JOnline: The Need for Legislation Like Sarbanes-Oxley for IT Governance: An Australian Perspective 

 
In the wake of notorious corporate failures and accounting scandals, there has been increased concern about corporate governance, especially the issue of internal controls over financial reporting. The US enacted the Sarbanes-Oxley Act as a response and other countries have responded with similar legislation.

In today's business environment, it is not difficult to observe that information technology (IT) involves most steps—if not all—in financial reporting. Accordingly, IT governance becomes a matter of concern.

Interestingly, the way that Australia responds to corporate failures is similar to the US in terms of legislation reform. By examining the extent to which current Australian regulations address IT governance in comparison to those in the US, this article discusses whether legislation like the US Sarbanes-Oxley Act of 2002 is needed in Australia.

Background

There is little doubt that the breach (or abuse) in accounting practices that are derived from and blamed for violations in corporate governance resulted in the scandals of such companies as Enron, WorldCom, Health International Holdings (HIH) Insurance and One-Tel.1 Developing standards, regulations and guidelines related to governance, including enterprise governance, corporate governance and IT governance,2 is extremely critical for rebuilding stakeholders' confidence.3

In the US, accounting standards were blamed for the issue of financial scandals. The Financial Accounting Standards Board (FASB) was criticized for accounting standards that were too lax at the time Enron collapsed.4 It is undeniable that Sarbanes-Oxley was passed in response to the instances of high-profile financial corruption.5 The objective of the Act was to restore investors' confidence in US public markets that were severely affected by business failures and corporate scandals.6 The Act has a direct influence on IT governance in organizations by requirements related to internal controls.7

Australia does not currently have any particular regulations on IT governance. However, the country does have Australian Standard for IT Governance AS8015 "Corporate Governance of Information and Communication Technology." This standard was issued by SAI Global,8 an applied information service company that helps organizations manage risk, achieve compliance and drive business improvement.

In other words, AS8015 has been regarded as a consultation document or voluntary standard in Australia. In this context, it is not difficult to understand why a number of chief information officers (CIOs) in Australia firmly believe that it is necessary to have "something of this level of authority" that describes good IT governance, gives them an independent view and shows how IT governance processes should be implemented in organizations.9 That is why many Australian companies have followed Sarbanes-Oxley as a benchmark standard.10

In recent years, there has been an increase in support for the development of standards and guidelines that particularly address the IT environment. However, Australian regulations have been built based on general principles, while many argue that specific rules are needed.11 The question is whether Australian accounting, auditing and assurance standards adequately ensure that Australian companies adhere to appropriate IT governance, or whether legislation similar to Sarbanes-Oxley is required.

Corporate Governance

The broad concept of governance encompasses corporate governance, enterprise governance and IT governance.

Corporate, Enterprise and IT Governance

Corporate governance is defined as a set of relationships among the company's management, executives and stakeholders.12 It is a system designed to direct and manage a company that influences three main aspects used for evaluating a company's success: objectives, risks and performance.13 More specifically, corporate governance deals with the responsibilities of a company's board of directors in managing the company and its relationship with stakeholders.14

Enterprise governance is described as a set of responsibilities and practices exercised by a company's board of directors and executive management with the aim of providing strategic direction that ensures the achievement of the enterprise's objectives, the appropriate management of its risks and rational use of its resources.15 Although the concept of enterprise governance is generally understood, there is no formal expression of its definition and promotion.16

While corporate and enterprise governance are driven by a company's need to cope with the many challenging matters occurring in the current business environment (e.g., recent scandals, increased competition, shareholder activism and increased emphasis on accountability), the expanding role of IT and the proliferation of technology solutions are the decisive factors driving IT governance.17

IT governance is the responsibility of company boards and executives, and is an integral part of the corporate enterprise, which embraces leadership, organizational structures and processes guaranteeing that the organization's IT sustains and extends its strategies and objectives.18 In other words, IT governance is concerned with the issues of the major responsibilities of boards, and the way to bring IT and business into alignment. IT governance not only addresses the question of prioritizing and selecting projects, but also the matter of appropriately allocating IT resources.19

