Efficiency of IT Audit in Corporate Governance

Published Date: 28 Feb 2018

Critical Research Analysis On The Effectiveness Of IT Auditing For Corporate Governance

Chapter 1: Introduction

1.1 Introduction

Auditing is one of the essential elements for the successful functioning of the business and helps an organization to face the external world with precise information on its business and issues related to accountability. Also, it is universally accepted that any business organization irrespective of its nature of business must provide relevant documentation to the government and other legal authorities with respect to their income and expenditure in order to meet the rules and regulations on tax. In the initial years of its introduction, auditing was primarily concerned with only the finance and finance related activities within the business that is accounted for in the business. Apparently, the revenue generated by the company and the costs associated are the major contributing factors for decision making on the tax and shareholder benefits. Alongside, the growth of information technology and the increase in the public awareness has further intensified the need for conducting an efficient auditing process to provide accountability for their business activities.

It is intriguing to note that information technology has become an integral part of every business organization making information as a critical element for the effective operation of the business itself. Thus the need for auditing the information and IT based activities that account for the finance for the organization both revenue and expenses are imperative. This report is focused on the effective role of information technology audit in the corporate governance in the UK business organizations. The fact that the corporate governance is the portrait of the a company to the external world both in terms of performance as well as financial information makes it a critical element for the success of an organization.

It is also imperative that the corporate governance of an organization is essential not only for the benefit of the stakeholders but also for the economic stability in the business market as well as the entire nation. This report is aimed to present a critical research analysis on the effectiveness of IT auditing for corporate governance in UK. The report will throw light on the various aspects relate to achieving effectiveness in through IT audit as part of corporate governance and critically analyses the Sarbanes Oxley Act on IT audit and information transparency.

1.2: Aim and Objectives

The aim of this dissertation is to critically analyse the efficiency of IT audit in the corporate governance among the UK business organizations. This is achieved by embracing the research upon the following objectives.

• To critically analyse the concept of corporate governance and its importance for an organization both internal and external to the business.
• To analyse the critical nature of information in business and the growth of information systems in corporate governance.
• To analyse the corporate financial reporting frauds and the role of information technology in such cases through critically analysing examples from various industries.
• To critically analyse Section 404 of the Sarbanes Oxley Act which is the final rule of the act to be implemented by corporate organizations in the UK.
• To provide case study analysis with examples from banking sector and Energy sector in the UK on the application of the Sarbanes Oxley Act-section 404.

1.3: Research Definition

The research in this report is accomplished using secondary information resources only. This is mainly because of the fact that a public opinion on the IT auditing is totally irrelevant and the business organizations will not reveal their corporate information other than that is published in the annual reports due to data protection and privacy issues. Hence the research analysis in the case study is entirely qualitative in nature (i.e.) the research is based upon the journals and white papers published rather than using first had data for quantifying the analysis.

The case study analysis is conducted upon the energy and banking sector of the UK. Whilst a critical analysis on HSBC bank Plc is presented under the banking sector, National Grid Transco, Plc is the company of interest in the Energy sector of the UK. The case study analysis on these organizations will provide critical information on the use of section 404 of Sarbanes Oxley Act and the company's strive to accomplish IT audit that support financial results for corporate governance. The research analyses only those areas of information systems that directly contribute to the financial results of a company rather than the entire information technology infrastructure of the company.

1.4: Justification for the research

The fact that information plays a critical role in every sphere of a business in the twenty-first century as argued by Efraim Turban et al (2004) has apparently increased the role of IT from just an operational support element to a strategic element of the entire business itself. Furthermore, the fraud detected in the ENRON and WorldCom cases (discussed in later chapters) were predominantly because of the frauds in information that attributes to the financial performance of the company. Hence, this research is conducted in order to throw light on the critical nature of information in the auditing process. The fact that energy (electricity and gas) and banking sectors are major business sectors that directly deal with the general public on a day-to-day basis apart from the increased interests of the stakeholders is the major reason for embracing the research on these two sectors of business in the UK.

1.5: Chapter overview

Chapter 1: Introduction

This is the current chapter, which introduces the reader with the aim and objectives of the research and the research definition.

Chapter 2: Literature Review - Corporate Governance

In this chapter a critical overview of corporate governance and the need for auditing and financial performance is discussed in the light of business environments in the UK. The discussion throws light on the need for achieving corporate governance and the essential elements of the business that contributes to corporate governance of a company are discussed with focus upon the entire business.

Chapter 3: Information systems and corporate governance

This chapter critically analyses the role of information technology in business organizations and the critical nature of information in supporting corporate governance. This is followed by the critical analysis of the corporate financial frauds by providing false information with examples from Enron and WorldCom cases.

Chapter 4: Sarbanes Oxley Act

This chapter begins with an overview of the Sarbanes Oxley Act. This is followed by the critical analysis of the section 404 of the Sarbanes Oxley Act, which was published by Securities and Exchange Commission to be followed in the UK since June 2003.

