Posts

Posts

  • Roger S Debreceny
    Overview of JIS paper: The effects of information...
    blog entry posted March 9, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    A new paper by Andrea Kelton, (Wake Forest University) and Murthy (University of South Florida) is The effects of information disaggregation and financial statement interactivity on judgments and decisions of nonprofessional investors. Andrea has provided this blog post on their paper.

     

    Andrea Kelton

    Andrea Kelton

    Uday Murthy

    Uday Murthy

     

     

    Information technologies enable firms to not only report more frequently, but to also enhance the decision-usefulness of financial information through variations in presentation format. We investigate whether the provision of financial statement interactivity via a web-based drilldown mechanism improves investors’ use of disaggregated financial statement information and, ultimately, their decisions. We suggest that a drilldown mechanism will mitigate the negative effects of information overload caused by disaggregation by allowing users to control their viewing of the disaggregation, focus their attentions on the relevant details, and avoid tendencies towards earnings fixation. However, we expect this load minimizing effect to depend upon the utility (i.e., relevance) of the disaggregated details to the investment task.

                We conduct an experiment with nonprofessional investor participants obtained from Amazon Mechanical Turk to investigate these issues. Participants completed a simple decision case wherein they reviewed either high utility or low utility disaggregated financial statements either with or without the drilldown mechanism. Overall, our results show that participants using the drilldown experienced lower cognitive load and were less susceptible to earnings fixation than those without the drilldown capability. However, when the disaggregated details provided limited new information, the use of the drilldown resulted in higher levels of cognitive load as compared to when the disaggregation provides new information.

                Our results should inform standard setters currently considering enhanced financial statement disaggregation. We provide evidence regarding the conditions when disaggregation is helpful versus harmful to investor decision making and the benefits and costs of financial statement interactivity.

     

     

  • Roger S Debreceny
    Overview of Theme Issue on Enterprise Ontologies
    blog entry posted March 6, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    Forthcoming in the Summer 2016 issue of the Journal of Information Systems is a theme issue on Enterprise Ontologies, edited by Guido Geerts from the University of Delaware. This is an overview of the theme issue from Guido. 

    Guido Geerts

    Guido Geerts

    In an environment that is characterized by dramatic increases in the volume and variety of data, tools for integration have become progressively more important. The most common way of addressing interoperability issues is by using ontologies: formal specifications of agreed-upon conceptualizations. Ontologies have also proved to be useful as reference models and for reasoning purposes. For more than three decades now, accounting scholars have conducted research in this area, most of it focusing on the REA enterprise ontology. The latter has proved to be useful in a wide variety of applications, including as a reference model during the development of enterprise software, for reasoning purposes, to improve interoperability in economic commerce, and as a framework for teaching core accounting and business process principles.

     

    The objective of the “theme issue on enterprise ontologies” was to extend research on enterprise ontologies in two ways. First, to present the latest developments in the field. This is done by the first two papers. The Scheller and Hruby paper—Business Processes and Value Delivery Modeling Using Possession, Ownership and Availability (POA) in Enterprises and Business Networks—presents a refinement to the REA enterprise ontology for defining value creation and transfer as flows of possession, ownership, and availability. The POA notation further aligns traditional accounting and REA accounting through intuitive business process descriptions. On the other hand, the Snow and Reck paper—Developing a Government Reporting Taxonomy—uses an empirical approach to create a taxonomy for government reporting. Its main objective is to improve accessibility to and comparison of government data for those who invest in municipal bond markets.

