Do Material Weaknesses in Information-Technology Related Internal Controls Affect Firms’ 8-K Filing Timeliness and Compliance? October 1 - 3, 2015Symposium.

Symposium 2015

Do Material Weaknesses in Information-Technology Related Internal Controls Affect

Firms’ 8-K Filing Timeliness and Compliance?

October 1 - 3, 2015

Symposium 2015

Ray Henrickson CA, CPA, CISA

• Recently retired VP Information Systems & Technology Audit at Scotiabank

• + 35 years as an IT auditor

October 1 - 3, 2015

Symposium 2015

The Premise

• The relative strength of a firm’s internal controls, especially those surrounding IT-related components (e.g., access, processing, reporting), play a leading role in affecting the timeliness and four day compliance requirement for the Form 8-K.

• The focus is on understanding the roles played by a firm’s AIS

October 1 - 3, 2015

Symposium 2015

My Challenges - AIS

• Difference between ICMW and ITMW?• What is a material IT control weakness?

• Impact on financial reporting• Time/cost to remediate• Customer disruption• Relationship to risk

• Is the definition consistent across the sample population?• Are we really only dealing with reported control

weaknesses?• Is there a difference between one or multiple reported

weaknesses?

October 1 - 3, 2015

IT Control Environment

Communications link

Web page

OutputInput ApplicationProcessing

Logic Changes

Emergency changes

ParametersJob scheduleCalendars

Security validation

Communications link

Master file

Updated Master file

Web page

Production line

October 1 - 3, 2015 Symposium 2015

Symposium 2015

What’s an 8-K• Registrant's Business and Operations

– Entry into a Material Definitive Agreement– Termination of a Material Definitive Agreement– Bankruptcy or Receivership– Mine Safety - Reporting of Shutdowns and Patterns of Violations

• Financial Information– Completion of Acquisition or Disposition of Assets– Results of Operations and Financial Condition– Creation of a Direct Financial Obligation or an Obligation under an

Off-Balance Sheet Arrangement of a Registrant– Triggering Events That Accelerate or Increase a Direct Financial

Obligation or an Obligation under an Off-Balance Sheet Arrangement

– Costs Associated with Exit or Disposal Activities– Material Impairments

• Securities and Trading Markets– Notice of Delisting or Failure to Satisfy a Continued Listing Rule or

Standard; Transfer of Listing– Unregistered Sales of Equity Securities– Material Modification to Rights of Security Holders

• Matters Related to Accountants and Financial Statements– Changes in Registrant's Certifying Accountant– Non-Reliance on Previously Issued Financial Statements or a

Related Audit Report or Completed Interim Review

• Corporate Governance and Management– Changes in Control of Registrant– Departure of Directors or Certain Officers; Election of Directors;

Appointment of Certain Officers; Compensatory Arrangements of Certain Officers

– Amendments to Articles of Incorporation or Bylaws; Change in Fiscal Year

– Temporary Suspension of Trading Under Registrant's Employee Benefit Plans

– Amendment to Registrant's Code of Ethics, or Waiver of a Provision of the Code of Ethics

– Change in Shell Company Status– Submission of Matters to a Vote of Security Holders– Shareholder Director Nominations

• Asset-Backed Securities – ABS Informational and Computational Material– Change of Servicer or Trustee– Change in Credit Enhancement or Other External Support– Failure to Make a Required Distribution– Securities Act Updating Disclosure

• Regulation FD– Regulation FD Disclosure

• Other Events– Other Events (The registrant can use this Item to report events that

are not specifically called for by Form 8-K, that the registrant considers to be of importance to security holders.)

• Financial Statements and Exhibits

October 1 - 3, 2015

Symposium 2015

My Challenges – 8-K

• Difference between timeliness and compliance? Does it matter?

• How is the 8-K produced?• In-house compliance/legal department• Outside third party

• How do controls in the IT environment relate to 8-K reporting?

• End user computing vs corporate systems

October 1 - 3, 2015

Symposium 2015

Typical 8-K Preparation

October 1 - 3, 2015

8-K Template

Symposium 2015

COSO Control Framework

October 1 - 3, 2015

Symposium 2015

COSO Control Framework

October 1 - 3, 2015

Symposium 2015

The Relationship

IT Control Activities

Non-IT Control Activities

How long it takes to do 8-K Reporting

October 1 - 3, 2015

Operations Compliance

Symposium 2015

The Analysis

October 1 - 3, 2015

Complicated Events

Non-Complicated

Events Surprise EventsNon-Surprise

EventsInternal Control

Internal Control Material Weakness

IT Material Weakness

Other Material Weakness

IT Control Improvement

IT Control Weakness continues

Firm Characteristics

Size

Leverage

Return On Assets

Annual Abnormal Return

Age of the firm

Big 4 Audit Firm

Financial Health

Loss

Rate of growth

Operation Complexity

Number of operational or geographic segments

Foreign Transaction

Restructure

Symposium 2015

Conclusions• For internal control weaknesses

• Firms that reported a material weakness in internal control submitted their 8-K filing later in the four-day timeframe.

• For IT-related internal control weaknesses• For complicated events, firms that reported IT-related material weaknesses in

internal controls submitted their 8-K filing later in the four-day timeframe.• For non-complicated events, there was no statistical relationship between IT-

related material weaknesses in internal controls and the 8-K reporting timeliness.

• Remediation (deterioration) in the quality of IT-related internal controls had no impact.

• Overall• 14,422 firms• 118,863 reports• 127 non-compliant reports

October 1 - 3, 2015

Symposium 2015

What’s Missing

• Fundamental difference between AIS processes and 8-K event reporting

• The degree of independence and autonomy between AIS and Compliance Reporting processes, controls and IT

• Whether the reported control weaknesses were pervasive or situational

• No consideration of the influence of the Control Environment / Governance / “Tone at the Top”

October 1 - 3, 2015

Symposium 2015

Practical Application

• No foreseeable practical application of this study to the planning and execution of financial, IT or compliance audits

October 1 - 3, 2015