Effective Corporate and IT Governance Boosts Value

Some governance experts maintain that corporations achieve good corporate governance when corporate decision making reflects the rights and responsibilities of stakeholders.20 But it is worth noting that the elements of good corporate governance vary from country to country, as a result of differences in culture.21 In an article in the Journal of Corporate Citizenship, the author argues that, in the UK, good corporate governance is obtained by trust based on the use of codes of best practice—whereas, in the US, it is based on strict compliance with the law.22

It is widely accepted that the effectiveness of IT governance is measured by the extent to which IT is in alignment with the enterprise, by the way IT facilitates the enterprise's ability to exploit opportunities and maximize benefits, by the way IT resources are utilized responsibly, and by how IT-related risks are managed appropriately.23 Hence, it can be concluded that effective IT governance boosts the enterprise's value.

Corporate and IT Governance Under Regulations

Sarbanes-Oxley produced sweeping changes not only in the field of corporate governance but also in that of IT governance. As the Act states, its aim is to protect investors by improving the accuracy and reliability of corporate disclosures that are made pursuant to the securities laws.24 In compliance with Sarbanes-Oxley, the US Securities and Exchange Commission (SEC) registrants' management is required to use such frameworks as the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control—Integrated Framework, or other frameworks that satisfy the statute without decreasing investors' benefits for evaluating a company's internal controls over financial reporting.25 This requirement directly impacts the field of IT governance because IT is the foundation of an effective system of internal controls over financial reporting.26

When it comes to the Australian corporate environment, governance of Australian corporations, not unlike that of US companies, is directly affected by company legislation (e.g., the Corporations Act of 2001, the Australian Securities and Investments Commission Act of 2001 and the Financial Services Reform Act of 2001). Apart from company legislation, Australian companies may also follow other sets of corporate governance principles, such as the Principles of Good Corporate Governance and Best Practice Recommendations by the Australian Stock Exchange, the Blue Book by the Investment and Financial Services Association Limited, or the Corporate Governance Guidelines of the Australian Council of Super Investors Inc. While management adapts its corporate governance to various sources of legislation, there is little IT governance-related legislation in Australia.27 Australian corporations may consider adopting the 8000 series of corporate governance standards28 established in 2003 by SAI Global as a means for achieving good corporate governance. Nevertheless, it is worth noting that those standards, like AS8015 mentioned previously, are voluntary standards.

Accounting and Auditing Standards in Relation to IT Governance

There is little doubt that, in today's business environment, financial reporting has become increasingly dependent on IT, which involves nearly all steps in producing financial statements. Accordingly, the area of IT governance is addressed by any legislation that aims to impact internal controls over financial reporting.

In the US

Before Sarbanes-Oxley was passed and led to the reform of business legislation, accounting standards were criticized for being too lax and having too many rules with too little room for principles-based judgments. A lack of auditor independence and the failure to detect fraud in the profession's monitoring were also parts of the problem.29

After Sarbanes-Oxley was passed, US standard setters, such as the SEC, FASB, American Institute of Certified Public Accountants (AICPA) and the US Public Company Accounting Oversight Board (PCAOB), attempted to improve accounting and auditing standards to mitigate the conflicts and inconsistencies in accounting literature.30 The SEC and PCAOB devoted considerable efforts to enforce the Act. Among the regulations and guidelines, Auditing Standard No. 2 has the most significant impact on IT governance. Auditors have adopted it to assess whether a public company's managers have accurately reported on internal controls over financial reporting. The standard requires auditors to acquire an understanding of, and evaluate, management's process for measuring the effectiveness of its company's internal controls over financial reporting. As for IT governance, auditors are required to test the IT general controls of the auditee by:

  • Evaluating the extent to which IT involves each period-end financial reporting process element
  • Making inquiries of the auditee's management or other parties by following the IT-applied process flow of actual transactions rather than reviewing the copies of documents
  • Measuring the degree to which internal controls over financial reporting rely on the effectiveness of IT general controls31

It is widely accepted that it will be costly if companies are forced to be audited by an external auditor; hence, it is necessary for management to make great efforts to ensure that the company's controls, including IT governance, comply with the standard. Clearly, then, the standard strongly influences IT governance of entities operating in the US environment.