     

    Second, the theme issue also initiates a research stream that aims at a better understanding of the enterprise ontology landscape, similar to efforts being done in other disciplines. While all enterprise ontologies focus on representing “economic phenomena,” there are important differences among them in content, scope, and use. The definition of enterprise ontologies in terms of a common framework—the Ontology and Analysis Framework (ODAF)—results in structured discussions of their strengths, weaknesses, and applicability, and also enables comparative analysis among them (i.e., what are the gaps, overlaps, and synergies?). The third and fourth papers in the theme issue discuss specific enterprise ontologies in terms of ODAF. The de Cesare and Partridge paper—BORO as a Foundation to Enterprise Ontology—presents the Business Object Reference Ontology (BORO) as both a foundational ontology and a reengineering methodology. One of BORO’s characteristics is that it has been used extensively in practice for a wide variety of applications, including the re-engineering of legacy systems, the development of reference architectures for enterprise data exchange, and enterprise systems integration. On the other hand, the paper by Weigand—The e3value Ontology for Value NetworksCurrent States and Future Directions—provides a systematic overview of the e3value ontology and its use for exploring innovative business models from an economic point of view. In addition, it discusses a number of possible extensions, in particular the co-creation of value and value model quality.

     

  • Gia M Chevis
    Here's to a successful #iasmidyear2016
    blog entry posted February 26, 2016 by Gia M Chevis, tagged international, research in The Forum--The Blog of the International Section public

    The section's midyear meeting, held in New Orleans, was another wonderful success.  With approximately half of attendees hailing from places outside the U.S., it was a great opportunity to meet new people and reconnect with old friends.  Under Hollis Skaife's leadership, the Doctoral Consortium team welcomed many new researchers to the IAS family on Thursday to kick off the meeting.  Mark Holtzblatt and Eva Jermakowicz hosted an excellent CPE on fighting fraud; the handouts are attached to this post.  Friday and Saturday were filled with excellent speakers and concurrent sessions, with a fabulous dinner at Mulate's on Friday night.  Alta Prinsloo headlined a panel discussion on the IFAC and the importance of research evidence for standard setters, moderated by Katherine Schipper;  Bruce Behn laid out his vision for the future of the AAA.  Two Best Paper Awards were presented: one to Herita Akamah of the University of Oklahoma, and the other to Maria Vulcheva of Florida International University.

    Many, many thanks to Elaine Henry, Gina Rosa, and Wendy Wilson for their tireless efforts!!

    Search #iasmidyear2016 on Twitter to see pictures of some of the exciting events, and check back here for more pics and postings from the award winners.

  • Roger S Debreceny
    A new paper in JIS - Reporting Frequency and Presentation...
    blog entry last edited February 26, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    This blog provides background on a new paper in JIS Reporting Frequency and Presentation Format. doi: http://dx.doi.org/10.2308/isys-51284

    A recent accepted paper in JIS is Reporting Frequency and Presentation Format: Detecting Real Activities Manipulation by Fengchun Tang, Christopher Kevin Eller and Benson Wier. The paper will be forthcoming in an issue of JIS.

    Benson Wier has provided this overview of the paper: 

    Managers increasingly rely on real activities manipulation (RAM) to manage earnings. Compared to accrual-based earnings management, RAM is more difficult to detect and thus poses particular challenges to financial information users. RAM can also be quite harmful to a company’s financial condition, as RAM often involves aiming for short-term earnings targets at the detriment of long-term firm value. This study investigates whether providing users with more frequent financial information improves their ability to detect sales-related RAM. We also investigate whether such effect is moderated by presentation format. We conducted an experiment with 77 financial analysts, manipulating information frequency (weekly versus quarterly financial reporting) and presentation format (tabular representation only versus tabular representation with graphical support). Results indicate that the combination of more frequent financial reporting and graphical support assists financial analysts in detecting RAM. Specifically, when financial information was presented in table format only, the likelihood of sales-related RAM reported by the participants does not differ between the more and less frequent reporting conditions. In contrast, when financial information was presented in tabular format with graphical support, participants in the more frequent reporting (weekly reporting) condition reported a significantly higher likelihood of sales-related RAM than participants in the less frequent reporting (quarterly reporting) condition. Overall, results suggest that more frequent reporting can improve RAM detection when users are aided with graphical support.

