
The Information Content of Sarbanes-Oxley in Predicting Security Breaches

Author

Listed:
  • J. Christopher Westland

Abstract

We investigated publicly reported security breaches of internal controls in corporate systems to determine whether SOX assessments are information bearing with respect to breaches which can lead to materially significant losses and misstatements. SOX Section 404 adverse decisions on effectiveness of controls occurred in 100% of credit card data breaches and around 33% of insider breaches. SOX 404 audits provided contrarian "effective" control decisions in 88% of situations where there was a control breach concerning a portable device. We found that management and SOX 404 auditors do not generally agree on the underlying internal control situation at any time; instead the SOX 404 team was likely to discover material weaknesses and "educate" management and internal audit teams about the importance of these control weaknesses. SOX attestations were poor at identifying control weaknesses from unintended disclosures, physical losses, hacking and malware. Hazard and occupancy models showed that both SOX 302 and 404 section audits provided information on the frequency of breaches, with SOX 404 being three times as informative as section 302 reports. The hazard model found an expected 2.88% reduction in breaches when SOX 302 controls are effective; management "material weakness" attestations provided no information in this structural model, whereas there would be around a 1% increase in breach occurrence when there are significant deficiencies. SOX 404 attestations were the most informative, and a negative SOX 404 attestation is projected to increase the frequency of breaches by around 8.5%.

Suggested Citation

  • J. Christopher Westland, 2018. "The Information Content of Sarbanes-Oxley in Predicting Security Breaches," Papers 1802.10001, arXiv.org.
  • Handle: RePEc:arx:papers:1802.10001

    Download full text from publisher

    File URL: http://arxiv.org/pdf/1802.10001
    File Function: Latest version
    Download Restriction: no

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. James Christopher Westland, 2020. "Predicting credit card fraud with Sarbanes‐Oxley assessments and Fama‐French risk factors," Intelligent Systems in Accounting, Finance and Management, John Wiley & Sons, Ltd., vol. 27(2), pages 95-107, April.
    2. Ge, Weili & Koester, Allison & McVay, Sarah, 2017. "Benefits and costs of Sarbanes-Oxley Section 404(b) exemption: Evidence from small firms’ internal control disclosures," Journal of Accounting and Economics, Elsevier, vol. 63(2), pages 358-384.
    3. J. Christopher Westland, 2022. "Assessing Privacy and Security of Information Systems from Audit Data," Information Systems Frontiers, Springer, vol. 24(5), pages 1417-1434, October.
    4. DeFond, Mark & Zhang, Jieying, 2014. "A review of archival auditing research," Journal of Accounting and Economics, Elsevier, vol. 58(2), pages 275-326.
    5. Chang, Yu-Tzu & Chen, Hanchung & Cheng, Rainbow K. & Chi, Wuchun, 2019. "The impact of internal audit attributes on the effectiveness of internal control over operations and compliance," Journal of Contemporary Accounting and Economics, Elsevier, vol. 15(1), pages 1-19.
    6. Todd D. Kravet & Sarah E. McVay & David P. Weber, 2018. "Costs and benefits of internal control audits: evidence from M&A transactions," Review of Accounting Studies, Springer, vol. 23(4), pages 1389-1423, December.
    7. Nejadmalayeri, Ali & Nishikawa, Takeshi & Rao, Ramesh P., 2013. "Sarbanes-Oxley Act and corporate credit spreads," Journal of Banking & Finance, Elsevier, vol. 37(8), pages 2991-3006.
    8. Dina El-Mahdy & Myung Park, 2014. "Internal control quality and information asymmetry in the secondary loan market," Review of Quantitative Finance and Accounting, Springer, vol. 43(4), pages 683-720, November.
    9. Bolton, Brian & Lian, Qin & Rupley, Kathleen & Zhao, Jing, 2016. "Industry contagion effects of internal control material weakness disclosures," Advances in accounting, Elsevier, vol. 34(C), pages 27-40.
    10. Margaret A. Abernethy & Wei Li & Yunyan Zhang & Hanzhong Shi, 2023. "Firm culture and internal control system," Accounting and Finance, Accounting and Finance Association of Australia and New Zealand, vol. 63(3), pages 3095-3123, September.
    11. Stefan Arping & Zacharias Sautner, 2010. "Did the Sarbanes-Oxley Act of 2002 make Firms less Opaque? Evidence from Analyst Earnings Forecasts," Tinbergen Institute Discussion Papers 10-129/2/DSF 5, Tinbergen Institute.
    12. Sean T. McGuire & Stevanie S. Neuman & Sarah C. Rice, 2020. "Interim Effective Tax Rate Estimates and Internal Control Quality," Contemporary Accounting Research, John Wiley & Sons, vol. 37(1), pages 603-633, March.
    13. Baolei Qi & Liuchuang Li & Qing Zhou & Jinghui Sun, 2017. "Does internal control over financial reporting really alleviate agency conflicts?," Accounting and Finance, Accounting and Finance Association of Australia and New Zealand, vol. 57(4), pages 1101-1125, December.
    14. Stojkoski, Viktor & Karbevski, Marko & Utkovski, Zoran & Basnarkov, Lasko & Kocarev, Ljupco, 2021. "Evolution of cooperation in networked heterogeneous fluctuating environments," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 572(C).
    15. Maximilian Klöckner & Christoph G. Schmidt & Stephan M. Wagner, 2022. "When Blockchain Creates Shareholder Value: Empirical Evidence from International Firm Announcements," Production and Operations Management, Production and Operations Management Society, vol. 31(1), pages 46-64, January.
    16. Venkatasubramanian, Venkat & Luo, Yu & Sethuraman, Jay, 2015. "How much inequality in income is fair? A microeconomic game theoretic perspective," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 435(C), pages 120-138.
    17. E. Samanidou & E. Zschischang & D. Stauffer & T. Lux, 2001. "Microscopic Models of Financial Markets," Papers cond-mat/0110354, arXiv.org.
    18. Kočišová, J. & Horváth, D. & Brutovský, B., 2009. "The efficiency of individual optimization in the conditions of competitive growth," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 388(17), pages 3585-3592.
    19. Wunhong Su & Liuzhen Zhang & Chao Ge & Shuai Chen, 2022. "Association between Internal Control and Sustainability: A Literature Review Based on the SOX Act Framework," Sustainability, MDPI, vol. 14(15), pages 1-30, August.
    20. Badolato, Patrick G. & Donelson, Dain C. & Ege, Matthew, 2014. "Audit committee financial expertise and earnings management: The role of status," Journal of Accounting and Economics, Elsevier, vol. 58(2), pages 208-230.
