A Research On Internal Control Over Financial Reporting In The IT Environment In China

Internal control over financial reporting (ICoFR) is an integral part of internal control. The control object is accounting information systems (AIS), which generates financial reporting. It aims to ensure the reliability of financial reporting, and it is only a subset of internal control, as internal control serves four objectives: strategic, operations, reporting and compliance. The deployment of information technology (IT) in firms changes traditional manual AIS, and influences the system environment as well. However, there are few studies focusing on ICoFR in the IT environment (IT-ICoFR).This dissertation discusses how IT affects ICoFR, and classifies ICoFR into 3 stages according to the degree that companies use IT: method-oriented control; object-oriented control; integrated control. Based on the analysis of the existing international IT-related control and audit standards or frameworks, this dissertation discovers that the related standards usually fall behind the practice, as most of them are still in the object-oriented stage. IT-related frameworks are brought up in accordance with the integrated IT environment, so they can be good reference for the establishment of ICoFR. While IT-ICoFR, IT governance and Information System audit are interrelated concepts, understanding their relations helps to comprehend and implement ICoFR. So this dissertation provides a thorough review of their origin and evolution.Using mySAP ERP and UFIDA for reference, this dissertation explores the elements of IT-ICoFR. CobiT is the "de fact" standard in IT control area, and COSO-ERM is the latest development of internal control-integrated framework, which is considered to be the "de fact" standard in internal control area. The salient characteristic of the former is process-based and goals-oriented, while the salient characteristic of the latter is risk-oriented. As a result, CobiT is more applicable to the process-level, while COSO-ERM is more appropriate for the entity-level. So it will be a proper way for companies to construct IT-ICoFR using both of the two frameworks. However, it's important to note that ICoFR is only one part of internal control. ICoFR is evolving as the environment changes and it should be integrated into companies' ERM to be one of the add-value factors.In the end, this dissertation advances some suggestions for the government to set up ICoFR-related laws and regulations, and bring forward several topics for future research.