Chapter 5: Case Study 1: Banking Sector

This chapter initially analyses the banking sector as a whole and establishes the critical nature of information in the corporate governance of the competing organizations. This is then followed by the analysis of HSBC Bank Plc one of the potential competitors in the banking sector both within the UK and across the globe. The analysis throws light on the adherence of the Sarbanes Oxley Act section 404 by the company and the policies followed by the company to accomplish information transparency and consistency.

Chapter 6: Case Study 2: Energy Business

This chapter presents a critical analysis of the energy sector in the UK. This overview is followed by the critical analysis of the Energy transmission and Distribution conglomerate National Grid Transco Plc. The analysis throws light on the company's strategies and policies to achieve information transparency and reliability in the business. The research also establishes the critical nature of information in the business of the company.

Chapter 7: Discussion and Conclusion

The research conducted in the above two case studies are discussed in the light of corporate governance and the Sarbanes Oxley Act section 404. The analysis will provide a comprehensive review of the research conducted so far and establishes the coherence between the academic theories and the real-world scenarios. This is followed by the critical analysis of the objectives of the research followed by conclusion for the dissertation.

Chapter 2: Literature Review - Corporate Governance

2.1: Background Information

Gerry Johnson and Kevan Scholes (2001) say, Corporate Governance is an essential element for any business organization mainly because of the fact that the corporate governance is the message conveyed by the company to the external world including the general public and stakeholders. Alongside, it is also interesting to note that the corporate governance of an organization not only communicates to the external world but mainly provide a one-stop information resource to anyone who is interested in the organization. The corporate governance of the company is essential for not only effectively communicating to the external world but mainly to attract potential customers in the general public both for the business as well as identify potential investors to the company. Furthermore, the fact that corporate governance is also the comprehensive analysis of the entire organization performance by taking the first chapter of every company's annual report makes it critical for an organization to effectively maintain and achieve a high level of corporate governance as argued by Gerry Johnson and Kevan Scholes (2002).

Denzil Watson and Tony head (1998) further argue that the corporate governance of a company is not only a one page message conveyed by the chairman of the organization but also concerns with the relationship between the company management and its owners in the entire structure of the organization. Apart from the relationship with the owners and stakeholders, the corporate governance is also an essential element for the effective management of the human resource of the company itself mainly because of the fact that not only the interests of the existing workforce should be nurtured but the company should also maintain a positive corporate governance to attract new employees to the organization in order to achieve long-term organic growth as argued by Denzil Watson and Tony head (1998).

Another interesting fact identified by Denzil Watson and Tony head (1998) is that the corporate governance is a critical element in determining the remuneration for the senior executives in many organizations within the UK, which apparently means that the corporate governance is the mechanism that is used by the owners to govern the management of the company. Also, it is interesting to note that the corporate governance in the UK companies has been traditionally stressed upon the importance of internal control and importance of the role of financial reporting and accountability in the organization to its stakeholders and general public.

2.2: Need for corporate governance

Corporate governance of an organization is not only a message that is being conveyed to the stakeholders or the method of managing the management by the owners of the company but essentially the way of monitoring the company's growth and its position in the entire business market it is operating. The corporate governance is also important for achieving competitive advantage in the target market because of the fact that the customers in the target market are keen in identifying the attributes of the organization that sells the products to them. This includes every form of business including consumer industry, retail sector and even power and energy management sector as identified by Sebastian Nokes (2001). Furthermore, the corporate governance in an organization is also essential for efficiently monitoring and deploying the infrastructure of the company itself.

Chris Brown (2005) argues that the corporate governance of an organization is essential for not only increasing the productivity of the organization but also to become an inspiring element for the employees in the organization to achieve higher level of performance within the organization. Furthermore, it is also interesting to note that the corporate governance of a company is essential to manage the senior management of the organization for not only monitoring the productivity but also for deploying the revenue for further business development. It is imperative that finance is the heart of the entire corporate governance mainly because of the fact that a company's performance is determined based upon its financial performance both by the stakeholders as well as the general public.

T.C. Melewar (2003) further argues that the corporate governance of the organization is essential for not only the efficient management of the organization but also for identifying any potential issues that should be verified in order to achieve coherent results during the process of auditing in the company.

Following the fall of the Enron and WorldCom which was mainly because of the failure of the management of the company to provide coherent information for audit process and fraud activities in the financial information, the Securities and Exchange Commission of United States of America has made it a rule that the corporate governance of a company must also include non-executive directors who are responsible stakeholders and people of social respect who would validate the activities of the company itself. Furthermore, the Securities and Exchange Commission has also made it mandatory that the auditing committee of the company must contain at least three non-executive directors mainly to facilitate the validation and approval of the results from the audit committee.

The Legal and Regulatory exchange of the UK (2002) has also justified that even though the non-executive directors cannot fulfil all the expectations, they can help achieve the company to effectively perform in the business through continuously monitoring the activities of the entire organization and providing valuable guidance to the board of executive directors in the form of suggestions. Alongside, the Department of Trade and Industry has also justified the fact that even though, the non-executive directors in the company do not involve themselves in the day-to-day business of the organization, they are the responsible for the efficiency and overall effectiveness of the organization with respect to the organization's performance and reliability of the results.

