
Critical Research Analysis On The Effectiveness Of IT Auditing For Corporate Governance

Chapter 1: Introduction

1.1 Introduction

Auditing is one of the essential elements for the successful functioning of the business and helps an
organization to face the external world with precise information on its business and issues related to
accountability. Also, it is universally accepted that any business organization irrespective of its nature
of business must provide relevant documentation to the government and other legal authorities with
respect to their income and expenditure in order to meet the rules and regulations on tax. In the initial
years of its introduction, auditing was primarily concerned with only the finance and finance related
activities within the business that is accounted for in the business. Apparently, the revenue generated
by the company and the costs associated are the major contributing factors for decision making on the
tax and shareholder benefits. Alongside, the growth of information technology and the increase in the
public awareness has further intensified the need for conducting an efficient auditing process to
provide accountability for their business activities.

It is intriguing to note that information technology has become an integral part of every business
organization making information as a critical element for the effective operation of the business itself.
Thus the need for auditing the information and IT based activities that account for the finance for the
organization both revenue and expenses are imperative. This report is focused on the effective role of
information technology audit in the corporate governance in the UK business organizations. The fact
that the corporate governance is the portrait of a company to the external world both in terms of
performance as well as financial information makes it a critical element for the success of an
organization.

It is also imperative that the corporate governance of an organization is essential not only for the
benefit of the stakeholders but also for the economic stability in the business market as well as the
entire nation. This report is aimed to present a critical research analysis on the effectiveness of IT
auditing for corporate governance in UK. The report will throw light on the various aspects related to
achieving effectiveness through IT audit as part of corporate governance and critically analyse the
Sarbanes Oxley Act on IT audit and information transparency.

1.2: Aim and Objectives

The aim of this dissertation is to critically analyse the efficiency of IT audit in the corporate
governance among the UK business organizations. This is achieved by embracing the research upon the
following objectives.
• To critically analyse the concept of corporate governance and its importance for an
organization both internal and external to the business.
• To analyse the critical nature of information in business and the growth of information systems
in corporate governance.
• To analyse the corporate financial reporting frauds and the role of information technology in
such cases through critically analysing examples from various industries.
• To critically analyse Section 404 of the Sarbanes Oxley Act which is the final rule of the act to
be implemented by corporate organizations in the UK.
• To provide case study analysis with examples from banking sector and Energy sector in the UK
on the application of the Sarbanes Oxley Act-section 404.

1.3: Research Definition

The research in this report is accomplished using secondary information resources only. This is mainly
because of the fact that a public opinion on the IT auditing is totally irrelevant and the business
organizations will not reveal their corporate information other than that is published in the annual
reports due to data protection and privacy issues. Hence the research analysis in the case study is
entirely qualitative in nature (i.e.) the research is based upon the journals and white papers published
rather than using first-hand data for quantifying the analysis.

The case study analysis is conducted upon the energy and banking sector of the UK. Whilst a critical
analysis on HSBC bank Plc is presented under the banking sector, National Grid Transco, Plc is the
company of interest in the Energy sector of the UK. The case study analysis on these organizations will
provide critical information on the use of section 404 of Sarbanes Oxley Act and the company's efforts to
accomplish IT audit that supports financial results for corporate governance. The research analyses only
those areas of information systems that directly contribute to the financial results of a company rather
than the entire information technology infrastructure of the company.

1.4: Justification for the research

The fact that information plays a critical role in every sphere of a business in the twenty-first century
as argued by Efraim Turban et al (2004) has apparently increased the role of IT from just an
operational support element to a strategic element of the entire business itself. Furthermore, the
frauds detected in the ENRON and WorldCom cases (discussed in later chapters) were predominantly
because of the frauds in information that relates to the financial performance of the company.
Hence, this research is conducted in order to throw light on the critical nature of information in the
auditing process. The fact that energy (electricity and gas) and banking sectors are major business
sectors that directly deal with the general public on a day-to-day basis apart from the increased
interests of the stakeholders is the major reason for embracing the research on these two sectors of
business in the UK.

1.5: Chapter overview


Chapter 1: Introduction

This is the current chapter, which introduces the reader to the aim and objectives of the research
and the research definition.

Chapter 2: Literature Review - Corporate Governance

In this chapter a critical overview of corporate governance and the need for auditing and financial
performance is discussed in the light of business environments in the UK. The discussion throws light on
the need for achieving corporate governance and the essential elements of the business that
contribute to corporate governance of a company are discussed with focus upon the entire business.

Chapter 3: Information systems and corporate governance

This chapter critically analyses the role of information technology in business organizations and the
critical nature of information in supporting corporate governance. This is followed by the critical
analysis of the corporate financial frauds by providing false information with examples from Enron and
WorldCom cases.

Chapter 4: Sarbanes Oxley Act

This chapter begins with an overview of the Sarbanes Oxley Act. This is followed by the critical analysis
of the section 404 of the Sarbanes Oxley Act, which was published by Securities and Exchange
Commission to be followed in the UK since June 2003.

Chapter 5: Case Study 1: Banking Sector

This chapter initially analyses the banking sector as a whole and establishes the critical nature of
information in the corporate governance of the competing organizations. This is then followed by the
analysis of HSBC Bank Plc, one of the potential competitors in the banking sector both within the UK
and across the globe. The analysis throws light on the adherence of the Sarbanes Oxley Act section 404
by the company and the policies followed by the company to accomplish information transparency and
consistency.

Chapter 6: Case Study 2: Energy Business

This chapter presents a critical analysis of the energy sector in the UK. This overview is followed by the
critical analysis of the Energy transmission and Distribution conglomerate National Grid Transco Plc.
The analysis throws light on the company's strategies and policies to achieve information transparency
and reliability in the business. The research also establishes the critical nature of information in the
business of the company.

Chapter 7: Discussion and Conclusion


The research conducted in the above two case studies is discussed in the light of corporate
governance and the Sarbanes Oxley Act section 404. The analysis will provide a comprehensive review
of the research conducted so far and establishes the coherence between the academic theories and the
real-world scenarios. This is followed by the critical analysis of the objectives of the research followed
by conclusion for the dissertation.

Chapter 2: Literature Review - Corporate Governance

2.1: Background Information

Gerry Johnson and Kevan Scholes (2001) say that corporate governance is an essential element for any
business organization mainly because of the fact that the corporate governance is the message
conveyed by the company to the external world including the general public and stakeholders.
Alongside, it is also interesting to note that the corporate governance of an organization not only
communicates to the external world but mainly provides a one-stop information resource to anyone who
is interested in the organization. The corporate governance of the company is essential for not only
effectively communicating to the external world but mainly to attract potential customers in the
general public both for the business as well as identify potential investors to the company.
Furthermore, the fact that corporate governance is also the comprehensive analysis of the entire
organization performance by taking the first chapter of every company's annual report makes it critical
for an organization to effectively maintain and achieve a high level of corporate governance as argued
by Gerry Johnson and Kevan Scholes (2002).

Denzil Watson and Tony Head (1998) further argue that the corporate governance of a company is not
only a one page message conveyed by the chairman of the organization but is also concerned with the
relationship between the company management and its owners in the entire structure of the
organization. Apart from the relationship with the owners and stakeholders, the corporate governance
is also an essential element for the effective management of the human resource of the company itself
mainly because of the fact that not only the interests of the existing workforce should be nurtured but
the company should also maintain a positive corporate governance to attract new employees to the
organization in order to achieve long-term organic growth as argued by Denzil Watson and Tony Head
(1998).

Another interesting fact identified by Denzil Watson and Tony Head (1998) is that the corporate
governance is a critical element in determining the remuneration for the senior executives in many
organizations within the UK, which apparently means that the corporate governance is the mechanism
that is used by the owners to govern the management of the company. Also, it is interesting to note
that the corporate governance in the UK companies has been traditionally stressed upon the
importance of internal control and importance of the role of financial reporting and accountability in
the organization to its stakeholders and general public.

2.2: Need for corporate governance


Corporate governance of an organization is not only a message that is being conveyed to the
stakeholders or the method of managing the management by the owners of the company but essentially
the way of monitoring the company's growth and its position in the entire business market it is
operating. The corporate governance is also important for achieving competitive advantage in the
target market because of the fact that the customers in the target market are keen in identifying the
attributes of the organization that sells the products to them. This includes every form of business
including consumer industry, retail sector and even power and energy management sector as identified
by Sebastian Nokes (2001). Furthermore, the corporate governance in an organization is also essential
for efficiently monitoring and deploying the infrastructure of the company itself.

Chris Brown (2005) argues that the corporate governance of an organization is essential for not only
increasing the productivity of the organization but also to become an inspiring element for the
employees in the organization to achieve higher level of performance within the organization.
Furthermore, it is also interesting to note that the corporate governance of a company is essential to
manage the senior management of the organization for not only monitoring the productivity but also
for deploying the revenue for further business development. It is imperative that finance is the heart
of the entire corporate governance mainly because of the fact that a company's performance is
determined based upon its financial performance both by the stakeholders as well as the general
public.

T.C. Melewar (2003) further argues that the corporate governance of the organization is essential for
not only the efficient management of the organization but also for identifying any potential issues that
should be verified in order to achieve coherent results during the process of auditing in the company.

Following the fall of the Enron and WorldCom which was mainly because of the failure of the
management of the company to provide coherent information for audit process and fraud activities in
the financial information, the Securities and Exchange Commission of United States of America has
made it a rule that the corporate governance of a company must also include non-executive directors
who are responsible stakeholders and people of social respect who would validate the activities of the
company itself. Furthermore, the Securities and Exchange Commission has also made it mandatory that
the auditing committee of the company must contain at least three non-executive directors mainly to
facilitate the validation and approval of the results from the audit committee.

The Legal and Regulatory exchange of the UK (2002) has also justified that even though the non-
executive directors cannot fulfil all the expectations, they can help the company to perform effectively
in the business through continuously monitoring the activities of the entire organization and
providing valuable guidance to the board of executive directors in the form of suggestions. Alongside,
the Department of Trade and Industry has also justified the fact that even though, the non-executive
directors in the company do not involve themselves in the day-to-day business of the organization, they
are responsible for the efficiency and overall effectiveness of the organization with respect to the
organization's performance and reliability of the results.

Furthermore, the corporate governance in an organization also contributes to the
economic stability of the entire business market itself, since the revenue generated from a business
sector in a nation is obviously the summation of the revenue generated by the individual organizations
competing in the business, and fraud in the corporate governance will eventually affect the economic
stability of the business sector itself, as argued by Malcolm McDonald (1996).

2.3: Essential elements of corporate governance

Even though it is clear that the financial performance and the financial statements are critical to the
corporate governance itself, Denzil Watson and Tony Head (1998) have identified the following
elements as the major contributing elements to achieve efficient corporate governance in any business
organization.

