دو ر الادارة والرونة التنظيمية في تخفيف الامتثال...
DESCRIPTION
ءؤرTRANSCRIPT
-
Electronic copy available at: http://ssrn.com/abstract=1371231
1
THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE
Vicky Arnold University of Central Florida
University of Melbourne
Tanya Benford University of Central Florida
Joseph Canada
University of Central Florida
Steve G. Sutton University of Central Florida
University of Melbourne
March 2009
* This research was funded by the Institute of Internal Auditors Research Foundation. The authors wish to thank the IIARF for their generous funding and support of our research. We would also like to thank Maggie Abernethy, Vairam Arunachalam, Mary Curtis, Michael Davern, Fred Davis, Carlin Dowling, Don Finn, Clark Hampton, Kevin Kobelsky, Anne Lillis, Elaine Mauldin, Aldi Masli, Vern Richardson, Jake Rose, Patrick Wheeler, workshop participants at the University of Arkansas, University of Melbourne, University of Missouri, and the University of North Texas, as well as participants at the 2008 Asia-Pacific Research Symposium on Accounting Information Systems, 2008 International Conference on Enterprise Systems, Accounting and Logistics, and 2009 AAA Information Systems Section Mid-Year Meeting for their helpful feedback on earlier versions. We are also appreciative of research assistance provided by Randy Kuhn.
-
Electronic copy available at: http://ssrn.com/abstract=1371231
2
THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE
Abstract
The impact of new regulatory requirements for internal control reporting on an organizations ability to maintain strategic flexibility has been debated extensively. This paper uses a systems perspective to examine the relationship between an organizations pre-regulatory effectiveness of enterprise risk management (ERM) processes and their reactiveness to new regulatory mandates. This focus on ERM processes first examines the influence of ERM on the ex ante development of organization structures (i.e. information technology systems compatibility and organizational strategic flexibility). These structures are then examined for their influence on the use of appropriate actions (i.e. control environment and comprehensive compliance processes) to mitigate the difficulty of compliance. Data were collected on these main constructs and related influential constructs from chief audit executives representing a broad range of North American organizations. We specifically focus on Section 404 of the U.S. Sarbanes-Oxley Act of 2002 (hereafter, SOX 404). Structural modeling was used to test the relationships simultaneously and to understand the predictive behavior of the various attributes. First, the results reveal a strong positive relationship between the effectiveness of ERM and strategic flexibility which is partially mediated by IT compatibilitythe ability to capture and share data across an enterprise. Second, the results show a strong positive relationship between strategic flexibility and use of effective implementation processes for new compliance requirements over internal control reporting, but the relationship is fully mediated by the strength of an organizations control environment. Third, our structural model allows us to identify both direct effects of ERM effectiveness on the strength of the control environment and the indirect effects of ERM effectiveness on control environment via the interrelationships with IT compatibility and strategic flexibility. Measurement of these indirect effects captures a more complete view as to the influence of ERM effectiveness on the strength of the control environment; the combined direct and indirect effects increase by 16% the variance in strength of control environment explained by ERM. In brief, our research finds that organizations with effective ERM processes and flexible organizational structures already in place incurred little difficulty in implementing SOX 404 mandates, while organizations that lacked effective ERM processes prior to SOX 404 compliance had weaker implementation processes and had a more difficult experience in complying with the mandates. These findings provide key insights into the importance of ERM for creating an organizational form that can effectively deal with regulatory compliance issues in volatile environments. Keywords: enterprise risk management, organizational strategic flexibility, control environment, IT compatibility, internal control, management control systems, Sarbanes-Oxley Act. Data Availability: Data are available upon request subject to institutional review board restrictions.
-
1
THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE
I. INTRODUCTION
Many countries have recently implemented a myriad of internal control reporting
mandates for public companies.1 Arguably, the most pervasive of these new mandates was the
Sarbanes-Oxley Act of 2002 (SOX), enacted by the U.S. Congress in July, 2002, with global
implications for public companies who wished to be registered on the U.S. stock exchanges.
Since that time, there has been a substantial backlash including allegations that the SOX Act is
quack legislation (Romano 2005) and a myriad of questions as to whether the corporate
governance provisions have a justifiable cost-benefit (e.g. DeFond and Francis 2005). There
have also been questions of whether the burden of SOX regulatory requirements would
irreversibly weaken the U.S. stock exchanges financial market leadership position (Bloomberg-
Schumer-McKinsey Report, 2007). One of the more controversial components of the law is
Section 404 with its mandates for broad reaching internal controls over financial reporting that
must be attested to by management and opined upon by an auditor. As a result, the U.S. SEC
held numerous hearings about this provision and the implementation of 404 requirements was
repeatedly delayedparticularly for small and medium sized enterprises and foreign registrants.2
Among the major concerns of the SEC were complaints by smaller enterprises that these internal
control and risk management processes would impede the enterprises ability to react to market
changes due to resulting restrictions in organizational flexibility (Katz 2006). Preliminary
evidence from several case studies of smaller firms required to file as accelerated filers suggests 1 Global internal control reporting regulations include Canadas National Instrument 52-109 (NI 52-109), the U.S. Sarbanes-Oxley Act of 2002 (SOX 404), the Australian Corporate Law Economic Reform Program Act (CLERP 9), the EU 8th Directive, the French Lois sur la Securite Financiere (LSF), the Italian Legislative Decree 231 and Decree 262, and Japans Financial Instruments and Exchange Law (J-SOX) (E&Y 2008a). 2 These so called non-accelerated filers are currently being phased into 404 reporting requirements with managements report on controls required for fiscal year-ends on or after July 15, 2007, and the auditors opinion on managements report being required for fiscal year-ends on or after July 15, 2008.
-
2
this may be the case for some firms depending on their existing organizational structures and
processes (Arnold et al., 2007).
We explore these concerns through an empirical evaluation of companies that have
completed the SOX 404 reporting process to evaluate how organizational structures and
processes impact the difficulty of adhering to the newly mandated compliance requirements.
Specifically, we examine the relationship between effective ERM practices and the facilitation of
organizational strategic flexibility, and the subsequent impact of organizational strategic
flexibility on the development of effective compliance implementation processes and difficulty
in meeting compliance objectives. In examining these relationships, we consider the mediating
roles of information technology (IT) systems and the organizations control environment. The
conceptual model presented is a generalized model that explains how these organizational
structures and processes facilitate compliance with new regulatory mandates.