Furthermore, the fact that the corporate governance in an organization also contributes to the economic stability of the entire business market itself since the revenue generated from a business sector in a nation is obviously the summation of the revenue generated by the individual organization competing in the business and fraud in the corporate governance will eventually affect the economic stability of the business sector itself as argued by Malcolm McDonald (1996).

2.3: Essential elements of corporate governance

Even though it is clear that the financial performance and the financial statements are critical to the corporate governance itself, Denzil Watson and Tony Head (1998) have identified the following elements as the major contributing elements to achieve efficient corporate governance in any business organization.

2.3.1: Human Resource

Michael Armstrong (2003) argues, Human resource is the most indispensable resource for any organization. Apparently this is because of the fact that the costs associated with the recruitment and training of new staff in an organization is very high when compared to retaining the existing workforce and effectively nurturing their performance to increase productivity s well as stabilize the costs as identified by Denzil Watson and Tony Head (1998). Furthermore it is imperative that only the effective performance of the human resource of the organization without encouraging any errors and maintaining the transparency in their work related activities would provide accuracy and consistency in the business activities across the entire organization right from the operational level. It is also clear that even though the corporate governance concept is entirely strategic in nature, the business generates revenue only from the very en of the operational staff and hence the need to achieve accuracy and reliability at operational level is imperative for the efficient corporate governance in an organization.

Derek Torrington and Laura Hall (1995) argue that the human resource of an organization not only contribute to the efficiency or performance of the organization, but also contribute to the overall reliability of the organization which is an essential element to achieve corporate governance in the organization. This is mainly because of the fact that the staff right from the operational level to the top level management must have the commitment in achieving the standards set by the company in performing the business which is essential for the corporate governance itself mainly because of the fact that corporate governance is increasingly being treated as a factor of reliability on the company rather than a information resource to judge the performance of the company. Alongside, Derek Torrington and Laura Hall (1995) further argue that the efficiency of the human resource of an organization is the primary contributing factor for the accuracy and reliability of the company's performance in the external world. This also explains that the human resource of an organization not only contribute to the efficiency and revenue generation of the company but also for the corporate governance of the organization itself.

The above arguments justify that the human resource management and efficiency is essential for corporate governance in any business organization in UK.

2.3.2: Finance

As argued before finance is the backbone for any business since every organization operating in the commercial environment are focused in generating revenue and the increase in competition in the business due to globalisation and innovative business methods has apparently increased the need to focus on generating revenue with minimal costs as argued by Gerry Johnson and Kevan Scholes, 2001). The above statement clearly justifies that finance is the critical element for the corporate governance in every business organization. Alongside, it is also essential to mention that the financial results are the end-product that is being analysed by the auditors even though the way in which the revenue is generated and the process of maintaining the cash flow are other critical elements of the business itself.

Denzil Watson and Tony Head (1998) further argue that the corporate governance is predominantly based upon the fundamental issues of resource and finance allocation is addressed through the corporate governance only. This further makes it clear that even though accounting is a critical element of the finance, the output of which is actually being audited, the resource allocation and the finance management are the critical ingredients for the corporate governance in the organization which makes finance as the backbone of the corporate governance to any business organization. It is further intriguing to note that finance is not just the way of managing the allocation of money and financial resources but essentially the accountability to the allocations is the major factor that is analysed in the corporate governance of any organization apart from the corporate finance itself. Hence, accountability in terms of financial performance and management are the critical factors that contribute to the corporate governance of an organization.

The rule passed by Securities and Exchange Commission of the UK that the financial statements must be disclosed not only in the annual reports but periodically published for public notice in order to enable the investors and stakeholders to critically judge the organization performance has made it clear that corporate governance embraces finance of the organization.

Alongside, it is also clear from the Bank of Credit and Commerce International (BCCI) that the companies must disclose their financial information and also provide accountability for all the revenue generated and costs incurred not only in the annual balance sheet but also in a periodic fashion further justifies that the corporate governance is critically dependant on finance.

2.3.3: Infrastructure

The infrastructure in this context is not just the furniture and desktop computers that are used to accomplish the day-to-day business process but mainly the infrastructure that handles the finance and finance related information and activities. These include the software and hardware systems that hold the information on the finance and also those infrastructure elements that contribute to the generation of revenue in the first place. Denzil Watson and Tony Head (1998) further argue that the infrastructure in a corporate governance context also includes those that accomplish the effective auditing process and also the infrastructure elements that contain critical information on the finance and billing.

Alongside, the infrastructure not only provides support to the finance and billing in an organization but also mainly contributes to the efficient retrieval and storage of the information (discussed in next chapter) and also supports the financial decision b=making in terms of corporate communication and deciding upon the allocation of finance for further development within the organization.

This further justifies the fact that infrastructure in a corporate governance context not only includes the storage and retrieval system (electronic) but also includes those infrastructure that actually processing the payments made by the customers to the organization and the expenses of the organization in order to run the day-to-day business.

