1
Voluntary disclosure regarding IT-related risks and controls.
An empirical research regarding the company characteristics
and the level of disclosure of IT-related risks and controls
of Dutch listed companies
Thesis Amsterdam IT-Audit Programme Amsterdam Business School
Amsterdam
Drs. Vincent van Slingerland EMA Student number: 10903208
Deloitte Accountants B.V. Leeuwarden Date of Completion: 1 October 2015 Supervisor: Drs. Marcel Fikke RE RA CISA
2
Voluntary disclosure regarding IT-related risks and controls.
An empirical research regarding the company characteristics
and the level of disclosure of IT-related risks and controls
of Dutch listed companies
1V. van Slingerland
Amsterdam IT-Audit ProgrammeAmsterdam Business School
ABSTRACT: The disclosure of IT-related risks and controls are a matter of considerable interest and importance to the Dutch reporting community2. However, the relationship between the level of disclosure and the reported IT-related risks and controls are not definitively established and difficult to measure. This research investigates whether there is a relation between the disclosure of IT-related risks and controls in 2014 in comparison to 2009 by regressing the company characteristics, Amsterdam stock market, industry, company size, auditor, and specific financial characteristics. The level of disclosure is measured based on the annual report of companies positioned on the AEX, AMX and the AScX for a sample of 52 companies in both 2014 and 2009. Empirical evidence suggests that the disclosure in 2014 has significantly increased in comparison to 2009. For companies positioned on the AMX, the technology industry, or those that have Deloitte Accountants B.V. or KPMG Accountants N.V. as auditor, the voluntary disclosure of IT-related risks and controls has improved significantly. An in-depth regression analysis, based on the disclosure of 2014 and 2009, did not find a relation regarding the company characteristics and the level of voluntary disclosure over 2014 nor in 20093.
Key words: Voluntary disclosure, IT-related risks and controls, Voluntary Disclosure Index.
1Disclaimer. No part of this publication may be reproduced or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, or stored in any retrieval system of any nature, without the written permission of the author
2Dutch reporting community is defined as all stakeholders that make use of the annual reports of Dutch listed companies. 3Statistical knowledge is required in the assessment of this research. The topics discussed are descriptive statistics, paired
3
Table of Contents
Chapter 1 Introduction ... 4
1.1 Introduction. ... 4
1.2 Motivation. ... 4
1.3 Problem statement and research questions. ... 5
1.4 Relevance ... 5
1.5 Structure ... 7
1.6 Conclusion. ... 7
Chapter 2 Theoretical frame work ... 8
2.1 Introduction. ... 8
2.2 Risk reporting disclosure requirements ... 8
2.3 Risk reporting frameworks ... 10
2.4 Measuring disclosure of IT-risks and controls. ... 11
Chapter 3 Methodology ... 13 3.1 Introduction. ... 13 3.2 Research design. ... 13 3.3 Methodology ... 13 3.4 Research model ... 16 3.5 Conclusion. ... 17 Chapter 4 Analysis ... 18 4.1 Introduction. ... 18 4.2 Descriptive statistics. ... 18 4.3 Research results. ... 24 4.4 Conclusion. ... 30 Chapter 5 Conclusion ... 31 5.1 Introduction. ... 31
5.2 Conclusion and discussion. ... 31
5.3 Limitations and suggestions for further research. ... 34
Bibliography ... 35
4
Chapter 1
Introduction
1.1
Introduction.
This chapter discusses the motivation, problem statement, and research questions for the present research. The first section encompasses insight into the motivation for and the objectives of the present research. The second section describes the problem statement and research questions. The last section presents the relevance and structure of this research.
1.2
Motivation.
The present research focuses on the comparison of the disclosure of IT-related risks and controls of Dutch listed companies4 between the years 2014 and 20095. Risk reporting in annual reports of the Dutch listed companies appears to be the cornerstone of these reports. This is due to stakeholders demanding openness and more accountability from management of the company to ensure that the incentives of the board are aligned with stakeholder interests. Consequently, the increased demand for risk reporting is argued to be a better indicator of a company’s long-term viability and provides additional information for decision-making (Hermanson, 2000).
In 2014, almost 71% of all companies with more than 250 employees use comprehensive automated systems (ERP) in their business operations. This is an increase of 31.5% in comparison the total use in 2009 (Centraal Bureau voor de Statistiek, 2009; 2014). The introduction of comprehensive automated systems is highly complex with substantial financial risks due to the long period and system complexity. Specifically, after introducing the system to the company, maintaining it, and making sure the information is confidential, inegrity, and available is a challenge.
The World Economic Forum published their insight report “Global Risks 2014” in which decision-makers from business, academia, and the public sector provided insight on the risks of greatest concern for conducting business in their country (World Economic Form, 2014). Based on the conclusions of the report, the following three technological risks in terms of likelihood and impact are classified among the top ten risks: critical information infrastructure breakdown, data fraud or theft, and cyber-attacks. In the insight report “Global Risks 2009” (World Economic Form, 2009), no technological risks in terms of likelihood and impact are classified within the top ten risks.
4 In the Netherlands, a significantly larger proportion of employees work on the Internet (58%) in comparison with the EU average (47%). Therefore, it is expected that the IT-risks increase for companies in the Netherlands is comparison with other EU companies (Statistiek, 2014). The AEX, AMX, and AScX are selected because these indexes represent the largest companies of the Netherlands. It is expected that the largest companies will disclose more information in comparison to smaller companies because they have more resources and more political pressure to disclose information (Meckling, 1976), (G.K. Meek, 1995) and (J.J. Archambault, 2003).
5 The year 2014 has been selected, because it represents the latest annual report available at the time this research is conduced and therefore, the most relevant. A timeframe of 5 years has been selected because the expected difference would be the most significant.
5 Based on this information, the assumption is made that the reporting community is now more aware of the technological risks in business and demands openness and more accountability from management to disclose information regarding these risks. In the academic literature, no research has been conducted regarding the publication of IT-related risks and controls and, therefore, the objective of this research is to determine whether it can be empirically supported that the level of disclosure regarding IT-related risks and controls has increased in 2014 in comparison to 2009.
1.3
Problem statement and research questions.
The purpose of the present research is to examine whether there are differences between the level of disclosures in 2014 in comparison to 2009 regarding IT-related risks and controls. Furthermore, this will provide insight on which companies in the AEX, AMX, and AScX indexes disclose more information regarding IT-related risks and controls compared to other companies based on their characteristics (i.e., size, industry, and auditor). As alluded to previously, the problem statement is as follows:
“Have companies increased the disclosure of IT-related risks and controls in the financial statements and what is the influence of company characteristics on the amount of disclosure?”
In order to answer the problem statement the following research questions have been formulated. 1 What are risk reporting disclosure requirements?
2 What risk frameworks are used for reporting purposes?
3 What is the amount of IT-related risks and controls disclosure in 2009 and in 2014?
4 Which company characteristics can best serve as an explanation for the amount of IT-related risks and controls disclosure?