In short, it can be concluded that the US accounting and auditing standard setters have promulgated standards and guidelines to meet requirements of the Act and deal with the deficiency and ineffectiveness of US accounting and auditing standards concerning internal controls and IT governance that led to the notorious accounting scandals and collapses in recent years.

In Australia

The focus now will be turned to corporate collapses and accounting scandals in Australia, as well as instances of inadequate accounting standards and suspect ethics leading to manipulation of financial reports and corporate failures.32 Accounting practices and the accounting regime were the main factors contributing to HIH Insurance's collapse.33 Specifically, the weaknesses of accounting and auditing, which contributed to the company's demise, represented questionable accounting practices. These practices can be termed creative accounting practices and are attributable to the negligence of auditors. It is generally acknowledged that these are crucial reasons leading to an undermining of the functions of financial reporting.

In an effort to solve, or at least mitigate, this effect, the accounting and auditing standard setters have focused on internal controls encompassing IT controls that would halt management's behaviors in pursuing self-interest and weakening governance mechanisms. However, in retrospect, the fact is that there were no accounting and auditing standards covering the issue of internal controls in the era of those failures. In other words, Australian accounting and auditing standards did nothing about internal controls, and ultimately, IT governance.

In the wake of recent corporate failures, there has been a significant increase in the accounting profession's authoritative influence on accounting standards setting and financial reporting that aim to improve the quality of auditing and accounting standards.34 According to Act No. 50 of 2001 as amended,35 all types of entities are required to apply accounting and auditing standards. In this sense, the enforcement of the accounting and auditing standard setters could contribute to better IT governance if their standards addressed issues related to this area. However, the Australian Accounting Standards Board, up until that point, had not yet covered IT controls or IT governance in any accounting standards. Before CLERP 9 Act 2004 was passed, Australian auditing standards were known as the set of Australian Auditing and Assurance Standards (AUS), Auditing and Assurance Guidance Statements (AGS), Audit and Assurance Guides, Audit and Assurance Alerts (AAA), and Guidance Notes. Among them, there are two standards (AUS 402 "Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement" and AUS 404 "Audit Implications Relating to Entities Using a Service Entity") and three guidance statements (AGS 1018 "IT Environments—Stand-Alone Personal Computers," AGS 1020 "IT Environments—On-line Computer Systems" and AGS 1022 "IT Environments—Database Systems") closely related to internal controls and IT governance.36

AUS 402 describes five core elements of internal controls, including the control environment, the entity's risk assessment process, information systems, control activities and the monitoring of control. In terms of IT control, AUS 402 strongly emphasizes IT involvement in the auditee's information systems and control activities. First, auditors are required to obtain an understanding of the information system, including the IT procedures and the related electronic accounting records. Particularly, auditors should be aware of the potential risk of changing amounts in the automated processes. Also, auditors are required to have an awareness that evidence of such intervention in the automatic information system is difficult to detect because it is minimal or invisible. Secondly, in acquiring an understanding of control activities, auditors are advised to gain an understanding of how the auditee has responded to risks arising from IT. Under AUS 402, the auditee's controls over IT systems are recognized to have been effective only when the integrity of information and the security of the data are ensured.37 According to the Australian government's Auditing and Assurance Standards Board (AUASB), AUS 402 was superseded by Auditing Standard ASA 315 "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement" on 1 July 2006. ASA 315 imposes mandatory requirements on auditors rather than describing the degree of auditors' responsibilities as perceived in the current standard.38

Turning to the current AUS 404 or even the new ASA 402 "Audit Considerations Relating to Entities Using Service Organisations" (which went into effect on 1 July 2006), there are not many requirements relating to IT controls. Only one requirement refers to IT governance, stipulating that the auditor is required to acquire an understanding of information available on controls relevant to the service organization's information system (such as IT general controls and application controls), which enables the auditor to understand the entity and its environment.39

When it comes to AGS, the former AUASB, which belongs to the Australian Accounting Research Foundation, issued three guidance statements related to IT environments of which the auditors should be aware in conducting an audit, including a stand-alone personal computer environment, an online computer systems environment and a database systems environment. These statements describe the effectiveness of internal controls in the IT environment, the effects of the IT environment on the accounting system and related controls, and the influences of the IT environment on audit procedures.40 However, these guidance statements were withdrawn following the withdrawal of the three equivalent statements of the International Auditing and Assurance Standards Board (IAASB) in December 2004.41 According to the reconstituted AUASB, these AGSs will be progressively reissued over the next two years. However, as of the printing of this article, AUASB has not reissued these AGSs.