2.2.4: Communication

Communication is critical for corporate governance because of the fact that only through the effective communication of the information to the audit committee, the organization can gain reliability and provide concrete information in their corporate governance. Since the corporate governance is predominantly the managing of the senior management of the organization and is derived from the process of auditing and verifying the activities of the company in every segment of the organization (including Human Resource and Finance) makes the communication a critical element for the smooth operation of the business. Furthermore, the communication also plays the vital role of communicating the information to the external world.

2.3: Committees

The aforementioned elements of the corporate governance are mainly in line with the day-to-day business process of the company itself. In order to maintain the accuracy of the corporate governance and increase the transparency as well abide by the regulations of the Securities and Exchange Commission, corporate governance consists of the following committees as identified by The Business Roundtable of UK (2004).

2.3.1: Audit Committee

According to the Securities and Exchange Commission it is mandatory for every publicly owned company to have an audit committee comprised of solely independent directors. This makes it clear that auditing is the heart of corporate governance and the accuracy of the entire business process will be accountable to the audit committee. Furthermore, the audit committee is also responsible for verifying and checking every aspect contributing to the business and the financial performance of the organization hence making it a critical element of the entire corporate governance itself. Alongside, it is also imperative that the independent directors belong to various segments of the business and also that the committee should comprise of non-executive directors for the purpose of accomplishing the consistency in the operation itself.

This further justifies that that audit committee is responsible for justifying the accountability of the organization.

The Securities and Exchange Commission clearly states that the audit committee should comprise of at least three members (directors) of the audit committee should be independent of the entire organization and should not participate in the management of the business directly or indirectly. These directors are called the non-executive directors as discussed above and they are appointed mainly to provide unbiased assessment on the business operations so as to clearly establish the business process and accountability for corporate governance of the organization.

Denzil Watson and Tony Head (1998) say that even though it is not expected out of an independent director to have comprehensive financial knowledge it is essential for the non-executive directors to possess the fundamental knowledge on finance and its relevance to the business itself. They further argue that the directors in the audit committee should be able to conduct the auditing process with a critical eye to identify any flaws in the business process or the methodology of the organization in order to judge the company's financial performance.

Even though, auditing is predominantly related to the finance and revenue of an organization, the other elements like information technology, human resource and infrastructure discussed above are also judged by the audit committee which is the reason for accommodating the directors in the committee from various fields of specialization in order to provide critical suggestions and provide accurate assessments upon the performance of the organization itself.

In order to accomplish the aforementioned tasks the audit committee comprises of the following

Risk Profile: The risk profile is maintained to monitor the corporate risks as well as the risks local to the committee itself. The Business Roundtable (2004) argues that the risk management is essential for the committee mainly to identify the risks associated with the business itself in order to efficiently manage the committee itself. The risks in this contest is mainly the risk associated with a committee member providing a biased judgement or an inaccurate judgement due to his consideration will eventually affect the entire auditing process itself. This is the main reason for the presence of non-executive directors who are expected to review every decision made by the committee.

Outside Auditors: The outside auditors are employed mainly to accomplish auditing process in an unbiased fashion in specialist areas like information technology etc where the external auditor employed will be accountable for the auditing of specific segment of the business. The audit committee is responsible for monitoring the efficient performance of the auditors and also manage the overall process of auditing in the organization. The decision of the audit committee is based upon the results produced by the outside auditors with respect to the areas they were employed to audit within the organization and hence the choice of the auditor is decided by the committee itself.

Independent operation: The audit committee operates independent of the entire organization. This is primarily to accomplish unbiased judgement by the committee and also enable the committee to perform effectively without being disturbed by the day-to-day business issues.

2.3.2: Corporate governance Committee

Apart from the process of auditing which is very essential for corporate governance, it is also essential to have a corporate governance committee, which is central to the entire board of the organization. The Securities and Exchange Commission also states that it is mandatory for every publicly owned company to have a corporate governance committee that makes the decision and performs the overall management and accountability of the corporate governance for the organization itself. The corporate governance committee is also called the nominating committee that is responsible for nominating the directors under various committees that support the corporate governance like the audit committee discussed above. Also, the corporate governance committee is responsible for the nomination and management of the directors of the company itself who are accountable to the audit committee during the audit process. Like the audit committee, the corporate governance committee must also comprise of independent directors only. The Securities and Exchange Commission further expects the corporate governance committee to comprise of non-executive directors like the audit committee for the same reason as in the case of the audit committee. The Business Roundtable (2004) further argues that the fact the independent directors in the corporate governance committee reinforce the idea that the governance process of the organization is unbiased and reliable.

Apart from the above functions the corporate governance committee also has the responsibility of safeguarding the independence of the board in order to effectively assess the performance of the company against the set norms and also establish the accountability for the activities of the organization. Another major function of the corporate governance committee is to oversee the corporation and review the organization's process of providing information to the board in order to conduct the auditing process effectively.

2.3.3: Compensation Committee

The compensation committee performs the critical part for monitoring the compensation provided to the board and the senior management of the company. Like the audit committee and the corporate governance committee, the compensation committee should also comprise of independent directors are it is essential for any publicly owned company as stated y the Securities and Exchange Commission.

The committee not only decides the compensation for the senior management but also decides the allocation of revenue for compensation to the entire company itself that comprises of all the staff members other than the directors and senior management.

