Internal control reporting by non-accelerated filers

I examine three issues related to internal control reporting by non-accelerated filers. Motivation for the three studies comes from the fact that Section 404 of the Sarbanes-Oxley Act (SOX) continues to be controversial, as evidenced by the permanent exemption from Section 404(b) of SOX granted to non-accelerated filers by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The Dodd-Frank Act also requires the SEC to study compliance costs associated with smaller accelerated filers. In the first part of my dissertation, I document that the audit fee premium for non-accelerated filers disclosing a material weakness in internal controls (a) is significantly lower than the corresponding premium for accelerated filers, and (b) declines significantly over time. I also find that in the case of accelerated filers remediating clients pay lower fees compared to clients continuing to report internal control problems; however, such differences are not observed in the case of non-accelerated filers. The second essay focuses on audit report lag. The results indicate that presence of material weaknesses are associated with increased audit report lags, for both accelerated and non-accelerated filers. The results also indicate that the decline in report lag following remediation of problems is greater for accelerated filers than for non-accelerated filers. The third essay examines early warnings (pursuant to Section 302 disclosures) for firms that subsequently disclosed internal control problems in their 404 reports. The analyses indicate that non-accelerated firms with shorter CFO tenure, presence of accounting experts on the audit committee, and more frequent audit committee meetings are more likely to provide prior Section 302 warnings. Overall the results suggest that there are differences in internal control reporting between the accelerated and non-accelerated filers. The results provide empirical grounding for the ongoing debate about internal control reporting by non-accelerated filers.

Associations between SOX 404 opinions and auditors, audit committees, and executives

This dissertation examined three issues associated with Section 404 of the Sarbanes-Oxley Act (SOX) that are of current interest to regulators and the accounting profession. For the first essay, I examined auditor changes from 2003 to 2005 for 2,454 non-financial firms that filed their initial SOX 404 opinions prior to July 1, 2005. My results showed that there is a significant association between the receipt of an adverse SOX 404 opinion and auditor resignations - both before and after the issuance of the SOX 404 opinion. The data related to auditor dismissals show that clients are not successful in opinion shopping, since clients dismissing the auditor before the SOX 404 report also are more likely to receive an adverse SOX 404 opinion than clients not changing auditors. My second essay examined the relation between audit committee characteristics and changes in material weaknesses in internal control over financial reporting under the new SOX regime. My results showed that improvements in internal control in the second year of SOX are associated with: (1) the number of audit committee members and (2) financial expertise of audit committee members. My third essay examined the relation between the appointment of the new executives and the subsequent receipt of initial section 404 of SOX opinions. My results showed that adverse SOX 404 reports will be more likely at firms that recently hired a new chief financial officer (CFO).

Social-cognitive antecedents of ambidextrous orientation in family-owned startups: The role of family ties, achievement motivation, and internal locus of control

Regulatory Focus Theory predicts that the motivation to self-regulate goal-directed thought and behavior depends on two distinct regulation strategies: a promotion focus based on attaining gains and a prevention focus based on avoiding losses. This study took a social-cognitive approach predicting that regulatory focus has an impact on how family startups (several family related founders) explore "new ideas", exploit "old certainties" and achieve the balance of both (ambidexterity), compared to lone founder startups (only one founder present). It was proposed that the social context of family ties among founders leads them to a prevention focus concerned with avoiding the loss of the socio-emotional benefits of those ties. In order to avoid such a loss, family founders were expected to increase their risk perceptions and thus, explore less than lone founders, who lack such socio-emotional ties. It was also proposed that two commonly used psychological traits in entrepreneurship research —achievement motivation and internal locus of control, predispose entrepreneurs to a promotion focus. Founders with a promotion focus, in turn, were hypothesized to lead startups to more risk-seeking behaviors and to more explorative orientation. The previous argument was used as a springboard to derive hypotheses about ambidexterity (the ability to exploit and explore simultaneously) and survival hazards. Using Regulatory Focus Theory, exploitative orientation, conceptualized as the motivational strength to continue on previous paths of action, was hypothesized to be not significantly different from that of lone founder startups. Taking previous arguments together, lone founder startups were hypothesized to be more ambidextrous than family startups. Finally, ambidexterity and internal locus of control were hypothesized to reduce survival hazards in family startups. The findings suggested that family startups explore less than lone founder startups even after controlling for group effects. Interesting but contradictory findings revealed that internal locus of control have both a positive direct effect and a positive interaction that increases the explorative and ambidextrous orientation gap of family startups over lone founder startups. As expected, ambidexterity and internal locus of control reduced survival hazards on family startups. Implications for practitioners were derived based on a sample of 470 nascent entrepreneurs.