In developing our conceptual model, we specifically address concerns voiced regarding
the relationship between control structures and organizational strategic flexibility from a systems
perspective. We adopt the conceptual foundations from theory on capability-building for
entrepreneurial alertness (e.g. ERM) which views strategic organizational flexibility as the key to
organizations success in volatile business environments (Sambamurthy et al. 2003). We build
upon Sambamurthy et al.s model by incorporating research on management control systems (see
Langfield-Smith 1997 and Chenhall 2003 for reviews). This integration helps explain the
relationship between strategic flexibility and management control and how ERM and
organizational flexibility facilitate the development of effective processes for responding to new
regulatory mandatesin this case, new internal control reporting mandates. While early studies
seem to indicate that control systems did not facilitate strategic decisions in organizations, recent
-
3
studies consistently find the opposite. If broader-based measures, rather than just financial
measures, are used, management control systems actually serve as vital informers for strategic
decision making with more control information being desired in more flexible environments
(Simons 1990; Davila 2000; Ahrens and Chapman 2004; Ditillo 2004; Chenhall and Euske
2007).
The results of our study provide several contributions to the literature and have
implications for the discourse on the benefits of mandates for internal control reporting. First, we
establish a strong link between effective ERM and organizational strategic flexibility while
identifying the critical mediating effect of strong IT systems. Second, we establish a strong link
between organizational strategic flexibility and organizational reactiveness to new regulatory
mandatesin this case mandates related to effective internal control systems. Importantly, we
also identify the mediating effect of the control environment on the ability of flexible
organizations to implement effective compliance processes. Third, the overall results provide
evidence of a direct relationship between effective ERM processes and the organizations control
environment. Additionally there is also a substantial indirect effect due to the impact of ERM on
IT systems and organizational strategic flexibility that help explain overall control environment
development. Finally, while prior research has focused primarily on the organizational factors
that facilitate the development of ERM (e.g. Kleffner et al. 2003; Liebenberg and Hoyt 2003;
Beasley et al. 2005), we focus on how the effectiveness of ERM from a strategic benefits
perspective impacts organizational structure and its ability to respond to changes in the business
environmenti.e., how effective, strategic-oriented ERM benefits an organization.
The remainder of this paper is presented in four parts. Section two expands upon the
underlying theory and prior related literature that provides the conceptual development of the
-
4
hypotheses and overall research model. The third and fourth sections provide the research
methods and results of the model and hypotheses testing. The fifth and final section provides an
overview of the results and the implications for future research.
II. BACKGROUND AND HYPOTHESES
Arnold et al. (2007), using four case studies of companies that had recently completed
SOX 404 compliance, provide preliminary insight into the effect of regulatory compliance
efforts on organizational processes and performance. Their findings indicate that all four firms
adopted some level of ERM processes in addressing SOX 404 compliance efforts. However, two
of the four firms had substantial difficulty in meeting compliance requirements; and both of these
firms felt that newly implemented risk management processes and internal control procedures
hindered their customer cycle times putting them at a competitive disadvantage. They primarily
viewed the control structures as limiting their flexibility to react strategically. On the other hand,
the other two firms endured far less stress during their compliance efforts. Each had a strong
system of internal controls; and, each established procedures very early on for addressing the
required changes under the new regulatory mandates. These results raise questions regarding
whether there are structural differences between the four firms that contributed to differing
experiences in implementation difficulty and different perceptions on the impact in terms of
organizational flexibility.
Based on prior case research showing the perceived influence of ERM practices and
organizational structure on companies ability to address the new mandates (Arnold et al. 2007),
we develop a research model that integrates a strategic view of ERM (Treasury Board 2001;
Sambamurthy et al. 2003; COSO 2004) with organizational theory perspectives on
-
5
organizations ability to maintain flexibility and react to regulatory change (e.g. Volberda 1996;
Sambamurthy et al. 2003; Palanisamy 2005).
ERM as A Basis for Entrepreneurial Alertness
Theory on capability building and entrepreneurial action is premised on the resource
based view of the firm where information technology (IT) is viewed as not having strategic value
by itself, but rather as a resource that can be shaped and refined to become an enabler of
organizational flexibility that in turn facilitates competitive action (Sambamurthy et al. 2003).
The key to the theory, however, is entrepreneurial alertness, which is the capability to explore
the marketplace and identify opportunities for action. Entrepreneurial alertness drives the
evolution of IT systems to facilitate the organizations strategic flexibility, thus creating an
indirect as well as a direct effect of entrepreneurial alertness on the development of strategic
flexibility. Similarly, entrepreneurial alertness, by enabling strategic flexibility, also supports the
organizations ability to respond to changes in the environment through execution of competitive
actions. Thus, competitive actions are not only supported directly by entrepreneurial alertness but
also indirectly through strategic flexibility (Sambamurthy et al. 2003).
Entrepreneurial alertness includes both strategic foresight (i.e. the ability to foresee risks
and opportunities) and systemic insight (i.e. the ability to use foresight to shape competitive
actions that provide advantage) (Sambamurthy et al. 2003). ERM represents perhaps the
strongest form of entrepreneurial alertness with its focus on integrating risk management
processes at an enterprise-wide level in order to provide a uniform capability for responding to
risks and seizing opportunities. The Treasury Board of Canada (2001) was one of the early
advocates of integrated risk management (i.e. ERM) and defines ERM as
a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making
-
6
strategic decisions that contribute to the achievement of an organization's overall corporate objectives (p. 10).
While everyone in the organization has some responsibility for ERM, an organizations Board of
Directors has overall responsibility for ensuring risks are managed, but in practice the
management team is generally delegated with the responsibility (Institute of Internal Auditors
2004). As such, ERM integrates risk management activities while elevating its status as a key
component of the firms overall strategy thus enabling the organization to respond strategically
to both risks and opportunities (Liebenberg and Hoyt 2003).
In building an organizations risk profile, information and knowledge must be aggregated
across the strategic and operational levels to assist managers in understanding the range of risks
(internally and externally) and the related opportunities (Treasury Board 2001, p. 15). To
facilitate the aggregation of information and knowledge across the organization, the Treasury
Board recognizes the need to consider potential technological solutions to support on-going
activities that facilitate risk awareness and management through information sharing (Treasury
Board 2001, p. 31).
From a theoretical perspective, ERM can be viewed as fundamental to the evolution of IT
systems, organizational strategic flexibility, and competitive actions that may result in either
necessary responses to risks or the potential to seize opportunities. The conceptual model is
shown in Figure 1.
[Insert Figure 1 about here]
Background and Hypotheses
While the need for risk management was strongly advocated in Canada prior to the major
U.S. corporate failures in 2002 (e.g. Enron and WorldCom), the passage of SOX in the U.S. led
the Committee of Sponsoring Organizations of the Treadway Committee (COSO 2004) to
-
7
release a revised internal control framework that adopted ERM concepts and took a more
strategic view of control processes. This framework expanded the scope of its earlier framework
(COSO 1992) to focus more comprehensively on ERM.
While COSOs ERM framework has become the guiding directive adopted by the vast
majority of organizations (particularly in the U.S.) complying with SOX 404, the implementation
in many cases focused on the underlying internal control framework and not the strategic
organizational-level risk management processes characterized by ERM. While internal control is
an integral part of ERM from a COSO (2004, 25) point of view, ERM is broader than internal
control as it focuses more fully on risk and risk management. Still, in the face of SOX 404
requirements, many organizations have focused on procedural aspects of control and have not
implemented effective, strategically-oriented ERM processes or have only implemented minimal
processes (Beasley et al. 2005; E&Y 2008a).