     

  • Roger S Debreceny
    Overview of JIS Paper. A Method to Evaluate Information...
    blog entry last edited February 26, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public
    A forthcoming paper in JIS is by W. Alec Cram and R. Brent Gallupe "A Method to Evaluate Information Systems Control Alignment". This is one of the papers presented at the 1st JIS Research Conference (JISC2015). This post provides an overview of the paper. doi: http://dx.doi.org/10.2308/isys-51297

    Information systems controls are commonly viewed by managers and auditors as a means to not only adhere to compliance regulations, but also to aid in risk reduction and performance improvement. Existing frameworks such as COSO and COBIT provide practitioners with valuable guidance on selecting controls, yet organizations continue to be challenged with control deficiencies and poorly performing IS processes. This study considers a supplementary lens to examining the challenges of selecting and refining controls by introducing the concept of information systems control alignment. Here, we suggest that IS controls are most effective when they work together to complement organizational, staff, and process characteristics. In order to further develop this concept, our study sought to create a timely, accessible, and practical tool to determine the extent of control alignment within an IS process. Specifically, we conducted 29 interviews, as well as a pre-test, pilot test, and proof of concept evaluation, in order to develop, refine, and test a method that managers could use to evaluate IS control alignment.

    The resulting method takes the form of a survey, to be completed by a range of organizational representatives, that begins by establishing the particular IS process under investigation (e.g. managing enterprise architecture, managing security, etc.), as well the role of the participant and industry of the company. Next, the method asks participants to consider the characteristics of the control environment (i.e., the strategic, structural and cultural elements of an organization), control mechanisms (i.e., characteristics of the IS controls), socio-emotional characteristics (i.e., the impact that controls have on employees), and control execution (i.e., the extent that controls are evaluated and modified over time). Based on the collected responses from each participant, patterns within each category are depicted on a sliding scale that illustrate how well the identified IS controls align with the other elements.

    By using the tool in practice, managers can determine if there are aspects of the selected controls that conflict with organizational, staff, and process characteristics. This could encourage the selection of alternative controls, such as those that fall more in line with employee preferences or are more appropriate for the organizational structure. We view the method developed in this research as a tool that is complementary to the existing control frameworks, but one that provides a unique view into the importance of not only selecting more controls, but selecting the right controls for the situation. Future opportunities exist to expand the IS control alignment concept by aggregating results from the proposed method across different industries and IS processes. There is also an opportunity to apply the control alignment concept outside of IS, to evaluate the alignment of controls within traditional business processes such as financial close and accounts payable.

  • Roger S Debreceny
    Overview of JIS paper: IT Governance and the Maturity of IT...
    blog entry last edited February 26, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public
    A forthcoming paper in JIS by Nishani Edirisinghe Vincent, Julia L. Higgs and Robert Pinsker is entitled IT Governance and the Maturity of IT Risk Management Practices. Here is a blog from the authors on the nature of the paper. doi: http://dx.doi.org/10.2308/isys-51365
     
    Nishani Vincent
    Nishani Vincent
     
    Julia HIggs
    Julia Higgs
     
    Rob Pinsker
    Rob Pinsker
     
     

                In the past decade, enterprise risk management has moved from just being a good business practice to a concern of regulators. For example, in 2009, the Securities Exchange Commission (SEC) approved enhanced proxy disclosure requirements addressing the board’s role in risk oversight. The SEC requires firms to report on the board’s leadership structure, the committee responsible for risk oversight at the board level, and the relationship between the management and the board in risk management/oversight.

                With the increased dependence on Information Technology (IT) for business operations, firms’ IT risks management has become a major component of enterprise risk management. Apart from the SEC’s disclosure requirement, state laws requiring public disclosure of compromised customer information, and high profile customer information breaches have caused IT risk management practices to be a major concern for boards of directors and management. Ongoing internal control assessments in firms based on best practice frameworks, such as The Committee of Sponsoring Organizations’ (COSO) Enterprise Risk Management (ERM) framework, emphasize the importance of the board’s oversight role while also bringing attention to the firm’s reporting structure. Therefore, this study examines whether the maturity of IT risk management practices depends on Chief Information Officer (CIO) reporting structure and Chief Executive Officer (CEO)/Chairman of the board duality. 