The committee also performs the essential action of monitoring the compensation for the senior management based upon the results from the auditing and corporate governance committees.

The committee is expected to work closely with the other two committees for gathering the information to decide upon the compensation for the senior management but the decision of the committee is not influenced by the other committees of corporate governance in a publicly owned organization as stated by The Business Roundtable (2004).

The committee also creates the overall compensation structure for the entire organization and the decision made by the committee is completely independent.

Alongside, the members of the committee should also comprise of non-executive directors like the audit committee and the corporate governance committee. It is also argued by The Business Roundtable (2004) that the compensation committee should understand the incentives structure independent of the industry and also provide a comprehensive compensation structure through efficient allocation of the resources (finance) to various levels of the company right from the senior management up to the operational level.

2.4: Conclusion

The above overview clearly explains the critical nature of corporate governance in an organization and its importance for achieving harmonic business operation. The overview on the committees and the various elements of corporate governance have proved that the corporate governance is not merely a tool for assessing the company's performance but essentially to judge the company's activities and establish accountability for the revenue generated and the expenses of the company.

The next chapter provides a critical overview on Information systems and its role the process of auditing and contribution to corporate governance.

Chapter 3: Information systems and corporate governance

3.1: Background information

Information systems is the term used to identify the comprehensive deployment of Information technology and IT related products to accomplish the processing of information and presenting the right information for the decision makers. John Ward and Joe Peppard (2002) argue that the information systems in an organization not only includes the technology and technology related products but also those segments of the business the actually process and generate output from the information like the billing, revenue and purchasing departments of a corporation. Furthermore, they argue that the strategic use of information to facilitate effective decision making by the senior management of the organization apparently increases the need to identify critical information as well as maintain integrity of the information to accomplish accuracy and reliability. Information technology has seen tremendous growth in every sphere of business with the increase in the competition and the innovative methods of business like Customer Relationship Marketing and buyer behaviour modelling.

The use of information by the external entities like the stakeholders, and governing authorities has also increased with the increase in the companies utilizing the information technology to accomplish their business process. It is interesting to note that the information technology in an organization not only provides operational support but also helps accomplish the decision making by the senior management efficiently.

3.2: Role of information technology in business

The increase in globalisation and the presence of foreign players in the business organizations has apparently increased the competition in the UK business markets. The increase in the outsourcing and the need to reduce costs has further increased the need for the organizations to deploy innovative methods to identify areas where they can eliminate costs as well as identify new areas for potential business.

Alongside, the fact that information technology has increased the speed of processing information and reduced the level o errors associated with the business has apparently increased its popularity among the competitors. Efraim Turban et al (2004) further argue that the companies participating the business process within the UK are increasingly facing competition from electronic commerce issues and the need to increase the revenue is increasing with the increasing costs as well as the continuous competition by reducing the price of products. The above statement may be applicable for organizations dealing with general public or the consumer industry but for organizations in the Banking sector and the energy transmission sector where the service is offered to the customers and the pricing is not a critical part, the information technology essentially plays the vital role of identifying new customers as well as providing ability to serve the customers effectively.

3.2.1: Business-to-Business perspective

In a business-to-business perspective, information technology has not only increased the speed of communication but also essentially increased the accuracy of the information being processed between two organizations. Alongside, information technology has also accomplished the ability to conduct video conferencing and other forms of communication eventually reducing the costs for the business and at the same time increasing the productivity of the staff in the company.

Apart from the above-mentioned points, in a business-to-business perspective, the organizations are increasingly leveraging information technology to achieve secure transaction of information critical to the business. The increased use of Internet by the organizations and the deployment of electronic commerce have further increased the speed with which the decision is being made by the different business organizations involved in a specific deal. The market review on the business-to-business marketing in the year 2004 has revealed that the industries are increasingly using the information technology to quickly make their decisions in order to meet the competition in the business markets they are competing. Furthermore, Isla Gower (2004) argues that in a Business-to-business environment the information being transferred is critical and requires to be of high accuracy levels mainly because of the fact that the information so processed contributes directly to the decision making of the involved parties and hence can have a severe impact on the business in case of in accurate information being sent to the involved parties.

Alongside, in a business-to-business environment, the information processed is not only strategic in nature but also serves as ingredient for critical analysis and forecasting by the decision makers in order to analyse a given business market and trend of the business in the target market.

The above argument clearly establishes the vital nature of information in a business-to-business perspective. It is clear that the information being processed is not only critical but also essential for maintaining harmonic relationship between the involved organizations.

3.1.2: Business-to-consumer Perspective

Unlike the business-to-business situation discussed above the business-to-consumer case is more critical in nature because of the fact that it not only involves high density of information being processed but also the business faces the customers in the general public. Apparently the public opinion upon the organization will change and can have potential impact on the entire business if the information being processed is not accurate.

Alongside, the information technology has not only revolutionised the process of business by accomplishing electronic commerce but also accomplished quick and timely communication to the customers through various forms of electronic communication like e mails, Internet publications, news letters etc., The fact that the people in the general public also comprise the stakeholders in the organization has further made it critical for the requirement of presenting accurate information to the customers in order to increase their market share and leverage competitive advantage.