Surveys reveal ERM as the major issue currently being addressed by audit committees
(E&Y 2008a; KPMG 2008). Likewise, the October 2008 joint meeting of the European and
North American Audit Committee Leadership Networks highlights both the urgency to develop
effective ERM processes and the on-going struggle many organizations face when implementing
effective ERM practices. ERM frequently continues to be hampered by a narrow, business-unit
view of risk that persists among top management (EACLN and NAACLN 2008).
In order to achieve ERM objectives, relevant information must be identified, captured,
and communicated in a form and timeframe that enables people to carry out their
responsibilities (COSO 2004, 25). Levine (2004) notes that from an implementation
perspective, the information needs of ERM necessitate the availability of IT systems that provide
a true, unified picture of risk across the organization. Information and knowledge must be
-
8
aggregated across strategic and operational levels of the enterprise to assist managers in
understanding and assessing the existing range of internal and external risks (Treasury Board
2001, p. 15). Thus, one of the fundamental challenges of implementing ERM is aggregating the
underlying data required to monitor the various components of organizational risk (Lam 2003).
This need for data is highlighted in Ernst and Youngs (2008b) prescribed approach for
developing effective ERM. The firm notes the importance of designing and developing the
desired ERM processes and, once these processes have been deployed, assessing the degree of
alignment and coordination across the organization in assessing, improving and monitoring risks
and controls (p. 6). Two key components of this alignment and coordination process are the
leveraging of IT and the development of governance processes that start with the tone at the top
to create an appropriate control environment (p. 4-5). Of interest at this point is the focus on IT
where Ernst and Young (2008b) asserts that IT must be effectively leveraged to support the
organizations risk framework. This includes making any necessary changes to assure IT systems
effectively support risk identification and assessment as well as facilitate monitoring of risks to
recognize adverse trends proactively (p. 5). This leveraging of IT based on ERM strategies is
consistent with that put forth in the theory on capability building and entrepreneurial alertness
(Sambamurthy et al. 2003).
The focus on enterprise wide data availability is indicative of the need for organizational
information systems that have high IT compatibility. Byrd and Turner (2000) define IT
compatibility as the ability to share any type of information across any type of technology
component. In essence, it suggests a transparency of information that allows access to critical
data from anywhere within the organization through linked and integrated information systems.
While core enterprise systems may exist in organizations even before ERM efforts evolve, IT
-
9
research highlights the needs to assimilate technology in order to garner strategic benefit
(Sambamurthy and Zmud 1999). With enterprise systems in particular, involvement and pressure
from top management to drive assimilation and shape IT processes to support strategic processes
is critical (Liang et al. 2007). Given the importance placed on information flow, we expect that
increased effectiveness of ERM processes will be indicative of top management involvement and
desire for increased IT compatibility. This leads to the first hypothesis:
H1: As the effectiveness of ERM increases, IT compatibility will increase.
As previously noted, one of the major concerns has been the impact of control procedures
that are implemented as a part of an organizations ERM strategy on the flexibility of the
organization and its ability to react strategically to changes in the business environment.
Organizational strategic flexibility is reflective of an ability to respond appropriately and timely
to a wide variety of changes in the competitive environment, and is a function of managerial
capabilities and the responsiveness of the organization (Volberda 1996). Palanisamy (2005)
notes the importance of IT flexibility in facilitating such responsiveness by an organizations
management. Without easy accessibility of organization-wide data on performance and
capabilities, it is difficult for an organization to understand and respond to new market, product,
or service opportunities and to understand shifts in customer preferences and needs
opportunities that require increased organizational flexibility to respond effectively and
efficiently. Based on Byrd and Turners (2000) dissection of the components of IT flexibility, the
IT compatibility component is critical to supporting managements ability to react and thereby
maintain strategic flexibility. This is also consistent with Chapman and Kihns (2009) findings
that centralized data that is accessible organization-wide increased organizational flexibility.
Research in management control systems on facilitating organizational strategic
flexibility provides two key pieces to understanding the relationships between ERM, IT
-
10
compatibility, and strategic flexibility. First, Chenhall and Euske (2007) specifically note the
role of risk management processes in the successful adaptation of strategic direction. Second, the
literature points to the importance of diverse, readily available information. Abernethy and
Brownell (1999) show a relationship between the type of information needed and the strategic
orientation of the firm, with more strategically oriented firms requiring more dynamic
information. Further, strategically oriented firms demand broader scope information (Bouwens
and Abernethy 2000), and this broad scope information is highly important to organizational
flexibility (Abernethy and Lillis 1995). In combination, these two perspectives suggest that ERM
processes are important to supporting organizational strategic flexibility. As theorized by
Sambamurthy et al (2003), this relationship occurs through high levels of IT compatibility that
provide broad scope information readily retrievable to support strategic decision making. This
leads to the second and third hypotheses:
H2: As IT compatibility increases, organizational strategic flexibility will increase.
H3: The positive effect of ERM processes on organizational strategic flexibility is mediated by the level of IT compatibility.
As noted earlier, Ernst and Young (2008b) highlights the importance of establishing the
proper tone at the top of the organization to assure that the control culture of the organization is
brought in alignment with a risk management perspective. The control environment of the firm
must evolve to a form compatible with the ERM strategies and processes. The control
environment is the foundation for all other components of internal control, providing discipline
and structure. In terms of the theory, the control environment embodies a type of competitive
action that a firm must execute to facilitate reaction to identified risks and opportunities
(Sambamurthy et al. 2003).
-
11
Similarly, Volberda (1996) notes that an organization can only continue to act flexibly if
conditions are developed to maintain the organizations controllability and responsiveness. If
management tries to increase the flexibility mix beyond the limits of organizational conditions,
the controllability of the organization will diminish. (Volberda 1996, 363). The managerial
control literature similarly points to the importance of effective managerial control as necessary
to support strategic flexibility (Simons 1990; Davila 2000; Chenhall 2003; Ditillo 2004; Naranjo-
Gil and Hartmann 2006; 2007). Thus, an organization that maintains a consistent state of strong
organizational strategic flexibility will only do so if it uses that strategic flexibility to develop
and maintain an effective control environment that promotes discipline and structure. This leads
to the fourth and fifth hypotheses:
H4: As ERM effectiveness increases, the strength of the control environment will also increase.
H5: Higher levels of organizational strategic flexibility will promote stronger control environments.
Faced with new regulatory compliance requirements, an organization must react quickly
in order to put the processes in place to achieve compliance effectively and efficiently. By
definition, organizational strategic flexibility is the ability to respond appropriately and timely to
changes in the competitive environment (Volberda 1996). The introduction of new regulation is
reflective of such a change in the competitive environment. Thus, more flexible organizations
would be expected to react to regulatory changes by implementing appropriate and timely
processes to achieve compliance.