1.4
Relevance
6This paragraph discusses the academic and social relevance of the present research. The first subsection encompasses insight into the academic relevance of the present research. The second subsection describes the social relevance.
6 This research makes references to academic research which is older than twenty years. More recent research is mainly based on the methodology and outcomes of this twenty year old research. In the auditor’s opinion the credits, in terms of a reference should be assigned to the first researcher
6
Academic relevance
Previous research on the link between voluntary disclosure and risk reporting in financial statements determined that the amount of voluntary disclosure is an important influence factor for the following:
the company characteristics and corporate size (C.W. Chow, 1987) and (G.K. Meek, 1995); the financial leverage (C.W. Chow, 1987);
assets proportion (C.W. Chow, 1987);
type of industry and financial performance (G.K. Meek, 1995);
the auditor of the company (Wallace R.S.O., 1994) and (J.J. Archambault, 2003).
The present research contributes to the literature by determining whether companies have changed their disclosure of IT-related risks and controls and whether there are certain company characteristics that may explain qualitatively more information than other companies may. There are several studies regarding the identification of risks in information system projects (J.J. Jiang, 1996), (S.V. Grabski, 2001), but no research has been conducted regarding the disclosure of IT risks and controls. This research is also valuable in respect of prior research regarding risk management, voluntary disclosure, and transparency.
Social relevance
This research focuses on IT-related risks and controls and examines whether there are differences between the levels of disclosures in 2014 in comparison to 2009. It also investigates what the influence of company characteristics is on the amount of disclosure. Stakeholders have recently increased their attention on risk management as an integrated component of corporate governance, mainly because of the credit crisis that started in 2009. As stated by the Dutch government: “millions of people throughout the world depend on the performance of listed companies”; therefore, the government recognizes the great importance of corporate governance and the supervision of these listed companies. The government constantly seeks improvements in the laws. In particular, it seeks:
greater transparency in annual reports; better accountability by supervisory boards;
more protection for shareholders. (Dutch Government, 2015)
Further examination of the industry comparison of the level of voluntary disclosure on IT-related risks and controls principles provides insight into the risk management and disclosure of a company in comparison to its peers. This research has social relevance because it organizes information regarding disclosed IT-related risks and controls by making a comparison between company characteristics and the level of disclosure. It increases the transparency of decision-making processes and supports decision makers7.
7 The results of this research could improve the accountability by the supervisory boards of companies with characteristics that have a low disclosure score regarding IT-related risks and controls.
7
1.5
Structure
Chapter two of this research covers the theoretical framework. This theoretical framework is the basis of the research in which the elements of the conceptual model are outlined. First, disclosure requirements are discussed. Secondly, the frameworks that companies can use to address IT- related risks and controls are discussed. In the last part of chapter two, other research on voluntary disclosure is examined to determine how the level of voluntary disclosure can be measured. In chapter three, the methodology of the research is presented based on the information received from the theoretical framework. Furthermore, empirical research hypothesis, the research sample, and the empirical model are addressed.
Chapter four discusses the empirical results of this research. Chapter four further provides answers to the research questions three and four and answers the question whether there is empirical evidence that influences the time component regarding the amount of IT-related risks and controls. This chapter also addresses research question four that details which company characteristics can best serve as an explanation for the amount of IT-risk reporting. Chapter five answers the problem statement and summarizes this research.
1.6
Conclusion.
This chapter explains the motivation and the problem statement of the present research. Furthermore, the four research questions have been formulated. This chapter concludes with the relevance and an overview of the present research structure.
8
Chapter 2
Theoretical frame work
2.1
Introduction.
This chapter discusses the risk reporting disclosure requirements in the Netherlands and the reasons for companies and their directors to disclose addition information (voluntary disclosure) in their annual report. In addition, the most frequently used risk frameworks for reporting purpose COSO and COBIT are discussed. The last section of this chapter explains the method used to measure the disclosure of IT-risks and controls for this research.
2.2
Risk reporting disclosure requirements
This section is divided into two sections, namely risk reporting in the annual report and risk reporting and voluntary disclosure. The first section provides insight into the disclosure requirements in the Netherlands. The second section explains the academic reasons for companies and their directors to disclose more or less information regarding their risks and uncertainties.
2.2.1 Risk reporting in the annual report
In this section, the disclosure requirements are discussed. Based on Dutch law, companies need to report their risk through a directors’ report8 (Tweede Kamer en de Eerste Kamer, 2010). Based on the size and complexity of the company, the most important financial and non-financial performance indicators need to be disclosed. Dutch law states that the directors’ report should disclose its information in a true and fair overview. However, it does not give an indication as to what information should be included. The “Raad voor de Jaarverslaggeving” (RJ) assists companies to disclose their main risks and uncertainties with which they are confronted. In essence, companies should interpret the legal requirements by disclosing information about the following five risk aspects:
risk appetite: provide a description of the main features of the willingness to hedge risks and uncertainties risk response: describe the measures taken to control main risks and uncertainties, if possible with a
qualitative description of the expected effectiveness of the measures taken
sensitivity analyses: give a description of the expected impact on the results and/or financial position if one or more of the main risks and uncertainties were to occur;
monitoring: give a description of the risks and uncertainties that have had a major impact on the company in the past financial year, and the consequences for the company and
adjustments: whether and, if so, which, improvements have been or are implemented in the risk management system of the legal entity (Raad voor de Jaarverslaggeving, 2014).
8 The director’s report is a comprehensive analysis of the situation on the balance sheet date. The mandatory requirements are divided in five sections namely: general information, financial information, outlook paragraph, corporate governance, and the imbalanced distribution of seats on the management board and board of supervisory directors.
9 Disclosure requirements regarding IT-related risks and controls are not embedded in Dutch law nor in the RJ. Based on (Tweede Kamer en de Eerste Kamer, 2010) and (Raad voor de Jaarverslaggeving, 2014) a company needs to disclose information regarding their main risks and measures taken to control these risks and uncertainties.
The extensiveness of the risk and control description is determined by the company and its directors based on the likelihood of the risks and their possible financial impact on the company. Therefore, the following section provides insight into the theoretical reasons for companies and their directors to disclose more or less information regarding their risks and uncertainties.
2.2.2 Risk reporting and voluntary disclosure
The basic idea of voluntary disclosure is that it renders the capital allocation process more efficient and reduces the average cost of capital for a company (Financial Accounting Standards Board, 2011). Companies and their directors provide disclosure through their annual report and other regulatory filings to their reporting community. At the same time, there is an information asymmetry and agency conflicts between the directors and the reporting community.
First, information asymmetry arises from information differences and conflicting incentives between directors and the reporting community. This problem is also called the “lemon problem” and is addressed by G.A. Akerlof in 1970. In his seminal article, the presence of information asymmetry creates an adverse selection problem. When a customer cannot tell the quality of, for example, an automobile, the customer is willing to pay only an average price for the car. Consequently, the price is more attractive to automobile sellers who have a bad product than to an automobile seller who has a good product. (G.A. Akerlof, 1970). This same principle of adverse selection is applicable in terms of the reporting community and the directors of a company. The
reporting community values companies based on their own information; if the reporting community cannot
distinguish a good company from a bad company, it will value the company on an average level. This average level may be an inflation of the actual company value in the case of a bad company.