Since this report is focused upon the corporate governance where the information is mainly used for the decision making and providing reliable information to the stakeholders a detailed analysis of the advancements in information technology to leverage business development are not discussed.

3.2: Information Technology as part of the business process

Many organizations are increasingly using the information technology to increase their speed of the day-to-day business process itself on top of utilizing information technology to produce effective reports and conduct complex calculations. National Grid Transco, the company under analysis is one such organization to have deployed the information technology on a nationwide basis across its various branches and third parties involved in the business process. The company processes large amount of information everyday, as part of the business process and most of the information is sensitive in nature that could affect the revenue generated by the company itself. With reference to the concept of corporate governance this information that is being processed must be verified and validated in order to account for the billing and payment from the customers for the company. A detailed analysis is presented in chapter 6 of this report.

Alongside, the banking sector which is another industry under consideration is increasingly depending upon information technology not only to attract customers but mainly to conduct their business process effectively and support the financial decision making both at branch level for issues related to money lending and opening new accounts as well as at corporate level to decision making on investments and business development. Alongside, the leading conglomerates like Barclays and HSBC in the banking sector leverage information technology for not only processing of the information but also for the communication of critical information like foreign exchange rates, share prices, and other critical information which has o be validated before being published for the shareholders to view.

The above two brief examples clearly identify that the information that is being processed by the companies are the main contributing factors for the actual revenue generation in the company itself. National Grid Transco, Plc for example is a company that is completely dealing with energy where revenue is being generated based upon the energy transferred to the customers. In this case an error in the processing of the information related to the energy will directly impact upon the billing, which will eventually hinder the corporate governance of the company itself.

This justifies that the extensive use of information technology in business process has apparently increased the extent to which errors can occur in the business process itself, which will affect the company's corporate governance drastically.

3.3: IT audit in corporate governance

The discussion in the previous section throws light upon the use of information technology as part of the business process by many organizations. Christopher Barnatt (2000) argues that the corporate governance in an organization even though embraces the auditing of the finance and revenue establishing accountability, mainly depends upon the information that is underlying the revenue generated or the cost incurred since the financial quantification by the company is based upon the actual information on their day-to-day business. This further makes it clear that information not only plays a critical role in managing the audit data but also essentially plays a vital role in validating the raw data that is actually used to account for the revenue within the organization.

The above statement clearly explains that the information technology in critical for the business process and revenue generation apart from the aspects of customer relationship etc., John Ward (2000) further argues that the information technology in a business environment with reference to corporate governance of the organization provides the initial input for the actual revenue accountability of the organization. Furthermore, he argues that the possibility to provide false information in order to cover any major issues within the organization will eventually affect the corporate governance of the organization. Alongside, it is clear from the above argument that the technology behind the processing of the information itself needs to be validated n terms of access control and security measures in order to prevent unauthorised access to the information.

Enron, a leading company in the energy sector of the United States of America actually published false information on the amount of energy generated and transferred to the customers which eventually presented a high level of financial performance by the company resulting in investment by many shareholders. This was mainly because of the fact that the company was entering false information on the input end (i.e.) entering false information on the amount of energy sold to which has apparently resulted in the chain of actions resulting in the company's bankruptcy. Isla Gower (2004) further argues that the fall of Enron because of the presentation of false information on the company's business data (i.e.) energy in kilowatt hours proves that the actual information upon the company's business process is the quantifying factor for the company's performance that resulted in economic instability in the energy sector of the United States of America in the year 2001. Furthermore, Enron has also failed in accounting for its debts since 1987 and the profit was overstated in the annual reports which led to rise in the share prices from mere dollars in the early 1990s to nearly $90 in 2001. The fact that Enron committed financial fraud by hiding the information related to its debts would have been identified by the then auditors of the company Arthur Anderson was the cause for the company's bankruptcy and financial instability in the United States of America for a brief period in 2001. Since Enron was not actually producing any products and was actually acting as a middleman in the energy business, the fall of Enron the seventh largest company in United States of America in 2001 did not gravely affect the country's economy (Joseph Liberman, 2002). Alongside, it is also essential to mention that the company failed mainly because of its inability to balance the revenue and debts since it made investments without monitoring its debts, which eventually resulted in the company's financial frauds with information.

WorldCom unlike Enron was a leading telecommunications company with a range of telecommunications products being produced. They went bankrupt because of the fact that it misinterpreted the information on expenses as investment which apparently increased the company's position in the stock market (Mark Tran 2002). Furthermore, the failure of the company to adhere to the accounting standards and strictly classify the expenses by the company from its investment led to the bankruptcy of the company. In this case as opposed to the case of Enron where the information was falsely entered, the information in case of the WorldCom was actually misinterpreted by the company.

The above examples clearly explain that the auditing of the information technology and the actual input data flow is essential for the successful approval of the information produced in the financial statements. This further justifies the fact that information technology no longer plays an operational role in the business organizations and hence the need to audit information technology products and the process of the IT systems itself is highly essential in order to maintain information consistency so as to achieve effective corporate governance in the organization.