Laws Related to IT Governance

Laws have had an impact on IT governance. Accounting and auditing standards and regulations are not sufficient to address the broad and complex area of IT governance.

In the US

As mentioned previously, Sarbanes-Oxley was enacted to mitigate the corporate failures caused by the inaccurate and untruthful nature of financial reports.42 The high-profile failures, such as Enron, were the result of many factors, and internal controls over financial reporting in terms of accounting management's terminology was one of the most significant. The Act deals with this issue, with a heavy emphasis on companies' internal controls in sections 302 and 404.43 One of the requirements in section 302 is that the principal financial officer(s), or the person performing a similar function, must certify the responsibilities of the company's management for effectively designing and maintaining the company's internal controls. Section 404 addresses two aspects of internal controls: one is the company's responsibility, and the other is the registered public accounting firm's (the auditor's). The company's managers are required to produce an annual internal control report containing a statement on their responsibilities for establishing and maintaining an adequate control structure and procedures for financial reports. The auditor must be responsible for attesting to the assessment of the auditee managers on their statement.

After the Act was passed, the SEC and PCAOB devoted a great deal of effort to put it into effect by clarifying the Act, promulgating further regulations and issuing in-depth guidelines. Additionally, many in the private sector promoted the enforcement of the Act by producing Sarbanes-Oxley-related compliance. By complying with the Act, companies put more effort into internal controls to increase accountability. The company's management, in particular, is required to apply an effective framework to assess its company's internal controls.44 In today's business environment, it is generally understood that IT involves all stages of the financial reporting process. Therefore, not surprisingly, it can be concluded that Sarbanes-Oxley is a prominent regulation affecting IT governance.

In Australia

At present, Australia does not have specific IT governance regulations. This is why there have been considerable efforts by the government to develop specific IT governance standards in recent years.45 Concerning Australian laws, the CLERP 9 Act of 2004 is recognized as a response to corporate failures. However, the CLERP 9 Act does not directly address internal controls and IT governance.

As for the Privacy Act of 1988, although some experts46 assert that it is an IT governance-related legislation in Australia, it has no section that particularly addresses the governance of IT. Under the Act, IT governance may be implied by the requirements of storage and security of personal information and tax file number information.47

Conclusion

The fact is that there is no international accounting or auditing standard in Australia designed to directly influence IT governance. In this sense, it is worth noticing that the AUASB uses the IAASB's International Standards on Auditing (ISA) as a base, and that the AUASB officially adopts the standards of the IAASB.48 Therefore, it would be misleading to state that the AASB and AUASB comprehensively address IT governance in their standards.

Scandals in Australia, such as those of HIH Insurance, Harris Scarfe and One-Tel, have somewhat mirrored scandals in the US.49 Not surprisingly, then, in the wake of such failures, the reactions of regulators and the professions (especially accounting and auditing) and the concern of the community in Australia are to some extent similar to those in the US. While both Sarbanes-Oxley in the US and CLERP 9 in Australia were passed in reaction to the financial collapses, the latter is less stringent.50

Taking all discussions and comparisons into account, the logical conclusion is that Australia needs legislation to closely regulate IT governance. This legislation should be closely related to the country's legal, economic and cultural circumstances.

Endnotes

1 Yakhou, M.; V.P. Dorweiler; "Dual Reforms: Accounting and Corporate Governance," Managerial Auditing Journal, vol. 19, no. 3, 2004, p. 361-377

2 Hamaker, S.; "Spotlight on Governance," Information Systems Control Journal, vol. 1, 2003, p. 15-19

3 Damianides, M.; "Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance," Information Systems Management, vol. 22, no. 1, 2005, p. 77-85

4 "Leaders: The Lessons From Enron," The Economist, vol. 362, no. 8259, 2002, p. 10

5 Butler, C.W.; G.L. Richardson; "Potential Control Processes for Sarbanes-Oxley Compliance," Information Systems Control Journal, vol. 2, 2006

6 IT Governance Institute, IT Control Objectives For Sarbanes-Oxley, USA, 2006. Orlikoff, J.E.; M. Totten; "Governance in the Spotlight: What the Sarbanes-Oxley Act Means for You," Trustee, vol. 57, no. 8, 2004, p. 15-18.

