance in an organization is also essential for efficiently monitoring and deploying the infrastructure of the company itself.
Chris Brown (2005) argues that the corporate governance of an organization is essential for not only increasing the productivity of the organization but also to become an inspiring element for the employees in the organization to achieve higher level of performance within the organization. Furthermore, it is also interesting to note that the corporate governance of a company is essential to manage the senior management of the organization for not only monitoring the productivity but also for deploying the revenue for further business development. It is imperative that finance is the heart of the entire corporate governance mainly because of the fact that a company's performance is determined based upon its financial performance both by the stakeholders as well as the general public.
T.C. Melewar (2003) further argues that the corporate governance of the organization is essential for not only the efficient management of the organization but also for identifying any potential issues that should be verified in order to achieve coherent results during the process of auditing in the company.
Following the fall of the Enron and WorldCom which was mainly because of the failure of the management of the company to provide coherent information for audit process and fraud activities in the financial information, the Securities and Exchange Commission of United States of America has made it a rule that the corporate governance of a company must also include non-executive directors who are responsible stakeholders and people of social respect who would validate the activities of the company itself. Furthermore, the Securities and Exchange Commission has also made it mandatory that the auditing committee of the company must contain at least three non-executive directors mainly to facilitate the validation and approval of the results from the audit committee.
The Legal and Regulatory exchange of the UK (2002) has also justified that even though the non-executive directors cannot fulfil all the expectations, they can help the company to perform effectively in the business through continuously monitoring the activities of the entire organization and providing valuable guidance to the board of executive directors in the form of suggestions. Alongside, the Department of Trade and Industry has also justified the fact that even though the non-executive directors in the company do not involve themselves in the day-to-day business of the organization, they are responsible for the efficiency and overall effectiveness of the organization with respect to the organization's performance and reliability of the results.
Furthermore, the corporate governance in an organization also contributes to the economic stability of the entire business market itself, since the revenue generated from a business sector in a nation is obviously the summation of the revenue generated by the individual organization competing in the business, and fraud in the corporate governance will eventually affect the economic stability of the business sector itself as argued by Malcolm McDonald (1996).
2.3: Essential elements of corporate governance
Even though it is clear that the financial performance and the financial statements are critical to the corporate governance itself, Denzil Watson and Tony Head (1998) have identified the following elements as the major contributing elements to achieve efficient corporate governance in any business organization.
2.3.1: Human Resource
Michael Armstrong (2003) argues that human resource is the most indispensable resource for any organization. Apparently this is because of the fact that the costs associated with the recruitment and training of new staff in an organization are very high when compared to retaining the existing workforce and effectively nurturing their performance to increase productivity as well as stabilize the costs as identified by Denzil Watson and Tony Head (1998). Furthermore it is imperative that only the effective performance of the human resource of the organization without encouraging any errors and maintaining the transparency in their work related activities would provide accuracy and consistency in the business activities across the entire organization right from the operational level. It is also clear that even though the corporate governance concept is entirely strategic in nature, the business generates revenue only from the very end of the operational staff and hence the need to achieve accuracy and reliability at operational level is imperative for the efficient corporate governance in an organization.
Derek Torrington and Laura Hall (1995) argue that the human resource of an organization not only contributes to the efficiency or performance of the organization, but also contributes to the overall reliability of the organization which is an essential element to achieve corporate governance in the organization. This is mainly because of the fact that the staff right from the operational level to the top level management must have the commitment in achieving the standards set by the company in performing the business which is essential for the corporate governance itself mainly because of the fact that corporate governance is increasingly being treated as a factor of reliability on the company rather than an information resource to judge the performance of the company. Alongside, Derek Torrington and Laura Hall (1995) further argue that the efficiency of the human resource of an organization is the primary contributing factor for the accuracy and reliability of the company's performance in the external world. This also explains that the human resource of an organization not only contributes to the efficiency and revenue generation of the company but also to the corporate governance of the organization itself.
The above arguments justify that the human resource management and efficiency is essential for corporate governance in any business organization in UK.
As argued before, finance is the backbone for any business since every organization operating in the commercial environment is focused on generating revenue and the increase in competition in the business due to globalisation and innovative business methods has apparently increased the need to focus on generating revenue with minimal costs as argued by Gerry Johnson and Kevan Scholes (2001). The above statement clearly justifies that finance is the critical element for the corporate governance in every business organization. Alongside, it is also essential to mention that the financial results are the end-product that is being analysed by the auditors even though the way in which the revenue is generated and the process of maintaining the cash flow are other critical elements of the business itself.
Denzil Watson and Tony Head (1998) further argue that the corporate governance is predominantly based upon the fundamental issues of resource and finance allocation, which are addressed through the corporate governance only. This further makes it clear that even though accounting is a critical element of the finance, the output of which is actually being audited, the resource allocation and the finance management are the critical ingredients for the corporate governance in the organization which makes finance the backbone of the corporate governance to any business organization. It is further intriguing to note that finance is not just the way of managing the allocation of money and financial resources but essentially the accountability to the allocations is the major factor that is analysed in the corporate governance of any organization apart from the corporate finance itself. Hence, accountability in terms of financial performance and management are the critical factors that contribute to the corporate governance of an organization.
The rule passed by Securities and Exchange Commission of the UK that the financial statements must be disclosed not only in the annual reports but periodically published for public notice in order to enable the investors and stakeholders to critically judge the organization performance has made it clear that corporate governance embraces finance of the organization.
Alongside, it is also clear from the Bank of Credit and Commerce International (BCCI) that the companies must disclose their financial information and also provide accountability for all the revenue generated and costs incurred not only in the annual balance sheet but also in a periodic fashion, which further justifies that the corporate governance is critically dependent on finance.
The infrastructure in this context is not just the furniture and desktop computers that are used to accomplish the day-to-day business process but mainly the infrastructure that handles the finance and finance related information and activities. These include the software and hardware systems that hold the information on the finance and also those infrastructure elements that contribute to the generation of revenue in the first place. Denzil Watson and Tony Head (1998) further argue that the infrastructure in a corporate governance context also includes those that accomplish the effective auditing process and also the infrastructure elements that contain critical information on the finance and billing.
Alongside, the infrastructure not only provides support to the finance and billing in an organization but also mainly contributes to the efficient retrieval and storage of the information (discussed in next chapter) and also supports the financial decision-making in terms of corporate communication and deciding upon the allocation of finance for further development within the organization.
This further justifies the fact that infrastructure in a corporate governance context not only includes the storage and retrieval system (electronic) but also includes those infrastructure elements that actually process the payments made by the customers to the organization and the expenses of the organization in order to run the day-to-day business.
Communication is critical for corporate governance because of the fact that only through the effective communication of the information to the audit committee can the organization gain reliability and provide concrete information in their corporate governance. The fact that the corporate governance is predominantly the managing of the senior management of the organization and is derived from the process of auditing and verifying the activities of the company in every segment of the organization (including Human Resource and Finance) makes the communication a critical element for the smooth operation of the business. Furthermore, the communication also plays the vital role of communicating the information to the external world.
The aforementioned elements of the corporate governance are mainly in line with the day-to-day business process of the company itself. In order to maintain the accuracy of the corporate governance and increase the transparency as well as abide by the regulations of the Securities and Exchange Commission, corporate governance consists of the following committees as identified by The Business Roundtable of UK (2004).
2.3.1: Audit Committee
According to the Securities and Exchange Commission it is mandatory for every publicly owned company to have an audit committee comprised of solely independent directors. This makes it clear that auditing is the heart of corporate governance and the accuracy of the entire business process will be accountable to the audit committee. Furthermore, the audit committee is also responsible for verifying and checking every aspect contributing to the business and the financial performance of the organization hence making it a critical element of the entire corporate governance itself. Alongside, it is also imperative that the independent directors belong to various segments of the business and also that the committee should comprise of non-executive directors for the purpose of accomplishing the consistency in the operation itself.
This further justifies that the audit committee is responsible for justifying the accountability of the organization.
The Securities and Exchange Commission clearly states that the audit committee should comprise of at least three members (directors) who should be independent of the entire organization and should not participate in the management of the business directly or indirectly. These directors are called the non-executive directors as discussed above and they are appointed mainly to provide unbiased assessment on the business operations so as to clearly establish the business process and accountability for corporate governance of the organization.
Denzil Watson and Tony Head (1998) say that even though it is not expected out of an independent director to have comprehensive financial knowledge it is essential for the non-executive directors to possess the fundamental knowledge on finance and its relevance to the business itself. They further argue that the directors in the audit committee should be able to conduct the auditing process with a critical eye to identify any flaws in the business process or the methodology of the organization in order to judge the company's financial performance.
Even though auditing is predominantly related to the finance and revenue of an organization, the other elements like information technology, human resource and infrastructure discussed above are also judged by the audit committee, which is the reason for accommodating the directors in the committee from various fields of specialization in order to provide critical suggestions and provide accurate assessments upon the performance of the organization itself.
In order to accomplish the aforementioned tasks the audit committee comprises of the following:
Risk Profile: The risk profile is maintained to monitor the corporate risks as well as the risks local to the committee itself. The Business Roundtable (2004) argues that the risk management is essential for the committee mainly to identify the risks associated with the business itself in order to efficiently manage the committee itself. The risk in this context is mainly the risk that a committee member provides a biased judgement or an inaccurate judgement due to his consideration, which will eventually affect the entire auditing process itself. This is the main reason for the presence of non-executive directors who are expected to review every decision made by the committee.
Outside Auditors: The outside auditors are employed mainly to accomplish auditing process in an unbiased fashion in specialist areas like information technology etc., where the external auditor employed will be accountable for the auditing of specific segment of the business. The audit committee is responsible for monitoring the efficient performance of the auditors and also managing the overall process of auditing in the organization. The decision of the audit committee is based upon the results produced by the outside auditors with respect to the areas they were employed to audit within the organization and hence the choice of the auditor is decided by the committee itself.
Independent operation: The audit committee operates independent of the entire organization. This is primarily to accomplish unbiased judgement by the committee and also enable the committee to perform effectively without being disturbed by the day-to-day business issues.
2.3.2: Corporate governance Committee
Apart from the process of auditing which is very essential for corporate governance, it is also essential to have a corporate governance committee, which is central to the entire board of the organization. The Securities and Exchange Commission also states that it is mandatory for every publicly owned company to have a corporate governance committee that makes the decision and performs the overall management and accountability of the corporate governance for the organization itself. The corporate governance committee is also called the nominating committee that is responsible for nominating the directors under various committees that support the corporate governance like the audit committee discussed above. Also, the corporate governance committee is responsible for the nomination and management of the directors of the company itself who are accountable to the audit committee during the audit process. Like the audit committee, the corporate governance committee must also comprise of independent directors only. The Securities and Exchange Commission further expects the corporate governance committee to comprise of non-executive directors like the audit committee for the same reason as in the case of the audit committee. The Business Roundtable (2004) further argues that the independent directors in the corporate governance committee reinforce the idea that the governance process of the organization is unbiased and reliable.
Apart from the above functions the corporate governance committee also has the responsibility of safeguarding the independence of the board in order to effectively assess the performance of the company against the set norms and also establish the accountability for the activities of the organization. Another major function of the corporate governance committee is to oversee the corporation and review the organization's process of providing information to the board in order to conduct the auditing process effectively.
2.3.3: Compensation Committee
The compensation committee performs the critical part of monitoring the compensation provided to the board and the senior management of the company. Like the audit committee and the corporate governance committee, the compensation committee should also comprise of independent directors, as it is essential for any publicly owned company as stated by the Securities and Exchange Commission.
The committee not only decides the compensation for the senior management but also decides the allocation of revenue for compensation to the entire company itself that comprises of all the staff members other than the directors and senior management.
The committee also performs the essential action of monitoring the compensation for the senior management based upon the results from the auditing and corporate governance committees.
The committee is expected to work closely with the other two committees for gathering the information to decide upon the compensation for the senior management but the decision of the committee is not influenced by the other committees of corporate governance in a publicly owned organization as stated by The Business Roundtable (2004).
The committee also creates the overall compensation structure for the entire organization and the decision made by the committee is completely independent.
Alongside, the members of the committee should also comprise of non-executive directors like the audit committee and the corporate governance committee. It is also argued by The Business Roundtable (2004) that the compensation committee should understand the incentives structure independent of the industry and also provide a comprehensive compensation structure through efficient allocation of the resources (finance) to various levels of the company right from the senior management up to the operational level.
The above overview clearly explains the critical nature of corporate governance in an organization and its importance for achieving harmonic business operation. The overview on the committees and the various elements of corporate governance have proved that the corporate governance is not merely a tool for assessing the company's performance but essentially to judge the company's activities and establish accountability for the revenue generated and the expenses of the company.
The next chapter provides a critical overview on Information systems and its role in the process of auditing and contribution to corporate governance.
Chapter 3: Information systems and corporate governance
3.1: Background information
Information systems is the term used to identify the comprehensive deployment of information technology and IT related products to accomplish the processing of information and presenting the right information for the decision makers. John Ward and Joe Peppard (2002) argue that the information systems in an organization include not only the technology and technology related products but also those segments of the business that actually process and generate output from the information, like the billing, revenue and purchasing departments of a corporation. Furthermore, they argue that the strategic use of information to facilitate effective decision making by the senior management of the organization apparently increases the need to identify critical information as well as maintain integrity of the information to accomplish accuracy and reliability. Information technology has seen tremendous growth in every sphere of business with the increase in the competition and the innovative methods of business like Customer Relationship Marketing and buyer behaviour modelling.
The use of information by the external entities like the stakeholders, and governing authorities has also increased with the increase in the companies utilizing the information technology to accomplish their business process. It is interesting to note that the information technology in an organization not only provides operational support but also helps accomplish the decision making by the senior management efficiently.
3.2: Role of information technology in business
The increase in globalisation and the presence of foreign players in the business organizations has apparently increased the competition in the UK business markets. The increase in the outsourcing and the need to reduce costs has further increased the need for the organizations to deploy innovative methods to identify areas where they can eliminate costs as well as identify new areas for potential business.
Alongside, the fact that information technology has increased the speed of processing information and reduced the level of errors associated with the business has apparently increased its popularity among the competitors. Efraim Turban et al (2004) further argue that the companies participating in the business process within the UK are increasingly facing competition from electronic commerce issues and the need to increase the revenue is increasing with the increasing costs as well as the continuous competition by reducing the price of products. The above statement may be applicable for organizations dealing with the general public or the consumer industry, but for organizations in the banking sector and the energy transmission sector, where the service is offered to the customers and the pricing is not a critical part, information technology essentially plays the vital role of identifying new customers as well as providing the ability to serve the customers effectively.
3.2.1: Business-to-Business perspective
In a business-to-business perspective, information technology has not only increased the speed of communication but also essentially increased the accuracy of the information being processed between two organizations. Alongside, information technology has also accomplished the ability to conduct video conferencing and other forms of communication eventually reducing the costs for the business and at the same time increasing the productivity of the staff in the company.
Apart from the above-mentioned points, in a business-to-business perspective, the organizations are increasingly leveraging information technology to achieve secure transaction of information critical to the business. The increased use of the Internet by the organizations and the deployment of electronic commerce have further increased the speed with which the decision is being made by the different business organizations involved in a specific deal. The market review on business-to-business marketing in the year 2004 has revealed that the industries are increasingly using information technology to quickly make their decisions in order to meet the competition in the business markets in which they are competing. Furthermore, Isla Gower (2004) argues that in a business-to-business environment the information being transferred is critical and is required to be of high accuracy, mainly because the information so processed contributes directly to the decision making of the involved parties and hence can have a severe impact on the business if inaccurate information is sent to the involved parties.
Alongside, in a business-to-business environment, the information processed is not only strategic in nature but also serves as ingredient for critical analysis and forecasting by the decision makers in order to analyse a given business market and trend of the business in the target market.
The above argument clearly establishes the vital nature of information in a business-to-business perspective. It is clear that the information being processed is not only critical but also essential for maintaining harmonic relationship between the involved organizations.
3.2.2: Business-to-consumer Perspective
Unlike the business-to-business situation discussed above the business-to-consumer case is more critical in nature because of the fact that it not only involves high density of information being processed but also the business faces the customers in the general public. Apparently the public opinion upon the organization will change and can have potential impact on the entire business if the information being processed is not accurate.
Alongside, information technology has not only revolutionised the process of business by accomplishing electronic commerce but also accomplished quick and timely communication to the customers through various forms of electronic communication like e-mails, Internet publications, newsletters etc. The fact that the people in the general public also comprise the stakeholders in the organization has further made it critical to present accurate information to the customers in order to increase their market share and leverage competitive advantage.
Since this report is focused upon the corporate governance where the information is mainly used for the decision making and providing reliable information to the stakeholders a detailed analysis of the advancements in information technology to leverage business development are not discussed.
3.2: Information Technology as part of the business process
Many organizations are increasingly using information technology to increase the speed of their day-to-day business process itself, on top of utilizing information technology to produce effective reports and conduct complex calculations. National Grid Transco, the company under analysis, is one such organization to have deployed information technology on a nationwide basis across its various branches and third parties involved in the business process. The company processes a large amount of information every day as part of the business process, and most of the information is sensitive in nature and could affect the revenue generated by the company itself. With reference to the concept of corporate governance, this information that is being processed must be verified and validated in order to account for the billing and payment from the customers for the company. A detailed analysis is presented in chapter 6 of this report.
Alongside, the banking sector, which is another industry under consideration, is increasingly depending upon information technology not only to attract customers but mainly to conduct its business process effectively and support financial decision making, both at branch level for issues related to money lending and opening new accounts and at corporate level for decision making on investments and business development. Alongside, the leading conglomerates like Barclays and HSBC in the banking sector leverage information technology not only for processing of the information but also for the communication of critical information like foreign exchange rates, share prices, and other critical information which has to be validated before being published for the shareholders to view.
The above two brief examples clearly identify that the information that is being processed by the companies are the main contributing factors for the actual revenue generation in the company itself. National Grid Transco, Plc for example is a company that is completely dealing with energy where revenue is being generated based upon the energy transferred to the customers. In this case an error in the processing of the information related to the energy will directly impact upon the billing, which will eventually hinder the corporate governance of the company itself.
This justifies that the extensive use of information technology in business process has apparently increased the extent to which errors can occur in the business process itself, which will affect the company's corporate governance drastically.
3.3: IT audit in corporate governance
The discussion in the previous section throws light upon the use of information technology as part of the business process by many organizations. Christopher Barnatt (2000) argues that the corporate governance in an organization even though embraces the auditing of the finance and revenue establishing accountability, mainly depends upon the information that is underlying the revenue generated or the cost incurred since the financial quantification by the company is based upon the actual information on their day-to-day business. This further makes it clear that information not only plays a critical role in managing the audit data but also essentially plays a vital role in validating the raw data that is actually used to account for the revenue within the organization.
The above statement clearly explains that information technology is critical for the business process and revenue generation apart from the aspects of customer relationship etc. John Ward (2000) further argues that information technology in a business environment, with reference to corporate governance of the organization, provides the initial input for the actual revenue accountability of the organization. Furthermore, he argues that the possibility of providing false information in order to cover any major issues within the organization will eventually affect the corporate governance of the organization. Alongside, it is clear from the above argument that the technology behind the processing of the information itself needs to be validated in terms of access control and security measures in order to prevent unauthorised access to the information.
Enron, a leading company in the energy sector of the United States of America, actually published false information on the amount of energy generated and transferred to the customers, which eventually presented a high level of financial performance by the company, resulting in investment by many shareholders. This was mainly because the company was entering false information on the input end (i.e.) entering false information on the amount of energy sold, which apparently resulted in the chain of actions resulting in the company's bankruptcy. Isla Gower (2004) further argues that the fall of Enron because of the presentation of false information on the company's business data (i.e.) energy in kilowatt hours proves that the actual information upon the company's business process is the quantifying factor for the company's performance, and that it resulted in economic instability in the energy sector of the United States of America in the year 2001. Furthermore, Enron also failed in accounting for its debts since 1987, and the profit was overstated in the annual reports, which led to a rise in the share prices from mere dollars in the early 1990s to nearly $90 in 2001. The fact that Enron committed financial fraud by hiding the information related to its debts, which would have been identified by the then auditors of the company, Arthur Andersen, was the cause for the company's bankruptcy and financial instability in the United States of America for a brief period in 2001. Since Enron was not actually producing any products and was actually acting as a middleman in the energy business, the fall of Enron, the seventh largest company in the United States of America in 2001, did not gravely affect the country's economy (Joseph Liberman, 2002).
Alongside, it is also essential to mention that the company failed mainly because of its inability to balance the revenue and debts since it made investments without monitoring its debts, which eventually resulted in the company's financial frauds with information.
WorldCom, unlike Enron, was a leading telecommunications company with a range of telecommunications products being produced. It went bankrupt because it misinterpreted the information on expenses as investment, which apparently increased the company's position in the stock market (Mark Tran 2002). Furthermore, the failure of the company to adhere to the accounting standards and strictly separate its expenses from its investment led to the bankruptcy of the company. In this case, as opposed to the case of Enron where the information was falsely entered, the information in the case of WorldCom was actually misinterpreted by the company.
The above examples clearly explain that the auditing of the information technology and the actual input data flow is essential for the successful approval of the information produced in the financial statements. This further justifies the fact that information technology no longer plays an operational role in the business organizations and hence the need to audit information technology products and the process of the IT systems itself is highly essential in order to maintain information consistency so as to achieve effective corporate governance in the organization.
Chapter 4: Sarbanes Oxley Act
This chapter presents an overview of the Sarbanes Oxley Act, which was passed by the government of the United States of America following the corporate financial frauds in recent years at Enron and WorldCom. This is then followed by a critical analysis of section 404 of the Sarbanes Oxley Act, which was published as the final rule by the Securities and Exchange Commission of the United States of America to be followed since June 2003. The analysis of the Sarbanes Oxley Act is presented as a separate chapter mainly because of the need to emphasise the various elements that contribute to the transparency of information in the financial reporting and the need for internal control of the information being processed in order to increase information security as well as consistency of information.
Although there are established compliance rules for financial accounting itself, the Sarbanes Oxley Act is being critically evaluated in this report mainly because of the fact that the research is upon the IT audit for achieving corporate governance which implies that the information consistency and accuracy with respect to the financial reporting is the key issue being addressed by the company.
Even though Sarbanes Oxley Act is an American law passed by the Securities and Exchange Commission of United States of America, the law is also internationally applicable because of the fact that the corporate governance of a publicly quoted company is essential for the stable operation of the economy as well as to nurture the investor confidence which is critical for a free range economy as identified by the Institute of Internal Auditors UK. Furthermore, the fact that many leading companies are quoted in the New York Stock exchange since the globalisation has increased the investment in foreign nations and increased the need for presence in the United States of America has apparently created the need for the companies to comply with the Sarbanes Oxley Act.
4.1: Overview of Sarbanes Oxley Act
The Sarbanes Oxley Act was passed by the US government in order to restore investor confidence in the United States of America as well as to increase the transparency in the business process itself, so as to prevent further financial frauds like those of Enron and WorldCom due to the misinterpretation or providing of false information etc. The Sarbanes Oxley Act comprises eleven sections that present comprehensive information about the compliance for an organization in using the information to accomplish efficient financial reporting within the organization.
The management responsibilities identified by the Sarbanes Oxley Act section 404 which was approved by the Securities and Exchange Commission to be followed by the companies are
- Accept responsibility for internal control over financial reporting
- Evaluate the effectiveness of internal control using suitable criteria
- Support the evaluation with sufficient evidence and documentation
The aforementioned points clearly justify the fact that information is the critical element for the entire process of financial reporting and hence it is essential to control the financial reporting and the information related to financial reporting.
Furthermore, the Sarbanes Oxley Act emphasises the internal control of the information and the finance reporting methods in order to maintain coherence in the information being processed and achieve effective corporate governance for the company.
Alongside, the Sarbanes Oxley Act also protects the interests of the employees and their rights when they are involved in providing vital information on a fraud being continued within the organization against the company. The Sarbanes Oxley Act provides that the employer has to pay a fine of up to $250,000 for terminating the employment of an employee for providing correct information on a fraud within the organization in financial reporting or other areas which would potentially affect the corporate governance of the company, resulting in false reporting.
4.2: Section 404 of Sarbanes Oxley Act
The section 404 of the Sarbanes Oxley Act, which was approved by the Securities and Exchange Commission as a rule to be adhered by the publicly owned organizations, expects the following to be accomplished by all the organizations in their financial reporting and control
- Strict standards for corporate accountability with respect to the established and approved methods of the governing bodies in the respective countries. This apparently means that the organizations in the United States of America, for example, must provide their financial reports in line with the standards laid by the IRS (Inland revenue service) of United States of America whilst the companies in the UK must adhere to the standards laid by the Inland Revenue Service of UK. Section 404 further provides the provision for following a single method of accounting for financial reporting that is internationally accredited in order to meet the requirements of multinational companies.
- Present a written assessment as of the year-end every year. This means that the companies must provide a comprehensive documentation of all the information resources and the processes being followed by the companies in order to accomplish the transparency level within the organization. Also the written assessment in this context is purely internal since a comprehensive documentation of all the process must be prepared and controlled internally in order to enable speedy retrieval as well as quick and accurate processing of the information by the company for financial reporting.
- Written assessment by the external auditor. The written assessment by the external auditor is not only to be accomplished on the traditional accounting and financial reports but right from the first elements that fed information into the system that eventually provides input to the financial report either for income or expense. This is argued by Ian P. Dewing and Peter O. Russell (2004) that even though the internal auditing is necessary to be comprehensive by including every aspect of the information systems that account for the financial reporting, it is more important for an external body to approve the auditing so accomplished mainly because of the fact that the external audit will justify the internal audit which is essential for the completeness of the entire system of the auditing.
- Declaratory statement in the year's annual report and accounts. This is in line with the corporate governance statement released by the company in its annual report. The company should include the details of the internal auditing and the verification from the external auditor upon the completion of the auditing in order to establish the consistency and increase the reliance of the investors upon the corporate organizations. The fall in the stock markets in the United States of America after the fall of Enron and WorldCom apparently led to a situation where the investors were not ready to rely upon any big organizations and hesitated to invest in shares, eventually leading to economic instability in the United States of America. This was the major reason for the government of the United States of America to quickly pass section 404 of the Sarbanes Oxley Act as a rule through the Securities and Exchange Commission in order to increase reliability among investors as well as increase the stock market performance.
4.3: Internal control deficiencies
As discussed before, the Sarbanes Oxley Act section 404 is mainly to accomplish the internal control of the information relating to the financial reporting in order to leverage investor reliability. Any deficiency in the control will obviously lead to a loss of certain material value. This deficiency is classified into three categories, as mentioned in Table 1.
Table 1: Internal Control Deficiencies and their material value as identified by Sarbanes Oxley Act
Type of Internal Control Deficiency
- <0.8% of the profit or around 7 million
- (More than inconsequential): >0.5% and <5% of the profit; Audit Committee of the company
- (To the overall financial statement): >5% profit or around 70 million of the net profit value; Shareholders (i.e.) public
From the above table it is very clear that the Sarbanes Oxley Act is keen on capturing any potential financial losses even in the initial stages through internal control, and the reporting actions stated in Table 1 further justify the importance given to gaining investor reliability.
4.4: External Auditing
As stated before, the Sarbanes Oxley Act has made it mandatory for strict internal controls and auditing of the procedures, which in turn must be audited by an external auditor. The responsibilities of the external auditor so appointed are listed below
- Audits of internal control and financial statements are integrated (i.e.) every potential deficiency and financial loss in the internal control are appropriately mentioned in the financial statements of the company.
- Evaluate the management's assessment process, including the documentation procedure. The section 404 of the Sarbanes Oxley Act which is being established as the rule expects the organisations to maintain all the electronic documentation using a defined naming convention and also establish version control for all the critical documents that serve as the input for various analysis and queries of the company that have potential financial impact. The documentation and version control will not only ease the process of auditing but also mainly increase the accuracy with which the organization manipulates the information. Alongside, the fact that the information related to financial reporting are being communicated between various levels of the organization internally makes it imperative to maintain a single copy of the document or information sent electronically to the personnel involved. This increases the consistency of information being viewed as well as increases the reliability of the information being processed.
- Test both design and operating effectiveness of controls for all relevant assertions related to all significant accounts and disclosures. This mainly evaluates the way in which the information is actually being processed by the company (i.e.) the internal policies, billing methodologies, exceptional circumstances and how they are handled by the company etc. The fact that many publicly owned organizations deal with queries and disputes related to financial reporting, like disputes over the amount billed etc., has made it necessary for the organization to follow a unified code of practice to achieve consistent results every time in handling financial information. Furthermore, the design in this context is predominantly the structured approach to manipulating information in order to gain consistency in the financial reporting, which will eliminate any errors and flaws in the corporate governance of the company.
- Evaluate the results of the testing by the management and others such as the internal audit and consider whether to use the internal audit results for the auditing purposes. From this statement it is clear that it is at the discretion of the auditor to use the results of the internal audit systems of the company. This further emphasises that even though the organization is expected to adopt strict internal control and auditing policies as mentioned before, it is the duty of the external auditor to validate the methods followed by the company and their accuracy prior to using the results from the internal audit for their auditing purpose itself. From this statement, it is clear that the Sarbanes Oxley Act not only aims to achieve investor confidence but mainly to eliminate any flaws leading to potential economic threats to the industry itself.
- Evaluate the severity of all identified internal control deficiencies and consider the evidence from all sources to reach a conclusion. This again explains that the external auditor is accountable for any discrepancy in the information being processed towards financial reporting, since the external auditor is expected to review and verify all internal deficiencies irrespective of their severity and provide their individual conclusion upon the deficiency after analysing the evidence. This makes it clear that the Sarbanes Oxley Act treats the external auditor as the key element in the corporate governance of an organization even though it equally emphasises the internal control and auditing.
- Report on the management's assessment and on the effectiveness of internal control over financial reporting. From this statement it is clear that the external auditor is the person responsible for the overall auditing of the company even though the internal auditing and control are necessary.
4.5: Communication and Reporting
As discussed in the literature review, the corporate governance of an organization embraces effective communication and reporting of the information for auditing. This makes it imperative that the management communicates effectively with the external auditing team as well as maintains effective internal communication between various sections of the management.
The Sarbanes Oxley Act has laid the following norms for communication and reporting
- Communication of all deficiencies: This approach of the Sarbanes Oxley Act was criticised by many critics since the reporting of minor deficiencies was considered unnecessary. The fact that a company can categorise a potential issue as an inconsequential deficiency due to misinterpretation of the information, as in the case of WorldCom where the company categorised all its major expenses as investment, justifies the demand of the Sarbanes Oxley Act to report all the identified internal deficiencies irrespective of their severity within the management or external to the business.
- The significant deficiencies should be identified by the external auditors and then reported to the audit committee in order to derive on a concrete conclusion of whether or not to categorise the deficiency identified as inconsequential or severe. This approach by the Sarbanes Oxley Act to report the identified deficiencies to the audit committee and arrive upon a unified decision apparently makes it clear that the information being deployed by the company in the organization as well as the technology being used should be verified for any potential deficiencies and these deficiencies should be verified and evaluated by the external auditing team. This eventually increases the transparency of the information and the entire business process itself eventually increasing the investor confidence.
- The Sarbanes Oxley Act further allows the company not to disclose any significant deficiencies identified as such in their annual report but provide accountability in their financial statement of the annual report. This statement apparently protects the company's business process itself, since any potential deficiencies disclosed in the published annual report will eventually hinder the company's growth: the deficiency in the business process will discourage the investors from purchasing their shares, eventually reducing the market value of the company itself. Hence, in order to prevent the company from losing its market share through revealing the actual deficiency, the Sarbanes Oxley Act has made it clear that the company must account for every deficiency in their financial report but still need not disclose the actual deficiency identified in the published annual report. Alongside, it is also interesting to note that the communication of the deficiencies to the external auditor and the joint decision of the audit committee and the external auditor will eliminate any errors in justifying a deficiency in the internal control as inconsequential or vice versa.
- Unqualified opinion: The Sarbanes Oxley Act strictly prohibits the unqualified opinions in the corporate governance of the company. It is essential to state that the Sarbanes Oxley Act expects documentary evidence for all the deficiencies as well as the information related to the deficiency that lead to potential impact on the financial report. Since the Sarbanes Oxley Act is primarily concerned with the process of maintaining information integrity and accuracy to achieve investor confidence through eliminating financial reporting frauds, it is essential for the organization to provide evidence for every deficiency identified in order to justify whether it is inconsequential or not. Alongside, the Sarbanes Oxley Act authorises the external auditor to categorise any deficiency without ample supporting documentation as a potential material weakness. Hence it is essential for the companies to adhere to strict procedures for information storage and retrieval as well as maintaining the electronic filing systems itself within the organization.
- Periodic reporting of any material changes to the internal auditing and control methods. The Sarbanes Oxley Act expects the management to report any potential changes made to the internal controls as well as the material changes to the external auditors. This is mainly effective when an organization undergoes any changes with respect to its trivial methods of reporting and processing of information, as well as in cases of any new software or hardware installation. The Sarbanes Oxley Act strictly requires the organization to provide concrete documentary evidence of any changes in the technology being used as well as the changes to the methods of reporting regularly in order to establish consistency in the information being analysed by the audit committee and the senior management. This apparently increases the consistency of information as well as eases the process of auditing itself, since the external auditor can effectively perform the audit process when the management communicates with him effectively.
- Scope limitation and management responsibilities: The Sarbanes Oxley Act authorises the auditor to disqualify any opinion of the management when the communication of the information related to a deficiency is not appropriate and has not met the standards. This statement authorises the external auditor to disqualify a specific internal control method or disapprove the entire internal control method when the deficiency identified is not properly justified with ample documentary evidence. This approach of the Sarbanes Oxley Act towards the information that is contributing to the financial reporting apparently increases the consistency and accuracy with which the information is being processed as well as controlled by the management in order to successfully pass the external auditor's demand.
4.6: Information management and control
As argued before, the Sarbanes Oxley Act was passed by the Securities and Exchange Commission mainly to increase the clarity of the information being processed that contributes to the financial reporting so as to increase the investor confidence. This apparently means that the entire Sarbanes Oxley Act is concerned mainly with the information management, the control on the information and the deficiencies associated with the control of the information and reporting that contributes to the financial reporting. The Sarbanes Oxley Act emphasises the following specific areas with respect to the information systems within an organization in order to increase the transparency as well as reduce deficiency in the control.
- Management and control of the technology: The Sarbanes Oxley Act has made it mandatory for every organization to provide comprehensive and coherent documentation on the technology being deployed by the company in managing its information (i.e.) the technology behind the information system used by the organization. The Sarbanes Oxley Act emphasises that the organization must maintain consistent documentation and reports for the technology and software installed in the company for performing the day-to-day business process that accounts for the financial reporting within the organization. This is mainly because of the arguments in the previous chapters that the software or hardware technology that is behind the information is the primary element that contributes to the manipulation of the data to provide the right information. For example, in an FMCG (Fast Moving Consumer Goods) organization, the company should not only account for the unit sales for every item but also provide information on how the financial value with respect to the units sold is being calculated by the system they deploy in order to verify the consistency of the information. This makes it clear that the Sarbanes Oxley Act emphasises that the technical design of the software system being deployed should be reported and precisely related to the business process of the organization.
- Reporting and communication: Section 404 of the Sarbanes Oxley Act emphasises that companies should report any changes made to the design of the software system (i.e.) changes made to the technical design of the system in order to efficiently control the flow of information within the organization. This is also essential in terms of reporting mainly because the company can provide concrete documentary evidence on consistent use of the information and accuracy only when it can provide an effective report on the technical design of the information system being deployed by the company.
- Access Control and security: One of the key issues faced by the information technology in any organization is to prevent unauthorised access to sensitive information. The fact that many organizations fail the IT audit mainly because of the lack of efficient access control management explains that information security is essential to justify the accuracy and consistency of the information being processed by the company. Section 404 of the Sarbanes Oxley Act has further emphasised that the organizations should adhere to established access control techniques like Role Based Access Control in order to efficiently control the access to information by users without any biased decision. Furthermore, the external auditor is expected to verify the access control methods deployed and identify any deficiency in the technique with respect to the impact on the financial information.
- Reporting of Control flow, information storage and retrieval: Even though access control is one of the critical elements for the Sarbanes Oxley Act compliance, a much more critical issue is mainly to establish the flow of the control between various elements of the information technology being deployed within the organization itself in order to establish the accuracy of information. John Ward and Joe Peppard (2002) argue that information can be justified as accurate and consistent only when the flow of the control (i.e.) the flow of information and their efficient mapping within the system is justified and clearly identified and verified. For example when an organization provides a refund to the customer or provides compensation to one of its staff under exceptional circumstances, this must be quantified and clearly mapped with the actual financial reporting of the organization itself in order to effectively manage the information. Alongside, the storage and retrieval techniques and the flow of control in these cases must also be quantified by the company in order to efficiently justify its information flow and management of the information consistency. The Sarbanes Oxley Act emphasises that the companies should not only report the aforementioned but also mainly provide ample documentary support in order to meet the demands of the external auditor.
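The access control verification described in this list, sketched as an added example that is not part of the original report or of any company's own tooling: it derives each user's effective permissions from a Role Based Access Control model, flags permission combinations that break segregation of duties over financial data, and, following the earlier point that a deficiency without supporting documentation may be categorised as a potential material weakness, classifies each finding by whether evidence exists. All role names, permissions, users and the change reference are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed RBAC model: role -> permissions on financially relevant functions.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice.create", "vendor.read"},
    "ap_approver": {"invoice.approve", "vendor.read"},
    "treasury": {"payment.release"},
    "vendor_admin": {"vendor.create", "vendor.read"},
    "gl_reporter": {"ledger.read", "report.generate"},
}

# Permission pairs that one person should not hold together (assumed policy).
SOD_CONFLICTS = [
    ("invoice.create", "invoice.approve"),
    ("vendor.create", "payment.release"),
    ("invoice.approve", "payment.release"),
]

# Constructed user-to-role assignments as exported from the system under audit.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_approver"],
    "carol": ["vendor_admin", "treasury"],
    "dave": ["gl_reporter", "legacy_superuser"],  # role missing from the model
}

# Documented exceptions: (user, issue) -> evidence reference (constructed).
DOCUMENTED_EXCEPTIONS = {
    ("bob", "invoice.create+invoice.approve"): "CHG-0001",
}


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    evidence: Optional[str]

    @property
    def classification(self) -> str:
        # Mirrors the text: no supporting documentation means the finding
        # may be treated as a potential material weakness.
        if self.evidence:
            return "documented deficiency"
        return "potential material weakness"


def effective_permissions(user):
    """Return (permissions, undefined_roles) for one user."""
    perms, undefined = set(), []
    for role in USER_ROLES.get(user, []):
        if role in ROLE_PERMISSIONS:
            perms |= ROLE_PERMISSIONS[role]
        else:
            # A role the documented model does not describe cannot be verified.
            undefined.append(role)
    return perms, undefined


def review_access():
    """Run the review over every user and return a list of findings."""
    findings = []
    for user in sorted(USER_ROLES):
        perms, undefined = effective_permissions(user)
        for role in undefined:
            findings.append(Finding(user, f"undefined role: {role}", None))
        for first, second in SOD_CONFLICTS:
            if first in perms and second in perms:
                issue = f"{first}+{second}"
                evidence = DOCUMENTED_EXCEPTIONS.get((user, issue))
                findings.append(Finding(user, issue, evidence))
    return findings


if __name__ == "__main__":
    for f in review_access():
        print(f"{f.user:6} {f.issue:40} {f.classification} "
              f"(evidence: {f.evidence or 'none'})")
```
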
From the above arguments, it is clear that the Sarbanes Oxley Act aims to establish information transparency within the organization and thus increase the investor confidence. This is mainly required in order to maintain a free-range economy and nurture the competition in the business market. Alongside, the Sarbanes Oxley Act compliance has become mandatory for foreign organizations and the deadline for achieving this compliance is laid as June 2006 for the UK based public organizations. The above research thus is imperative for any organization that is publicly quoted and aims to gain foreign investment in the form of shares. The case study analysis in chapter 5 and chapter 6 will throw light on the critical nature of information in the business sectors and the need for information technology audit. The analysis of a specific organization in each case study will throw light on the organization's initiative to comply with the Sarbanes Oxley Act and the internal controls established by the organizations.
Chapter 5: Case Study 1: Banking Sector
5.1: Background Information
The banking sector is one of the major business sectors of the UK with big players like HSBC, Barclays, etc. The Keynote Market analysis on the banking sector (2004) has revealed that the banking sector accounts for more than 30% of the entire revenue generated by the UK economy. Furthermore, the banking sector in the UK is increasingly facing competition from the non-financial organizations like the retail sector players (TESCO Plc etc.).
Product: The banking sector includes a wide range of financial services and products including loans, mortgages, and bank accounts for business and personal banking. The products included in the banking sector vary with the needs of the customers in the industry and also depend upon the nature of the business in case of business banking as argued by Denzil Watson and Tony Head (1998).
5.2: Information in the banking sector
Tim McCollum (2004) says that the information technology in the banking sector has become an integral element for the entire business process itself rather than just the use of information technology to perform customer services. The fact that the computerisation and the increased use of banking services over the Internet has revolutionised the use of information technology for business is one side of the coin whilst it is also interesting to note that the banking organizations are using the information technology for decision making as well as business process itself. It is also known that since the customers are utilising the information technology services like electronic banking and electronic services it is essential for the bank to monitor and control the effective flow of information as well as maintain the integrity of the information being processed. This is highly critical as argued by Tim McCollum (2004) who says that information technology has not only reached the core business process but also accounts for the actual existence and validity of the information being processed.
Furthermore, since the banking sector is dealing with finance and money related products as a business itself, the need to effectively distinguish between the revenue and investments is essential to provide consistency in the information being processed by the company. With the increase in acquisitions and mergers by competitors like HSBC, the bank that grew through constant mergers and acquisitions, it is essential for the banking sector organizations to maintain consistency in the information as well as provide concrete evidence on the process of the technology itself.
The banking industry profile (2005) further argues that auditing in a banking sector organization is not only a difficult process but also a sensitive process with respect to both the information being manipulated and the information related to the financial services. The intriguing fact in the banking sector is that the information related to expenses and investment can be easily misinterpreted because in both cases the bank records the information as a debit. It is further interesting to note that the information technology in the banking sector is utilised thoroughly in order to maintain efficient services and access to the accounts by the customers whilst incorporating efficient security and access control techniques.
From the above arguments it is clear that the information technology is not only part of the operational process but mainly forms the backbone for the banking sector organization to establish their financial reporting as well as contribute to the corporate governance of the organization itself. Hence it is essential for performing effective IT audit in the banking sector organization, which is evident from the above arguments. The analysis on HSBC Bank Plc in the next section will throw light upon the various methods utilised by the company to perform effective auditing and maintain information consistency to contribute to the corporate governance of the bank.
5.3: HSBC Case Study
HSBC Bank Plc is the leading organization in the banking sector with global presence across Asia, America, Europe and Africa. A critical analysis of the company by Tim McCollum (2004) in his report on the banking sector and IT Auditing reveals that the company has grown mainly through investing in acquisitions and mergers since the 1990s when it initially entered the UK banking sector by purchasing a percentage of the shares from Midland Bank UK. The company profile also states that the company has not only grown in size but also utilised information technology to deploy its entire business process in order to gain competitive advantage in the business market.
Since the company is also listed in the New York Stock Exchange, it is imperative for the company to adhere to the Sarbanes Oxley Act in order to establish effective corporate governance and gain investor confidence in the business market.
5.4: Critical analysis of the IT Audit procedures in HSBC
The IT audit in the HSBC is a very elaborate and intricate process as mentioned by Tim McCollum (2004) who justified that the company not only has established controls for every element of the business process but also established external auditing for all the controls.
5.4.1: Internal Controls
The internal controls in the HSBC Bank Plc comprise three levels:
- Operational Level internal control: In this level the line managers and the supervisors perform the validating process of the information being processed by the specific branch on a day-to-day basis. This control is mainly to identify any errors in the processing of the business in the first instance itself in order to effectively establish the information accuracy in the business process. Alongside, the operational level control also accounts for the day-to-day credit and debit of the bank including all the elements like the ATM cash machines, cheque withdrawals and other transactions like loans, mortgages, etc. The interesting fact in this level of control is that not only is the information checked for validity; the organization also has a set procedure to escalate any discrepancy and provide paperwork or documentary evidence for any amendments made on a day-to-day basis. This approach to the control in the operational level apparently reduces the error in the information to a large extent even though the limitations like processing times and cheque collection time cannot be accounted for by the bank at operational level.
- Middle management control: This level of control over the auditing and information is established mainly to verify the information and validate the process periodically in order to reduce the amount of information being processed at the corporate level whilst performing the auditing process for the annual report. This level of the control mainly focuses on the integration and control of the operational branches as clusters so that the operational limitations like the time taken for the realisation of funds etc. can be overseen by this level of control. This level of control further monitors the branches and performs any intermediate auditing and verifications of the information being processed in order to maintain information accuracy. Individual accounts are not verified; rather, the information related to the financial transactions made on a given calendar date is checked for validity and verified for accuracy, since this information is the input for the financial reporting for the company at both the periodic and annual levels. The Group Annual Report of the company published in April 2005 reveals that the company is not only involved in the process of IT Auditing but has also mentioned it in the corporate governance report section of the annual report. Furthermore, the middle management control also emphasises the information consistency and addresses any potential issues that are identified in the process of auditing the information that is being processed for the financial reporting itself. The fact that the information that is being processed is again the financial information of customers makes it critical for the bank to efficiently manage and distinguish the information and provide accurate input to financial reporting.
- Senior Management Level control: The HSBC company profile (Data monitor, 2004) has clearly stated that the senior management level of the control performs the process of verifying the information processed by the company and establishes accountability for any discrepancies in the information. Alongside, this level of control also performs the process of identifying the deficiencies in the internal controls and establishes their severity. This further justifies that this level of the internal control is the actual team that faces the external auditor whilst performing the external audit. This clearly justifies that the internal controls in the bank itself are being monitored and accounted for their deficiencies by the Senior Management level of the internal control, who not only verify the information for its accuracy but also account for any deficiency identified in the internal control system itself.
The aforementioned arguments clearly justify that the internal control of the information flow for the financial reporting is highly structured as well as robust in nature. Furthermore, it is also interesting to note that the company has established the internal control in line with the Sarbanes Oxley Act compliance (company Profile, 2004) after the rule of the Securities and Exchange Commission that all the publicly quoted companies in the United States of America follow the Sarbanes Oxley Act section 404 by 2004.
A critical analysis by James Weber and Dana Fortun (2005) of the internal control and IT audit has revealed that the HSBC bank Plc is not only utilizing the internal control for the purpose of verifying and establishing the information accuracy but also for the purpose of establishing a proactive method of verifying the information right from the operational level in order to eliminate the occurrence of deficiency in the material weakness when identified at a later instance. Alongside, the strict methods of maintaining documentary evidence for any amendments in the information and any discrepancy being verified prove that the company is maintaining high levels of information consistency right from the operational level in order to avoid any material weakness in the deficiency in the internal control. Furthermore, the entire company structure of the HSBC bank embraces the auditing personnel at all levels of the management in order to establish the consistency and information accuracy prior to financial reporting in the corporate governance of the annual report.
Internal Control Deficiencies identified in HSBC:
Even though the bank has a robust system for internal control of the information, the following deficiencies were identified by Time Steel (2005):
The bank does not maintain accurate information on the number of customers being answered on a given calendar date and there is no satisfactory paper evidence for the bank to justify a loan lent to a customer or an account opened. Even though the bank holds copies of passports and other personal information of the customers, many international customers who have not lived in the country for long are also successful in securing a loan with minimal information. This risk was identified and categorised as a significant deficiency in the annual audit for the year ending April 2005.
The bank does not hold clear information upon the conversations with a customer even though the information related to rejection or acceptance of a specific application is recorded in the system. Alongside, the fact that the customers can easily change their address for correspondence over the Internet as well as by filling in a form in the branch is also questionable for accuracy and hence this was categorised as a significant deficiency of the system.
5.5: External Auditing
The company's external auditors in the United States of America have verified the aforementioned deficiencies and concluded that the internal control is functioning effectively apart from these deficiencies. Alongside, the external auditors also agreed with the internal control standards and approved the level of accuracy maintained even though in the year ending 2004 the external auditing for the HSBC faced a very hard time because of the irregularity in compliance with the Sarbanes Oxley Act. Alongside, the increase in the control level in the year 2004 as well as the increased level of maintaining documentary evidence are the primary reasons for the successful approval of the internal control by the external auditors in the year ending April 2005.
5.6: Communications and reporting
The communication of the information within the HSBC bank is strictly through the internal e-mails maintained at high levels of security. The information being communicated and reported is all documented and maintained for evidence in order to establish the accuracy and consistency of the information. Alongside, the communication of the deficiencies identified follows a structured pattern as argued by Time Steel (2005). Furthermore, the communications between various levels of the organization as well as the internal control further increase the level of accuracy of the information being processed.
Alongside, the reporting of the information to various levels of the organization follows a structured pattern, and any identified deficiency, as well as any potential information deficiency that might lead to a material weakness, is promptly and periodically communicated to the senior management as well as the corporate directors in order to eliminate any errors and inconsistency in the information that contributes to the financial reporting of the company in the corporate governance. This method of the company to strictly report every discrepancy irrespective of the criticality in the control or the financial impact is in tandem with the reporting and communication expectations of the Sarbanes Oxley Act.
5.7: IT Auditing
The above arguments are predominantly concerned with the quality of the information and its impact on the financial reporting of the company. But it is also mandatory to conduct comprehensive auditing of the technology being deployed and of the control flow that provides the information whose quality is analysed in the internal control. The various methods adopted by HSBC in the light of IT audit are presented here. These are extracted from the company profile published in January 2005.
The HSBC Bank deploys state-of-the-art information technology systems to manage the entire operations of the banking services offered by the company. The company utilises the IBM Mainframe architecture and Tivoli Storage Management for the purpose of maintaining and updating the financial information of the customers as well as updating the transactions that provide information contributing to the financial reporting. Alongside, the company also deploys the IBM Content Manager architecture to analyse and store the information that is being processed by the systems in order to prepare reports and communicate any potential information discrepancy to the users. A detailed analysis of the storage and programming architectures is out of the scope of this report. The IS department of the company maintains detailed technical documentation of every element and module in the entire system used for the business process. The relationships between the class modules and their manipulation methods to calculate the desired output are all documented and verified by the organization. The internal control discussed in the previous section performs the process of monitoring and verifying the consistency and accuracy of the documents against the desired output of the system. The senior management levels of the internal control are responsible for the process of verifying the technical documents and validating their accuracy. They are also accountable for any potential deficiency identified, and the internal control of the bank also provides information on any deficiency identified in order to rectify any errors in the information due to the impact of the technical discrepancy.
Access Control: The access control techniques followed by the HSBC Bank Plc are robust and strong in order to maintain the integrity of the information. The bank has detailed documentation of the methods of access control implementation as well as the ways in which it is being monitored in separate documents. The documents relating to access control actually form part of the technical document but are critically evaluated separately by the internal control team over the technical specifications of the system. The installation of any new access control technique is also documented and verified prior to implementation because any changes introduced into the IT system should be reflected in the documentation and their impact upon the information being used for financial reporting should be verified prior to actually implementing it in the real world scenario. This policy of the HSBC Bank Plc further justifies the company's critical treatment of information technology auditing as part of the entire auditing process.
Change Management: The company profile (2005) clearly states that any changes introduced in the IT system are addressed through an impact analysis process prior to implementing the changes because the information technology, once being used live by the users in the bank as well as the customers, should be amended only after proper approval for system outage and compliance with the agreed time frames and deadlines. This statement clarifies that the company is adhering to approved standards of IT management through the procedural implementation of the changes rather than the sudden implementation without prior notice. Furthermore, the changes so implemented are also reflected in the documentation and the control flow of the entire system in order to maintain coherent information flow between various segments of the business as well as provide accurate information that contributes to financial reporting.
In the next chapter a case study analysis on National Grid Transco Plc is presented to the reader followed by the conclusion in the chapter 7.
Chapter 6: Case Study 2: Energy Business
6.1: Background information
The energy sector of the UK is another lucrative and revenue generating sector in the UK economy. The fact that the Sarbanes Oxley Act came into effect further to the scandals of Enron, which is an energy based company, is the primary reason for the analysis of a similar sector in this report in order to provide a profound insight into the need for information technology audit for corporate governance among UK organizations. The energy business, unlike the banking sector, has a varied range of products right from electricity, gas, oil and other energy resources like wind energy etc. Isla Gower (2004) says that the energy business in the UK has seen tremendous growth in recent years and the results of the Enron case have affected the entire process of auditing and information management within the company itself.
Furthermore, the energy sector in the UK contributes to more than 30% of the annual revenue with competitors competing not only in price and quality but also on the basis of reliability and accuracy.
The business comprises two major segments:
- Generation: This includes the actual production of energy in certain units like Kilo Watt Hours or any other standard unit convention approved by a scientific board like IEEE, System International, or British thermal Units. This value is the actual information that accounts for the revenue generation with respect to the companies that generate energy using conventional or non-conventional methods. Companies like British Gas, EDF, etc. fall under this category of the energy business.
- Transmission: This segment of the industry is the most interesting element as its organizations perform the process of transporting or transmitting the energy from one point to another. These organizations do not generate any form of energy but perform the process of transporting the energy alone. The company under debate, National Grid Transco Plc, is under this category of the energy business similar to Enron in the United States of America during the 1990s. The fact that the company does not have a specific product makes its business critical and revenue generation an intricate issue for the external auditors themselves.
6.2: National Grid Transco Plc case study
National Grid Transco Plc is one of the largest organizations in the UK with investments and assets of more than 200 billion. The company's core business is gas and electricity transmission across the UK and into Europe. The company's investment includes the construction and maintenance of the gas transmission pipes laid underground across the UK as well as transmission of electricity through the National Grid of the company across the UK. The company is also listed on the New York stock exchange and hence it is essential for the company to adhere to the Sarbanes Oxley Act compliance.
6.2.1: The business Process
Unlike the banking counterpart HSBC, National Grid Transco Plc does not have a specific product as established before and hence a critical analysis of the business process is essential to prove its revenue generation itself.
The company transports gas and electricity through its pipes and gridlines (electric) respectively from the production point up to the customer doorstep. The customers include industries as well as power stations and the general public who are registered customers with the parent company producing the electricity or gas. It is also interesting to note that the company charges the customers (producers of gas and electricity) based upon the equivalent energy transported in Kilowatt-hours even though the gas transported is measured in volume whilst the electricity transported is measured in therms by the company. The demand for the gas and electricity varies with the season since the UK weather has a direct impact on the heating systems used in the houses, which eventually increases or reduces the amount of gas or electricity consumed as the case may be.
The company also charges the customers (shippers and producers of energy) for the usage of their transmission system and the amount of gas transported to the destination. The revenue for the company is generated through billing the customers (producers of energy) for the amount of gas or electricity transported in Kilo Watt Hour Units.
The above overview of National Grid Transco Plc proves that the information for the financial reporting by the company comes from the energy being transported and the revenue generated from the transportation charges associated. Hence it is imperative for the organization to maintain accurate information upon the amount of energy transported as well as the time involved for the transportation on a day-to-day basis.
The company also follows a D-1 date convention whereby the company processes the information for the previous day of a given calendar date.
This further increases the need for maintaining the accuracy of the information since the information being processed is actually numbers related to volume and calorific value of the gas and electricity data which are scientific in nature, but it is this information that feeds into the system of the company in order to generate the billing information for every customer in the UK. The customers of National Grid Transco Plc with respect to the financial transactions are those who are producing the energy and the companies that receive the energy transported at the other end who utilise it for commercial purposes. Hence the customers of the organization are other business organizations, apparently creating a business-to-business scenario for the entire business process.
The fact that the process involves third party companies and organizations who are charged for the usage of National Grid Transco Plc's infrastructure further makes accurate information management and maintenance critical in order to provide precise information for billing that contributes to the financial reporting of the entire organization.
The company has two separate operating segments for the business one for gas transmission whilst another branch of the business is dedicated to the electricity transmission in the UK. The internal control is thus established for the two segments of the business separately and then integrated at the senior management level as discussed in section 6.3:
6.3: Internal control
The internal control in National Grid Transco Plc is more complex than that of HSBC Bank, mainly because the company's business involves information that is not directly quantifiable for financial results, even though the revenue is generated on the basis of the information on the energy transported. The internal control structure, as described in the company profile (2005), is set out below:
- Daily Flow control: This section of the company monitors the flow of the gas transported on a day-to-day basis. The information is received from the sites that use the gas as well as from the companies that produce the gas at another, remote location. The measurement of the gas used is transferred from the meters installed by the company at the sites through satellite radio frequency signals that are received by the company's receiver in the control room. This information is verified for consistency using computer software systems developed specifically for the purpose. The Daily Flow control team performs the operational-level monitoring of the gas transported by the company. Any discrepancy is immediately highlighted to the relevant authorities and the relevant documentation is secured by the team.
- Electricity measurement control: This level of control is similar to the Daily Flow control but performs the operational-level information control and monitoring on the electricity side of the business. The measurements in this case are mainly in thermal units, which are quantified as kilowatt-hours of energy transported so as to verify the information for consistency. Any errors or potential deficiencies identified in the information are immediately escalated to the relevant parties, and the information is documented for the purpose of further auditing and verification.
- Unaccounted Gas and Electricity Control: This level of control operates by monitoring the flow of gas and the transmission of electricity against the amount of energy actually used by the sites and the customers. It monitors discrepancies in the information gathered by the two aforementioned levels of control and periodically verifies the consistency of the information. The investigation is conducted on a weekly basis to verify the information being processed against the amount of gas or electricity transported. This is critical for the business because, as stated before, the revenue generated is based upon the amount of energy transported in the form of gas or electricity. The Unaccounted Gas and Electricity Control primarily investigates any potential issues that result in a discrepancy of information and is also responsible for maintaining the documentation for the entire investigation. It also reflects upon the company's consistency in billing and the need to identify the critical areas for improving the performance of the entire organization, as well as providing accurate information for financial reporting, since unaccounted energy is not billed until the customer is identified and the cause is rectified; until then, the company incurs the costs of transporting the energy.
- Audit Control: This level of control mainly monitors the Unaccounted Gas and Electricity Control but also analyses the information from the two operational-level controls to identify any errors in the information that contributes to the billing, which would eventually have an impact upon the financial reporting and corporate governance of the company. This level of control primarily monitors the accuracy of the information and also accounts to the external audit team for the accuracy of the information and for any discrepancy in the documentation of the system.
- Senior Audit Control: This control reports directly to the audit committee of the company and accounts for the entire internal control of the company. The interesting fact is that the Senior Audit Control monitors not only the information contributing to the financial reporting but also the actual input to the financial reporting itself, thus providing comprehensive control over the entire organization's information auditing to maintain the accuracy and consistency of the information.
The internal control described above provides a critical overview of the information auditing carried out in the company to maintain accuracy and information consistency. It is further interesting to note that the internal control in the company not only analyses the information contributing to the financial reporting but also maintains consistency levels on the billing and expenses side of the company's finance department, thus providing complete control over information accuracy. Furthermore, the internal control also maintains documentation of the activities for every calendar date, since the business is operated on a 24x7 basis, with critical elements of the business such as power transmission and gas transmission operating round the clock. Hence it is essential to maintain the documentation on a daily basis.
6.4: External Audit
PricewaterhouseCoopers Plc of the UK carries out the external auditing for the company. It is interesting to note, before continuing with the external audit analysis, that National Grid Transco Plc has been deploying the above-mentioned structure of auditing for more than ten years and that the company has seen tremendous growth in its business as well as in its share price, mainly because of the reliability it has gained among investors and customers.
The external audit by PricewaterhouseCoopers Plc has proved that the company's auditing and internal control do not have any significant deficiencies and that the company is maintaining a high level of information accuracy and information integrity. Furthermore, the PricewaterhouseCoopers Plc audit has also confirmed that the company's management of the information and the level of consistency maintained in the information are accurate enough to meet the standards of the Sarbanes Oxley Act.
6.5: Communications and Reporting
The company adheres to strict reporting and communication policies. The periodic reports generated by the Senior Audit Control level of the internal control contribute to the periodic reports and financial statements published by the company. The audit committee of National Grid Transco Plc has complete control over the internal control and the auditing of the entire company.
Since no significant deficiencies were identified in the external audit, no communications or reports other than the periodic reports were generated.
6.6: IT Auditing
Unlike HSBC Bank Plc, National Grid Transco Plc does not use information technology extensively to perform the business process itself, because the business involves other variables, such as gas and electricity, that contribute to the financial reporting. The company still performs its day-to-day information processing using state-of-the-art systems running Microsoft Windows operating systems and a customised application that integrates the various elements of the business information to generate reports.
6.6.1: Technical Documentation
The company maintains elaborate technical documents for the centralised IT system deployed across its network, as well as for all the local reporting programs and legacy systems, in order to maintain cohesive information and provide transparency in the business process itself. Furthermore, the technical documents prepared are audited for validity by the internal control as well as by the external auditors.
Alongside, the technical documents so developed are also version controlled, and a separate team of professionals works on verifying the consistency of the information and the accuracy of the process itself. This justifies the fact that the company is maintaining a comprehensive IT audit system to meet the requirements of the Sarbanes Oxley Act and achieve compliance with it.
6.6.2: Version Control
The company has also incorporated version control for its documents, including the technical design reports and the day-to-day analysis reports generated to address any specific issues raised by the third parties involved. Furthermore, the company also adopts a file naming convention that provides detailed guidelines for its staff on saving electronic files and documents, in order to maintain information accuracy and consistency among the different levels of the organization.
6.6.3: Access Control and information security
Like HSBC Bank Plc, National Grid Transco Plc has also incorporated robust access control techniques to prevent unauthorised access to information. The company has also incorporated a Business Continuity Management strategy to meet any disaster situation and perform effectively during the course of a disaster. Alongside, access to the centralised databases is restricted to the administrators, and users can access information only on the basis of their roles.
This justifies the company's IT Audit strategy to contribute to the corporate governance of the organization through providing accurate information for financial reporting.
Chapter 7: Discussion and Conclusion
The case study analysis of the companies has revealed that information forms an integral part of any business and hence the need to maintain the consistency and accuracy of the information is essential. Alongside, the analysis of HSBC Bank Plc has revealed that the banking sector needs not only to maintain the information related to credit and debit but mainly to maintain the details of every transaction within the organization in order to distinguish between investment and expenses.
Alongside, the research analyses have also proved that Sarbanes Oxley Act compliance is essential for the effective management of information and not just for the need to be quoted on the New York Stock Exchange. Apart from the fact that Sarbanes Oxley Act compliance eases the process of auditing and increases information transparency, the efficient management of information and auditing in compliance with the Sarbanes Oxley Act improves the company's overall business process, eventually increasing its performance, resulting in higher levels of revenue and avoiding discrepancies in the information being processed. This will increase the performance of the organization irrespective of the nature of its business.
The discussion of the internal control in National Grid Transco Plc and HSBC Bank Plc has shown that it has increased the level of accuracy of the information used for financial reporting, thus eliminating errors in the first instance, eventually increasing revenue for the company, and providing concrete documentation for any discrepancy identified so that it can be justified during the auditing process.
It is also clear from the above chapters that auditing the technology behind the information being processed is critical, since any change to the technical structure of the IT system will eventually affect the accuracy and consistency of the information, thus affecting the overall financial reporting of the company and its corporate governance. The discussion of the access control techniques and the various strategies to prevent unauthorised access to information has further revealed that compliance with the Sarbanes Oxley Act is not the only necessary criterion for an organization, because the information being processed by the companies is not only critical in nature but any infringement of the information will result in a potential financial impact on the organization, eventually affecting the corporate governance itself.
The fact that investor confidence is essential for the sustainability of the market makes it imperative for every organization to adhere to strict IT audit policies and methods to establish the consistency of the information that contributes to the financial reporting of the company. Alongside, the Sarbanes Oxley Act also monitors the financial impact of any information infringement and discrepancy, resulting in a comprehensive analysis of the internal control of information to identify any deficiencies in the information management process, in order to establish the consistency and accuracy of the information that contributes to the financial reporting of the organization. Furthermore, the fact that the Sarbanes Oxley Act also emphasises that companies maintain relevant documentation and incorporate effective internal communication in order to arrive at a concrete conclusion makes it clear that communication will not only leverage effective compliance with the Sarbanes Oxley Act but, mainly, leverage effective communication among the various levels of the organization in order to manage the information effectively as well as provide comprehensive decisions on any structural changes required.
The procedural approach to incorporating any structural changes in the IT system installed within the organization, in both National Grid Transco Plc and HSBC Bank Plc, further emphasises that information technology is not only a critical element of the business operation but that the effective management of the IT system is essential in order to incorporate efficient management and improve the performance of the company, thus providing accurate input to the corporate governance of the organization.
Apart from the arguments on Sarbanes Oxley Act compliance, the fact that UK organizations are increasingly adopting the auditing process to validate their information in order to prevent any errors in financial reporting, as argued in the Audit Commission overview (2005), further makes it clear that UK organizations are increasingly monitoring the accuracy and consistency of information in order to prevent any errors leading to potential loss and hindrance to the corporate governance itself.
Alongside, the case study analysis of National Grid Transco Plc has proved that organizations that do not have a product of their own can still establish Sarbanes Oxley Act compliance and provide efficient information accuracy through continuous monitoring of the information being processed, and that accuracy of the information achieved through continuous monitoring of the actual business process will leverage effective corporate governance in the organization. National Grid Transco Plc is a company similar to Enron in the United States of America, which faced bankruptcy in 2002. It is therefore interesting to note that the strict adherence by National Grid Transco Plc to information audit policies, internal as well as external, even before the enforcement of the Sarbanes Oxley Act, has revealed that information plays a critical role in the business of any organization, whatever the technology implemented to manage it, and this adherence has increased the performance and the corporate governance of National Grid Transco Plc in the UK.
Apart from the factors of information accuracy and consistency, which are essential for IT auditing, the critical element for accomplishing the IT audit effectively is a structured approach to the process of auditing itself, as argued by the Audit Commission of the UK (2005). This corresponds to those elements of information technology, such as the maintenance of technical documentation and effective control of the information flow between the various levels of the organization, that contribute to the efficiency of the entire auditing process. Alongside, through the efficient management of human resources as discussed in the literature review, a company can leverage efficient IT auditing, because it is the staff in the company who handle the information and feed it into the computer, where it is eventually processed to generate reports. Alongside, the fact that organizations in the UK are increasingly deploying information security and access control methods to prevent unauthorised access to information further justifies the view that UK organizations are aware not only of information security breaches and infringement but also of the fact that their performance and their financial reporting to corporate governance depend directly on the information they process, as identified by Denzil Watson and Tony Head (1998).
Furthermore, the unit-level control of the information and the reporting of any deficiency to the higher levels followed by National Grid Transco Plc not only increase transparency but also increase the reliability of the company, eventually increasing investor confidence, which is the main reason for the evolution of IT audits and the Sarbanes Oxley Act.
The above discussion has revealed that IT auditing is an essential element in any publicly owned organization, irrespective of its compliance with the Sarbanes Oxley Act, mainly for accomplishing an effective business process and achieving accurate financial reporting in the corporate governance of the organization.
7.2: Evaluation of Objectives
Objective 1: To critically analyse the concept of corporate governance and its importance for an organization both internal and external to the business.
The literature review on corporate governance in chapter 2 provided a comprehensive overview of the concept of corporate governance. It was established that the corporate governance of an organization predominantly depends on effective auditing and accurate financial reporting, which contribute to the company's overall position in the target market as well as gaining investor confidence. Alongside, it was also established that the corporate governance of an organization is also contributed to by the effective functioning of human resources, finance, infrastructure and, above all, effective internal communication. The analysis of the committees for corporate governance proved that the corporate governance of an organization is not only the financial reporting but also monitors the overall operation of the entire senior management of the organization in order to gain sustainable market growth through improved performance and effective management. It was also established that the corporate governance committee monitors the entire operation of corporate governance in the organization and has complete control over the other two committees, namely the audit committee and the compensation committee. Furthermore, the literature review on the corporate governance of an organization also revealed that corporate governance is essential for all publicly quoted organisations and that financial reporting is the critical element of corporate governance.
Objective 2: To analyse the critical nature of information in business and the growth of information systems in corporate governance.
The analysis in chapter 3 has justified that organizations in the UK are increasingly depending upon information technology to conduct the business process itself, which contributes to the financial reporting in the corporate governance of the company. Alongside, the fact that organizations are increasingly utilizing information technology to conduct business from both the business-to-business and business-to-consumer perspectives increases the critical nature of information in the entire business process. Alongside, the overview of IT in corporate governance has further revealed that information technology is no longer merely an operational component of the business, because the information contributing to the financial reporting of the organization is mainly derived from the information systems that provide the input information for the financial value of the actual business of the company. Furthermore, the overview has also revealed that it is essential not only to maintain accuracy at the strategic level but mainly to provide accurate input to the system at the operational level, because sales or any form of business operation at the operational level contributes to the actual revenue of the company, and hence it is imperative to maintain accuracy and consistency right from the operational level of the system.
Objective 3: To analyse the corporate financial reporting frauds and the role of information technology in such cases through critically analysing examples from various industries.
The overview in chapter 3 on IT and corporate governance further revealed that the information used for the purpose of financial reporting is predominantly data input by personnel, and that any error or flaw in this input will result in a fraud in the financial reporting, resulting in the infringement of the corporate governance of the organization itself. Furthermore, it was also established that the actual technology behind the processing of the information should itself be capable of producing accurate results in order to maintain the consistency and accuracy of the results. The deployment of various innovative technologies by organizations in order to increase their market share and also present accurate information for financial reporting justifies the need for a robust technology on top of an accurate information system.
The analysis of the Enron and WorldCom issues has revealed that the information infringement was not only because of frauds in the input of the information but mainly because of misinterpreting the information, as in the case of WorldCom, where the company overstated its investment because of misinterpreting expenses as investment. Furthermore, the analysis in the chapter also revealed that corporate financial reporting frauds not only hinder the economic operation of the company but mainly affect the industry in which it is operating and also the economic stability of the country. Alongside, the analysis of the Sarbanes Oxley Act and the regulations of the Securities and Exchange Commission has further revealed that frauds in financial reporting are the major elements that contribute to the hindrance of the corporate governance of the organization itself.
Objective 4: To critically analyse Section 404 of the Sarbanes Oxley Act which is the final rule of the act to be implemented by corporate organizations in the UK.
The analysis in Chapter 4 on the Sarbanes Oxley Act proved that the consistency and accuracy of the information are essential for the successful financial reporting of an organization. Alongside, the overview of the Sarbanes Oxley Act has also established that the law protects the personnel and the interests of the staff in order to prevent the abuse of personnel by the company for providing concrete information on frauds in the organization. The analysis of section 404, which was passed as the rule by the Securities and Exchange Commission, has revealed that publicly quoted companies, whether within the United States of America or foreign organizations, must adhere to the norms laid down by section 404 of the Sarbanes Oxley Act in order to achieve corporate governance. The discussion of section 404 of the Sarbanes Oxley Act revealed that the information dealt with by the organization must be controlled internally right from the operational level up to the corporate level prior to the external auditing of the information itself. The different types of internal control deficiency identified by section 404 of the Sarbanes Oxley Act have confirmed that the organization must not overlook even the slightest discrepancy and must hence achieve a high level of information transparency to gain investor confidence. Furthermore, the analysis of information technology auditing and the various rules and guidelines laid down by section 404 of the Sarbanes Oxley Act further reveals that the technology behind the information systems of an organization must be well structured, documented and controlled at all levels of the organization in order to maintain the accuracy and integrity of the information.
Objective 5: To provide case study analysis with examples from banking sector and Energy sector in the UK on the application of the Sarbanes Oxley Act-section 404.
The case study analyses of the banking sector, with HSBC Bank Plc, and the energy business in the UK, with National Grid Transco Plc, as the companies of debate, have revealed that information technology forms a critical element in the management of information as well as in maintaining the accuracy of the information. The analysis of National Grid Transco Plc especially has revealed that even though the company does not have a specific product, it can still achieve transparency in operation through the efficient management of the information and the control of errors through continuous auditing and checking in the company. Alongside, National Grid Transco Plc is in the same line of business as Enron in the United States of America, which filed Chapter 11 bankruptcy in the year 2002. The analysis of HSBC further revealed that by adhering to strict auditing principles and methods of management of the information technology infrastructure, an organization can leverage information accuracy and data consistency, which are essential for accurate financial reporting in the corporate governance of an organization.
The analysis on the companies has also revealed that the process of auditing is not only essential for the successful compliance to Sarbanes Oxley Act but mainly to establish the consistency in the business information in order to eliminate errors and increase the accuracy of the information being processed to provide financial reporting.
From the overview of corporate governance it is clear that financial reporting and efficient auditing are essential for successful, flawless financial reporting by the organization. It was also established that corporate governance is directly impacted by the performance of the human resources of the organization, even though it is the financial performance of the company that is visible in the corporate governance of an organization. Corporate governance also comprises the monitoring and effective management of the senior management of an organization, and the presence of the non-executive director in the corporate governance is mandatory to achieve unbiased decision-making and corporate governance in the company.
It was also established that the information plays a critical part in achieving accurate financial reporting and that the effective monitoring of the information through continuous auditing and verification will provide accurate and reliable information for financial reporting. The Sarbanes Oxley Act and the compliance to section 404 has further established that the internal control and efficient auditing of the information provides accurate input to the financial reporting of the company and also increases transparency of the information eventually leveraging investor confidence.
Furthermore, it is also established that the efficient management of the IT infrastructure and the deployment of robust access control and storage management techniques will leverage accuracy in the information and also increase the reliability of the information being used for financial reporting. Thus, to conclude the research, it is clear that the effective use of IT auditing techniques will leverage accuracy and reliability in the corporate governance of an organization, thus increasing investor confidence. It is also proved that the Sarbanes Oxley Act, even though an American law, should be adhered to as a unified code of conduct by all publicly quoted organizations in order to gain transparency in the business process and encourage investment from more investors.
The research was focused on the effectiveness of IT audit in the corporate governance of UK organizations. This topic is very broad in nature since the UK business market consists of numerous industries. Hence it is recommended to conduct the report by concentrating the research upon a single industry like the banking industry or the retail sector in the UK business market.
Since primary research in the form of a questionnaire is impossible, because organizations will not reveal any information that is sensitive to the business, as stated before in chapter 1, it is recommended to gain first-hand information through interviews with key personnel of an organization. Since the report is academic in nature, this could not be accomplished within the limited time frame.
Chris Brown, (2005), The sustainable enterprise : profiting from best practice, UK: Kogan Page
Christopher Barnatt, (2000), Management Strategy and Information Technology, Text and Readings, Thomson Business Press
Denzil Watson and Tony Head, (1998), Corporate Finance Principles and Practise, UK: Financial Times Pitman Publishing
Derek Torrington and Laura Hall (1995), Personnel Management HRM in Action, 3rd Edition, UK: Prentice Hall
Efraim Turban et al, (2004), Electronic commerce 2004 : a managerial perspective, Upper Saddle River, N.J. : Pearson/Prentice Hall, 2004
Gerry Johnson and Kevan Scholes, (2001), Exploring corporate Strategy Fourth Edition, Prentice Hall of India Private Limited, India
John Ward and Joe Peppard, (2002), Strategic Planning and information Systems, 3rd edition, John Wiley and Sons
Michael Armstrong (2003), A handbook of human resource management practice, 9th Edition, London: Kogan Page.
Sebastian Nokes, (2001), Measuring and Controlling IT Costs, UK: Financial Times Prentice Hall
Journals and White Papers
(2005), CPA- The Harder Test, The Audit Commission UK
Bob Garratt, (2005), A Portrait of Professional Directors: UK Corporate Governance in 2015, Corporate Governance, Volume 13, number 2.
Company Profile, (2004), HSBC Holdings Plc, Data monitor, UK
Company Profile, (2004), National Grid Transco Plc, UK: Data Monitor Ltd
Ian P. Dewing and Peter O. Russell (2004), Regulation of UK Corporate Governance: lessons from accounting, audit and financial services, Regulation of UK Corporate Governance, Volume 12 Number 1
Isla Gower (2004), Banking: Market Report Plus, Keynote Ltd
Isla Gower (2004), Market Report Plus: IT Industry Review, UK: Keynote Ltd
Institute of Internal Auditors UK, (2004), IT Audit, UK
James Weber and Dana Fortun, (2005), Ethics and Compliance Officer Profile: Survey, Audit and internal Control, UK: Business and Society Review
Joseph Liberman, (2002), Behind the Enron Scandal, News Analysis, EBSCO Publishing
T.C. Melewar, (2003), Determinants of the corporate Identity construct: a review of the literature, Journal of Marketing Communications, Vol 9, pp 195-220.
The Business Round Table, (2004), Principles of Corporate Governance, Association of Chief Executive Officers
Tim McCollum, (2004), Information Technology in the Banking Sector: A critical analysis, European journal of Management, Emerald