This study provides evidence concerning the significance of assessing operational control risk as part of an integrative evaluation of internal controls. We examine whether operational control risk indicators can be used as cues to potential unreported financial reporting control weaknesses and financial reporting deficiencies. We use data breaches and an operational control risk index, created through textual analysis of Form 10-Ks, as our two primary indicators of operational control risk. We find positive relations between our operational control risk indicators and future financial reporting control weaknesses, restatements, SEC comment letters, and audit fees, even after controlling for contemporaneous financial reporting control weaknesses. These findings suggest that operational control risk is informative of potential financial reporting deficiencies.

Data Availability: Breach data are available subject to the approval of the Identity Theft Resource Center. All other data are publicly available from the sources identified in the article.

You do not currently have access to this content.