Does the Format of Internal Control Disclosures Matter? An Experimental Investigation of Nonprofessional Investor Behavior

Tadesse, Amanuel Fekade

16 September 2015

This study investigates whether the current lack of structure of internal control weakness disclosures (a narrative about the reliability of the financial reporting system) leads nonprofessional investors to make differential investment decisions. Using the non-accelerated filer (smaller public company) setting, where nonprofessional investors are likely to consume unaudited internal control reports in their investing judgments and decisions, I examine two facets of internal control disclosure formats: presentation salience and disaggregation of material weaknesses. A 2 x 2 between-participants behavioral experiment was conducted with internal control presentation salience (bulleted vs. in-text) and disaggregation level (a single material weakness vs. a combination of multiple control deficiencies that is a material weakness). I find that nonprofessional investors reward companies that disclose internal control weaknesses more saliently. The results also indicate that disaggregation interacts with salience in that it increases the effect of salience on investing judgments such that salient (stealth) disclosure of a combination of control deficiencies is viewed more positively (negatively) than salient (stealth) disclosure of a material weakness. These findings are contrary to Rennekamp (2012) who finds that processing fluency in bad news leads to more negative investment judgements. Additional analyses indicated that the results related to management trust and credibility are consistent with prior literature. The findings contribute to academia and practice by shedding light on the importance that needs to be placed on the presentation format of internal control disclosures.

Internal Control Weaknesses

Material Weakness

Control Deficiency

Presentation Format

Disaggregation

SOX 404

Sarbanes Oxley

Accounting

ASSESSING COMMON CONTROL DEFICIENCIES IN CMMC NON-COMPLIANT DOD CONTRACTORS

Vijayaraghavan Sundararajan (12980984)

05 July 2022

<p> As cyber threats become highly damaging and complex, a new cybersecurity compliance certification model has been developed by the Department of Defense (DoD) to secure its Defense Industrial Base (DIB), and communication with its private partners. These partners or contractors are obligated by the Defense Federal Acquisition Regulations (DFARS) to be compliant with the latest standards in computer and data security. The Cybersecurity Maturity Model Certification (CMMC), and it is built upon existing DFARS 252.204-7012 and the NIST SP 800-171 controls. As of 2020, the DoD has incorporated DFARS and the National Institute of Standards and Technology (NIST) recommended security practices into what is now the CMMC. This thesis examines the most commonly identified security control deficiencies faced, the attacks mitigated by addressing these deficiencies, and suggested remediations, to 127 DoD contractors in order to bring them into compliance with the CMMC guidelines. By working with a compliance service provider, an analysis is done on how companies are undergoing and implementing important changes in their processes, to protect crucial information from ever-growing and looming cyber threats. </p>

Data security and protection

Hardware security

Software and application security

System and network security

Information security management

Security Control Deficiency

Mitigation

CMMC

NIST SP 800-171

Assessment

Control Family

Cybersecurity

Remediation

Cyber-attacks

Vulnerabilities