Moreover, the agency problem potentially arises when a contractual relationship is agreed upon between two (or more) parties, where one party (the “agent”) acts for, on behalf of, or as a representative of the other party (the “principal”). The cornerstone of this problem is that the agent often has better and more complete information than the principal does regarding relevant information and facts. It is difficult for the principal to determine whether the agent delivers the performance as promised. Based on this knowledge, the agent has an incentive to behave self-centredly (opportunistically) which might not be in the interest of the principal, due to the fact that the agent will not have to suffer the consequences of his actions personally (S.A. Ross, 1973).
10 Masulis argues that there are four reasons for the agency problem, namely:
directors prefer greater levels of consumption and less intensive work, as these factors do not decrease their remuneration and the value of the company’s shares that they own,
directors prefer less risky investments and lower financial leverage, because in this way they may decrease the danger of bankruptcy and avoid losses on their managerial capital and portfolios,
directors prefer a short-term investment horizon,
directors avoid problems stemming from reductions in employment levels, which increase with the changes in control of a company (Masulis, 1988).
Therefore, it is argued that it is important for the principal to control the agency problem because it could lead to waste of scarce resources, hampers capital market function, and hinders economy growth (C.S. Eun and B.G. Resnick, 2005).
In sum, the present research is based on the assumption that directors have better information than the principal does. The director will, based on the economic theory, reduce the information asymmetry because this could be beneficial for the company in terms of improved valuation and reduced cost of capital (Botosan C. , 1997).
2.3
Risk reporting frameworks
The directors of the company are responsible for developing and maintaining a system of internal control over financial reporting that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (Sarbanes-Oxley Act, 2002). The Sarbanes-Oxley Act (SOx) is applicable to companies that are under the jurisdiction of the Securities and Exchange Commission (SEC). In the adopting release of the Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, the adopting release mentioned the Internal Control— Integrated Framework (1992) created by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) as an example of a suitable framework. Therefore, many companies have adopted the COSO framework, a leading framework for reporting on internal control over financial reporting. Dutch companies listed both in the Netherlands and in the US, are under the jurisdiction of SEC and, therefore, required to report on internal control over financial reporting. Many companies adopted the COSO framework in the Netherlands, for example, Aegon and Arcelor Mittel listed in the Netherlands and the US, and report in their 2014 annual report the COSO framework as the Standard for reporting on financial reporting. The corporate governance code in the Netherlands does not state what framework should be used for reporting on financial reporting. Yet companies like AkzoNobel, Heineken, ING, and Philips report in their annual report COSO as their control framework. As stated by L. Paape, “the COSO framework is the Standard in corporate governance reports, there are hardly any corporate governance reports that do not link to COSO” (Paape, 2008).
11 Although COSO is the Standard used for forming an opinion on the effectiveness of companies’ internal control over financial reporting, companies and auditors may leverage other sources for more specific considerations. For example, the Control Objectives for Information and Related Technology (COBIT) framework is issued by ISACA and is intended to be a framework of IT risks for internal control over financial reporting. COBIT is considered the most comprehensive IT governance framework for IT-specific risk and control considerations. COBIT provides a framework for directors, users, information systems audit control, and security practitioners (S. Zhang, 2013). De Nederlandse Bank (DNB) is a public limited company that operates as an independent body in the Netherlands. The DNB is responsible for safeguarding financial stability in the Netherlands and is part of the European System of Central Banks (ESCB). Based on Dutch law for (wet Financieel Toezicht en de Pensioenwet) financial companies, subject to section 3:17, it is required to organize its operations in such a way as to safeguard controlled and sound operations. The DNB has developed an assessment framework consisting of a selection9 from COBIT in order to test the security of information. Specifically, financial companies must comply with a maturity level of at least three for the selected controls. The controls IT risk management framework, risk assessment, and maintenance and monitoring of a risk action plan a maturity level of at least 4 is required. In conclusion, it is expected that companies will report their IT-related risks and controls based on COSO and/or COBIT.
2.4
Measuring disclosure of IT-risks and controls.
In order to measure the voluntary disclosure a voluntary disclosure index (VDI) has been constructed. The VDI regarding IT-related risks and controls is established based on the principles of risk management COSO and COBIT and the requirements based on Dutch law (see Appendix A). The main topics are:
IT strategy; Risk assessment; Control activities.
There are two ways to determine the level of voluntary disclosure: weighted and unweighted (T.E. Cooke, 1989). The weighted approach states that information has a different importance to the users of the annual report. Professional judgment is required to determine the weight of the voluntary disclosure index. This approach leads to a scale that varies between zero and one. This implies that scores are subjective and are derived by the perception of the author of this research. Therefore, the assumption is used that each item is equally important for the different users of the annual report (T.E. Cooke, 1989), (R.S.O. Wallace, 1994), (Akhtaruddin, 2005), (H. De La Bruslerie, 2010), and (B. Omar, 2011).
9 A total of 54 COBIT controls are identified regarding the security of information. Financial companies need to assess these controls and report to the DNB periodically.
12 A score of one is given when the item is disclosed in the annual report and a score of zero when it is not disclosed. Twenty elements are included in the voluntary disclosure index. The total disclosure is the total of score per individual element of the voluntary disclosure index. The maximum score is twenty and the minimum score zero. The higher the score on the index, the more IT risk are reported in the annual report.
2.5
Conclusion.
This chapter explained the reporting disclosure requirements based on Dutch law. The conclusion is made that disclosure requirements regarding IT-related risks and controls are not embedded in Dutch law nor in the RJ. Based on the information asymmetry and the agency theory, it is expected that companies and their directors will voluntarily disclose their main IT-related risks and controls because of the benefits for the company. In addition, the internal control over financial reporting frameworks COSO and COBIT are discussed. These two frameworks are considered the Standard regarding the disclosure of internal control over financial reporting. Based on the COSO and COBIT frameworks, the voluntary disclosure index regarding the IT-related risks and controls is conducted. In chapter 3, the methodology of this research is discussed.
13
Chapter 3
Methodology
3.1
Introduction.
This chapter discusses the research design and the methodology used to conduct this research. The first section provides insight into the research design. The second section encompasses the methodology and the research design. Eight hypotheses are postulated to answer research questions three and four. The last section presents the research model based on the hypotheses formulated in the second section.
3.2
Research design.
