A content analysis of auditors' reports on IT internal control weaknesses: The comparative advantages of an automated approach to control weakness identification

We employ an automated content analysis approach to provide a snapshot of the terminology auditors actually use to describe information technology weaknesses (ITWs). We develop and use a dictionary based on textual analysis of auditors' reports on internal control filed under Section 404 of the Sarbanes–Oxley Act from 2004 to 2009. Using the dictionary with content analysis software led to the identification of 14 categories of ITWs in order of decreasing frequency of occurrence: (1) access, (2) monitoring, (3) design issues, (4) change and development, (5) end-user computing, (6) segregation of incompatible functions, (7) policies, (8) documentation, (9) masterfiles, (10) backup, (11) staffing sufficiency and competency, (12) security (other than over access), (13) outsourcing and (14) operations. The use of automated content analysis methodology also helped us identify potential disconnects between terminology used in auditors' reports and that used in published frameworks and guidelines. We provide the dictionary and discuss the methodology used in creating and applying the dictionary to the analysis of the textual content of auditors' reports on internal control, including the advantages and limitations of automated ITW identification.

► We use content analysis to identify information technology weaknesses (ITWs) in auditors' SOX 404 reports. ► We compare the efficacy of using automated vs. manual content analysis methods. ► We categorize terminology used to report ITWs in SOX 404 reports. ► We examine terminology used in professional frameworks and guidelines. ► We check if same terminology is used in auditors' reports on internal control.