Chapter 4: Sarbanes Oxley Act

This chapter presents an overview of the Sarbanes Oxley Act, which was passed by the government of United States of America following the corporate financial frauds in the recent years in Enron and WorldCom. This is then followed by a critical analysis of the sections 404 of the Sarbanes Oxley Act, which was published as the final rule by Securities and Exchange Commission of the United States of America to be followed since June 2003. The need for the analysis of the Sarbanes Oxley Act as a separate chapter is mainly because of the need to emphasise the various elements that contribute to the transparency of information in the financial reporting and the need for internal control of the information being processed in order to increase information security as well as consistency of information.

Although there are established compliance rules for financial accounting itself, the Sarbanes Oxley Act is being critically evaluated in this report mainly because of the fact that the research is upon the IT audit for achieving corporate governance which implies that the information consistency and accuracy with respect to the financial reporting is the key issue being addressed by the company.

Even though Sarbanes Oxley Act is an American law passed by the Securities and Exchange Commission of United States of America, the law is also internationally applicable because of the fact that the corporate governance of a publicly quoted company is essential for the stable operation of the economy as well as to nurture the investor confidence which is critical for a free range economy as identified by the Institute of Internal Auditors UK. Furthermore, the fact that many leading companies are quoted in the New York Stock exchange since the globalisation has increased the investment in foreign nations and increased the need for presence in the United States of America has apparently created the need for the companies to comply with the Sarbanes Oxley Act.

4.1: Overview of Sarbanes Oxley Act

The Sarbanes Oxley Act was passed by the US government in order to restore the investor confidence in the United States of America as well as to increase the transparency in the business process itself so as to prevent further financial frauds like that of Enron and WorldCom due to the misinterpretation or providing false information etc., The Sarbanes Oxley Act comprises of eleven sections that presents comprehensive information about he compliance for an organizations in using the information to accomplish efficient financial reporting within the organization.

The management responsibilities identified by the Sarbanes Oxley Act section 404 which was approved by the Securities and Exchange Commission to be followed by the companies are

• Accept responsibility for internal control over financial reporting
• Evaluate the effectiveness of internal control using suitable criteria
• Support the evaluation with sufficient evidence and documentation

The aforementioned points clearly justify the fact that information is the critical element for the entire process of financial reporting and hence it is essential to control the financial reporting and the information related to financial reporting.

Furthermore, the Sarbanes Oxley Act emphasise on the internal control of the information and the finance reporting methods in order to maintain coherence in the information being processed and achieve effective corporate governance for the company.

Alongside, the Sarbanes Oxley Act also protects the interests of the employees and their rights when they were involved in providing vital information on a fraud being continued within the organization against the company. The provision in the Sarbanes Oxley Act that the employer has to pay a fine of up to $250,000 for terminating the employment of an employee for providing correct information on a fraud within the organization for financial reporting or other areas which would potentially affect the corporate governance of the company resulting in false reporting.

4.2: Section 404 of Sarbanes Oxley Act

The section 404 of the Sarbanes Oxley Act, which was approved by the Securities and Exchange Commission as a rule to be adhered by the publicly owned organizations, expects the following to be accomplished by all the organizations in their financial reporting and control

• Strict Standards for Corporate accountability with respect to the established and approved methods of the governing bodies in the respective countries. This apparently means that the organizations in the United States of America for example must provide its financial reports in line with the standards laid by the IRS (Inland revenue service) of United States of America whilst the companies in UK must adhere the standards laid by the Inland Revenue Service of UK. The soc section 404 further provides the provision for following a single method of accounting for financial reporting that is internationally accredited in order to meet the requirements by multinational companies.
• Present a written assessment as of the year-end every year. This means that the companies must provide a comprehensive documentation of all the information resources and the processes being followed by the companies in order to accomplish the transparency level within the organization. Also the written assessment in this context is purely internal since a comprehensive documentation of all the process must be prepared and controlled internally in order to enable speedy retrieval as well as quick and accurate processing of the information by the company for financial reporting.
• Written assessment by the external auditor. The written assessment by the external auditor is not only to be accomplished on the traditional accounting and financial reports but right from the first elements that fed information into the system that eventually provides input to the financial report either for income or expense. This is argued by Ian P. Dewing and Peter O. Russell (2004) that even though the internal auditing is necessary to be comprehensive by including every aspect of the information systems that account for the financial reporting, it is more important for an external body to approve the auditing so accomplished mainly because of the fact that the external audit will justify the internal audit which is essential for the completeness of the entire system of the auditing.
• Declaratory statement in the year annual report and accounts. This is in line with the corporate governance statement released by the company it is annual report. The company should include the details of the internal auditing and the verification from the external auditor upon the completion of the auditing in order to establish the consistency and increase the reliability of the investors upon the corporate organizations. The fall in the stock markets in United States of America after the fall of Enron and WorldCom has apparently led to a situation where the investors are not ready to rely upon any big organizations and hesitated to invest upon the shares eventually leading the economic instability in United States of America. This was the major reason for the government of United States of America to quickly pass the section 404 of the Sarbanes Oxley Act as a rule through Securities and Exchange Commission in order to increase reliability among investors as well as increase the stock market performance.