In order to answer the problem statement, data is collected by analysing the annual reports 2014 and 2009 of Dutch listed companies positioned in the Amsterdam Exchange Index (AEX), the Amsterdam Midcap Index (AMX), and the Amsterdam small cap index (AScX). The AEX index represents the 25 largest securities on the Euronext Amsterdam, based on their market cap. The AMX index represents the midsize, the next 25 largest securities (26-50) on the Euronext Amsterdam. The AScX index represents the small size, the next 25 largest securities (51-75) on the Euronext Amsterdam. Because this research compares the years 2014 and 2009, in which these firms need to be listed for a consecutive five-year period on the AEX, the AMX, and the AScX, the sample size decreases by 23 companies. The selected sample size for this research consists of 20 AEX companies, 20 AMX companies, and 12 AScX companies, which amounts to a sample size of 52 companies (N=52). Collectively, 104 annual reports were analysed over the years. In appendix B, an overview of all companies is included. The companies that presented their annual report in foreign currencies are converted by the exchange rate per December 31, 2014 and 2009 respectively. In appendix B, the employed exchange rates are included. When, for example, the fiscal year refers to 2009 / 2010, the financial data at the end of June 2010 is used as a proxy.
3.3
Methodology
The AEX, AMX, and AScX indexes are selected because these indexes represent the largest companies in the Netherlands. It is expected that the largest companies will disclose more information in comparison to smaller companies because they have more resources and more political pressure to disclose information (Meckling, 1976), (G.K. Meek, 1995) and (J.J. Archambault, 2003). The dependent variable used in this research is the voluntary disclosure index (see Chapter 2.4). The independent variables (i.e., the company characteristics) are determined based on prior research. Based on prior research, the following company characteristics were selected:
Table 1: Company characteristics
Company characteristics
Euronext Amsterdam Index Leverage of the company
Primary industry Profitability of the company
14 Because there is no research available regarding IT-related risks and controls, the company characteristics of prior research that find empirical evidence of increased voluntary disclosure were selected for this research. Based on the results of this exploratory research, additional company characteristics could be investigated in future research.
3.3.1. Voluntary disclosure index
In paragraph 2.4., the voluntary disclosure index is designed. This index is calculated based on the total score on IT strategy, risk assessment of IT risks, and the reported IT control activities. The variable voluntary disclosure index is described as VDI. The insight report “Global Risks 2014” (World Economic Form, 2014) (see Chapter 1.2) shows an increase in risks regarding Information and Communication Technology (ICT) in comparison with the insight report 2009. That leads to the first hypothesis that is tested in this research: Hypothesis 1: The amount of disclosure of IT-related risks and controls is significantly changed over the period 2014 and
2009.
A second hypothesis is conducted to ascertain whether certain company characteristics have increased their reporting IT-related risks and controls in 2014 in comparison to 2009.
Hypothesis 2: The amount of disclosure of IT-related risks and controls is significantly changed for the company characteristics10 over the period 2014 and 2009.
3.3.2. Euronext Amsterdam Index
The Euronext Amsterdam index (EAI) is defined as the Amsterdam Exchange Index (AEX), the Amsterdam Midcap Index (AMX), and the Amsterdam small cap index (AScX). Distinction is made between the three indexes because they face different capital market pressure to disclose information11. Companies that raise capital internationally are likely to disclose more information in the annual report to reduce the cost of capital as discussed in paragraph 2.2.2. Therefore, it is expected that the score of the voluntary disclosure index is higher for companies located in the AEX than for companies located in the AScX. Both Botosan and Meek find evidence that if the company is internationally oriented, it is more likely to disclose more financial information (G.K. Meek, 1995) and (Botosan C. , 1997). Furthermore, (G.K. Meek, 1995) argues that the larger a company is, the lower the information production costs and, as a result, large firms are expected to disclose more information.
Hypothesis 3: The level of disclosure of IT-related risks and controls is positively related to the Euronext Amsterdam index
10 Company characteristics: Euronext Amsterdam Index, leverage, primary industry, profitability, size and auditor 11 The Euronext Amsterdam Index is determined by the year 2014. The assumption is made that the index 2014 = index 2009
15
3.3.3. Primary industry
The primary industry is defined by the Industry Classification Benchmark (ICB). The ICB is maintained by FTSE International Limited and is a system that categorizes the companies per industry. The sample comprises the following nine industries: Industrials, Consumer Goods, Financials, Consumer Services, Basic Materials, Technology, Health Care, Oil and Gas, and Telecommunications. It is proposed that different industries may be affected by different influences regarding their IT risk disclosure. Specifically, research done by Cooke, Wallace, and Meek provides evidence that the industry type could affect the level of disclosure (T.E. Cooke, 1989), (R.S.O. Wallace, 1994), (G.K. Meek, 1995).
Hypothesis 4: The level of disclosure of IT-related risks and controls is positively related to the Industry Classification Benchmark
3.3.4. Size of the company
The size of the company is divided in three variables, namely, turnover (TO), total assets (TA), and total equity (TE). The size of the company is included as a variable due to the expectation that larger companies have more resources and more political pressure to voluntarily disclose information to reduce their agency costs (Meckling, 1976), (G.K. Meek, 1995), and (J.J. Archambault, 2003).
Hypothesis 5: The level of disclosure of IT-related risks and controls is positively related to the size of the company
3.3.5. Leverage of the company
The leverage of the company is divided into two variables, namely, equity to debt (TB_TE) (total debt / total Equity) and current liabilities to equity (CL_TE) (total current liabilities / total equity). Research on this subject is contradictory. Barton finds supporting evidence that the leverage of a company is related to the level of voluntary disclosure (J.Barton, 2004). Others argue that companies have an incentive to reduce the information asymmetry by increasing their level of voluntary disclosure (G.K. Meek, 1995) (J.J. Archambault, 2003). Meek and Archambault did not find evidence that the leverage is positively related to the level of voluntary disclosure. They argue that the lenders are able to obtain relevant information directly from the company. In this research, it is assumed that the leverage is positively related to the level of voluntary disclosure.
16
3.3.6. Profitability of the company
The profitability of the company is divided into two variables, namely, net income (NI) and return on equity (NI_TE) (net income/total equity). The profitability of a company has been used as a variable in research. The profitability is positively related to the level of voluntary disclosure, according to research (S. Chen, 2008). It is argued that the voluntary disclosure can affect investor decision making. On the other hand, further research (G.K. Meek, 1995) did not find a relation between the level of voluntary disclosure and the profitability of the company. This research assumes that there is a positive relation between the level of voluntary disclosure and the profitability of a company.
Hypothesis 7: The level of disclosure of IT-related risks and controls is positively related to the profitability of the company
3.3.7. Auditor of the company
The auditor of the company (AUDITOR) is positively related to the level of voluntary disclosure. (Wallace R.S.O., 1994) and (J.J. Archambault, 2003) argue that a Big Four audit firm compels companies to voluntarily disclose more information. A Big Four auditor has, in comparison to a small audit firm, greater resources, technical knowledge, and global reach. The assumption is made that the level of voluntary disclosure is positively related to the auditor of the firm.
Hypothesis 8: The level of disclosure of IT-related risks and controls is positively related to the auditor of the company
3.4
Research model
To answer the aforementioned hypotheses, three research models were designed. The first model compares the mean change VDI change between the years 2014 and 2009. This model is used to explain whether the level of disclosure of IT-related risks and controls has significantly changed over the period 2014 and 2009. A matched pairs design was employed to test whether 2014 differs significantly from 2009 in terms of VDI, resulting in the following comparison (comparison c between each pair i) to test hypothesis 1:
𝑌̂1 VDI_CHANGE = (𝑉𝐷𝐼2014𝑖− 𝑉𝐷𝐼2009𝑖)
The VDI_CHANGE is then compared to the company characteristics and explains whether the level of disclosure of IT-related risks and controls has significantly changed over the period 2014 and 2009 for specific company characteristics to test hypothesis 2.