2.3.1: Human Resource

Michael Armstrong (2003) argues, Human resource is the most indispensable resource for any
organization. Apparently this is because of the fact that the costs associated with the recruitment and
training of new staff in an organization is very high when compared to retaining the existing workforce
and effectively nurturing their performance to increase productivity as well as stabilize the costs as
identified by Denzil Watson and Tony Head (1998). Furthermore it is imperative that only the effective
performance of the human resource of the organization without encouraging any errors and
maintaining the transparency in their work related activities would provide accuracy and consistency in
the business activities across the entire organization right from the operational level. It is also clear
that even though the corporate governance concept is entirely strategic in nature, the business
generates revenue only from the very end of the operational staff and hence the need to achieve
accuracy and reliability at operational level is imperative for the efficient corporate governance in an
organization.

Derek Torrington and Laura Hall (1995) argue that the human resource of an organization not only
contribute to the efficiency or performance of the organization, but also contribute to the overall
reliability of the organization which is an essential element to achieve corporate governance in the
organization. This is mainly because of the fact that the staff right from the operational level to the
top level management must have the commitment in achieving the standards set by the company in
performing the business which is essential for the corporate governance itself mainly because of the
fact that corporate governance is increasingly being treated as a factor of reliability on the company
rather than a information resource to judge the performance of the company. Alongside, Derek
Torrington and Laura Hall (1995) further argue that the efficiency of the human resource of an
organization is the primary contributing factor for the accuracy and reliability of the company's
performance in the external world. This also explains that the human resource of an organization not
only contribute to the efficiency and revenue generation of the company but also for the corporate
governance of the organization itself.

The above arguments justify that the human resource management and efficiency is essential for
corporate governance in any business organization in UK.

2.3.2: Finance

As argued before, finance is the backbone for any business since every organization operating in the
commercial environment is focused on generating revenue, and the increase in competition in the
business due to globalisation and innovative business methods has apparently increased the need to
focus on generating revenue with minimal costs, as argued by Gerry Johnson and Kevan Scholes (2001).
The above statement clearly justifies that finance is the critical element for the corporate governance
in every business organization. Alongside, it is also essential to mention that the financial results are
the end-product that is being analysed by the auditors even though the way in which the revenue is
generated and the process of maintaining the cash flow are other critical elements of the business
itself.

Denzil Watson and Tony Head (1998) further argue that the corporate governance is predominantly
based upon the fundamental issues of resource and finance allocation, which are addressed through the
corporate governance only. This further makes it clear that even though accounting is a critical
element of the finance, the output of which is actually being audited, the resource allocation and the
finance management are the critical ingredients for the corporate governance in the organization
which makes finance as the backbone of the corporate governance to any business organization. It is
further intriguing to note that finance is not just the way of managing the allocation of money and
financial resources but essentially the accountability to the allocations is the major factor that is
analysed in the corporate governance of any organization apart from the corporate finance itself.
Hence, accountability in terms of financial performance and management are the critical factors that
contribute to the corporate governance of an organization.

The rule passed by Securities and Exchange Commission of the UK that the financial statements must
be disclosed not only in the annual reports but periodically published for public notice in order to
enable the investors and stakeholders to critically judge the organization performance has made it
clear that corporate governance embraces finance of the organization.

Alongside, it is also clear from the Bank of Credit and Commerce International (BCCI) that the
companies must disclose their financial information and also provide accountability for all the revenue
generated and costs incurred not only in the annual balance sheet but also in a periodic fashion, which further
justifies that the corporate governance is critically dependent on finance.

2.3.3: Infrastructure

The infrastructure in this context is not just the furniture and desktop computers that are used to
accomplish the day-to-day business process but mainly the infrastructure that handles the finance and
finance related information and activities. These include the software and hardware systems that hold
the information on the finance and also those infrastructure elements that contribute to the
generation of revenue in the first place. Denzil Watson and Tony Head (1998) further argue that the
infrastructure in a corporate governance context also includes those that accomplish the effective
auditing process and also the infrastructure elements that contain critical information on the finance
and billing.

Alongside, the infrastructure not only provides support to the finance and billing in an organization but
also mainly contributes to the efficient retrieval and storage of the information (discussed in next
chapter) and also supports the financial decision making in terms of corporate communication and
deciding upon the allocation of finance for further development within the organization.

This further justifies the fact that infrastructure in a corporate governance context not only includes
the storage and retrieval system (electronic) but also includes the infrastructure that actually
processes the payments made by the customers to the organization and the expenses of the
organization in order to run the day-to-day business.

2.3.4: Communication

Communication is critical for corporate governance because of the fact that only through the effective
communication of the information to the audit committee, the organization can gain reliability and
provide concrete information in their corporate governance. The fact that the corporate governance is
predominantly the managing of the senior management of the organization and is derived from the
process of auditing and verifying the activities of the company in every segment of the organization
(including Human Resource and Finance) makes the communication a critical element for the smooth
operation of the business. Furthermore, the communication also plays the vital role of communicating
the information to the external world.

2.3: Committees

The aforementioned elements of the corporate governance are mainly in line with the day-to-day
business process of the company itself. In order to maintain the accuracy of the corporate governance
and increase the transparency as well as abide by the regulations of the Securities and Exchange
Commission, corporate governance consists of the following committees as identified by The Business
Roundtable of UK (2004).

2.3.1: Audit Committee

According to the Securities and Exchange Commission it is mandatory for every publicly owned
company to have an audit committee comprised of solely independent directors. This makes it clear
that auditing is the heart of corporate governance and the accuracy of the entire business process will
be accountable to the audit committee. Furthermore, the audit committee is also responsible for
verifying and checking every aspect contributing to the business and the financial performance of the
organization hence making it a critical element of the entire corporate governance itself. Alongside, it
is also imperative that the independent directors belong to various segments of the business and also
that the committee should comprise of non-executive directors for the purpose of accomplishing the
consistency in the operation itself.

This further justifies that the audit committee is responsible for justifying the accountability of the
organization.

The Securities and Exchange Commission clearly states that at
least three members (directors) of the audit committee should be independent of the entire
organization and should not participate in the management of the business directly or indirectly. These
directors are called the non-executive directors as discussed above and they are appointed mainly to
provide unbiased assessment on the business operations so as to clearly establish the business process
and accountability for corporate governance of the organization.

Denzil Watson and Tony Head (1998) say that even though it is not expected out of an independent
director to have comprehensive financial knowledge it is essential for the non-executive directors to
possess the fundamental knowledge on finance and its relevance to the business itself. They further
argue that the directors in the audit committee should be able to conduct the auditing process with a
critical eye to identify any flaws in the business process or the methodology of the organization in
order to judge the company's financial performance.

Even though, auditing is predominantly related to the finance and revenue of an organization, the
other elements like information technology, human resource and infrastructure discussed above are
also judged by the audit committee which is the reason for accommodating the directors in the
committee from various fields of specialization in order to provide critical suggestions and provide
accurate assessments upon the performance of the organization itself.

In order to accomplish the aforementioned tasks the audit committee comprises of the following:

Risk Profile: The risk profile is maintained to monitor the corporate risks as well as the risks local to
the committee itself. The Business Roundtable (2004) argues that the risk management is essential for
the committee mainly to identify the risks associated with the business itself in order to efficiently
manage the committee itself. The risk in this context is mainly the risk that a committee
member providing a biased or inaccurate judgement due to his own considerations will
eventually affect the entire auditing process itself. This is the main reason for the presence of non-
executive directors who are expected to review every decision made by the committee.

Outside Auditors: The outside auditors are employed mainly to accomplish the auditing process in an
unbiased fashion in specialist areas like information technology etc., where the external auditor
employed will be accountable for the auditing of a specific segment of the business. The audit
committee is responsible for monitoring the efficient performance of the auditors and also managing the
overall process of auditing in the organization. The decision of the audit committee is based upon the
results produced by the outside auditors with respect to the areas they were employed to audit within
the organization and hence the choice of the auditor is decided by the committee itself.

Independent operation: The audit committee operates independent of the entire organization. This is
primarily to accomplish unbiased judgement by the committee and also enable the committee to
perform effectively without being disturbed by the day-to-day business issues.

2.3.2: Corporate governance Committee

Apart from the process of auditing which is very essential for corporate governance, it is also essential
to have a corporate governance committee, which is central to the entire board of the organization.
The Securities and Exchange Commission also states that it is mandatory for every publicly owned
company to have a corporate governance committee that makes the decision and performs the overall
management and accountability of the corporate governance for the organization itself. The corporate
governance committee is also called the nominating committee that is responsible for nominating the
directors under various committees that support the corporate governance like the audit committee
discussed above. Also, the corporate governance committee is responsible for the nomination and
management of the directors of the company itself who are accountable to the audit committee during
the audit process. Like the audit committee, the corporate governance committee must also comprise
of independent directors only. The Securities and Exchange Commission further expects the corporate
governance committee to comprise of non-executive directors like the audit committee for the same
reason as in the case of the audit committee. The Business Roundtable (2004) further argues that
the independent directors in the corporate governance committee reinforce the idea that the
governance process of the organization is unbiased and reliable.

Apart from the above functions the corporate governance committee also has the responsibility of
safeguarding the independence of the board in order to effectively assess the performance of the
company against the set norms and also establish the accountability for the activities of the
organization. Another major function of the corporate governance committee is to oversee the
corporation and review the organization's process of providing information to the board in order to
conduct the auditing process effectively.

2.3.3: Compensation Committee

The compensation committee performs the critical part for monitoring the compensation provided to
the board and the senior management of the company. Like the audit committee and the corporate
governance committee, the compensation committee should also comprise of independent directors
as it is essential for any publicly owned company as stated by the Securities and Exchange Commission.

The committee not only decides the compensation for the senior management but also decides the
allocation of revenue for compensation to the entire company itself that comprises of all the staff
members other than the directors and senior management.

The committee also performs the essential action of monitoring the compensation for the senior
management based upon the results from the auditing and corporate governance committees.

The committee is expected to work closely with the other two committees for gathering the
information to decide upon the compensation for the senior management but the decision of the
committee is not influenced by the other committees of corporate governance in a publicly owned
organization as stated by The Business Roundtable (2004).

The committee also creates the overall compensation structure for the entire organization and the
decision made by the committee is completely independent.

Alongside, the members of the committee should also comprise of non-executive directors like the
audit committee and the corporate governance committee. It is also argued by The Business
Roundtable (2004) that the compensation committee should understand the incentives structure
independent of the industry and also provide a comprehensive compensation structure through
efficient allocation of the resources (finance) to various levels of the company right from the senior
management up to the operational level.

2.4: Conclusion

The above overview clearly explains the critical nature of corporate governance in an organization and
its importance for achieving harmonic business operation. The overview on the committees and the
various elements of corporate governance have proved that the corporate governance is not merely a
tool for assessing the company's performance but essentially to judge the company's activities and
establish accountability for the revenue generated and the expenses of the company.

The next chapter provides a critical overview of information systems and their role in the process of
auditing and contribution to corporate governance.