Amburgey and Miner (1992) view this ability to react to change by implementing
appropriate and timely processes as strategic momentum. In terms of organizational change,
strategic momentum is the tendency to maintain or expand the emphasis and direction of prior
strategic actions in reacting to current strategic challenges (Amburgey and Miner 1992). The
-
12
experience with change that comes with organizations having high levels of strategic flexibility
provides the ability to incorporate core routines for facilitating change into the structural inertia
(i.e. culture) of the firm (Amburgey et al. 1993). High levels of strategic flexibility coupled with
a culture prepared to address change are perceived to be even more critical when the forces
driving the change are intensified (Grewal and Tansuhaj 2001). Arnold et al. (2007) observe this
facilitating link between a change culture and the ability to adapt to control requirements under
SOX 404 mandates in two of the four firms they studied.
The inertia that allows firms to adapt and repetitively apply change routines (Amburgey
et al. 1993) is consistent with the organizational culture required within regulatory environments
that mandate on-going processes that facilitate compliance. This compliance culture, which must
become engrained in the organizational culture, accordingly influences the control consciousness
of the organizations peoplei.e. the control environment (COSO 1992). This creation of a
strong control environment should have a direct effect on the viability of compliance
implementation processes. Arnold et al. (2007) note the importance of a strong tone at the top
for facilitating the change in culture required for implementing SOX 404 compliance mandates.
Hence, while organizational strategic flexibility should facilitate the development of effective
implementation processes, the impact is likely increased (decreased) in the presence (absence) of
a strong control environment. The control environment is a critical catalyst for successfully
implementing strategic compliance processes. This leads to the sixth and seventh hypotheses:
H6: A stronger control environment will lead to more effective SOX compliance implementation processes.
H7: Higher levels of organizational strategic flexibility will promote stronger SOX compliance implementation processes, but this relationship will be mediated by the strength of the control environment.
-
13
Finally, more effective SOX compliance implementation processes should reduce the
difficulty in achieving compliance. This is the eighth and final hypothesis:
H8: A stronger SOX compliance implementation process will result in less difficulty achieving compliance.
This final hypothesis serves primarily as a control to assure that higher perceived levels of
activity actually result in tangible benefits.
Figure 2 graphically presents the hypothesized relationships and visually captures the
interrelationships among the various constructs. In terms of the theory on capability building and
entrepreneurial alertness, the research model expands upon the competitive actions portion of the
conceptual model to consider in greater detail the activities necessary for an effective response to
the given regulatory change.
[Insert Figure 2 about here]
III. RESEARCH METHOD
A field survey method was adopted for this study in order to identify and understand the
relationships as they exist within a set of organizations. Partial least square (PLS) analysis
(SmartPLS 2.0 Beta 2005) was used to validate the study constructs and to test the relationships
hypothesized in the conceptual model presented in Figure 2. The following sub-sections
elaborate on the participants, instrument development and validation, and the method of analysis.
Participants
The Institute of Internal Auditors Research Foundation (IIARF) hosted the survey
employed in this study. An invitation to participate was sent by the IIARF to 1,383 members
identified as Chief Audit Executives or the equivalent. A total of two hundred fifty-one
members completed the survey for a total response rate of 18.1%; 139 (55.6%) were employed at
organizations that have completed the SOX 404 compliance process, 111 (44.4%) were
-
14
employed at organizations that either are not subject to SOX 404 compliance or have not
completed the compliance process, and 1 participant did not respond to this question. While all
invitees were identified by the IIA as the chief audit executives in their organizations, responses
were screened based on the demographics in order to identify anyone that did not appear to fit
the sample profile. Of the 139 respondents at organizations that had completed the SOX
compliance process, two indicated they were staff auditors with less than five years experience
and one individual, also with less than five years experience, did not respond to the question
related to position. The data from these three respondents were excluded from further analyses.
Data from the remaining 136 respondents were examined for completeness. In one case,
the participant responded to less than 30% of the survey and in another case the participant
omitted all items related to one variable of interest; these cases were also dropped from further
analyses. A test of overall randomness found that remaining missing data was missing
completely at random (MCAR) (chi-square = 314.933 df = 386 p-value = 0.997) and the
expectation maximization algorithm (EM) (SPSS 15.0 2006) was used to calculate replacement
values as necessary (Hair et al. 2006).
Respondents were afforded the option of selecting N/A Dont Know for each of the
survey measures. The N/A Dont Know responses were examined to assess the magnitude and
pattern (if any) to these data. Twenty-one of the participants selected N/A Dont Know for
more than 10% of the survey items and these respondents data were all excluded from further
analyses3. The remaining not applicable responses were evaluated and found to be completely
at random (MCAR chi-square = 336.007 df = 312 p-value = 0.168) and EM (SPSS 15.0 2006)
was used to calculate replacement values (Hair et al. 2006). All remaining analyses for the
3 The demographic data for these twenty-one respondents were examined to see if there was a concentration in a particular industry or some other participant demographic characteristic; however, these frequencies were similar to that of participants retained in the sample.
-
15
current study are based on the remaining 113 respondents employed at organizations that
reported having completed at least 1 filing consistent with the requirements of SOX 404.
Of the 113 respondents used in this study, 106 (93.81%) were employed at publicly
traded companies and 92 (81.42%) had over ten years internal audit, accounting, finance and/or
IT experience. Twenty-six (23.01%) were employed in manufacturing, 19 (16.81%) in financial
services/real estate, 12 (10.62%) in technology, 11 (9.73%) in insurance, and 10 (8.85%) in
utilities. Seventy-eight (69.03%) of the survey respondents were male and 33 (29.20%) were
female (2 did not respond to this item). Demographic data is shown in Table 1.
[Insert Table 1 here]
Survey Instrument
The online survey was divided into two sections; the first section captured measures of
the latent variables employed in this study. The second section of the survey instrument collected
respondents demographic information. The structural model, which is shown in Figure 3,
includes five latent variables with reflective item measures (i.e. effectiveness of ERM, IT
compatibility, organizational strategic flexibility, control environment, and SOX implementation
difficulty) and one latent variable with formative item measures (i.e., the SOX compliance
implementation process). Descriptive statistics as well as the individual items for the construct
measures are presented in Table 2.
[Insert Figure 3 and Table 2 here]
ERM is an organizational process that enables firms to holistically identify, assess and
measure the potential impact of risks that can affect firm value. The five ERM item measures
used in the current study were developed to reflect participants assessment of the effectiveness
of their firms enterprise risk management procedures at a strategic level. Specifically, these
-
16
measures were developed to reflect top managements role in risk management, as top
management must develop consistency of operational objectives and goals throughout the
organization by implementing risk management processes that provide consistent and reliable
information about both organizational risks and opportunities. Additionally, ERM ensures that
control processes identify risks that may affect the achievement of objectives, and that the
identified risks are complimented with appropriate responses. The item measures for the ERM
Process construct shown in Table 2 reflect a clear picture of an organizations internal strategic
environment with a focus on achieving the strategic benefits that should be derived from
effective ERM strategies and processes (Treasury Board 2001; E&Y 2008b; COSO 2004).
