Information intensity, control deficiency risk, and materiality

Purpose - This paper leverages the concept of business information intensity (BII) with the aim of developing a model to assess control deficiency risk (CDR) in organizations. BII measures the extent of use of IT by an organization in its products and value chain. Design/methodology/approach - The paper develops a conceptual model that uses BII and CDR to examine alternative approaches to risk management. This model contains four quadrants that provide insight into varying risk management strategies for business processes. CFOs and internal auditors fromFortune100 companies are surveyed to illustrate how the model may be used to guide management in assessing IT security expenditure. Findings - The model suggests that spending on IT and information security is higher for companies with high BII‐CDR than those with low BII‐CDR. Research limitations/implications - Analysis focused on only two quadrants in a four‐quadrant model. Future research may seek to refine the measurement of BII and CDR, and offer greater insight into the types of business processes that fall into each of the four quadrants as well as those that do not fit neatly into those quadrants. Practical implications - Organizations may use the BII‐CDR model to assess risk and to evaluate investments in IT security and other control activities. The model also highlights the need to redefine the concept of materiality and to consider its link to BII and CDR. Auditors should consider the interaction of BII and CDR in planning the audit, conducting field work, and managing overall audit risk. Originality/value - The paper provides original insights into the relationship between BII and CDR and its implications for treatment of materiality. It was observed that activities which support critical business processes are themselves critical. This is an important departure from traditional approaches to evaluating materiality.