Chapter 3: Information systems and corporate governance

3.1: Background information

Information systems is the term used to identify the comprehensive deployment of Information
technology and IT related products to accomplish the processing of information and presenting the
right information for the decision makers. John Ward and Joe Peppard (2002) argue that the
information systems in an organization not only includes the technology and technology related
products but also those segments of the business that actually process and generate output from the
information like the billing, revenue and purchasing departments of a corporation. Furthermore, they
argue that the strategic use of information to facilitate effective decision making by the senior
management of the organization apparently increases the need to identify critical information as well
as maintain integrity of the information to accomplish accuracy and reliability. Information technology
has seen tremendous growth in every sphere of business with the increase in the competition and the
innovative methods of business like Customer Relationship Marketing and buyer behaviour modelling.
The use of information by the external entities like the stakeholders, and governing authorities has also
increased with the increase in the companies utilizing the information technology to accomplish their
business process. It is interesting to note that the information technology in an organization not only
provides operational support but also helps accomplish the decision making by the senior management
efficiently.

3.2: Role of information technology in business

The increase in globalisation and the presence of foreign players in the business organizations has
apparently increased the competition in the UK business markets. The increase in the outsourcing and
the need to reduce costs has further increased the need for the organizations to deploy innovative
methods to identify areas where they can eliminate costs as well as identify new areas for potential
business.

Alongside, the fact that information technology has increased the speed of processing information and
reduced the level of errors associated with the business has apparently increased its popularity among
the competitors. Efraim Turban et al (2004) further argue that the companies participating in the
business process within the UK are increasingly facing competition from electronic commerce issues
and the need to increase the revenue is increasing with the increasing costs as well as the continuous
competition by reducing the price of products. The above statement may be applicable for
organizations dealing with general public or the consumer industry but for organizations in the Banking
sector and the energy transmission sector where the service is offered to the customers and the pricing
is not a critical part, the information technology essentially plays the vital role of identifying new
customers as well as providing ability to serve the customers effectively.

3.2.1: Business-to-Business perspective

In a business-to-business perspective, information technology has not only increased the speed of
communication but also essentially increased the accuracy of the information being processed between
two organizations. Alongside, information technology has also accomplished the ability to conduct
video conferencing and other forms of communication eventually reducing the costs for the business
and at the same time increasing the productivity of the staff in the company.

Apart from the above-mentioned points, in a business-to-business perspective, the organizations are
increasingly leveraging information technology to achieve secure transaction of information critical to
the business. The increased use of Internet by the organizations and the deployment of electronic
commerce have further increased the speed with which the decision is being made by the different
business organizations involved in a specific deal. The market review on the business-to-business
marketing in the year 2004 has revealed that the industries are increasingly using the information
technology to quickly make their decisions in order to meet the competition in the business markets
they are competing. Furthermore, Isla Gower (2004) argues that in a Business-to-business environment
the information being transferred is critical and requires to be of high accuracy levels mainly because
of the fact that the information so processed contributes directly to the decision making of the
involved parties and hence can have a severe impact on the business in case of inaccurate information
being sent to the involved parties.

Alongside, in a business-to-business environment, the information processed is not only strategic in
nature but also serves as an ingredient for critical analysis and forecasting by the decision makers in order
to analyse a given business market and trend of the business in the target market.

The above argument clearly establishes the vital nature of information in a business-to-business
perspective. It is clear that the information being processed is not only critical but also essential for
maintaining harmonic relationship between the involved organizations.

3.1.2: Business-to-consumer Perspective

Unlike the business-to-business situation discussed above the business-to-consumer case is more critical
in nature because of the fact that it not only involves high density of information being processed but
also the business faces the customers in the general public. Apparently the public opinion upon the
organization will change and can have potential impact on the entire business if the information being
processed is not accurate.

Alongside, the information technology has not only revolutionised the process of business by
accomplishing electronic commerce but also accomplished quick and timely communication to the
customers through various forms of electronic communication like e-mails, Internet publications,
newsletters etc. The fact that the people in the general public also comprise the stakeholders in the
organization has further made it critical for the requirement of presenting accurate information to the
customers in order to increase their market share and leverage competitive advantage.

Since this report is focused upon the corporate governance where the information is mainly used for
the decision making and providing reliable information to the stakeholders a detailed analysis of the
advancements in information technology to leverage business development is not discussed.

3.2: Information Technology as part of the business process

Many organizations are increasingly using the information technology to increase their speed of the
day-to-day business process itself on top of utilizing information technology to produce effective
reports and conduct complex calculations. National Grid Transco, the company under analysis, is one
such organization to have deployed the information technology on a nationwide basis across its various
branches and third parties involved in the business process. The company processes a large amount of
information every day as part of the business process, and most of the information is sensitive in nature
that could affect the revenue generated by the company itself. With reference to the concept of
corporate governance this information that is being processed must be verified and validated in order
to account for the billing and payment from the customers for the company. A detailed analysis is
presented in chapter 6 of this report.

Alongside, the banking sector which is another industry under consideration is increasingly depending
upon information technology not only to attract customers but mainly to conduct their business process
effectively and support the financial decision making both at branch level for issues related to money
lending and opening new accounts as well as at corporate level to decision making on investments and
business development. Alongside, the leading conglomerates like Barclays and HSBC in the banking
sector leverage information technology for not only processing of the information but also for the
communication of critical information like foreign exchange rates, share prices, and other critical
information which has to be validated before being published for the shareholders to view.

The above two brief examples clearly identify that the information that is being processed by the
companies is the main contributing factor for the actual revenue generation in the company itself.
National Grid Transco, Plc for example is a company that is completely dealing with energy where
revenue is being generated based upon the energy transferred to the customers. In this case an error in
the processing of the information related to the energy will directly impact upon the billing, which will
eventually hinder the corporate governance of the company itself.

This justifies that the extensive use of information technology in business process has apparently
increased the extent to which errors can occur in the business process itself, which will affect the
company's corporate governance drastically.

3.3: IT audit in corporate governance

The discussion in the previous section throws light upon the use of information technology as part of
the business process by many organizations. Christopher Barnatt (2000) argues that the corporate
governance in an organization even though embraces the auditing of the finance and revenue
establishing accountability, mainly depends upon the information that is underlying the revenue
generated or the cost incurred since the financial quantification by the company is based upon the
actual information on their day-to-day business. This further makes it clear that information not only
plays a critical role in managing the audit data but also essentially plays a vital role in validating the
raw data that is actually used to account for the revenue within the organization.

The above statement clearly explains that the information technology is critical for the business
process and revenue generation apart from the aspects of customer relationship etc. John Ward (2000)
further argues that the information technology in a business environment with reference to corporate
governance of the organization provides the initial input for the actual revenue accountability of the
organization. Furthermore, he argues that the possibility to provide false information in order to cover
any major issues within the organization will eventually affect the corporate governance of the
organization. Alongside, it is clear from the above argument that the technology behind the processing
of the information itself needs to be validated in terms of access control and security measures in order
to prevent unauthorised access to the information.

Enron, a leading company in the energy sector of the United States of America actually published false
information on the amount of energy generated and transferred to the customers which eventually
presented a high level of financial performance by the company resulting in investment by many
shareholders. This was mainly because of the fact that the company was entering false information on
the input end (i.e.) entering false information on the amount of energy sold to which has apparently
resulted in the chain of actions resulting in the company's bankruptcy. Isla Gower (2004) further argues
that the fall of Enron because of the presentation of false information on the company's business data
(i.e.) energy in kilowatt hours proves that the actual information upon the company's business process
is the quantifying factor for the company's performance that resulted in economic instability in the
energy sector of the United States of America in the year 2001. Furthermore, Enron has also failed in
accounting for its debts since 1987 and the profit was overstated in the annual reports which led to rise
in the share prices from mere dollars in the early 1990s to nearly $90 in 2001. The fact that Enron
committed financial fraud by hiding the information related to its debts would have been identified by
the then auditors of the company, Arthur Andersen, was the cause for the company's bankruptcy and
financial instability in the United States of America for a brief period in 2001. Since Enron was not
actually producing any products and was actually acting as a middleman in the energy business, the fall
of Enron the seventh largest company in United States of America in 2001 did not gravely affect the
country's economy (Joseph Liberman, 2002). Alongside, it is also essential to mention that the company
failed mainly because of its inability to balance the revenue and debts since it made investments
without monitoring its debts, which eventually resulted in the company's financial frauds with
information.

WorldCom unlike Enron was a leading telecommunications company with a range of
telecommunications products being produced. It went bankrupt because of the fact that it
misinterpreted the information on expenses as investment which apparently increased the company's
position in the stock market (Mark Tran 2002). Furthermore, the failure of the company to adhere to
the accounting standards and strictly classify the expenses by the company from its investment led to
the bankruptcy of the company. In this case as opposed to the case of Enron where the information was
falsely entered, the information in case of the WorldCom was actually misinterpreted by the company.

The above examples clearly explain that the auditing of the information technology and the actual
input data flow is essential for the successful approval of the information produced in the financial
statements. This further justifies the fact that information technology no longer plays an operational
role in the business organizations and hence the need to audit information technology products and the
process of the IT systems itself is highly essential in order to maintain information consistency so as to
achieve effective corporate governance in the organization.

Chapter 4: Sarbanes Oxley Act

This chapter presents an overview of the Sarbanes Oxley Act, which was passed by the government of
United States of America following the corporate financial frauds in the recent years in Enron and
WorldCom. This is then followed by a critical analysis of section 404 of the Sarbanes Oxley Act,
which was published as the final rule by Securities and Exchange Commission of the United States of
America to be followed since June 2003. The need for the analysis of the Sarbanes Oxley Act as a
separate chapter is mainly because of the need to emphasise the various elements that contribute to
the transparency of information in the financial reporting and the need for internal control of the
information being processed in order to increase information security as well as consistency of
information.

Although there are established compliance rules for financial accounting itself, the Sarbanes Oxley Act
is being critically evaluated in this report mainly because of the fact that the research is upon the IT
audit for achieving corporate governance which implies that the information consistency and accuracy
with respect to the financial reporting is the key issue being addressed by the company.

Even though Sarbanes Oxley Act is an American law passed by the Securities and Exchange Commission
of United States of America, the law is also internationally applicable because of the fact that the
corporate governance of a publicly quoted company is essential for the stable operation of the
economy as well as to nurture the investor confidence which is critical for a free range economy as
identified by the Institute of Internal Auditors UK. Furthermore, the fact that many leading companies
are quoted in the New York Stock exchange since the globalisation has increased the investment in
foreign nations and increased the need for presence in the United States of America has apparently
created the need for the companies to comply with the Sarbanes Oxley Act.

4.1: Overview of Sarbanes Oxley Act

The Sarbanes Oxley Act was passed by the US government in order to restore the investor confidence in
the United States of America as well as to increase the transparency in the business process itself so as
to prevent further financial frauds like that of Enron and WorldCom due to the misinterpretation or
providing false information etc. The Sarbanes Oxley Act comprises of eleven sections that present
comprehensive information about the compliance for an organization in using the information to
accomplish efficient financial reporting within the organization.