IT compatibility is a sub-component of Byrd and Turners (2000) technical IT
infrastructure flexibility construct and measures the organizations ability to share information
across various technology components. The item measures for IT compatibility were adapted
from Byrd and Turner (2000). However over 10% of the respondents indicated that two of the
Byrd and Turner (2000) item measures were not applicable for their organization. As a result,
these items were dropped from further analysis. While all item measures are included in Table 2,
descriptive statistics are only shown for the four item measures retained.
Organizational strategic flexibility reflects the organizations ability to respond to the
opportunities and challenges of a competitive environment (Sanchez 1995). Four item measures
of organizational strategic flexibility are employed in the current study. These measures are
adapted from those validated by Cannon and St. John (2004) and focus on organizations
strategic accommodation of market/product changes.
The control environment construct reflects the organizations corporate environment as it
relates to internal controls. The five item measures in the current study for the control
-
17
environment were derived from COSOs original Internal Control Integrated Framework
(1992). COSO (1992) specifically mentions integrity and ethical values in the form of tone at
the top and an enforceable code of conduct, commitment to competence, active board of
directors, and appropriate organizational structure. Overall a strong control environment consists
of strong tone at the top supported by an organizational structure that encourages ethical
behavior. This organizational structure includes active communication between internal audit
and the board of directors/audit committee, enforceability of the code of conduct (item3) and
anonymous reporting mechanisms. The item measures for control environment shown in table 2
are reflective of a strong control environment.
The facets of organizational process change that are combined to form the construct for
SOX compliance implementation process include leadership, teamwork, change in
organizational culture and technology support functions. These item measures, which are shown
in Table 2, were derived from organizational and business process change best practices and
case study results (Kettinger and Grover 1995; Ungan 2005; Arnold et al. 2007).
Data Analysis
As shown in Figure 3, four of the constructs in the structural model are both exogenous
and endogenous. In addition, the SOX compliance implementation process construct is
formative rather than reflective, thus partial least squares (SmartPLS 2.0 beta 2005) is used for
data analysis and to assess construct convergent and discriminant validity.
Convergent Validity
The measures used to assess the convergent validity of the reflective constructs employed
in this study are factor loadings, variance extracted, and construct composite reliability. The
factor loadings and cross loadings are presented in Table 3; the factor loadings for the constructs
-
18
with reflective item measures all exceed 0.70 and are higher than related cross-loadings (Chin
1998; Hair et al. 2006). In addition, as shown in Table 4, the variance extracted for each
reflective construct exceeds 0.50 and the construct composite reliability exceeds 0.70 (Fornell
and Larcker 1981; Hair et al. 2006). Together these results support the convergent validity of the
reflective constructs in the structural model (Fornell and Larcker 1981; Chin 1998; Hair et al.
2006). Measures of internal consistency are not appropriate for validating formative constructs
(Hair et al. 2006).
[Insert Tables 3 and 4 here]
Discriminant Validity
The average variance extracted for each latent variable was compared with the related
squared inter-construct correlations to assess discriminant validity (Hair et al. 2006). All of the
average variance extracted estimates were greater than the associated squared inter-construct
correlations (Table 5), which suggests that discriminate validity is not a problem for the
reflective constructs in the model. Additionally, as shown in Table 6, each inter-construct
correlation is also less than 0.85, which is another indicator of discriminant validity (Kline
2005).
[Insert Tables 5 and 6 here]
Formative Construct Validity
Formative measures form a composite index, thus, ensuring that the indicators do not
overweight any particular aspect of the construct is important(Chin 1998; Diamantopoulos et al.
2008). Variance inflation factors were calculated for each of the six indicators of the construct
for SOX compliance implementation process, using a measure of SOX implementation
difficulty. The VIF for one of the measures of SOX implementation process, Our organization
-
19
developed a formal approach to implementing SOX, was 4.4 (not shown), which exceeded the
recommended threshold of 3.3 (Diamantopoulos and Siguaw 2006; Petter et al. 2007). All six
item measures for this construct were reviewed; removing this item did not affect the construct
content validity (Hair et al. 2006; Petter et al. 2007). As shown in Table 3, the variance inflation
factors for the remaining measures of this construct were all less than 2.0, and they were retained
in the model (Hair et al. 2006).
IV. RESULTS
The purpose of this study was to examine the influence of ERM effectiveness on the
effective leveraging of IT systems, development of organizational strategic flexibility, and the
resulting reactiveness to new regulatory mandates over internal control reporting. The research
model theorized in the current study posits that factors impacting compliance implementation
processes include effectiveness of ERM, the level of IT compatibility, the organizations
strategic flexibility, and the strength of the organizations control environment. Because this
model includes a formative construct, parametric testing is not appropriate; bootstrapping (1000
samples with replacement) was used to calculate model t-statistics and standard errors
(Diamantopoulos and Winklhofer 2001). The construct R2, standardized path coefficients, and
p-values are presented in Figure 3 (SmartPLS 2.0 beta 2005).
H1 posits that ERM is an antecedent of IT compatibility. The results indicate that the
standardized path coefficient (+0.6014) is significant (p-value=0.001) and in the hypothesized
direction, providing support for H1. R2 for IT compatibility is 0.362 suggesting that ERM
explains 36.2% of the variation in IT compatibility. Consistent with prescribed ERM strategies,
these results support the view that the ability to share information across the organization is a
critical and necessary outcome of implementing effective ERM processes.
-
20
H2 posits that IT compatibility facilitates organizational strategic flexibility. The
standardized path coefficient of H2 (+0.3406) is also significant (p-value=0.001) in the
hypothesized direction. As shown in Figure 3, R2 for organizational strategic flexibility is 0.273.
This finding supports both the underlying theory on the relationship between ERM and strategic
flexibility as well as being consistent with prior managerial control research that suggests that
maintenance of flexible organizational structures requires easy access to organizational wide
information that facilitates monitoring (Abernathy and Lillis 1995; Abernathy and Brownell
1999; and Bouwens and Abernathy 2000.)