7 Brown, W.; F. Nasuti; "Sarbanes-Oxley and Enterprise Security: IT Governance—What It Takes to Get the Job Done," Information Systems Security, vol. 14, no. 5, 2005, p. 15-28

8 To observe the extent to which standards established by SAI Global can be regarded as regulations, it is helpful to obtain a clear understanding of the relationship among SAI Global, Standards Australia and the Australian Government, which is explained in Australian Government Productivity Commission 2006, Standard Setting and Laboratory Accreditation—Productivity Commission Research Report, 2006, www.pc.gov.au/study/standards/finalreport/standards.pdf.

9 "High Visibility," The Sydney Morning Herald, 23 January 2006, www.smh.com.au/articles/2006/01/23/1137864846886.html?page=fullpage#database

10 Jones, W.; "IT Governance Regulation—An Australian Perspective," Information Systems Control Journal, vol. 2, 2005, p. 20-22

11 Lucy, J.; FSR, CLERP 9 and Surveillance Programs: ASIC Priorities Over the Next 12 Months, Queensland, 2004, www.asic.gov.au/asic/pdflib.nsf/LookupByFilename/ICAA_speech_130304.pdf/$file/ICAA_speech_130304.pdf

12 Organisation for Economic Co-operation and Development, OECD Principles of Corporate Governance, 2004, www.oecd.org/dataoecd/32/18/31557724.pdf

13 ASX Corporate Governance Council, Principles of Good Corporate Governance and Best Practice Recommendations, 2003, www.asx.com.au/about/pdf/ASXRecommendations.pdf

14 Pass, C.; "Corporate Governance and the Role of Non-executive Directors in Large UK Companies: An Empirical Study," Corporate Governance, vol. 4, no. 2, 2004, p. 52-63

15 IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, USA, 2003, www.itgi.org

16 Op. cit., Hamaker

17 Op. cit., Hamaker

18 Op. cit., IT Governance Institute, 2003

19 Luftman, J.N.; C.V. Bullen; D. Liao; E. Nash; C. Neumann; Managing the Information Technology Resource: Leadership in the Information Age, Pearson Prentice Hall, New Jersey, USA, 2004

20 Shailer, G.E.P.; An Introduction to Corporate Governance in Australia, Pearson-Sprintprint, New South Wales, 2004

21 Murphy, A.; K. Topyan; "Corporate Governance: A Critical Survey of Key Concepts, Issues, and Recent Reforms in the US," Employee Responsibilities and Rights Journal, vol. 17, no. 2, 2005, p. 75-89

22 Morrison, J.; "Legislating for Good Corporate Governance: Do We Expect Too Much?," Journal of Corporate Citizenship, no. 15, 2004, p. 121-133

23 Cilli, C.; "IT Governance: Why a Guideline?," Information Systems Control Journal, vol. 3, 2003, p. 22-24. De Haes, S.; W. Van Grembergen; "IT Governance and Its Mechanisms," Information Systems Control Journal, vol. 1, 2004, p. 27-33

24 US Sarbanes-Oxley Act of 2002, 2002, www.pcaobus.org/About_the_PCAOB/Sarbanes_Oxley_Act_of_2002.pdf

25 US Securities and Exchange Commission, Final Rule: Management's Reports on Internal Controls Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, 2003, www.sec.gov/rules/final/33-8238.htm

26 Fox, C.; "Sarbanes-Oxley—Considerations for a Framework for IT Financial Reporting Controls," Information Systems Control Journal, vol. 1, 2004, p. 52-54

27 Op. cit., Jones

28 The 8000 series of corporate governance standards includes AS8000 Good Governance Principles, AS8001 Fraud and Corruption Control, AS8002 Organisational Code of Conduct, AS8003 Corporate Social Responsibility and AS8004 Whistle-blower Protection Programs.