The management responsibilities identified by the Sarbanes Oxley Act section 404 which was approved
by the Securities and Exchange Commission to be followed by the companies are:

• Accept responsibility for internal control over financial reporting
• Evaluate the effectiveness of internal control using suitable criteria
• Support the evaluation with sufficient evidence and documentation

The aforementioned points clearly justify the fact that information is the critical element for the
entire process of financial reporting and hence it is essential to control the financial reporting and the
information related to financial reporting.

Furthermore, the Sarbanes Oxley Act emphasises the internal control of the information and the
finance reporting methods in order to maintain coherence in the information being processed and
achieve effective corporate governance for the company.

Alongside, the Sarbanes Oxley Act also protects the interests of the employees and their rights when
they are involved in providing vital information on a fraud being continued within the organization
against the company. The Sarbanes Oxley Act provides that the employer has to pay a fine of up
to $250,000 for terminating the employment of an employee for providing correct information on a
fraud within the organization for financial reporting or other areas which would potentially affect the
corporate governance of the company resulting in false reporting.

4.2: Section 404 of Sarbanes Oxley Act

The section 404 of the Sarbanes Oxley Act, which was approved by the Securities and Exchange
Commission as a rule to be adhered to by the publicly owned organizations, expects the following to be
accomplished by all the organizations in their financial reporting and control:

• Strict Standards for Corporate accountability with respect to the established and approved
methods of the governing bodies in the respective countries. This apparently means that the
organizations in the United States of America for example must provide its financial reports in
line with the standards laid by the IRS (Inland revenue service) of United States of America
whilst the companies in UK must adhere to the standards laid by the Inland Revenue Service of
UK. Section 404 further provides the provision for following a single method of
accounting for financial reporting that is internationally accredited in order to meet the
requirements by multinational companies.
• Present a written assessment as of the year-end every year. This means that the companies
must provide a comprehensive documentation of all the information resources and the
processes being followed by the companies in order to accomplish the transparency level
within the organization. Also the written assessment in this context is purely internal since a
comprehensive documentation of all the process must be prepared and controlled internally in
order to enable speedy retrieval as well as quick and accurate processing of the information by
the company for financial reporting.
• Written assessment by the external auditor. The written assessment by the external auditor is
not only to be accomplished on the traditional accounting and financial reports but right from
the first elements that feed information into the system that eventually provides input to the
financial report either for income or expense. This is argued by Ian P. Dewing and Peter O.
Russell (2004) that even though the internal auditing is necessary to be comprehensive by
including every aspect of the information systems that account for the financial reporting, it is
more important for an external body to approve the auditing so accomplished mainly because
of the fact that the external audit will justify the internal audit which is essential for the
completeness of the entire system of the auditing.
• Declaratory statement in the year annual report and accounts. This is in line with the corporate
governance statement released by the company in its annual report. The company should
include the details of the internal auditing and the verification from the external auditor upon
the completion of the auditing in order to establish the consistency and increase the reliability
of the investors upon the corporate organizations. The fall in the stock markets in United
States of America after the fall of Enron and WorldCom has apparently led to a situation where
the investors are not ready to rely upon any big organizations and hesitated to invest upon the
shares eventually leading to economic instability in United States of America. This was the
major reason for the government of United States of America to quickly pass the section 404 of
the Sarbanes Oxley Act as a rule through Securities and Exchange Commission in order to
increase reliability among investors as well as increase the stock market performance.

4.3: Internal control deficiencies

As discussed before the Sarbanes Oxley Act section 404 is mainly to accomplish the internal control of
the information relating to the financial reporting in order to leverage investor reliability. Any
deficiency in the control will obviously lead to a loss of certain material value. This deficiency is
classified into three categories as mentioned in Table 1.

Table 1: Internal Control Deficiencies and their material value as identified by Sarbanes Oxley Act

| Type of Internal Control Deficiency | Material Value | Reported |
| --- | --- | --- |
| Inconsequential | <0.8% of the profit or around 7 million | Internally |
| Significant Deficiency (More than inconsequential) | >0.5% and <5% of the profit | Audit Committee of the company |
| Material Weakness (to the overall financial statement) | > 5% profit or around 70 million of the net profit value | Shareholders (i.e.) public. |

From the above table it is very clear that the Sarbanes Oxley Act is keen on capturing any potential
financial losses even in the initial stages through internal control, and the reporting actions stated in
Table 1 further justify the importance given to gaining investor reliability.

4.4: External Auditing

As stated before, the Sarbanes Oxley Act has made it mandatory for strict internal controls and
auditing of the procedures, which in turn must be audited by an external auditor. The responsibilities
of the external auditor so appointed are listed below:

• Audits of internal control and financial statements are integrated (i.e.) every potential
deficiency and financial loss in the internal control are appropriately mentioned in the
financial statements of the company.
• Evaluate the management's assessment process, including the documentation procedure. The
section 404 of the Sarbanes Oxley Act which is being established as the rule expects the
organisations to maintain all the electronic documentation using a defined naming convention
and also establish version control for all the critical documents that serve as the input for
various analysis and queries of the company that have potential financial impact. The
documentation and version control will not only ease the process of auditing but also mainly
increase the accuracy with which the organization manipulates the information. Alongside, the
fact that the information related to financial reporting are being communicated between
various levels of the organization internally makes it imperative to maintain a single copy of
the document or information sent electronically to the personnel involved. This increases the
consistency of information being viewed as well as increases the reliability of the information
being processed.
• Test both design and operating effectiveness of controls for all relevant assertions related to
all significant accounts and disclosures. This mainly evaluates the way in which the information
is actually being processed by the company (i.e.) the internal policies, billing methodologies,
exceptional circumstances and how they are handled by the company etc. The fact that many
publicly owned organizations deal with queries and disputes related to financial reporting like
disputing the amount billed etc. has made it necessary for the organization to follow a
unified code of practice to achieve consistent results every time in handling financial
information. Furthermore the design in this context is predominantly the structured approach
to manipulating information in order to gain consistency in the financial reporting which will
eliminate any errors and flaws in the corporate governance of the company.
• Evaluate the results of the testing by the management and others such as the internal audit
and consider whether to use the internal audit results for the auditing purposes. From this
statement it is clear that it is under the discretion of the auditor to use the results of the
internal audit systems of the company. This further emphasises that even though the
organization is expected to adopt strict internal control and auditing policies as mentioned
before, it is the duty of the external auditor to validate the methods followed by the company
and the accuracy prior to using the results from the internal audit for their auditing purpose
itself. From this statement, it is clear that the Sarbanes Oxley Act not only aims to achieve
investor confidence but mainly to eliminate any flaws leading to potential economic threats to
the industry itself.
• Evaluate the severity of all identified internal control deficiencies and consider the evidence
from all sources to reach a conclusion. This again explains that the external auditor is
accountable for any discrepancy in the information being processed towards financial reporting
since the external auditor is expected to review and verify all internal deficiencies
irrespective of their severity and provide their individual conclusion upon the deficiency after
analysing the evidence. This makes it clear that Sarbanes Oxley Act treats the external auditor
as the key element in the corporate governance of an organization even though it equally
emphasises the internal control and auditing.
• Report on the management's assessment and on the effectiveness of internal control over
financial reporting. From this statement it is clear that the external auditor is the person
responsible for the overall auditing of the company even though the internal auditing and
control are necessary.

4.5: Communication and Reporting

As discussed in the literature review, the corporate governance of an organization embraces effective
communication and reporting of the information for auditing. This makes it imperative that the
management communicates effectively with the external auditing team as well as maintains effective
internal communication between various sections of the management.

The Sarbanes Oxley Act has laid the following norms for communication and reporting:

• Communication of all deficiencies: This approach of the Sarbanes Oxley Act was criticised by
many critics since the reporting of minor deficiencies was considered unnecessary. The fact
that a company can categorise a potential issue as an inconsequential deficiency due to
misinterpretation of the information as in the case of WorldCom where the company
categorised all its major expenses as investment justifies the demand of Sarbanes Oxley Act to
report all the identified internal deficiencies irrespective of their severity within the
management or external to the business.
• The significant deficiencies should be identified by the external auditors and then reported to
the audit committee in order to arrive at a concrete conclusion of whether or not to
categorise the deficiency identified as inconsequential or severe. This approach by the
Sarbanes Oxley Act to report the identified deficiencies to the audit committee and arrive upon
a unified decision apparently makes it clear that the information being deployed by the
company in the organization as well as the technology being used should be verified for any
potential deficiencies and these deficiencies should be verified and evaluated by the external
auditing team. This eventually increases the transparency of the information and the entire
business process itself eventually increasing the investor confidence.
• Sarbanes Oxley Act further allows the company not to disclose any significant deficiencies
identified as such in their annual report but provide accountability in their financial statement
of the annual report. This statement apparently protects the company's business process itself
since any potential deficiencies disclosed in the published annual report will eventually hinder
the company's growth because of the fact that the deficiency in the business process will
eventually discourage the investors from purchasing their shares eventually reducing the
market value of the company itself. Hence in order to prevent the company from losing its
market share through revealing the actual deficiency, the Sarbanes Oxley Act has made it clear
that the company must account for every deficiency in their financial report but still need not
disclose the actual deficiency identified in the published annual report. Alongside, it is also
interesting to note that the communications of the deficiencies to the external auditor and
the joint decision of the audit committee and the external auditor will eliminate any errors in
justifying a deficiency in the internal control as inconsequential or vice versa.
• Unqualified opinion: The Sarbanes Oxley Act strictly prohibits the unqualified opinions in the
corporate governance of the company. It is essential to state that the Sarbanes Oxley Act
expects documentary evidence for all the deficiencies as well as the information related to the
deficiency that lead to potential impact on the financial report. Since the Sarbanes Oxley Act is
primarily concerned with the process of maintaining information integrity and accuracy to
achieve investor confidence through eliminating financial reporting frauds, it is essential for
the organization to provide evidence for every deficiency identified in order to justify whether
it is inconsequential or not. Alongside, the Sarbanes Oxley Act authorises the external auditor
to categorise any deficiency without ample supporting documentation as a potential material
weakness. Hence it is essential for the companies to adhere to strict procedures for
information storage and retrieval as well as maintaining the electronic filing systems itself
within the organization.
• Periodic reporting of any material changes to the internal auditing and control methods. The
Sarbanes Oxley Act expects the management to report any potential changes made to the
internal controls as well as the material changes to the external auditors. This is mainly
effective when an organization undergoes any changes with respect to its trivial methods of
reporting and process of information as well as in cases of any new software or hardware
installation. The Sarbanes Oxley Act strictly requires the organization to provide concrete
documentary evidence to any changes in the technology being used as well as the changes to
the methods of reporting regularly in order to establish consistency in the information being
analysed by the audit committee and the senior management. This apparently increases the
consistency of information and eases the process of auditing itself, since the external
auditor can perform the audit process effectively when the management communicates with him
effectively.
• Scope Limitation and management responsibilities: The Sarbanes Oxley Act authorises the
auditor to disqualify any opinion of the management when the communication of the
information related to a deficiency is not appropriate and has not met the standards. This
statement authorises the external auditor to disqualify a specific internal control method or
disapprove the entire internal control method when the deficiency identified is not properly
justified with ample documentary evidence. This approach of the Sarbanes Oxley Act towards
the information that contributes to the financial reporting apparently increases the
consistency and accuracy with which the information is being processed as well as controlled
by the management in order to successfully pass the external auditor's demand.

