The novelty, ambiguity, and the lack of official guidance surrounding cryptocurrency transactions impose additional audit risks that should be considered during client-acceptance and retention and planning audit procedures. We develop a four-quadrant model to assist auditors in client-acceptance and continuance decisions and identify cryptocurrency risks that should be considered during audit planning and audit evidence gathering.
The Securities and Exchange Commission's 2009 enhanced proxy disclosure requirements and the updated Committee of Sponsoring Organizations' (COSO) Internal Control Framework have caused organizations to increase their focus on risk management and consider the impact of information technology (IT) in enterprise risk management. Our study examines whether board involvement, board expertise, and top management's risk culture affect the maturity of IT risk management practices (maturity) in firms. We find that board involvement positively influences maturity while top managers' risk-taking behavior is associated with lower maturity. Even though board expertise influences maturity, board involvement is more important in explaining maturity. Maturity is higher in firms where risk oversight lies with a board-level, rather than a management, committee. However, the maturity of ITRM practices does not differ among firms whether risk oversight lies with the overall board, or any other board committee. The findings contribute to an under-researched area in IT governance.
SUMMARY
The novelty, ambiguity, and the lack of official guidance surrounding cryptocurrency transactions impose additional audit risks that should be considered during client acceptance and retention and planning audit procedures. We develop a four-quadrant model to assist auditors in client acceptance and continuance decisions and identify cryptocurrency risks that should be considered during audit planning and audit evidence gathering.
The Securities and Exchange Commission's enhanced disclosure rule on risk oversight, state laws requiring public disclosure of compromised customer information, and high-profile customer information breaches have caused Information Technology (IT) risk management practices to be a major concern for boards of directors and management. The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Enterprise Risk Management (ERM) framework emphasizes the importance of the board's oversight role while also bringing attention to the firm's reporting structure. Consequently, our study examines whether the maturity of IT risk management practices depends on Chief Information Officer (CIO) reporting structure and Chief Executive Officer (CEO)/Chairman duality. We develop a scale to measure strategic and operational maturity under the larger auspice of IT risk management and distribute a survey to high-level IT professionals. Our survey also captures the reporting structure of their firms. Consistent with our hypothesis, we find that the maturity of strategic IT risk management practices are higher when the CIO reports directly to the CEO. However, contrary to expectations, we do not find that operational risk management is more mature when the CIO reports to the Chief Financial Officer (CFO). Instead, operational risk management is higher when the CIO reports to the CEO. For public firms, the maturity of IT risk management practices are higher when the CEO is also the chairman of the board of directors. As C-level officers may have asymmetric access to the board, understanding reporting structures may inform firms, regulators, and interested stakeholders on how well IT risk is managed and factors that affect IT governance.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.