Abstract
We investigated publicly reported security breaches of internal controls in corporate information systems to determine whether U.S. Securities and Exchange Commission (SEC) data are information bearing with respect to breaches of security and privacy. The issue has grown in importance as information systems breaches have steadily grown costlier and more frequent. Our analysis supports a high predictability for credit card breaches, portable-device-related breaches and breaches conducted by firm insiders. Our study also found evidence that employees are subverting particularly strict internal controls by using portable devices that can be carried outside the physical boundaries of the firm. In general, auditing and corporate data filed with the SEC were non-informative with regard to breaches involving unintended disclosures, physical losses, hacking and malware, and workplace computers. The scope of, and fees associated with, auditing are significant factors in predicting security breaches, whereas assessments of internal control effectiveness were shown to be less significant for prediction.
Westland, J.C. Assessing Privacy and Security of Information Systems from Audit Data. Inf Syst Front 24, 1417–1434 (2022). https://doi.org/10.1007/s10796-021-10129-5