H3 posits that IT compatibility mediates the impact of ERM on organizational strategic
flexibility. Consistent with Baron and Kenney (1986) the three conditions that must be met to
support a mediation effect are evaluated. The first condition requires a significant relationship
between ERM and IT compatibility; tests of H1 provide support for this condition. The next
condition requires a significant relationship between IT compatibility and organizational
strategic flexibility; tests of H2 provide support for this condition. The third condition requires
that a significant relationship between ERM and organizational strategic flexibility become less
significant when a relationship between ERM and IT compatibility is included in the model. In
other words, for IT compatibility to mediate the impact of ERM on organizational strategic
flexibility, H1 and H2 should have significant path coefficients while the coefficient for H3
diminishes. Figure 4 indicates a significant relationship (p-value=.001) between ERM and
organizational strategic flexibility when the direct relationship between those two variables is
tested. When IT compatibility is included in the model the relationship between ERM and
organizational strategic flexibility, although still significant (p-value=.01) diminishes by almost
50% indicating that IT compatibility partially mediates the effect of ERM on organizational
-
21
strategic flexibility. Results of the Goodman I version of the Sobel test (z-value = 3.356, p-value
=0.0008) confirm the partial mediation effect. The identification and support of this mediating
effect is a major finding as it explains the interrelationship between three disparate literatures: (1)
conceptualizations on ERM (Treasury Board 2001, COSO 2004; E&Y 2008b), (2) findings in
the managerial control literature on the importance of broad based information to support
flexible organizations, and (3) findings in the strategic management literature on the critical role
of managerial control and IT capability on organizational strategic flexibility.
[Insert Figure 4 here]
H4 posits that improvements in ERM will lead to control environment improvements. The
standardized path coefficient (+0.6347) is significant (p-value = .001), providing support for H4.
ERM also impacts control environment through organizational strategic flexibility, thus the total
effect of ERM on control environment is 0.73822 (i.e. 0.6347 + (0.2408*0.2323) +
(0.6014*0.3406*0.2323)). By including organizational components impacted by ERM in the
research model (i.e. IT compatibility and organizational flexibility), our model reveals that the
total effect of ERM on control environment is substantially higher than the simple direct effect of
0.6347.
H5 posits that improved organizational flexibility is associated with an improved control
environment. Figure 3 indicates that the standardized path coefficient between organizational
strategic flexibility and control environment (+0.2323) is significant (p-value=0.001) in the
hypothesized direction, providing support for H5.This finding is consistent with theorizations
from a strategy perspective (Volberda 1996); findings in prior managerial control studies
(Simons 1990; Davila 2000; Chenhall 2003; Ditillo 2004; Naranjo-Gil and Hartmann 2006), and
the underlying theory on ERM facilitation of competitive actions. All have postulated that
-
22
flexible organizations are only sustainable if they develop strong controls, and our research
results show that a strong control environment represents one such control mechanism for
facilitating and supporting organizations ability to respond in an effective and timely manner.
H6 posits that the quality of the control environment influences the SOX compliance
implementation process. The standardized path coefficient between control environment and
SOX 404 compliance implementation process (+0.4979) is significant (p-value=0.001) and in the
hypothesized direction, providing support for H6. This finding provides additional support for the
finding that a strong tone at the top that facilitates a change in culture has a substantial
influence over the organizations proficiency in implementing SOX 404 compliance processes
(Arnold et al. 2007).
H7 posits that control environment mediates the impact of organizational strategic
flexibility on SOX compliance implementation process. As noted previously, three conditions
must be met to support a mediation effect (Baron and Kenney 1986). The first condition requires
a significant relationship between organizational strategic flexibility and control environment;
tests for H5 provide support for this condition. The next condition requires a significant
relationship between control environment and SOX compliance implementation process; tests of
H6 provide support for this condition. The third condition, which requires that a significant
relationship between organizational strategic flexibility and SOX compliance implementation
process become less significant when a relationship between organizational strategic flexibility
and control environment is included in the model, also exists. As shown in Figure 5, the
coefficient between organizational strategic flexibility and SOX 404 compliance implementation
process is significant (p-value=.001) but diminishes when control environment is included (p-
value=0.10). The results of the Goodman I version of the Sobel test (z-value = 3.0096 p-value
-
23
=0.003) confirm the full mediation effect. Thus, control environment fully mediates the effect of
organizational strategic flexibility on SOX compliance implementation process. Consistent with
Volberda (1996) this additional major finding demonstrates that the usefulness of organizations
strategic flexibility in facilitating responsiveness to new regulatory mandates is heavily
dependent on the strength of the control environment.
The last hypothesis, H8, posits an inverse relationship between the SOX compliance
implementation process and the amount of difficulty experienced by the organization during the
implementation process. To obtain a measure of SOX implementation difficulty, participants
were asked to respond to the following statement The change that was required for our
organization to comply with SOX was difficult to implement.
A formative construct is by definition unidentified (Hair et al. 2006), thus the SOX
difficulty construct provides model identification and supports the nomological validity of the
formative SOX compliance implementation process construct. The results indicate that the
standardized path coefficient -0.3065) is significant (p-value=0.01) and in the hypothesized
direction, providing support for H8.
[Insert Figure 5 here]
V. DISCUSSION
This research study was motivated in part by the discourse over the potential negative
impacts of new global internal control reporting mandates and, in part, by the need for a better
understanding of the relationship between ERM, IT capatibility, and organizational strategic
flexibility on both the development of a strong control environment and compliance difficulty.
Critics of SOX 404 requirements in particular have often pointed to a loss in strategic flexibility
as a cost of regulatory compliance and advocated rescinding this key aspect of the corporate
-
24
governance initiatives put in place by the Act. While our model specifically focuses on SOX 404
compliance requirements, the conceptual foundations of the model are more generalized and the
models applicability theoretically should also extend to organizational responses to other new
regulatory compliance requirements.
In formulating the conceptual model, consideration was given to the findings of Arnold et
al. (2007) in their case analysis of four small and medium-sized organizations experiences in
implementing SOX 404 compliance processes. Two of the four organizations had difficult
implementation experiences and two exhibited relatively minor difficulty in implementation. On
the surface, these case studies would seem to highlight conflicting evidence regarding the actual
existence of the concerns that have been raisedi.e. reduced strategic flexibility and hindered
competitiveness. A deeper examination of the documented cases, however, provides evidence
that the differences in experiences among the companies could be driven by organizational
culture and/or existing ERM strategies.
In this study, we develop a conceptual model that investigates the effects of
organizational culture and ERM processes on compliance. The model relies heavily on the theory
of capability building and entrepreneurial alertness while integrating that theory with the
managerial control systems literature in order to better understand the facilitation of competitive
actions required to respond to the new regulatory mandates. The theoretical relationships
between the four main constructs are better understood as a result of identifying the mediating
constructs that influence the nature of the relationships among the constructs. Testing of the
model, based on the reported organizational structures and experiences provided by 113 chief
audit executives from organizations having completed and reported upon SOX 404 compliance
requirements for internal controls, yields strong explanatory power and significant relationships
-
25
that are in line with the hypothesized relationships. Thus, the conceptual model appears to
provide a sound basis for understanding how various organizational structures and processes
affect the level of compliance difficulty experienced across a range of organizations.