4.6: Information management and control

As argued before, the Sarbanes Oxley Act was passed by the Securities and Exchange Commission mainly
to increase the clarity of the information being processed that contributes to the financial reporting so as to
increase the investor confidence. This apparently means that the entire Sarbanes Oxley Act is
concerned mainly with the information management, control on the information and the deficiencies
associated with the control of the information and reporting that contributes to the financial reporting.
The Sarbanes Oxley Act emphasises the following specific areas with respect to the information systems
within an organization in order to increase the transparency as well as reduce deficiency in the control.
• Management and control of the technology: The Sarbanes Oxley Act has made it mandatory for
every organization to provide a comprehensive and coherent documentation on the technology
being deployed by the company in managing its information (i.e.) the technology behind the
information system used by the organization. The Sarbanes Oxley Act emphasises that the
organization must maintain consistent documentation and reports for the technology and
software installed in the company for performing the day-to-day business process that accounts
for the financial reporting within the organization. This is mainly because of the arguments in
the previous chapters that the software or hardware technology that is behind the information
is the primary element that contributes to the manipulating of the data to provide the right
information. For example, in an FMCG (Fast Moving Consumer Goods) organization, the
company should not only account for the unit sales for every item but also mainly provide
information on how the financial value with respect to the units sold is being calculated by the
system they deploy in order to verify the consistency of the information. This makes it clear
that the Sarbanes Oxley Act emphasises that the technical design of the software system being
deployed should be reported and precisely related to the business process of the organization.
• Reporting and communication: Section 404 of the Sarbanes Oxley Act emphasises that
companies should report any changes made to the design of the software system (i.e.) changes
made to the technical design of the system in order to efficiently control the flow of
information within the organization. This is also essential in terms of reporting mainly because
of the fact that the company can provide concrete documentary evidence on consistent use of
the information and accuracy only when it can provide an effective report on the technical
design of the information system being deployed by the company.
• Access Control and security: One of the key issues faced by the information technology in any
organization is to prevent unauthorised access to sensitive information. The fact that many
organizations fail the IT audit mainly because of the lack of efficient access control
management explains that information security is essential to justify the accuracy and
consistency of the information being processed by the company. The section 404 of the
Sarbanes Oxley Act has further emphasised that organizations should adhere to an
established access control technique such as Role Based Access Control in order to efficiently
control the access to information by users without any biased decision. Furthermore, the
external auditor is expected to verify the access control methods deployed and identify any
deficiency in the technique with respect to the impact on the financial information.
• Reporting of Control flow, information storage and retrieval: Even though access control is one
of the critical elements for the Sarbanes Oxley Act compliance, a much more critical issue is
mainly to establish the flow of the control between various elements of the information
technology being deployed within the organization itself in order to establish the accuracy of
information. John Ward and Joe Peppard (2002) argue that information can be justified as
accurate and consistent only when the flow of the control (i.e.) the flow of information and
their efficient mapping within the system is justified and clearly identified and verified. For
example when an organization provides a refund to the customer or provides compensation to
one of its staff under exceptional circumstances, this must be quantified and clearly mapped
with the actual financial reporting of the organization itself in order to effectively manage the
information. Alongside, the storage and retrieval techniques and the flow of control in these
cases must also be quantified by the company in order to efficiently justify its information flow
and management of the information consistency. The Sarbanes Oxley Act emphasises that the
companies should not only report the aforementioned but also mainly provide ample
documentary support in order to meet the demands of the external auditor.

4.7: Conclusion

From the above arguments, it is clear that the Sarbanes Oxley Act aims to establish information
transparency within the organization and thus increase the investor confidence. This is mainly required
in order to maintain a free-range economy and nurture the competition in the business market.
Alongside, Sarbanes Oxley Act compliance has become mandatory for foreign organizations and the
deadline for achieving this compliance is laid as June 2006 for the UK based public organizations. The
above research thus is imperative for any organization that is publicly quoted and aims to gain foreign
investment in the form of shares. The case study analysis in the chapter 5 and chapter 6 will throw
light on the critical nature of information in the business sectors and the need for information
technology audit. The analysis of a specific organization in each case study will throw light on the
organization's initiative to comply with Sarbanes Oxley Act and the internal controls established by the
organizations.

Chapter 5: Case Study 1: Banking Sector

5.1: Background Information

The banking sector is one of the major business sectors of the UK with big players like HSBC, Barclays,
etc. The Keynote Market analysis on the banking sector (2004) has revealed that the banking sector
accounts for more than 30% of the entire revenue generated by the UK economy. Furthermore, the
banking sector in the UK is increasingly facing competition from non-financial organizations like the
retail sector players (TESCO Plc etc.).

Product: The banking sector includes a wide range of financial services and products including loans,
mortgages, and bank accounts for business and personal banking. The products included in the banking
sector vary with the needs of the customers in the industry and also depend upon the nature of the
business in the case of business banking, as argued by Denzil Watson and Tony Head (1998).

5.2: Information in the banking sector

Tim McCollum (2004) says that the information technology in the banking sector has become an integral
element for the entire business process itself rather than just the use of information technology to
perform customer services. The fact that the computerisation and the increased use of banking
services over the Internet has revolutionised the use of information technology for business is one side
of the coin whilst it is also interesting to note that the banking organizations are using the information
technology for decision making as well as business process itself. It is also known that since the
customers are utilising the information technology services like electronic banking and electronic
services it is essential for the bank to monitor and control the effective flow of information as well as
maintain the integrity of the information being processed. This is highly critical as argued by Tim
McCollum (2004) who says that information technology has not only reached the core business process
but also accounts for the actual existence and validity of the information being processed.

Furthermore, since the banking sector is dealing with finance and money related products as a business
itself, the need to effectively distinguish between the revenue and investments is essential to provide
consistency in the information being processed by the company. With the increase in acquisitions and
mergers by competitors like HSBC, the bank that grew through constant mergers and
acquisitions, it is essential for the banking sector organizations to maintain consistency in the
information as well as provide concrete evidence on the process of the technology itself.

The banking industry profile (2005) further argues that auditing in a banking sector organization is not
only a difficult process but also mainly a sensitive process to both the information being manipulated
as well as the information related to the financial services. The intriguing fact in the banking sector is
that the information related to expenses and investment can be easily misinterpreted because of the
fact that in both the cases the bank records the information as a debit. It is further interesting to note
that the information technology in the banking sector is utilised thoroughly in order to maintain
efficient services and access to the accounts by the customers whilst incorporating efficient security
and access control techniques.

From the above arguments it is clear that the information technology is not only part of the operational
process but mainly forms the backbone for the banking sector organization to establish their financial
reporting as well as contribute to the corporate governance of the organization itself. Hence it is
essential to perform an effective IT audit in the banking sector organization, which is evident from the
above arguments. The analysis of HSBC Bank Plc in the next section will throw light upon the various
methods utilised by the company to perform effective auditing and maintain information consistency to
contribute to the corporate governance of the bank.

5.3: HSBC Case Study

HSBC Bank Plc is the leading organization in the banking sector with a global presence across Asia,
America, Europe and Africa. A critical analysis of the company by Tim McCollum (2004) in his report on
the banking sector and IT Auditing reveals that the company has grown mainly through investing in
acquisitions and mergers since the 1990s, when it initially entered the UK banking sector by
purchasing a percentage of the shares from Midland Bank UK. The company profile also states that the
company has not only grown in size but also utilised information technology to deploy its entire
business process in order to gain competitive advantage in the business market.

Since the company is also listed in the New York Stock Exchange, it is imperative for the company to
adhere to the Sarbanes Oxley Act in order to establish effective corporate governance and gain investor
confidence in the business market.

5.4: Critical analysis of the IT Audit procedures in HSBC

The IT audit in the HSBC is a very elaborate and intricate process as mentioned by Tim McCollum (2004)
who justified that the company not only has established controls for every element of the business
process but also established external auditing for all the controls.

5.4.1: Internal Controls

The internal controls in the HSBC Bank Plc comprise three levels:

• Operational Level internal control: in this level the line managers and the supervisors perform
the validating process of the information being processed by the specific branch on a day-to-
day basis. This control is mainly to identify any errors in the processing of the business in the
first instance itself in order to effectively establish the information accuracy in the business
process. Alongside, the operational level control also accounts for the day-to-day credit and
debit of the bank including all the elements like the ATM cash machines, cheque withdrawals
and other transactions like loans, mortgages, etc. The interesting fact in this level of control is
that not only is the information checked for validity, but the organization also has a set
procedure to escalate any discrepancy and provide paperwork or documentary evidence for any
amendments made on a day-to-day basis. This approach to the control in the operational level
apparently reduces the error in the information to a large extent even though the limitations
like processing times and cheque collection time cannot be accounted for by the bank at
operational level.
• Middle management control: This level of control to the auditing and information is established
mainly to verify the information and validate the process periodically in order to reduce the
amount of information being processed at the corporate level whilst performing the auditing
process for the annual report. This level of the control mainly focuses on the integration and
control of the operational branches as clusters so that the operational limitations like the time
taken for the realisations of funds etc., can be overseen by this level of control. This level of
control further monitors the branches and performs any intermediate auditing and verifications
in the information being processed in order to maintain information accuracy. The
individual accounts are not verified; rather, the information related to the financial
transactions made on a given calendar date is checked for its validity and verified for
accuracy since this information is the input for the financial reporting for the company at both
the periodic and annual levels. The Group Annual Report of the company published in April
2005 reveals that the company is not only involved in the process of IT Auditing but has also
mentioned it in the corporate governance report section of the annual report. Furthermore,
the middle management control also emphasises information consistency and addresses
any potential issues that are identified in the process of auditing the information that is being
processed for the financial reporting itself. The fact that the information that is being
processed is again the financial information of customers makes it critical for the bank to
efficiently manage and distinguish the information and provide accurate input to financial
reporting.
• Senior Management Level control: the HSBC company profile (Datamonitor, 2004) has clearly
stated that the senior management level of the control performs the process of verifying the
information processed by the company and establishes accountability for any discrepancies in the
information. Alongside, this level of control also performs the process of identifying the
deficiencies in the internal controls and establishes their severity. This further justifies that
this level of the internal control is the actual team that faces the external auditor whilst
performing the external audit. This clearly justifies that the internal controls in the bank itself
are being monitored and accounted for their deficiencies by the Senior Management level of
the internal control who not only verify the information for their accuracy but also account for
any deficiency identified in the internal control system itself.

