The Impact Of Management Security Control Consciousness On Security Control Activities: Implications For Compliance With The Sarbanes-Oxley Act

Using information system audit documentation from 60 clients of a Big 4 firm, we extend Kizirian (2004) by examining whether management security control consciousness (i.e., the “tone at the top”) influences (1) security control activities performed by the client, and (2) the auditor’s firm-wide (i.e., global) assessment of security control.  Findings suggest that management control consciousness results in the employment of security controls.  The auditor’s assessment of the strength of management control consciousness can also affect the auditor’s assessment of the client’s global security control.  While our data pre-dates the Sarbanes-Oxley Act, our findings speak to the importance of assessing an organization's tone at the top, and thus, have implications for auditors working to certify a client’s compliance with the Sarbanes-Oxley Act.