First, we find that the effectiveness of ERM processes is very predictive of organizations
strategic flexibility, but that this relationship is partially mediated by IT compatibilitythe
ability to access and utilize enterprise wide data from across all organizational systems. Second,
we find that an organizations strategic flexibility is positively related to their ability to
implement effective processes for addressing compliance with new regulations, but that this
relationship is fully mediatedin this case by the strength of the control environment. Third, our
findings significantly enhance the theoretical understanding of the relationship between ERM
and the strength of the control environment by identifying not only a strong direct effect, but also
finding a strong indirect effect via the organizational structures and processes supported by
ERM. This indirect effect increases the explanatory power of ERM by 16% in terms of
explaining the variance in the strength of organizations control environment. In summary, the
results provide evidence that organizations with strong ERM processes prior to SOX 404
mandates faced fewer obstacles in implementing the processes necessary to meet internal control
requirements. On the other hand, the organizations that did not have effective ERM processes in
place incurred the greatest difficulty in implementing effective compliance processesthe very
organizations for which the Act was deemed so important.
There are limitations of the current study that should be considered when reflecting upon
the results. Many of these limitations are related to scope and also provide guidance on future
research needs. First, our responses were taken entirely from chief audit executives. Their views
on the SOX compliance experience may not be reflective of other chief executives in the
-
26
organization. Future studies may wish to consider multiple respondents for each organization in
order to get a more diverse perspective on the experiences. Second, our study considers a limited
set of organizational structures and processes, and additional organizational characteristics may
likely aid in further explaining the attributes and relationships that were observed in this study.
Organizations are complex entities and substantial research is required to uncover the myriad of
complex interrelationships that drive organizational behavior and performance. Third, our study
relies on the responses of chief audit executives which necessarily narrows our representation to
organizations that have at least one in-house internal auditor. Given the large market for
consulting services to assist with compliance efforts, there will be a relatively small subset of
organizations that still do not have an internal audit function in-house. While this has become
much rarer in the post-SOX era, future research should consider expanding the scope to these
organizations as well.
Overall, the research reported here provides an initial view into the effect of
organizational structures and processes on the ability to meet regulatory compliance mandates.
The relationships are strong and significant, the interrelationships complex, and the findings
highly insightful in terms of understanding the importance of ERM in effectively dealing with
volatile environments.
-
27
FIGURE 1 Strategic ERM Processes and the Impact on Organizational Structures and Competitive Action
Strategic ERM Processes
Leveraging of IT Systems
Strategic Flexibility
Competitive Action
-
28
FIGURE 2 Drivers of Sarbanes-Oxley 404 Compliance Difficulty
Enterprise Risk Management
Information Technology
Compatibility
Organizational StrategicFlexibility
Control Environment
Sarbanes-Oxley 404 Compliance Implementation
Process
Sarbanes-Oxley 404 Compliance
difficulty
H1
H2
H3
H4
H5
H6
H7
H8
-
29
FIGURE 3 Structural Model
-
30
FIGURE 4 Structural Model Test of Mediating Effects of Information Technology Compatibility
-
31
FIGURE 5 Structural Model Test of Mediating Effects of the Control Environment
Organizational StrategicFlexibility
ControlEnvironment
Sarbanes-Oxley404 Compliance Implementation
Process
H5+0.467***
H6+0.410***
H7+0.167
Organizational StrategicFlexibility
Sarbanes-Oxley404 Compliance Implementation
Process
H7+0.382***
* P-value < 0.05 (one-tailed t-statistic > 1.645)** P-value 2.236)
*** P-value < 0.001 (one-tailed t-statistic > 3.090)
-
32
Table 1 - Participant Demographics Category Frequency
N = 113 Percentage
Gender Male 78 69.03% Female 33 29.20% Not answered 2 1.77% Age 25 to 40 years 28 24.78% 40+ years 84 74.34%
Not answered 1 0.88% Experience 3 to 10 years 21 18.58% 10+ years 92 81.42% Industry Manufacturing 26 23.01% Financial services / real estate 19 16.81% Technology 12 10.62% Insurance carriers / agents 11 9.73% Utilities 10 8.85% Wholesale/retail 6 5.31% Transportation 6 5.31% Communication 4 3.54% Health 3 2.64% All other 16 14.16% Organizational Structure Publicly traded 106 93.81% Not publicly traded 6 5.31% Not answered 1 0.88%
-
33
Table 2 - Descriptive Statistics Construct Measures
Minimum Mean Median Maximum Std dev.
Enterprise Risk Management (ERM) Process
1. Our organization performs a thorough enterprise-wide risk assessment at least once a year 1 3.65 4.00 5 1.314
2. The strength of our internal control system enhances our organizations ability to identity events that may affect the achievement of our objectives
1 3.04 3.00 5 1.109
3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks 1 3.02 3.00 5 1.257
4. Management has effective processes to respond to identified risks 1 3.02 3.00 5 1.134
5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organizations well-being.
1 3.13 3.00 5 1.128
IT Compatibility
1. Remote, branch, and mobile offices have easy access to data from the home or central office 1 2.48 2.00 5 1.188
2. Our organization's ability to make rapid IT change is high 1 3.39 3.00 5 1.145
3. Information is shared seamlessly across our organization, regardless of the location 1 3.01 3.00 5 1.214
4. Our user interfaces provide transparent access to all applications. 1 2.96 3.00 5 1.105
-
34
5. Our organization offers a wide variety of types of information to end users (e.g. multimedia) (D)
6. Data received by our organization from electronic links with supply-chain partners are reliable (D)
Organizational Strategic Flexibility
1. Our organization has difficulty maximizing new market opportunities (RC) 1 2.50 2.00 5 1.127
2. Our organization is able to introduce new products/services 1 2.18 2.00 5 0.967
3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC) 1 2.29 2.00 5 1.027
4. Our organization is able to manage the impact of serving new classes of customers 1 2.42 2.00 5 0.975
Control Environment
1. Top management exhibits shared attitudes regarding acceptable levels of enterprise risk 1 2.65 3.00 5 1.034
2. The board of directors actively interacts with internal auditors 1 2.53 2.00 5 1.391
3. Our organization has an enforceable formal code of conduct 1 2.21 2.00 5 1.285
4. Our organization has an effective mechanism for employees to anonymously report dishonest, illegal or unethical behavior 1 2.50 2.00 5 1.409