                Prior research on IT governance shows that there is a lack of research exploring the role of the board and management in IT risk management. We contribute to this literature first by developing a scale to measure maturity of IT risk management practices. We surveyed senior IT professionals on IT risk management practices identified based on ISACA’s Risk IT framework. The 19 item scale measures two broad categories of IT risks (strategic and operational) and associated management practices. Next we explored the reporting structure of the CIO (i.e. does the CIO report to CEO, CFO or any other C-suite executive) and its impact on the maturity of IT risk management practices. We found that the maturity of strategic and operational IT risk management practices are higher when the CIO reports directly to the CEO. For public firms, the maturity of IT risk management practices were higher when the CEO is also the chairman of the board of directors.

                Overall, our results suggest that top management attention is necessary to establish better IT risk management practices. As C-level officers may have asymmetric access to the board, understanding reporting structures may inform firms, regulators, and interested stakeholders on how well IT risk is managed. Further, our results from public companies suggest that IT issues are more likely to get elevated to the board and, thus, receive greater oversight attention in firms where there is CEO/Chairman of the board duality. Firms without CEO/Chairman of the board duality may need to implement practices to ensure IT risk issues are included in the board agenda and in turn get appropriate attention.

  • Roger S Debreceny
    Overview of JIS paper: The Relationship Between Board-Level...
    blog entry last edited February 26, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    A forthcoming paper in JIS is by Julia L. Higgs, Robert Pinsker, Thomas Smith and George Young, is entitled The Relationship Between Board-Level Technology Committees and Reported Security Breaches. This blog by the authors provides an overview of the paper. doi: http://dx.doi.org/10.2308/isys-51402

    Julia Higgs

    Julia Higgs

     

    Rob Pinsker

    Rob Pinsker

    George Young

    George Young

    Thomas Smith

    Thomas Smith

    Cyber-attacks are increasing at a phenomenal rate across the globe and are doing significant damage to firms’ valuations, regulatory compliance practices, and reputation. The longer it takes to detect a breach, the more costly it becomes. Consequently, firms need a strong information technology governance (ITG) structure in order to quickly detect and ultimately resolve breach scenarios.

    Firms have multiple ITG approaches for dealing with breaches. The traditional approaches involve having either the audit committee of the board or overall board monitor the related IT risk. More recently, a concentrated board approach involves forming a technology committee to monitor and control IT risks, including security breaches. This study incorporates signaling theory to investigate the role of technology committees with regard to reported breaches, as well as examining whether the existence of a technology committee serves as a positive signal to the market.

    Results examining reported breaches from 2005-2014 indicate that firms with a technology committee have a significantly greater likelihood of being breached relative to firms without technology committees. In trying to understand why firms may elect various committees to respond to different risks, we find that the external breaches are more likely for firms with board-level technology committees while internal breaches are more likely for firms with risk and compliance committees. We further find that as a technology committee becomes more established, the firm is less likely to be breached. This result suggests that over time technology committees play a role in preventing, not just detecting and reporting, breaches.

    When examining market reactions, initial results support the prior literature’s findings that a security breach is associated with a negative market reaction, but the presence of a technology committee mitigates the negative market reaction for external breaches. Thus, we argue that the market reaction results provide a firm-provided signal indicating it has governance mechanisms in place to better handle the risk associated with security breaches.

    Board-level technology committees are a relatively new phenomenon, as prior research indicates none existed for public companies as recently as 2000. However, there has been an increasing trend in their formation over the past 10 years, presumably as an ITG mechanism. Our results suggest that these committees are helpful for firms when addressing the security risk component of the larger IT risk category. Consequently, study findings add to the extant ITG, disclosure, and signaling literatures.