The aforementioned arguments clearly justify that the internal control of the information flow for the
financial reporting is highly structured as well as robust in nature. Furthermore, it is also interesting to
note that the company has established the internal control in line with the Sarbanes Oxley Act
compliance (company Profile, 2004) after the rule of the Securities and Exchange Commission to follow the
Sarbanes Oxley Act section 404 by all the publicly quoted companies in the United States of America by
2004.

A critical analysis by James Weber and Dana Fortun (2005) of the internal control and IT audit has
revealed that the HSBC bank Plc is not only utilizing the internal control for the purpose of verifying
and establishing the information accuracy but also for the purpose of establishing a proactive method
of verifying the information right from the operational level in order to eliminate the occurrence of
deficiency in the material weakness when identified at a later instance. Alongside, the strict methods
of maintaining documentary evidence for any amendments in the information and any discrepancy
being verified proves that the company is maintaining high levels of information consistency right from
the operational level in order to avoid any material weakness in the deficiency in the internal control.
Furthermore, the entire company structure of the HSBC bank embraces the auditing personnel at all
levels of the management in order to establish the consistency and information accuracy prior to
financial reporting in the corporate governance of the annual report.

Internal Control Deficiencies identified in HSBC:

Even though the bank has a robust system for internal control of the information, the following
deficiencies were identified by Time Steel (2005):

• The bank does not maintain accurate information on the number of customers being answered on a
given calendar date and there is no satisfactory paper evidence for the bank to justify a loan lent to a
customer or an account opened. Even though the bank holds copies of passports and other personal
information of the customers, many international customers who have not lived in the
country for long are also successful in securing a loan with minimal information. This risk was identified
and categorised as a significant deficiency in the annual audit for the year ending April 2005.
• The bank does not hold clear information upon the conversations with a customer even though the
information related to rejection or acceptance of a specific application is recorded in the system.
Alongside, the fact that the customers can easily change their address for correspondence over the
Internet as well as by filling in a form in the branch is also questionable for accuracy and hence this
was categorised as a significant deficiency of the system.

5.5: External Auditing

The company's external auditors in the United States of America have verified the aforementioned
deficiencies and concluded that the internal control is functioning effectively apart from these
deficiencies. Alongside, the external auditors also agreed with the internal control standards and
approved the level of accuracy maintained even though in the year ending 2004 the external auditing
for the HSBC faced a very hard time because of the irregularity in compliance with the Sarbanes Oxley
Act. Alongside, the increase in the control level in the year 2004 as well as the increased level of
maintaining documentary evidence are the primary reasons for the successful approval of the internal
control by the external auditors in the year ending April 2005.

5.6: Communications and reporting

The communication of the information within the HSBC bank is strictly through the internal e-mails
maintained at high levels of security. The information being communicated and reported are all
documented and maintained for evidence in order to establish the accuracy and consistency of the
information. Alongside, the communications of the deficiencies identified follows a structured pattern
as argued by Time Steel (2005). Furthermore, the communications between various levels of the
organization as well as the internal control further increases the level of accuracy of the information
being processed.

Alongside, the reporting of the information to various levels of the organization follows a structured
pattern and the periodic reporting of any identified deficiency as well as highlighting any potential
information deficiency that might lead to a material weakness is promptly communicated to the senior
management as well as the corporate directors periodically in order to eliminate any errors and
inconsistency in the information that contributes to the financial reporting of the company in the
corporate governance. This method of the company to strictly report every discrepancy irrespective of
the criticality in the control or the financial impact is in tandem with the reporting and communication
expectations of the Sarbanes Oxley Act.

5.7: IT Auditing

The above arguments are predominantly concerned with the quality of the information and its impact
on the financial reporting on the company. But it is also mandatory to conduct comprehensive auditing
upon the technology being deployed and the control flow of the information that provides the
information the quality of which is analysed in the internal control. The various methods adopted by
HSBC in the light of IT audit are presented here. These are extracted from the company profile
published in January 2005.

Technical Documentation:

The HSBC Bank deploys state-of-the-art information technology systems to manage the entire operations of
the banking services offered by the company. The company utilises the IBM Mainframe architecture and
Tivoli Storage Management for the purpose of maintaining and updating the financial information of the
customers as well as updating the transactions that provide information contributing to the financial
reporting. Alongside, the company also deploys the IBM Content Manager architecture to analyse and
store the information that is being processed by the systems in order to prepare reports and
communicate any potential information discrepancy to the users. A detailed analysis of the storage and
programming architectures is out of the scope of this report. The IS department of the company
maintains a detailed technical documentation of every element and module in the entire system used
for the business process. The relationships between the class modules and their manipulation methods
to calculate the desired output are all documented and verified by the organization. The internal
control discussed in the previous section performs the process of monitoring and verifying the
consistency and accuracy of the documents to the desired output of the system. The senior
management levels of the internal control are responsible for the process of verifying the technical
documents and validating their accuracy. They are also accountable for any potential deficiency
identified and the internal control of the bank also provides information on any deficiency identified in
order to rectify any errors in the information due to the impact of the technical discrepancy.

Access Control: the access control techniques followed by the HSBC Bank Plc are robust and strong in
order to maintain the integrity of the information. The bank has detailed documentation of the methods
of access control implementation as well as the ways in which it is being monitored in separate
documents. The documents relating to access control actually form part of the technical document but
are critically evaluated separately by the internal control team over the technical specifications of the
system. The installation of any new access control technique is also documented and verified prior to
implementation because of the fact that any changes introduced into the IT system should be effected
in the documentation and their impact upon the information being used for financial reporting should
be verified prior to actually implementing it in the real world scenario. This policy of the HSBC Bank
Plc further justifies the company's critical treatment of information technology auditing as part of the
entire auditing process.

Change Management: the company profile (2005) clearly states that any changes introduced in the IT
system are addressed through an impact analysis process prior to implementing the changes because
the information technology, once being used live by the users in the bank as well as the
customers, should be amended only after proper approval for system outage and compliance with the
agreed time frames and deadlines. This statement clarifies that the company is adhering to approved
standards of IT management through the procedural implementation of the changes rather than
sudden implementation without prior notice. Furthermore, the changes so implemented are also
reflected in the documentation and the control flow of the entire system in order to maintain coherent
information flow between various segments of the business as well as provide accurate information
that contributes to financial reporting.

In the next chapter a case study analysis on National Grid Transco Plc is presented to the reader
followed by the conclusion in the chapter 7.

Chapter 6: Case Study 2: Energy Business

6.1: Background information

The energy sector of the UK is another lucrative and revenue generating sector in the UK economy. The
fact that the Sarbanes Oxley Act came into effect further to the scandals of Enron which is an energy
based company is the primary reason for the analysis of a similar sector in this report in order to
provide a profound insight upon the need for information technology audit for corporate governance
among UK organizations. The energy business unlike the banking sector has a varied range of products
right from electricity, gas, oil and other energy resources like wind energy etc. Isla Gower (2004) says
that the energy business in the UK has seen tremendous growth in the recent years and the results of
the Enron case has affected the entire process of auditing and information management within the
company itself.

Furthermore, the energy sector in the UK contributes to more than 30% of the annual revenue with
competitors competing not only in price and quality but also on the basis of reliability and accuracy.

The business comprises two major segments:

• Generation: This includes the actual production of energy in certain units like Kilo Watt Hours
or any other standard unit convention approved by a scientific board like IEEE, System
International, or British thermal Units. This value is the actual information that accounts for
the revenue generation with respect to the companies that generate energy using conventional
or non-conventional methods. Companies like British Gas, EDF, etc. fall under this category
of the energy business.
• Transmission: this segment of the industry is the most interesting element as they perform the
process of transporting or transmitting the energy from one point to another. These
organizations do not generate any form of energy but perform the process of transporting the
energy alone. The company under debate, National Grid Transco Plc, is under this category of
the energy business similar to Enron in the United States of America during the 1990s. The fact
that the company does not have a specific product makes its business critical and revenue
generation an intricate issue for the external auditors themselves.

6.2: National Grid Transco Plc case study

National Grid Transco Plc is one of the largest organizations in the UK with investments and assets of
more than 200 billion. The company's core business is gas and electricity transmission across the UK and
into Europe. The company's investment includes the construction and maintenance of the gas
transmission pipes laid underground across the UK as well as transmission of electricity through the
National Grid of the company across the UK. The company is also listed in the New York stock exchange
and hence it is essential for the company to adhere to the Sarbanes Oxley Act compliance.

6.2.1: The business Process

Unlike the banking counterpart HSBC, National Grid Transco Plc does not have a specific product as
established before and hence a critical analysis of the business process is essential to prove its
revenue generation itself.

The company transports gas and electricity through its pipes and gridlines (electric) respectively from
the production point up to the customer doorstep. The customers include industries as well as power
stations and the general public who are registered customers with the parent company producing the
electricity or gas. It is also interesting to note that the company charges the customers (producers of
gas and electricity) based upon the equivalent energy transported in Kilowatt-hours even though the
gas transported is measured in volume whilst the electricity transported is measured in therms by
the company. The demand for the gas and electricity varies with the season since the UK weather has a
direct impact on the heating systems used in the houses that eventually increases or reduces the
amount of gas or electricity consumed as the case may be.

The company also charges the customers (shippers and producers of energy) for the usage of their
transmission system and the amount of gas transported to the destination. The revenue for the
company is generated through billing the customers (producers of energy) for the amount of gas or
electricity transported in Kilo Watt Hour Units.

The above overview of National Grid Transco Plc proves that the information for the financial reporting
by the company comes from the energy being transported and the revenue generated from the
transportation charges associated. Hence it is imperative for the organization to maintain accurate
information upon the amount of energy transported as well as the time involved for the transportation
on a day-to-day basis.

The company also follows a D-1 date convention whereby the company processes the information for
the previous day of a given calendar date.

This further increases the need for maintaining the accuracy of the information since the information
being processed is actually numbers related to volume and calorific value of the gas and electricity
data which are scientific in nature but it is this information that feeds into the system of the company
in order to generate the billing information for every customer in the UK. The customers of National
Grid Transco Plc with respect to the financial transactions are those who are producing the energy and
the companies that receive the energy transported at the other end who utilise it for commercial
purposes. Hence the customers of the organization are other business organizations, apparently creating
a business-to-business scenario for the entire business process.

The fact that the process involves third party companies and organizations who are charged for the usage of
National Grid Transco Plc's infrastructure further makes accurate information management
and maintenance critical in order to provide precise information for billing that contributes to the financial
reporting of the entire organization.