4.3: Internal control deficiencies

As discussed before the Sarbanes Oxley Act section 404 is mainly to accomplish the internal control of the information relating to the financial reporting in order to leverage investor reliability. Any deficiency in the control will obviously lead to a loss of certain material value. This deficiency is classified into three categories as mentioned in Table 1

Table 1: Internal Control Deficiencies and their material value as identified by Sarbanes Oxley Act

From the above table it is very clear that the Sarbanes Oxley Act is keen in capturing any potential financial losses even in the initial stages through internal control and the reporting actions stated in Table 1 further justifies the importance given to gaining investor reliability.

4.4: External Auditing

As stated before, the Sarbanes Oxley Act has made it mandatory for strict internal controls and auditing of the procedures, which in turn must be audited by an external auditor. The responsibilities of the external auditor so appointed are listed below

• Audits of internal control and financial statements are integrated (i.e.) every potential deficiency and financial loss in the internal control are appropriately mentioned in the financial statements of the company.
• Evaluate the management's assessment process, including the documentation procedure. The section 404 of the Sarbanes Oxley Act which is being established as the rule expects the organisations to maintain all the electronic documentation using a defined naming convention and also establish version control for all the critical documents that serve as the input for various analysis and queries of the company that have potential financial impact. The documentation and version control will not only ease the process of auditing but also mainly increase the accuracy with which the organization manipulates the information. Alongside, the fact that the information related to financial reporting are being communicated between various levels of the organization internally makes it imperative to maintain a single copy of the document or information sent electronically to the personnel involved. This increases the consistency of information being viewed as well as increases the reliability of the information being processed.
• Test both design and operating effectiveness of controls for all relevant assertions related to all significant accounts and disclosures. This mainly evaluates the way in which the information is actually being processed by the company (i.e.) the internal policies, billing methodologies, exceptional circumstances and how they are handled by the company etc., The fact that many publicly owned organizations deal with queries and disputes related to financial reporting like disputing in the amount billed etc., has made it necessary for the organization to follow a unified code of practise to the achieve consistent results every time in handling financial information. Furthermore the design in this context is predominantly the structured approach to manipulating information in order to gain consistency in the financial reporting which will eliminate any errors and flaws in the corporate governance of the company.
• Evaluate the results of the testing by the management and others such as the internal audit and consider whether to use the internal audit results for the auditing purposes. From this statement it is clear that it is under the discretion of the auditor to use the results of the internal audit systems of the company. This further emphasise that even though the organization is expected to adapt strict internal control and auditing policies as mentioned before, it is the duty of the external auditor to validate the methods followed by the company and the accuracy prior to using the results from the internal audit for their auditing purpose itself. From this statement, it is clear that the Sarbanes Oxley Act not only aims to achieve investor confidence but mainly to eliminate any flaws leading to potential economic threats to the industry itself.
• Evaluate the severity of all identified internal control deficiencies and consider the evidence from all sources to reach a conclusion. This again explains that the external auditor is accountable for any discrepancy in the information being processed towards financial reporting since, the external auditor is expected to review and verify all internal deficiencies irrespective of their severity and provide their individual conclusion upon the deficiency after analysing the evidence. This makes it clear that Sarbanes Oxley Act treats the external auditor as the key element in the corporate governance of an organization even though it equally emphasises of the internal control and auditing.
• Report on the management's assessment and on the effectiveness of internal control over financial reporting. From this statement it is clear that the external auditor is the person responsible for the overall auditing of the company even though the internal auditing and control are necessary.

4.5: Communication and Reporting

As discussed in the literature review, the corporate governance of an organization embraces effective communication and reporting of the information for auditing. This makes it imperative that the management communicates effectively with the external auditing team as well as maintains effective internal communication between various sections of the management.

The Sarbanes Oxley Act has laid the following norms for communication and reporting

• Communication of all deficiencies: This approach of the Sarbanes Oxley Act was criticised by many critics since the reporting of minor deficiencies were considered as unnecessary. The fact that a company can categorise a potential issue as a inconsequential deficiency due to misinterpretation of the information as in the case of WorldCom where the company categorised all its major expenses as investment justifies the demand of Sarbanes Oxley Act to report all the identified internal deficiencies irrespective of their severity within the management or external o the business.
• The significant deficiencies should be identified by the external auditors and then reported to the audit committee in order to derive on a concrete conclusion of whether or not to categorise the deficiency identified as inconsequential or severe. This approach by the Sarbanes Oxley Act to report the identified deficiencies to the audit committee and arrive upon a unified decision apparently makes it clear that the information being deployed by the company in the organization as well as the technology being used should be verified for any potential deficiencies and these deficiencies should be verified and evaluated by the external auditing team. This eventually increases the transparency of the information and the entire business process itself eventually increasing the investor confidence.
• Sarbanes Oxley Act further allows the company not to disclose any significant deficiencies identified as such in their annual report but provide accountability in their financial statement of the annual report. This statement apparently protects the company's busi