Is IT your Achilles heel

Companies require solid information technology to guarantee effective financial control systems. This is important for internal corporate governance, especially public financial reporting.


What happens to companies that have weak IT systems and, thus, weaker internal controls? Research conducted by Bruce Weber shows that such corporate weakness can cost companies in a way they perhaps never realised.

There's a new potential weakness in the body corporate; and companies afflicted with it can find themselves not only publicly taken to task, they might even find their market valuation shrinking. And you can thank (at least indirectly) the 2002 US Sarbanes-Oxley Act (SOX) for alerting all of us to the problem. The financial distress calls of 2001-2002 seem like a distant memory compared to recent downturns, but companies like Enron and Worldcom and their misrepresentation of true financial performance triggered US lawmakers to pass SOX. Its goal was (by
new auditing processes mandated by law) to root out all financial misstatements and fraudulent representations of the financial health of publicly traded companies. Yet any company operating under SOX guidelines also found that its internal processes and controls for generating financial reports were also under a new public microscope.

Three-year hurdle

From the date of the passage of the law, companies had three years to prepare for the new standards for corporate governance. The emphasis from the start was on internal control. That phrase is worth defining here in the context of the law. "Internal control" isthe process carried out in a company and overseen by a board of directors to provide reasonable assurance of: (a) the reliability of financial reporting, (b) the effectiveness and efficiency of financial operations and (c) compliance with applicable laws and regulations. For any company not clear about how to design and manage such controls, resources have been available since at least 1985. What's significant is that US federal agencies, like the Public Company Accounting Oversight Board (PCAOB), quickly augmented SOX by defining how it would interpret a lack of internal controls as a corporate weakness: its Auditing Standard No. 2 defines material internal control weaknesses as "... more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis by employees in the normal course of their assigned functions."

SOX required company managers to look at how internal control over financial reporting is handled; currently, companies are required not just to report their financial data, but also attest to the internal controls they have in place on how that data is generated. The standard is that there has to be reasonable assurance regarding reliability of financial reports coming out, and the auditors as wellas the managers have to sign this control report.

Put succinctly: starting in 2005, companies that could not demonstrate that they had their internal controls well in hand were (fairly or not) open to serious question about the accuracy of their financial statements. And, as we all know so very well after the corporate crashes of the last year, companies that aren't strong financially (or whose management surprises the markets with unexpectedly weak results or worse need to restate previous results) - and transparently so - are weaker competitors. All of this, curiously, magnified the importance of information technology inside companies - for in the complex, modern corporation, IT is the only way to generate financial reports with the requisite detail, speed and accuracy.

Dull competitive edge

The competitive sword of publicly traded companies today really does have two edges. First, a company must seek the support of customers, but it also must attract the support of stockholders. Researching the first wave of SOX reports is already beginning to teach us a great deal about what it takes to tightly control corporate financials and about who's watching for any weakness in a company's bottom-line statements.

Journals such as Compliance Week ( have been scanning published 10K reports for any "material
weakness in financial control and reporting". In 2006, the journal studied data from 399 firms that disclosed 688 deficiencies (companies could list more than one) in their 2005 10Ks and found that the top six types of listed material weaknesses were: personnel, taxes, financial procedures, documentation, revenue recognition, and IT-financial systems. Fifty-two of the companies targeted information technology as a weakness.

Seeing this, I thought it would be interesting to look more closely at as many of those 52 companies for any marketplace impact tied to this performance shortfall. In other words, I wanted to know if a company citing IT as a key weakness in internal controls soon found itself not only receiving the attention of agencies like the PCAOB but also the potential wrath of investors.

Given the fact that companies had three years to prepare for the demands SOX imposed, it surprised me to find this many companies declaring so many weaknesses. But what surprised me even more was the fact that these weaknesses cost them. Big. I had the chance to delve into the particulars of 47 of the 52 companies. Then, by tracking the FY2006 10K filing date relative to the equally weighted index for market value, as monitored by the Centre for Research in Security Prices (, the statistics were most revealing:

  • Shareholder returns of 47 companies reporting material weaknesses in their controls over financial reporting due to IT and financial systems saw their CRSP equally weighted index drop 1.46 per cent.

  • The average firm in the sample saw its market value fall $6.2 million.

  • For the 23 companies that failed to remediate their material weaknesses in their controls within the next year, CRSP equally weighted index dropped by 2.16 per cent.

  • This is a $9.1 million fall in market cap for the average firm in the sample.

Achilles' heel?

Over the years, many scholars have studied the contribution of IT to business performance and shareholder  performance - the results are not conclusive by any means. It's important for me to state that it is assuredly the combined impact of possible weaknesses in internal controls that can cause a company to falter when it comes to meeting SOX, or any other set of high-level, performance standards.

But it's also important to state something that requires only basic logic. Financial reporting today is so intertwined with technology - within companies, between companies and, especially, between companies and the investment world - that IT can safely be listed as a critical variable in this discussion. I think it sends a bad signal to the market when any company today is not running its IT function in a manner that assures investors that they're going to get reliable and accurate financial data. From now on, such a weakness will always raise a huge red flag. The initial research seems to indicate strongly that companies that cannot warrant their internal controls will see potential legal problems dealing with laws such as SOX as well as a sinking market cap caused by investors who lost confidence in management quickly and sold their stock accordingly.

Bruce Weber ( is Professor of Information Management at London Business School.