𝑌̂2 VDI_CHANGE = ∑ EAI(x1) + ICB(x2) + AUDITOR(x3)
+ TO(x4) + TA(x5) + TE(x6) +
TB_TE(x7) + CL_TE(x8) + NI(x9) + TO_TE(x10) +ε
17 The third model relates the level of voluntary disclosure and the company characteristics in the years 2009 and 2014 separately and is used to test the remaining hypotheses (3, 4, 5, 6, 7, and 8):
𝑌̂3𝑎 VDI_CHARACTERISTICS2009 = ∑ EAI(x1) + ICB(x2) + AUDITOR2009(x3)
+ TO2009(x4) + TA2009(x5) + TE2009(x6) +
TB_TE2009(x7) + CL_TE2009(x8) + NI2009(x9) + TO_TE2009(x10) + ε
𝑌̂3𝑏 VDI_CHARACTERISTICS2014 = ∑ EAI(x1) + ICB(x2) + AUDITOR2014(x3)
+ TO2014(x4) + TA2014(x5) + TE2014(x6) +
TB_TE2014(x7) + CL_TE2014(x8) + NI2014(x9) + TO_TE2014(x10) + ε
3.5
Conclusion.
This chapter has explained the research design and the methodology used to conduct the research on voluntary disclosure regarding IT-related risks and controls. Eight hypotheses have been formulated based on prior research to answer research questions three and four. Based on these hypotheses, a research model has been designed. In chapter 4, the results of these models are discussed.
18
Chapter 4
Analysis
4.1
Introduction.
This chapter outlines the results of the conducted analyses. First, descriptive statistics and the correlations are presented. Second, the results of the regressions are outlined, testing the association between the level of disclosure 2014 in comparison with 2009. The last section presents a concluding overview of the results.
4.2
Descriptive statistics.
In table 2, the descriptive statistics of the dependent variable VDI in 2014 and 2009 are presented. The total voluntary disclosure scores are divided into IT strategy, risk assessment, and control activities. The total voluntary disclosure scores lie in a range between zero and nine. The maximum score a company could score on the voluntary disclosure index is a score of twenty.
Table 2: Descriptive statistics of the dependent variable
Minimum Maximum Mean Std.deviation
Total VDI 2014 (20) 0 9 3.98 3.36 IT strategy (8) 0 5 1.94 1.59 Risk assessment (7) 0 3 1.19 1.05 Control activities (5) 0 4 0.85 1.04 Total VDI 2009 (20) 0 9 2.57 3.21 IT strategy (8) 0 5 1.31 1.64 Risk assessment (7) 0 3 0.87 1.09 Control activities (5) 0 1 0.40 0.50 Note 2014: N=52 Note 2009: N=52
Table 3 and 4 shows the minimum, maximum, mean, and standard deviation of the independent variables of 2014 and 2009. There is a broad range of variation in turnover, total assets, total equity, and net income. For example: Turnover 2014 ranges from 82,264,000 to 317,218,000,000 with a mean of 13,930,566,088 and standard deviation of 44,858,388,519. The total assets 2014 ranges from 117,123,000 to 992,856,000,000 with a mean of 42,690,296,103 and standard deviation of 152,100,225,822. Total equity 2014 ranges from 632,000.000 and 142,289,271,000 with a mean of 7,535,013,274 and standard deviation of 21,886,940,279 and net income 2014 ranges from -1,939,747,500 to 11,204,584,200 with a mean of 517,337,561 and standard deviation of 1,782,253,222. The distribution of turnover, total assets, total equity, and net income are skewed (2014 and 2009). The skewness can be fixed by omitting outliners or by transforming variables in the dataset. No transformations are performed because the conducted analyses are relatively robust against deviations from normality (i.e., ANOVA and regression).
19
Table 3: Descriptive statistics of the independent variable 2014
Minimum Maximum Mean Std.deviation
Euronext Amsterdam Index 1 3 1.85 0.78
Industry Classification Benchmark 1 9 3.19 2.23 Turnover 82,264,000 317,218,000,000 13,930,566,088 44,858,388,519 Total assets 117,123,000 992,856,000,000 42,690,296,103 152,100,225,822 Total Equity -632,000,000 142,289,000,000 7,535,013,274 21,886,940,279 Equity to debt -37.76 58.45 3.75 11.19
Current liabilities to equity -18.71 52.55 1.52 7.77
Net income -1,939,747,500 11,204,584,200 517,337,561 1,782,253,222
Return on equity -9.36 0.87 -0.12 1.35
Auditor 1 4 2.40 1.16
Note 2014: N=52
Table 4: Descriptive statistics of the independent variable 2009
Minimum Maximum Mean Std.deviation
Euronext Amsterdam Index 1 3 1.85 0.78
Industry Classification Benchmark 1 9 3.19 2.23 Turnover 103,794,000 200,017,172,000 10,895,950,126 29,245,147,029 Total assets 71,892,215 1,163,643,000,000 40,647,966,182 166,677,894,915 Total Equity 39,381,540 96,376,789,500 5,863,549,363 15,527,634,188 Equity to debt 0.41 31.76 3.57 6.08
Current liabilities to equity 0.00 4.35 0.94 0.97
Net income -1,467,800,000 20,400,000,000 750,901,252 3,114,898,787
Return on equity -1.42 1.08 0.09 0.29
Auditor 0.00 5.00 2.73 1.21
Note 2009: N=52
Main findings:
The descriptive statistics quantitatively describes the main features of the VDI and the company characteristics. The VDI is based on 20 elements as described in section 2.4. The maximum score on the voluntary disclosure index for a year is 1.040 (52 companies * maximum score of 20). In 2014 the total score was 207 (19.9%) and respectively 134 (12.8%) in 2009. In appendix C, a graphical overview for the company characteristics Euronext Amsterdam Index and the VDI for the Industry Classification Benchmark are included12 for VDI 2014 and VDI 2009. Another assumption could be that the internal control system of companies is not appropriately designed and publication of this information could hurt the company; therefore, companies could have an incentive not to publish this information to their stakeholders, but additional research is required.
20 Based on the scores on the VDI, the following elements produced low scores13 in either 2014 or 2009: Follow up on previous reported main IT goals;
Attitude towards ethic/environmental IT questions is provided; Significant IT issues during the year;
Information disclosed regarding the likelihood that these IT risks occur; The IT risks are quantified (sensitivity analysis);
Information disclosed regarding the likelihood that these IT risks occur;
Information disclosed regarding the design and operational effectiveness of the internal risk management and controls system by Management14;
Information disclosed regarding the design and operational effectiveness of the internal risk management and controls system by External Auditor;
Information disclosed regarding the impact on equity of the firm;
Information disclosed regarding significant deficiencies in the internal risk management and controls system;
Information disclosed regarding significant changes / improvements in the internal risk management and controls system.