29 "In the Public Interest," Journal of Accountancy, vol. 199, no. 1, 2005, p. 63-70. "Leaders: Investor Self-protection: Enron a Year On," The Economist, vol. 365, no. 8301, 2002, p. 12. "Leaders: The Lessons From Enron," The Economist, vol. 362, no. 8259, 2002, p. 10. Melancon, B.C.; "A New Accounting Culture," Journal of Accountancy, vol. 194, no. 4, 2002, p. 27-30.

30 O'Connell, B.; L. Webb; H.R. Schwarzbach; "Batten Down the Hatches! U.S. Accounting Scandals and Lessons for Australia," Australian Accounting Review, vol. 15, no. 2, 2005, p. 52-67

31 US Public Company Accounting Oversight Board, Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, 2006, www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf

32 Cooper, K.; H. Deo; "Recurring Cycle of Australian Corporate Reforms: A Never Ending Story," Journal of American Academy of Business, Cambridge, vol. 7, no. 2, 2005, p. 156-63. Leung, P.; B.J. Cooper; "The Mad Hatter's Corporate Tea Party," Managerial Auditing Journal, vol. 18, no. 6/7, 2003, p. 505-16.

33 Abeysekera, I.; "Accounting: In Crisis or Ascendancy?," Accounting History, vol. 10, no. 3, 2005, p. 71-87

34 Op. cit., Leung and Cooper

35 Corporations Act of 2001 2006, ComLaw—Federal Register of Legislative Instruments, Australian Capital Territory, www.frli.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/F62CB30C864F9E87CA257154000239DC?OpenDocument

36 Gay, G.; R. Simnett; Auditing and Assurance Services in Australia, McGraw-Hill Australia Pty Ltd, New South Wales, 2005

37 CPA Australia, Auditing and Assurance Handbook 2006, Pearson Prentice Hall, Australia, 2006

38 Auditing and Assurance Standards Board, ASA 315 "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement," 2006, www.auasb.gov.au/docs/AUASB_Standards/ASA_315_28-04-06.pdf

39 Auditing and Assurance Standards Board, ASA 402 "Audit Considerations Relating to Entities Using Service Organisations," 2006, www.auasb.gov.au/docs/AUASB_Standards/ASA_402_28-04-06.pdf

40 Client Newsletter, Tasmanian Audit Office, Hobart, June 2002, www.audit.tas.gov.au/publications/clientnews/pdfs/news10_jun02.pdf

41 Three equivalent statements of IAASB are International Auditing Practice Statement (IAPS) 1001 "IT Environments—Stand-Alone Personal Computers," IAPS 1002 "IT Environments—On-line Computer Systems" and IAPS 1003 "Database Systems."

42 Smith, R.F.; "What IT Pros Must Know About Sarbanes-Oxley," Windows IT Pro, vol. 11, no. 5, 2005, p. S1, 3-5

43 US Sarbanes-Oxley Act, 2002, www.pcaobus.org/About_the_PCAOB/Sarbanes_Oxley_Act_of_2002.pdf

44 Op. cit., US Securities and Exchange Commission

45 Op. cit., Jones

46 Op. cit., Jones

47 Privacy Act of 1988, ComLaw—Federal Register of Legislative Instruments, Australian Capital Territory, www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/F382FE715845EE4FCA25715E001F3A3E/$file/Privacy1988_WD02_Version1HYP.doc

48 Auditing and Assurance Standards Board, Regulation Impact Statement, 2006, www.auasb.gov.au/docs/AUASB_standards/Regulation_Impact_StatementRules_AUASB_28-4-04.pdf. Australian Accounting Standards Board, Explanatory Statement, 2006, www.aasb.com.au/pronouncements/standards_index.htm

49 Op. cit., Leung and Cooper

50 Op. cit., O'Connell, Webb and Schwarzbach

Nguyen Huu Cuong has a bachelor of economics (in accounting) from the University of Danang (Danang City, Vietnam). He has been a lecturer of accounting at the College of Economics at the University of Danang from 1997 until now. He lectures in accounting theory and financial accounting to undergraduate students. He has six articles published in academic journals in Vietnam, including Accounting Review and Financial Magazine.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.