The company has two separate operating segments for the business one for gas transmission whilst
another branch of the business is dedicated to the electricity transmission in the UK. The internal
control is thus established for the two segments of the business separately and then integrated at the
senior management level as discussed in section 6.3:

6.3: Internal control

The internal control in Nation Grid Transco Plc is more complex than that of the HSBC bank, mainly
because the company's business involves information that is not directly quantifiable
for financial results, even though the revenue is generated based upon the information on the energy
transported. The internal control structure, as described in the company profile (2005), is set out
below:

• Daily Flow Control: This section of the company monitors the flow of the gas transported
on a day-to-day basis. The information is received from the sites that use the gas as well as the
companies that produce the gas at another remote location. The measurement of the
gas used is transferred from the meters installed by the company at the sites through satellite
Radio Frequency signals that are received by the company's receiver in the control room. This
information is verified for consistency using computer software systems developed
specifically for this purpose. The Daily Flow Control team performs the operational-level
monitoring of the gas transported by the company. Any discrepancy is immediately highlighted
to the relevant authorities and the relevant documentation is secured by the team.
• Electricity Measurement Control: This level of the control is similar to the Daily Flow Control
but performs the operational-level information control and monitoring on the electricity side of
the business. The measurements in this case are mainly in thermal units, which are
quantified as kilowatt-hours of energy transported so as to verify the information for
consistency. Any error identified or potential deficiency in the information is immediately
escalated to the relevant parties concerned and the information is documented for the purpose
of further auditing and verification.
• Unaccounted Gas and Electricity Control: This level of control operates by monitoring the flow
of gas and the transmission of electricity with respect to the amount of relevant energy
actually used by the sites and the customers. This level of the internal control monitors the
discrepancy in the information gathered by the aforementioned two levels of the control and
periodically verifies the consistency of the information. The investigation is conducted on a
weekly basis in order to verify the information being processed in relation to the amount of gas
or electricity transported and so establish the consistency of the information. This is
critical for the business because the revenue generated is based upon the
amount of energy transported in the form of gas or electricity, as stated before. The
Unaccounted Gas and Electricity Control primarily investigates any
potential issues that result in a discrepancy of information and is also responsible for
maintaining the documentation for the entire investigation. The Unaccounted Gas and
Electricity Control also reflects upon the company's consistency in billing and the need to
identify the critical areas for improving the performance of the entire organization as well as
to provide accurate information for financial reporting, since the unaccounted energy is not billed
until the customer is identified and the cause is rectified; until then the company incurs the
costs for the transportation of the energy.
• Audit Control: This level of the control mainly monitors the Unaccounted Gas and Electricity
Control but also analyses the information from the two operational-level controls to identify
any errors in the information that contributes to the billing, which would eventually have an impact upon
the financial reporting and corporate governance of the company. This level of the control
primarily monitors the accuracy of the information and also accounts to the external audit team
for the information accuracy and any discrepancy in the documentation of the system.
• Senior Audit Control: This control reports to the audit committee of the company directly and
accounts for the entire internal control of the company. The interesting fact is that the Senior
Audit Control monitors not only the information contributing to the financial reporting but also the
actual input to the financial reporting itself, thus providing comprehensive control over the
entire organization's information auditing to maintain the accuracy and consistency of the
information.

The internal control described above provides a critical overview of the information auditing in the
company in order to maintain accuracy and information consistency. It is further interesting to note
that the internal control in the company not only analyses the information contributing to the
financial reporting but also maintains consistency levels in the billing and expenses side of the
finance department of the company, thus providing complete control over the information accuracy.
Furthermore, the internal control also maintains the documentation on the activities for every
calendar date, since the business is operated on a 24x7 basis with the
critical elements of the business, like the power transmission and gas transmission, operating round the
clock. Hence it is essential to maintain the documentation on a daily basis.

6.4: External Audit

Price Water Cooper house Plc of the UK facilitates the external auditing for the company. An
interesting fact to note before continuing with the external audit analysis is that Nation Grid Transco
Plc has been deploying the above-mentioned structure of auditing for more than ten years and that the
company has seen tremendous growth in the business as well as in its share prices, mainly because of
the reliability gained among the investors and customers.

The external audit from the Price Water Cooper house Plc has proved that the company's auditing and
internal control do not have any significant deficiencies and the company is maintaining a high level of
information accuracy and information integrity. Furthermore, the Price Water Cooper house Plc audit
has also confirmed that the company's management of the information and the level of consistency
maintenance in the information are accurate to meet the standards of the Sarbanes Oxley Act.

6.5: Communications and Reporting

The company adheres to strict reporting and communication policies. The periodic reports generated
by the senior audit control level of the internal control contribute to the periodic reports
and financial statements published by the company. The audit committee of Nation Grid Transco Plc
has complete control over the internal control and the auditing of the entire company.

Since no significant deficiencies were identified in the external audit, communications
and reports other than the periodic reports were not generated.

6.6: IT Auditing

Unlike HSBC Bank Plc, Nation Grid Transco Plc does not use information technology extensively to
perform the business process itself, because the business involves other variables like
gas and electricity that contribute to the financial reporting. The company still performs its day-to-day
information manipulation process by using state-of-the-art systems installed using Microsoft Windows
operating systems and a customised application for integrating the various elements of the business
information to generate reports.

6.6.1: Technical Documentation

The company maintains elaborate technical documents for the centralised IT system deployed across
its network as well as for all the local reporting programs and legacy systems in order to maintain
cohesive information as well as provide transparency in the process of the business itself. Furthermore,
the technical documents prepared are audited for validity by the internal control as well
as by the external auditors.

Alongside, the technical documents so developed are also version controlled, and a separate team of
professionals works on verifying the consistency of the information and the accuracy of the process
itself. This justifies the fact that the company is maintaining a comprehensive IT audit system to meet
the requirements of the Sarbanes Oxley Act and achieve compliance with it.

6.6.2: Version Control

The company has also incorporated the process of version controlling its documents, including the
technical design reports and the day-to-day analysis reports generated to address any specific issues
raised by the third party involved. Furthermore, the company also adopts a file naming convention that
provides detailed guidelines for its staff on saving electronic files and documents in order to
maintain information accuracy and consistency among different levels of the organization.

6.6.3: Access Control and information security

Like HSBC Bank Plc, Nation Grid Transco Plc has also incorporated robust access control techniques to
prevent unauthorised access to information. The company has also incorporated a Business Continuity
Management strategy to meet any disaster situation and perform effectively during the course of a
disaster. Alongside, access to the centralised databases is restricted to the administrators, and
users can access the information only on the basis of their roles.

This justifies the company's IT Audit strategy to contribute to the corporate governance of the
organization by providing accurate information for financial reporting.

Chapter 7: Discussion and Conclusion

7.1: Discussion:

The case study analysis of the companies has revealed that information forms an integral part of any
business and hence the need to maintain consistency and accuracy of the information is essential.
Alongside, the analysis of HSBC Bank Plc has revealed that the banking sector needs not only to maintain
the information related to credit and debit but mainly to maintain the details of every transaction within
the organization in order to distinguish between investment and expenses.

Alongside, the research analyses have also proved that Sarbanes Oxley Act compliance is essential
for the effective management of the information and not just for the need to be quoted on the New
York Stock Exchange. Apart from the fact that Sarbanes Oxley Act compliance eases the process of
auditing and increases information transparency, the efficient management of the
information and auditing in compliance with the Sarbanes Oxley Act improves the company's
overall business process itself, eventually increasing its performance and thus resulting in higher levels of
revenue being generated as well as avoiding discrepancy in the information being processed. This will
increase the performance of the organization itself irrespective of the nature of its
business.

The discussion on the internal control in Nation Grid Transco Plc and HSBC Bank Plc has shown that it
increases the level of accuracy of the information that is being used for financial reporting, thus
eliminating errors in the first instance, eventually increasing the revenue for the company, and providing
concrete documentation for any discrepancy identified, which serves as justification whilst the
auditing process is conducted.

It is also clear from the above chapters that auditing of the technology behind the information being
processed is critical, since any changes to the technical structure of the IT system will eventually affect
the information accuracy and consistency, thus affecting the overall financial reporting of the company
and the corporate governance. The discussion on the access control techniques and the various
strategies to prevent unauthorised access to the information has further revealed that compliance
with the Sarbanes Oxley Act is not the only necessary criterion for an organization, because the
information being processed by the companies is not only critical in nature, but any infringement in
the information will result in a potential financial impact on the organization, eventually affecting the
corporate governance itself.

The fact that investor confidence is essential for the sustainability of the market makes it
imperative for every organization to adhere to strict IT audit policies and methods to establish the
consistency of information that contributes to the financial reporting of the company. Alongside, the
Sarbanes Oxley Act also monitors the financial impact of any information infringement
and discrepancy, thus resulting in a comprehensive analysis of the information internal control to
identify any deficiencies in the information management process itself in order to establish the
information consistency and accuracy that contribute to the financial reporting of the organization.
Furthermore, the fact that the Sarbanes Oxley Act also emphasises that companies maintain relevant
documentation and incorporate effective internal communication in order to arrive at a concrete
conclusion makes it clear that communication will leverage not only effective compliance with the
Sarbanes Oxley Act but mainly effective communication among the various levels of the
organization in order to effectively manage the information as well as provide comprehensive decisions
on any structural changes required.

The procedural approach to incorporating any structural changes in the IT system installed within the
organization in both Nation Grid Transco Plc and HSBC Bank Plc further emphasises the fact that
information technology is not only a critical element of the business operation but that the effective
management of the IT system is essential in order to incorporate efficient management and improve
the performance of the company, thus providing accurate input to the corporate governance of the
organization.

Apart from the arguments on Sarbanes Oxley Act compliance, the fact that UK organizations are
increasingly adopting the auditing process for validating their information in order to prevent any
errors in the financial reporting, as argued in the Audit Commission overview (2005), further
makes it clear that UK organizations are increasingly monitoring information accuracy and
consistency in order to prevent any errors leading to potential loss and hindrance to the corporate
governance itself.

Alongside, the case study analysis on Nation Grid Transco Plc has proved that those organizations that
do not have a product of their own can still establish Sarbanes Oxley Act compliance and provide
efficient information accuracy through the continuous monitoring of the information being processed,
and that the accuracy of the information achieved through continuous monitoring of the actual
business process itself will leverage effective corporate governance in the organization. Nation Grid
Transco Plc is a company similar to Enron in the United States of America, which
faced bankruptcy in 2002. It is therefore interesting to note that Nation Grid Transco Plc's strict
adherence to the information audit policies, internal as well as external, even before the enforcement
of the Sarbanes Oxley Act has revealed that information plays a critical role in the business of any
organization, whatever the technology that is implemented to manage the information, and that this has
increased the performance and the corporate governance of Nation Grid Transco Plc in the
UK.

Apart from the factors of information accuracy and consistency, which are essential for IT auditing,
the critical element for accomplishing the IT audit effectively is the structured approach to
the process of auditing itself, as argued by the Audit Commission of the UK (2005). This corresponds to
those elements of information technology, like the maintenance of the technical documentation
and effective control of the information flow between the various levels of the organization, that
contribute to the efficiency of the entire auditing process. Alongside, through the efficient management
of the human resource as discussed in the literature review, a company can leverage efficient IT
auditing, because it is the staff in the company who manipulate the information and
feed the information into the computer, where it is eventually manipulated to generate reports.
Alongside, the fact that organizations in the UK are increasingly deploying information security
methods and access control methods to prevent unauthorised access to the information further
shows not only that UK organizations are aware of information security breaches and
infringement but also that their performance and financial reporting to corporate governance
are directly contributed to by the information they process, as identified by Denzil Watson and Tony Head
(1998).

