The effectiveness of intarnal controls over financial reporting

This thesis addresses the topic of Internal Controls over Financial Reporting. This topic has been widely addressed by the researches in the United States of America (US) after the Sarbanes-Oxley Act due to the increase of responsibilities on these controls. Italy has followed the US regulation with the law number 262 of 2005 and Internal Controls over Financial Reporting have become of the interest of the regulators and of the companies that have to implement their evaluation. The thesis aims to analyze the effectiveness of Internal Controls over Financial Reporting. The effectiveness can be analyzed looking at the output of the Internal Controls over Financial Reporting evaluation or looking at the procedures used in this evaluation. The outputs of the evaluation are the Internal Control Deficiencies found and disclosed to the market by the responsible for Internal Controls over Financial Reporting, that usually is the Chief Financial Officer (CFO). Literature based on Sarbanes-Oxley Act usually uses this approach because in US is possible to have public data on Internal Control Deficiencies disclosed to the market. In Italy this kind of disclosure is limited, thus one part of the thesis analyzes the Internal Control Deficiencies found by the companies but not disclosed to the market because under the materiality level. The thesis looks at the Internal Auditor Detection Process to understand where are the problems that bring to more severe and persistent Internal Control Deficiencies and look for the type of Internal Control Deficiencies more severe and persistent. The idea under this research is to find the more problematic issues where the companies have to focus to increase the effectiveness of their Internal Controls over Financial Reporting. Because of this difficulty in data availability for Internal Control Deficiencies, the effectiveness have been analyzed looking at the procedures used to evaluate the Internal Controls over Financial Reporting. The procedures have been analyzed looking at the quality of each phase of the audit cycle. The Internal Controls over Financial Reporting have been divided in its components of Entity Level Controls, Account-specific Controls and Information Technology Controls. Information Technology Controls Quality has been then related to audit risk and audit fees to see the relation between internal controls and external controls performed by external auditors. The idea under this research is that if the internal controls are effective and assure a higher reliability of financial reporting, the external auditors can reduce their work. Finally Information Technology Controls have been deeply investigates in their relevant component of outsourced controls. Based on specific frameworks, one part of the thesis address the Audit Quality of Outsourced Information Technology Controls, that is of significant interest nowadays. The idea under this research is that the evaluation of these controls without going directly in the outsourcers' location is not enough to assure the effectiveness and the reliability of financial reporting that use the information technology controlled. Even if the standards let to use indirect evaluation or service auditors' attestations, the thesis proposes to use the direct evaluation for a better effectiveness. Thus, the thesis is structured in three studies: 1. Audit Quality of Outsourced Information Technology Controls. 2. Information Technology Controls Quality and Audit Fees: Evidence from Italy. 3. Internal Auditor Detection Process and Internal Control Deficiencies Types. The order of the presentation follows the advancement of the paper for the publication.