Social-cognitive Antecedents of Ambidextrous Orientation in Family-owned Startups: The Role of Family Ties, Achievement Motivation, and Internal Locus of Control

Regulatory Focus Theory predicts that the motivation to self-regulate goal-directed thought and behavior depends on two distinct regulation strategies: a promotion focus based on attaining gains and a prevention focus based on avoiding losses. This study took a social-cognitive approach predicting that regulatory focus has an impact on how family startups (several family related founders) explore “new ideas”, exploit “old certainties” and achieve the balance of both (ambidexterity), compared to lone founder startups (only one founder present). It was proposed that the social context of family ties among founders leads them to a prevention focus concerned with avoiding the loss of the socio-emotional benefits of those ties. In order to avoid such a loss, family founders were expected to increase their risk perceptions and thus, explore less than lone founders, who lack such socio-emotional ties. It was also proposed that two commonly used psychological traits in entrepreneurship research --achievement motivation and internal locus of control, predispose entrepreneurs to a promotion focus. Founders with a promotion focus, in turn, were hypothesized to lead startups to more risk-seeking behaviors and to more explorative orientation. The previous argument was used as a springboard to derive hypotheses about ambidexterity (the ability to exploit and explore simultaneously) and survival hazards. Using Regulatory Focus Theory, exploitative orientation, conceptualized as the motivational strength to continue on previous paths of action, was hypothesized to be not significantly different from that of lone founder startups. Taking previous arguments together, lone founder startups were hypothesized to be more ambidextrous than family startups. Finally, ambidexterity and internal locus of control were hypothesized to reduce survival hazards in family startups. The findings suggested that family startups explore less than lone founder startups even after controlling for group effects. Interesting but contradictory findings revealed that internal locus of control have both a positive direct effect and a positive interaction that increases the explorative and ambidextrous orientation gap of family startups over lone founder startups. As expected, ambidexterity and internal locus of control reduced survival hazards on family startups. Implications for practitioners were derived based on a sample of 470 nascent entrepreneurs.

An aspect-oriented approach to designing role-based access control services

Access control (AC) limits access to the resources of a system only to authorized entities. Given that information systems today are increasingly interconnected, AC is extremely important. The implementation of an AC service is a complicated task. Yet the requirements to an AC service vary a lot. Accordingly, the design of an AC service should be flexible and extensible in order to save development effort and time. Unfortunately, with conventional object-oriented techniques, when an extension has not been anticipated at the design time, the modification incurred by the extension is often invasive. Invasive changes destroy design modularity, further deteriorate design extensibility, and even worse, they reduce product reliability. ^ A concern is crosscutting if it spans multiple object-oriented classes. It was identified that invasive changes were due to the crosscutting nature of most unplanned extensions. To overcome this problem, an aspect-oriented design approach for AC services was proposed, as aspect-oriented techniques could effectively encapsulate crosscutting concerns. The proposed approach was applied to develop an AC framework that supported role-based access control model. In the framework, the core role-based access control mechanism is given in an object-oriented design, while each extension is captured as an aspect. The resulting framework is well-modularized, flexible, and most importantly, supports noninvasive adaptation. ^ In addition, a process to formalize the aspect-oriented design was described. The purpose is to provide high assurance for AC services. Object-Z was used to specify the static structure and Predicate/Transition net was used to model the dynamic behavior. Object-Z was extended to facilitate specification in an aspect-oriented style. The process of formal modeling helps designers to enhance their understanding of the design, hence to detect problems. Furthermore, the specification can be mathematically verified. This provides confidence that the design is correct. It was illustrated through an example that the model was ready for formal analysis. ^

Collaborative mediation

A Mediation System utilizes a central security mediator that is primarily concerned with securing the internal structure of the Mediation System. The current problem is that clients are unable to have authority and administrative rights over the security of their data during a transaction. In addition, this Mediation System is unsuited in presenting a metric that measures the level of confidence of security access rights. This creates a black-box perspective from the client towards the Mediation System and also gives no assurance to these clients that they have assigned the proper security access rights that reflect the current environment of the mediation system. This dissertation presents a Collaborative Information System (CIS) that uses an agent based approach to encapsulate collaborative information and security policies within the Mediation System which are under the control of the clients of the Mediation System. In conjunction with the CIS's Stochastic Security Framework it is possible to take a probabilistic approach in modeling the security access rights of a collaboration transaction. The research results showed that it is feasible to construct a Mediation System utilizing agents and stochastic equations to establish an environment where the client has authority and administrative control in assigning security access rights to their collaborative data that can establish a metric that measures the level of confidence of these assigned rights.