The present research is conducted on Dutch listed companies and concentrates on the disclosure of specific IT-related risks and controls. Theory suggests that voluntary disclosure makes the capital allocation process more efficient and reduces the average cost of capital for a company (Financial Accounting Standards Board, 2011). Management provides disclosure through their annual report and other regulatory filings to their stakeholders. However, there is still an information asymmetry and agency conflicts between the managers and their outside investors. The trade-off between the benefits of reducing the information asymmetry and the costs of aiding competitors by revealing proprietary information regarding the IT-related risks and controls could explain the low score on the voluntary disclosure index. Based on these scores, the question arises whether the directors’ report is compliant with Dutch law as stated in section 2.2. This is not within the scope of this research, but it could be a subject for further research.
13 VDI score ≤3
14 In this research the In-control statement by management is not seen as information regarding the design and operational effectiveness of the IT-related risks and controls
21 The following elements produced a high score15 on the VDI in both 2014 and 2009:
A statement of corporate IT goals or objectives;
A general statement of corporate IT strategy is provided; Actions taken to achieve the corporate IT goal are discussed; Risks16 identified to achieve IT related objectives;
IT related risks are categorized17 by management;
Information disclosed regarding the standards used18 to evaluate the design and operational effectiveness of the internal risk management and controls system.
The conclusion is made that the directors’ report mainly focuses on the IT objectives, the IT strategy, and the IT risks. The controls to mitigate these risks are not defined as a high score. Directors are aware of the IT risks that the company is facing, and publish this information through the directors’ report. The assumption exists that effective controls are not in place, or still “work in process” and therefore, not published in the directors’ report. This assumption is not tested in the research, but it could be a subject for further research.
Correlation
Correlations between the dependent variable and independent variables are presented in tables 5 and 6. In general, correlations coefficient ranges from -1 to +1. Values close to -1 (negative) or +1 (positive) indicate a very strong linear relationship. The closer the correlation is to zero, the weaker the relationship.
Based on the correlations for 2014, a relatively strong negative correlation19 exists between: Euronext Amsterdam Index and Total Equity;
Equity to debt and Return on equity;
Current liabilities to equity and Return on equity.
15 VDI score ≥ 20
16 Companies reported risks regarding confidentiality, integrity and availability, Data fraud or theft, and infrastructure breakdown.
17 Companies categorized the risk based on the COSO standards: strategic risks, operational risks, reporting risks and compliance
18 As an result of this research, the COSO standards, to evaluate the design and operational effectiveness of the internal risk management and controls system, are the Standard
19 Note: correlation is also used, for independent variables (Euronext Amsterdam Index and Industry Classification Benchmark) where a bi-serial point correlation applicable is.
22 The 2014 correlations also suggest a relatively strong positive correlation between:
Turnover and Total Equity; Turnover and Net income; Total assets and Total Equity; Total Equity and Net income;
Equity to debt and Current liabilities to equity.
The correlations for 2009 also suggest some strong relationships. For instance, there is a strong negative relation between the Euronext Amsterdam Index and Total Equity, and strong positive relations regarding Turnover with Total assets, Total Equity, and Net income. The same applies to the variables Total assets and Total Equity, Equity to debt and the variables Total Equity and Net income. In addition, Net income and Return on equity suggest that a strong positive relation exists.
Main findings:
Aforementioned strong correlations could hint at an issue of multicollinearity20 that could appear when performing the regression analysis, meaning that one variable can be linearly predicted from the others with a non-trivial degree of accuracy. To overcome this problem, the regression analysis is tested, one independent variable at a time. By doing this, the multicollinearity will not be accounted for in the regression analysis.
20 Multicollinearity is a state of very high intercorrelations or inter-associations among the independent variables. It is therefore a type of disturbance in the data, and if present in the data, the statistical inferences made about the data may not be reliable (Solutions, 2015). In this research, the multicollinearity is probably caused by the inclusion of variables that are computed from other variables in the data set. As a solution, the regression analysis will be tested, one independent variable at a time.
23
Table 5: Means, standard deviations and Pearson correlations between variables 2014
Variable 2014 M SD 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.
(1) Voluntary Disclosure Index 3.98 3.36 -
(2) Euronext Amsterdam Index 1.85 0.78 .07 -
(3) Industry Classification Benchmark 3.19 2.23 .13 (.13) - (4) Turnover 13,930,566,088 44,858,388,519 (.19) (.30)* .30* - (5) Total assets 42,690,296,103 152,100,225,822 (.02) (.30)* .08 .31* - (6) Total Equity 7,535,013,274 21,886,940,279 (.16) (.36)** .30* .92** .60** - (7) Equity to debt 3.75 11.19 .07 .10 (.16) (.05) .19 .03 -
(8) Current liabilities to equity 1.52 7.77 .10 .22 (.18) (.06) (.06) (.05) .82** -
(9) Net income 517,337,561 1,782,253,222 (.07) (.32)* .19 .86** .31* .80** (.01) (.04) -
(10) Return on equity (0.12) 1.35 (.06) (.21) .15 .04 .04 .05 (.69)** (.92)** .09 -
(11) Auditor 2.40 1.16 .05 (.08) (.06) (.14) (.02) (.12) (.06) .01 (.02) (.09) -
Note: N=52
** Correlation is significant at the 0.01 level (2-tailed). * Correlation is significant at the 0.05 level (2-tailed).
Table 6: Means, standard deviations and Pearson correlations between variables 2009
Variable 2009 M SD 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.
(1) Voluntary Disclosure Index 2.58 3.21 -
(2) Euronext Amsterdam Index 1.85 0.78 .07 -
(3) Industry Classification Benchmark 3.19 2.23 (.01) (.13) - (4) Turnover 10,895,950,126 29,245,147,029 .18 (.35)* .30* - (5) Total assets 40,647,966,182 166,677,894,915 .21 (.26) .05 .37** - (6) Total Equity 5,863,549,363 15,527,634,188 .16 (.38)** .30* .95** .50** - (7) Equity to debt 3.57 6.08 .15 (.03) (.06) .08 .62** .15 -
(8) Current liabilities to equity 0.94 0.97 (.05) .27 (.28)* (.08) (.19) (.17) (.07) -
(9) Net income 750.901.252 3.114.898.787 .19 (.25) .14 .47** .2 .43** .18 (.12) -
(10) Return on equity 0.09 0.29 .05 (.16) .08 .08 .06 .05 .11 (.18) .50** -
(11) Auditor 2.73 1.21 .16 .29* (.16) (.25) (.01) (.19) .14 .09 (.1) (.07) -
Note: N=52
** Correlation is significant at the 0.01 level (2-tailed). * Correlation is significant at the 0.05 level (2-tailed).
24
4.3
Research results.
This section will present the results of the regression analysis that tested the hypotheses formulated in section 3.3. The first section revolves around the VDI_CHANGE and uncovers that there is a relationship between changes in score on the voluntary disclosure index in 2014 in comparison 2009 for certain company characteristics. The second section depicts results regards the reported IT risks and controls that companies have reported in 2014 and 2009 in relation to their company characteristics.