  • Roger S Debreceny
    Overview of JIS paper: SECURQUAL: An Instrument for...
    blog entry last edited February 26, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    A forthcoming paper from Paul John Steinbart, Robyn L. Raschke, Graham Gal, and William N. Dilla is entitled  SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs. doi: http://dx.doi.org/10.2308/isys-51257

    Paul John Steinbart

    Robyn L. Raschke

    Graham Gal

    William N. Dilla

    Research on information security has been hampered by the scarcity of objective data concerning the effectiveness of organizations’ information security efforts. This study develops a multi-dimensional instrument based on the COBIT v4.1 Maturity Model rubrics. With the cooperation and support of the IMTA section of the AICPA, we collected four security outcome measures from 71 companies: number of noncompliance with security policy issues serious enough to be brought to the attention of the Board of Directors, number of security-related internal control weaknesses reported to the Board, number of attacks capable of causing serious harm that were detected and stopped before causing harm, and the number of attacks that did cause serious harm. We demonstrate that the instrument, SECURQUAL, is a reliable surrogate for measuring the effectiveness of an organization’s information security program.

    One desirable feature of SECURQUAL is its parsimony. It contains questions about only 18 of COBIT v4.1 Maturity Model rubrics. Further, the instrument uses only one Likert-type question with a five-point response scale to measure each of those topics. Thus, it should be a useful tool for both researchers and practitioners to assess the overall effectiveness of an organization’s information security.

  • Roger S Debreceny
    Overview of JIS paper: Applying Basic Gamification...
    blog entry last edited February 26, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    A forthcoming paper in JIS is Ryan J. Baxter, D. Kip Holderness, and David A. Wood Applying Basic Gamification Techniques to IT Compliance Training: Evidence from the Lab and Field. This blog provides an overview of the paper. doi: http://dx.doi.org/10.2308/isys-51341

    Ryan Baxter

    Ryan Baxter

    Kip Holderness

    Kip Holderness

    David Wood

    David Wood

    Companies use internal controls to protect and maintain the integrity of their information systems. However, internal controls are only as effective as the employees who operate them. Consequently, companies devote valuable resources to train employees on their responsibilities to safeguard company information. Most employees dislike compliance training and find the experience boring, which can lead to ineffective training.

    In an effort to improve the efficacy of training, some companies have begun incorporating basic elements of gaming into their training modules – a practice known as “gamification.” Our study makes use of a laboratory experiment using student participants and a field study using employees at a large multi-national bank to examine whether gamified training results in greater enjoyment and effectiveness than traditional, non-gamified training.

    Our participants report that gamified training is more enjoyable and interesting, and less boring than traditional, non-gamified training modalities. In addition, participants who completed the gamified training scored higher on information security knowledge assessments that those who received no training, though they did not score higher than those who received comparable non-gamified training.

    We also find that individual gaming preferences influence the effectiveness of gamified training. Specifically, we find that gamified training results in greater knowledge acquisition for “gamers,” those who participate in gaming on their own time, relative to “non-gamers.” This result was somewhat surprising, given that gamers were less impressed with gamified training than non-gamers. Our results suggest that companies need to understand the preferences of their employees when deciding on what types of training to implement.

    In summary, though gamification does not appear to be the silver bullet needed to increase both enjoyment and learning outright, it may reduce the apathy with which employees approach training, and our results suggest that it does not hinder learning. We believe that future research in this area will guide practitioners on matching the right gamification mechanics with organizational needs.

     

  • Roger S Debreceny
    Journal of Information Systems Conference 2016
    blog entry last edited February 4, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    Planning is underway for the Journal of Information Systems Conference 2016, to be held at the offices of Workday, Inc in October 2016.

    In March 2015, the Journal of Information Systems held its first research conference (JISC 2015). Planning is well underway for the Journal of Information Systems Conference 2016 (JISC 2016), to be held at the offices of Workday, Inc in October 2016. The theme is Big Data and Data Analytics. The conference will be edited by Dr. A. Faye Borthick of Georgia State University and Dr. Robyn Pennington of North Carolina State University. Dr Eileen Taylor of North Carolina State University will be the Chair of the Conference. The conference is being sponsored by Workday and the ITMA Division of the AICPA. Academic research papers are due on May 1, 2016. The Call for Papers is here.