SOX makes executives of public companies explicitly responsible for establishing, evaluating, and monitoring the effectiveness of internal control over financial reporting and disclosure. Given the critical role that IT-based systems play in the success of many companies and due to increased regulatory requirements, senior management is becoming more accountable for IT control effectiveness. However, given the paucity of quality data on IT control, to our knowledge, no empirical studies examine the influence of internal and external governance that could potentially affect IT control. This study examines the influence of senior management, the board of directors, and audit committee regarding IT control governance, by using companies' SOX 404 report data. We define IT control governance as the leadership and organizational structures and control processes which ensure that the company's IT sustains and extends the company's strategies and objectives. Specifically, IT control governance consists of internal IT control influences (referring to senior leadership involvement with IT control) and external IT control influences (referring to the role of independent directors, and audit committees on IT control). Since IT controls are crucial components of internal controls, we define companies' IT control
quality by identifying IT related control weaknesses from SOX 404 reports. IT controls are of lower quality if companies have at least one IT related material weaknesses in their SOX 404
reports. IT controls are of higher quality or effective if companies do not have any IT related material weaknesses. IT related weaknesses in SOX 404 reports include weaknesses in
information system design, access, security, data backup and recovery, and firewall protection.1