4.3.1 Reported IT risks and controls in 2014 in comparison to 2009
First, a paired-samples T-test was employed to test the level of disclosure of IT-related risks and controls over the period 2014 and 2009, which is used to answer hypothesis 1. Then, the independent variables Euronext Amsterdam Index, Industry Classification Benchmark, and Auditor21 are examined in relation to the level of disclosure of IT-related risks and controls over the period 2014 and 2009 using the Analysis of Variance (ANOVA) model.
The analysis (see Table 7) shows a strong positive relationship between the change voluntary disclosure indexes in 2014 compared to the score in 2009. VDI_CHANGE indicates p-value < 0.05. In summary, this indicates that hypothesis 1 regarding the level of disclosure of IT-related risks and controls significantly changed over the period 2014 and 2009 has been answered. The coefficients for the change the voluntary disclosure index is considered strongly significant.
Table 7: Paired samples T-test VDI2014 and VDI2009
Paired samples T-test µ SE µ t p
𝑽𝑫𝑰_𝑪𝑯𝑨𝑵𝑮𝑬 1.4 51 2.58 0.01**
Note:
** Correlation is significant at the 0.01 level. * Correlation is significant at the 0.05 level.
The analysis (see Table 8) shows that there is a strong positive relationship between the changes in score on the voluntary disclosure index in 2014 compared to 2009 for the company characteristics:
Euronext Amsterdam Index: AMX;
Industry Classification Benchmark: Technology;
Auditors: Deloitte Accountants B.V. and KPMG Accountants N.V.
VDI_CHANGE indicates p-value < 0.05. This answers hypotheses 2 regarding the level of disclosure of IT-related risks and controls significantly changed for the defined company characteristics over the period 2014 and 2009.
21 Based on the P-score of hypotheses 3-7 (see paragraph 4.3.2.) regarding the company characteristics, Euronext Amsterdam Index, Industry Classification Benchmark, and Auditor, an additional analysis is made based on the VDI_CHANGE of these company characteristics. Based on the P-score of the characteristics size, leverage, and profitability, these characteristics are excluded from the additional analysis.
25
Table 8: Paired sample T-test VDI_CHANGE and Company characteristics
Paired samples T-test µ SE µ t p
Euronext Amsterdam Index
VDI_CHANGE and AEX 0.65 19 0.66 0.52
VDI_CHANGE and AMX 2.40 19 3.42 0.003**
VDI_CHANGE and AScX 1.00 11 0.82 0.43
Industry Classification Benchmark
VDI_CHANGE and Basic Materials 1.67 2 0.61 0.60
VDI_CHANGE and Consumer Goods 1.5 5 0.81 0.46
VDI_CHANGE and Consumer Services 0,57 6 1.55 0.17
VDI_CHANGE and Financials (0.10) 9 (0.70) 0.94
VDI_CHANGE and Health Care 1 - - - -
VDI_CHANGE and Industrials 1.41 16 1.61 0.13
VDI_CHANGE and Oil & Gas 2.00 2 0.50 0.67
VDI_CHANGE and Technology 6.5 3 4.91 0.02**
VDI_CHANGE and Telecommunications 1 - - - -
Auditor
VDI_CHANGE and Deloitte Accountants B.V. 2.57 13 2.6 0.02** VDI_CHANGE and Ernst and Young Accountants LLP (1.30) 9 1.26 0.23 VDI_CHANGE and KPMG Accountants N.V. 2.85 12 2.85 0.01** VDI_CHANGE and PricewaterhouseCoopers Accountants N.V. 0.87 14 0.76 0.46 VDI_CHANGE and BDO Audit & Assurance B.V.2 - - -
Note:
** Correlation is significant at the 0.01 level. * Correlation is significant at the 0.05 level.
1: The health care and telecommunications industries were excluded from the analysis because they remained the same across the two years 2014 and
2009. Specifically, healthcare scored a VDI of 0 in both years.
2: BDO Audit & Assurance B.V. is excluded from the analysis because they scored a VDI of 0 in both years.
Main findings:
Empirical evidence suggests that disclosure in 2014 has significantly increased in comparison to 2009. For companies with the following characteristics, the disclosure in 2014 has significantly increased in comparison to 2009:
Euronext Amsterdam Index: AMX;
Industry Classification Benchmark: technology;
Auditor: Deloitte Accountants B.V. and KPMG Accountants N.V.
26
4.3.2 Reported IT risks and controls 2014 and 2009 in relation to their company characteristics First, the influence of reported IT risks and controls is examined via a linear regression analysis in relation to their company characteristics, which was used to answer hypothesis 5, 6, and 7.
4.3.2.1. Outcome 2014: VDI analysis regarding size, leverage, and profitability of the company The analysis (see Table 9) shows that there is no significant relationship in 2014 between the score on the voluntary disclosure index and the size of the company. VDI_2014 and TO_2014, TA_2014, TE_2014 indicates p-value > 0.05. Likewise, the analysis (see Table 9) seems to indicate that there is no relationship between the score on the voluntary disclosure index and the leverage of the company. VDI_2014 and TB_TE_2014, CL_TE_2014 indicates p-value > 0.05. Finally, the analysis (see Table 9) seems to indicate that there is no relationship between the score on the voluntary disclosure index and the profitability of the company. VDI_2014 and PM_2014, TO_TE_2014 indicates p-value > 0.05.
Table 9: Regression of the independent variables on the Voluntary Disclosure Index 2014
Regression 201422 B SE B t p
Turnover (b1) ± 0 0 (1.39) 0.17
Total assets (b2) ± 0 0 (0.12) 0.91
Total Equity (b3) ± 0 0 (1.18) 0.25
Equity to debt (b4) 0.02 0.04 0.5 0.62
Current liabilities to equity (b5) 0.05 0.06 0.73 0.47
Net income (b6) ± 0 0 (0.48) 0.64
Return on equity (b7) (0.15) 0.35 (0.43) 0.67
Note: Degrees of freedom is df = 50. Constant is included for completeness, since it is reflected in the regression equation. ** Correlation is significant at the 0.01 level.
* Correlation is significant at the 0.05 level.
Main findings:
The company characteristics regarding size, leverage, and profitability of the company are not significantly related to the amount of disclosure in 2014.
27
4.3.2.2. Outcome 2009: VDI analysis regarding size, leverage and profitability of the company
The analysis (see Table 10) also shows that there is no relationship in 2009 between the score on the voluntary disclosure index and the size, leverage, and profitability of the company. VDI_2009 and TO_2009, TA_2009, TE_2009, TB_TE_2009, CL_TE_2009, PM_2009, TO_TE_2009 indicates p-value > 0.05. In summary, the results that have been presented answer hypothesis 5, 6, and 7 regarding the level of disclosure of IT-related risks and controls related to the size, leverage, and profitability. The linear regression analysis does not support the hypothesis. The coefficients of size, leverage, and profitability are not significant.