Furthermore, the unit-level control of the information and the reporting of any deficiency to the higher
levels followed by Nation Grid Transco Plc not only increase the transparency but also increase the
reliability of the company, eventually increasing the investor confidence, which is the main reason for
the evolution of IT audits and the Sarbanes Oxley Act.

The above discussion has revealed that IT auditing is an essential element in any publicly owned
organization irrespective of its compliance with the Sarbanes Oxley Act, mainly for accomplishing an effective
business process and achieving accurate financial reporting in the corporate governance of the
organization.

7.2: Evaluation of Objectives

Objective 1: To critically analyse the concept of corporate governance and its importance for an
organization both internal and external to the business.

The literature review on corporate governance in chapter 2 provided a comprehensive overview of
the concept of corporate governance. It was established that the corporate governance of an
organization predominantly depends on effective auditing and accurate financial reporting, which
contribute to the company's overall position in the target market as well as to gaining investor confidence.
Alongside, it was also established that the corporate governance of an organization is also contributed to by
the effective functioning of the human resources, finance, infrastructure and, above all, effective
internal communication. The analysis of the committees for corporate governance proved that the
corporate governance of an organization is not only the financial reporting but also monitors the
overall operation of the entire senior management of the organization in order to gain sustainable
market growth through improved performance and effective management. It was also established that
the corporate governance committee monitors the entire operation of
corporate governance in the organization and has complete control over the other two committees,
namely the audit committee and the compensation committee. Furthermore, the literature review on
the corporate governance of an organization also revealed that corporate governance is essential
for all publicly quoted organisations and that financial reporting is the critical element of
corporate governance.

Objective 2: To analyse the critical nature of information in business and the growth of information
systems in corporate governance.

The analysis in chapter 3 has justified that organizations in the UK are increasingly depending upon
information technology for conducting their business process itself, which contributes to the financial
reporting in the corporate governance of the company. Alongside, the fact that organizations are
increasingly utilizing information technology to conduct business from both the business-to-business and
business-to-consumer perspectives increases the critical nature of information in the entire
business process. The overview of IT in corporate governance has further revealed
that information technology is no longer an operational component of the business, because
the information contributing to the financial reporting of the organization is mainly derived
from the information systems that provide input information for the financial value of the actual
business of the company. Furthermore, the overview has also revealed that it is essential not only to
maintain accuracy at the strategic level but mainly to provide accurate input to the system at the
operational level, because sales or any form of business operation at the
operational level contribute to the actual revenue of the company itself, and hence it is imperative to
maintain accuracy and consistency right from the operational level of the system.

Objective 3: To analyse the corporate financial reporting frauds and the role of information technology
in such cases through critically analysing examples from various industries.

The overview in chapter 3 on IT and corporate governance further revealed that the information used
for the purpose of financial reporting is predominantly the data input by the personnel and
that any error or flaw in this input will result in a fraud in the financial reporting, resulting
in the infringement of the corporate governance of the organization itself. Furthermore, it was also
established that the actual technology behind the processing of the information should be
capable of producing accurate results in order to maintain the consistency and accuracy of the results. The
deployment of various innovative technologies by organizations in order to increase their market
share and also present accurate information for financial reporting justifies the need for
robust technology on top of an accurate information system.

The analysis of the Enron and WorldCom issues has revealed that the information infringement was
not only because of fraud in the input of the information but mainly because of misinterpreting the
information, as in the case of WorldCom, where the company overstated its investment by
misinterpreting expenses as investment. Furthermore, the analysis in the chapter also revealed
that corporate financial reporting frauds not only hinder the economic operation of the company
but mainly affect the industry in which it is operating and also the economic stability of the country.
Alongside, the analysis of the Sarbanes Oxley Act and the regulations of the Securities and Exchange
Commission has further revealed that frauds in financial reporting are the major elements that
contribute to the hindrance of the corporate governance of the organization itself.

Objective 4: To critically analyse Section 404 of the Sarbanes Oxley Act which is the final rule of the
act to be implemented by corporate organizations in the UK.

The analysis in Chapter 4 on the Sarbanes Oxley Act proved that the consistency and
accuracy of the information are essential for the successful financial reporting of an organization.
Alongside, the overview of the Sarbanes Oxley Act has also established that the law protects the
personnel and the interests of the staff in order to prevent the abuse of personnel by the company
for providing concrete information on frauds in the organization. The analysis of section 404, which
was passed as the rule by the Securities and Exchange Commission, has revealed that publicly quoted
companies, either within the United States of America or foreign organizations, must adhere to the
norms laid down by section 404 of the Sarbanes Oxley Act in order to achieve corporate governance. The
discussion on section 404 of the Sarbanes Oxley Act revealed that the information dealt with by the
organization must be controlled internally right from the operational level up to the corporate level
prior to the external auditing of the information itself. The different types of internal control
deficiency identified by Sarbanes Oxley Act section 404 have confirmed that the organization must
not overlook even the slightest discrepancy and must hence achieve a high level of information transparency
to achieve investor confidence. Furthermore, the analysis of Information Technology auditing and
the various rules and guidelines laid down by section 404 of the Sarbanes Oxley Act further reveals that the
technology behind the information systems of an organization must be well structured, documented
and controlled at all levels of the organization in order to maintain the accuracy and integrity
of the information.

Objective 5: To provide case study analysis with examples from banking sector and Energy sector in the
UK on the application of the Sarbanes Oxley Act-section 404.

The case study analyses on the banking sector with HSBC Bank Plc and the Energy business in the UK with
Nation Grid Transco Plc as the companies of debate have revealed that information technology
forms a critical element in the management of the information as well as in maintaining the accuracy of
the information. The analysis of Nation Grid Transco Plc especially has revealed that even though the
company does not have a specific product, it can still achieve transparency in operation through the
efficient management of the information and the control of errors through continuous auditing and
checking in the company. Alongside, Nation Grid Transco Plc is in the same line of
business as Enron in the United States of America, which filed for Chapter 11 bankruptcy in the year 2002. The
analysis of HSBC further revealed that by adhering to strict auditing principles and methods of
management of the information technology infrastructure, an organization can leverage
information accuracy and data consistency, which are essential for accurate financial reporting in the
corporate governance of an organization.

The analysis of the companies has also revealed that the process of auditing is essential not only for
successful compliance with the Sarbanes Oxley Act but mainly to establish consistency in the business
information in order to eliminate errors and increase the accuracy of the information being processed
to provide financial reporting.

7.3: Conclusion

From the overview of corporate governance it is clear that financial reporting and efficient
auditing are essential for successful, flawless financial reporting by the organization. It was also
established that corporate governance is directly impacted by the performance of the human
resource of the organization, even though it is the financial performance of the company that is visible
in the corporate governance of an organization. Corporate governance also comprises the
monitoring and effective management of the senior management of an organization, and the presence
of the non-executive director in the corporate governance is mandatory to achieve unbiased
decision-making and corporate governance in the company.

It was also established that information plays a critical part in achieving accurate financial
reporting and that the effective monitoring of the information through continuous auditing and
verification will provide accurate and reliable information for financial reporting. The Sarbanes Oxley
Act and compliance with section 404 have further established that internal control and efficient
auditing of the information provide accurate input to the financial reporting of the company and also
increase transparency of the information, eventually leveraging investor confidence.

Furthermore, it is also established that the efficient management of the IT infrastructure and the
deployment of robust access control and storage management techniques will leverage accuracy in the
information and also increase the reliability of the information being used for financial reporting. Thus,
to conclude the research, it is clear that the effective use of IT auditing techniques will leverage
accuracy and reliability in the corporate governance of an organization, thus increasing investor
confidence. It is also proved that the Sarbanes Oxley Act, even though an American law, should be
adhered to as a unified code of conduct by all publicly quoted organizations in order to gain transparency
in the business process and encourage investment from more investors.

Recommendations:

The research was focused on the effectiveness of IT audit in the corporate governance of UK
organizations. This topic is very broad in nature since the UK business market consists of numerous
industries. Hence it is recommended to conduct the report by concentrating the research upon a single
industry like the banking industry or the retail sector in the UK business market.

Since primary research in the form of a questionnaire is impossible because organizations will not
reveal any information that is sensitive to the business, as stated before in chapter 1, it is recommended
to gain first-hand information through interviews with key personnel of an organization. Since the
report is academic in nature, this could not be accomplished within the limited time frame.

References:

Chris Brown, (2005), The sustainable enterprise : profiting from best practice, UK: Kogan Page

Christopher Barnatt, (2000), Management Strategy and Information Technology, Text and Readings,
Thomson Business Press

Denzil Watson and Tony Head, (1998), Corporate Finance Principles and Practise, UK: Financial Times
Pitman Publishing

Derek Torrington and Laura Hall (1995), Personnel Management HRM in Action, 3rd Edition, UK: Prentice
Hall

Efraim Turban et al, (2004), Electronic commerce 2004 : a managerial perspective, Upper Saddle River,
N.J. : Pearson/Prentice Hall, 2004

Gerry Johnson and Kevan Scholes, (2001), Exploring corporate Strategy Fourth Edition, Prentice Hall of
India Private Limited, India

John Ward and Joe Peppard, (2002), Strategic Planning and information Systems, 3rd edition, John
Wiley and Sons

Michael Armstrong (2003), A handbook of human resource management practice, 9th Edition, London:
Kogan Page.

Sebastian Nokes, (2001), Measuring and Controlling IT Costs, UK: Financial Times Prentice Hall

Journals and White Papers

(2005), CPA- The Harder Test, The Audit Commission UK

Bob Garratt, (2005), A Portrait of Professional Directors: UK Corporate Governance in 2015, Corporate
Governance, Volume 13, number 2.

Company Profile, (2004), HSBC Holdings Plc, Data monitor, UK

Company Profile, (2004), National Grid Transco Plc, UK: Data Monitor Ltd

Ian P. Dewing and Peter O. Russell (2004), Regulation of UK Corporate Governance: lessons from
accounting, audit and financial services, Regulation of UK Corporate Governance, Volume 12 Number 1

Isla Gower (2004), Banking: Market Report Plus, Keynote Ltd

Isla Gower (2004), Market Report Plus: IT Industry Review, UK: Keynote Ltd

Institute of Internal Auditors UK, (2004), IT Audit, UK

James Weber and Dana Fortun, (2005), Ethics and Compliance Officer Profile: Survey, Audit and
Internal Control, UK: Business and Society Review

Joseph Liberman, (2002), Behind the Enron Scandal, News Analysis, EBSCO Publishing

T.C. Melewar, (2003), Determinants of the Corporate Identity Construct: a review of the literature,
Journal of Marketing Communications, Vol 9, pp 195-220.

The Business Round Table, (2004), Principles of Corporate Governance, ASSOCIATION OF CHIEF
EXECUTIVE OFFICERS

Tim McCollum, (2004), Information Technology in the Banking Sector: A critical analysis, European
journal of Management, Emerald