Table 10: Regression of the independent variables on the Voluntary Disclosure Index 2009
Regression 200923 B SE B t p
Turnover (b1) ± 0 0 1.33 0.19
Total assets (b2) ± 0 0 2.30 0.14
Total Equity (b3) ± 0 0 1.15 0.25
Equity to debt (b4) 0.08 0.07 1.10 0.28
Current liabilities to equity (b5) (0.18) 0.47 (0.38) 0.71
Net income (b6) ± 0 0 1.34 0.19
Return on equity (b7) 0.60 1.54 0.39 0.70
Note: Degrees of freedom is df = 50. Constant is included for completeness, since it is reflected in the regression equation. ** Correlation is significant at the 0.01 level.
* Correlation is significant at the 0.05 level.
Main findings:
The company characteristics regarding size, leverage, and profitability of the company are not related to the amount of disclosure in 2009.
4.3.2.3. VDI analysis regarding index, industry, and auditor of the company Euronext Amsterdam Index
The company characteristics Euronext Amsterdam Index, primary industry, and auditor of the company in relation to the reported IT risks and controls are tested via analysis of variance (ANOVA). The analysis of variance regarding the Euronext Amsterdam Index (see Table 11) shows that there is a weak positive relation (trend) in 2009 between the score on the voluntary disclosure index and the Euronext Amsterdam Index. VDI_2009 and EAI_2009 indicate p-value < 0.10. No relationship has been found between the score on the voluntary disclosure index and the Euronext Amsterdam Index in 2014. VDI_2009 and EAI_2009 indicate p-value > 0.05. In summary, the results that have been presented answer hypothesis 3 regarding the level of disclosure of IT-related risks and controls related to the Euronext Amsterdam index. The analysis of variance finds weak evidence in 2009 to support the hypothesis. The analysis of variance finds no further evidence in 2014 to support the hypothesis, as the coefficients for Euronext Amsterdam index are not significant.
28
Table 11: Analysis of variance Euronext Amsterdam Index
Analysis of variance SS df MS F p
Euronext Amsterdam Index 2014
Between 5.76 2 2.88 0.25 0.78
Within 571.22 49 11.66
Total 576.98 51
Euronext Amsterdam Index 2009
Between 50.03 2 25.01 2.58 0.09
Within 474.67 49 9.69
Total 524.69 51
Note:
** Correlation is significant at the 0.01 level. * Correlation is significant at the 0.05 level.
Primary industry
The analysis of variance regarding the primary industry (see Table 12) shows that there is no significant relationship in 2014 or 2009 between the score on the voluntary disclosure index and the primary industry of the company. VDI_2014 and ICB_2014, VDI_2009 and ICB_2009 indicate p-value > 0.05. In summary, the results that have been presented answer hypothesis 4 regarding the level of disclosure of IT-related risks and controls related to the Industry Classification Benchmark. The analysis of variance finds no evidence in 2014 or 2009 to support the hypothesis, as the coefficients for Industry Classification Benchmark are not significant.
Table 12: Analysis of variance Primary industry
Analysis of variance SS df MS F p Primary industry2014 Between 71.98 8 9 0.77 0.63 Within 505 43 11.74 Total 576.98 51 Primary industry2009 Between 75.65 8 9.46 0.91 0.52 Within 449.05 43 10.44 Total 524.69 51 Note:
** Correlation is significant at the 0.01 level. * Correlation is significant at the 0.05 level.
29
Auditor
The auditor of the company in relation to the reported IT risks and controls is examined via the auditor analysis of variance (see Table 13). The analysis of variance shows that there is a weak positive relation (trend) in 2014 and in 2009 between the score on the voluntary disclosure index and the auditor. VDI_2014 and AUDITOR_2014, VDI_2009 and AUDITOR_2009 indicate p-value < 0.10. In summary, the results that have been presented answer hypothesis 8 regarding the level of disclosure of IT-related risks and controls related to the auditor. The analysis of variance finds weak evidence in 2014 and 2009 to support the hypothesis. Therefore, the coefficients for the auditor hint at a positive relationship, but more research should be conducted to determine whether this finding can be replicated.
Table 13: Analysis of variance Auditor of the company
Analysis of variance SS df MS F p
Auditor of the company 2014
Between 85.13 4 28.38 2.77 0.05
Within 491.86 47 10.25
Total 576.98 51
Auditor of the company 2009
Between 84.64 4 21.16 2.26 0.08
Within 440.06 47 9.66
Total 524.69 51
Note:
** Correlation is significant at the 0.01 level. * Correlation is significant at the 0.05 level.
Main findings
Empirical evidence suggests that the company characteristic auditor influences24 the amount of disclosure in both 2014 and 2009. The company characteristic Euronext Amsterdam Index influences the amount of disclosure in 2014 (no relation is found regarding 2009). The characteristics primary industry and Euronext Amsterdam Index 2009 do not influence the amount of disclosure.
30
4.4
Conclusion.
This chapter explained the research conducted to answer the hypotheses. There is empirical evidence regarding the level of disclosure of IT-related risks and controls of Dutch listed companies positioned in the AEX, AMX, and AScX indexes in fiscal year 2014 in comparison to 2009. It also concluded that certain characteristics have increased their level of disclosure of IT-related risks and controls in 2014 in comparison to 2009. Regarding the voluntary disclosure index in 2014 and 2009, no particularly strong25 empirical evidence has been found regarding the level of disclosure of IT-related risks and controls and the company characteristics. The results are summarized in table A:
Table 14: Overview of the accepted and rejected hypotheses
Nr Hypotheses Test Conclusion
1 The amount of disclosure of IT-related risks and controls is
significantly changed over the time period 2014 and 2009. Paired samples T-test p-value <0.05 Accepted 2 The amount of disclosure of IT-related risks and controls is
significantly changed for the company characteristics26 over the time
period 2014 and 2009.
- Characteristic: EAI: AMX Paired samples T-test Accepted p-value <0.05 - Characteristic: ICB: Technology Paired samples T-test Accepted
p-value <0.05 - Characteristic: Auditor Deloitte Paired samples T-test Accepted
p-value <0.05 - Characteristic: Auditor KPMG Paired samples T-test Accepted
p-value <0.05 - Other characteristics Paired samples T-test Rejected
p-value >0.05 3 The level of disclosure of IT-related risks and controls is positively
related to the Euronext Amsterdam index Analysis of variance p-value >0.05 Rejected 4 The level of disclosure of IT-related risks and controls is positively
related to the Industry Classification Benchmark Analysis of variance p-value >0.05 Rejected 5 The level of disclosure of IT-related risks and controls is positively
related to the size of the company Regression p-value >0.05 Rejected 6 The level of disclosure of IT-related risks and controls is positively
related to the leverage of the company Regression p-value >0.05 Rejected 7 The level of disclosure of IT-related risks and controls is positively
related to the profitability of the company Regression p-value >0.05 Rejected 8 The level of disclosure of IT-related risks and controls is positively
related to the auditor of the company Analysis of variance p-value >0.05 Rejected
25 Significant P ≤ 0,05