5. The actions of management support a strong internal control environment 1 2.29 2.00 5 1.080
-
35
SOX Compliance Implementation Process
1. Top management provided committed leadership in the implementation of SOX requirements 1 1.58 1.00 5 0.822
2. Our organization developed a formal approach to implementing SOX requirements 1 1.33 1.00 5 0.558
3. Our organization assembled an effective team to lead the SOX implementation process 1 1.44 1.00 5 0.704
4. Our organization experienced a change in organizational culture as a result of implementing SOX requirements 1 2.36 2.00 5 1.240
5. Our organization had a champion leading the SOX implementation process 1 1.52 1.00 5 0.790
6. The IT function in our organization effectively supported the necessary changes for SOX compliance 1 1.99 2.00 5 1.007
SOX Implementation Difficulty
1. The change that was required for our organization to comply with SOX was difficult to implement. 1 2.96 3.0 5 1.117
(RC) reverse coded (D) Items dropped due to volume of not applicable/dont know responses; items not included in data analyses Scale: 1 = Strongly Agree to 5 = Strongly Disagree
-
36
Table 3 - Item Loadings and Cross Loadings
Latent Variables with Reflective Indicators
Latent Variable
With Formative Indicators
VarianceInflationFactor
Control Environment
Enterprise Risk
Management IT
Compatibility
OrganizationalStrategic
Flexibility SOX
Difficulty
SOX Compliance
ImplementationProcess
CE1 0.799948 0.587382 0.520346 0.443651 -0.30446 0.433958 CE2 0.817297 0.645214 0.430881 0.418776 -0.35895 0.408118 CE3 0.779757 0.526933 0.491482 0.384745 -0.3615 0.435451 CE4 0.741822 0.487143 0.374668 0.299003 -0.20409 0.337813 CE5 0.770664 0.618163 0.504355 0.444200 -0.34635 0.489083
ERM1 0.480316 0.735474 0.376448 0.227031 -0.05027 0.119125 ERM2 0.681789 0.872316 0.538702 0.433014 -0.37431 0.421941 ERM3 0.685408 0.888451 0.559818 0.361941 -0.3129 0.333831 ERM4 0.671748 0.939087 0.575135 0.494995 -0.30959 0.451344 ERM5 0.659149 0.897131 0.53242 0.372234 -0.29524 0.363645 IFC1 0.48294 0.512423 0.835917 0.413831 -0.26963 0.238095 IFC3 0.522344 0.483832 0.881748 0.341684 -0.30837 0.308309 IFC5 0.518378 0.498639 0.816921 0.460071 -0.27521 0.384329 IFC6 0.510228 0.545117 0.868262 0.424306 -0.28279 0.278661 OF1rc 0.377564 0.241598 0.385518 0.732945 -0.22762 0.265035 OF2 0.383514 0.285678 0.337121 0.788538 -0.12844 0.317927
-
37
OF3rc 0.314371 0.342347 0.331338 0.773228 -0.03544 0.113477 OF4 0.45194 0.447844 0.398181 0.729167 -0.19754 0.306636
PERF3 -0.40847 -0.32467 -0.33331 -0.20395 1 -0.30648 SOXD1 0.430316 0.213079 0.25 0.130866 -0.18184 0.622641 1.5281 SOXD3 0.327479 0.214426 0.22585 0.291656 -0.0642 0.572628 1.7013 SOXD4 -0.24126 -0.22535 -0.11766 -0.21609 0.2156 -0.56392 1.0298 SOXD5 0.158904 0.034334 0.104942 0.153982 -0.02945 0.286873 1.4648 SOXD6 0.205493 0.239005 0.294668 0.164783 -0.15986 0.444248 1.3613
-
38
Table 4 - Tests of Convergent Validity
Variable Measures Factor
Loading
Construct Composite Reliability
Average Variance Extracted
Enterprise Risk Management (ERM) Process 0.9389 0.7556
1. Our organization performs a thorough enterprise-wide risk assessment at least once a year (D) 0.7355
2. The strength of our internal control system enhances our organizations ability to identity events that may affect the achievement of our objectives 0.8723
3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks 0.8885
4. Management has effective processes to respond to identified risks 0.9391
5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organizations well-being. 0.8971
IT Compatibility 0.9131 0.7244
1. Remote, branch, and mobile offices have easy access to data from the home or central office 0.8359
2. Our organization's ability to make rapid IT change is high 0.8817
3. Information is shared seamlessly across our organization, regardless of the location 0.8169
4. Our user interfaces provide transparent access to all applications. 0.8683
-
39
Organizational Strategic Flexibility 0.8423 0.5721
1. Our organization has difficulty maximizing new market opportunities (RC) 0.7329
2. Our organization is able to introduce new products/services 0.7885
3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC) 0.7732
4. Our organization is able to manage the impact of serving new classes of customers (D) 0.7292
Control Environment 0.8874 0.6120
1. Top management exhibits shared attitudes regarding acceptable levels of enterprise risk 0.7999
2. The board of directors actively interacts with internal auditors 0.8173
3. Our organization has an enforceable formal code of conduct 0.7798
4. Our organization has an effective mechanism for employees to anonymously report dishonest, illegal or unethical behavior (D) 0.7418
5. The actions of management support a strong internal control environment 0.7707 (D) dropped and not included in analyses of construct validity (RC) reverse coded
-
40
Table 5 - Test of Discriminant Validity
Organizational Strategic
Flexibility IT
Compatibility ERM Control
Environment Average Variance Extracted 0.5721 0.7244 0.7556 0.6120
SQUARED INTER-CONSTRUCT CORRELATIONS Organizational Strategic Flexibility 1.0000 IT Compatibility 0.2356 1.0000 ERM 0.1985 0.3617 1.0000 Control Environment 0.2654 0.3577 0.5449 1.0000
-
41
Table 6 - Latent Variable Correlations
Control Environment
Enterprise Risk
ManagementIT
Compatibility
Organizational Strategic
Flexibility SOX
Difficulty
SOX Compliance
ImplementationProcess
Control Environment 1.0000
Enterprise Risk Management
0.7382 1.0000
IT Compatibility 0.5980 0.6014 1.0000
Organizational Strategic Flexibility
0.5151 0.4456 0.4854 1.0000
SOX Difficulty -0.4085 -0.3247 -0.3333 -0.2040 1.0000
SOX Compliance Implementation Process
0.5429 0.4053 0.3561 0.3439 -0.3065 1.0000
-
42
REFERENCES
Abernethy, M.A. and P. Brownell. 1999. The role of budgets in organizations facing strategic change: an exploratory study. Accounting Organizations and Society 24: 189-204.
Abernethy, M.A. and A.M. Lillis. 1995. The impact of manufacturing flexibility on management control systems design. Accounting Organizations and Society 20(4): 241-258.
Ahrens, T. and C.S. Chapman. 2004. Accounting for flexibility and efficiency: a field study in management control systems in a restaurant chain. Contemporary Accounting Research 21(2): 271-301.
Amburgey, T.L and A.S. Miner. 1992. Strategic Momentum: The Effects of Repetitive,
Positional, and Contextual Momentum on Merger Activity. Strategic Management Journal (13): 335-348.
Amburgey, T.L., D. Kelly, and W.P. Barnett. 1993. Resetting the Clock: The Dynamics of Organizational Change and Failure. Administrative Science Quarterly (38): 51-73.
Arnold, V., T. S. Benford, J. Canada, J. R. Kuhn Jr., and S. G. Sutton. 2007. The Unintended Consequences of Sarbanes-Oxley on Technology Innovation and Supply Chain Integration. Journal of Emerging Technologies in Accounting. Vol. 4 No. 1 103-121.
Baron, R. M. and D. A Kenny. 1986. The Moderator-Mediator Variable Distinction in Social Psychological Research: Conceptual, Strategic, and Statistical Considerations. Journal of Personality and Social Psychology. Vol. 51, No. 6, 1173-1182.
Beasley, M.S., R. Clune, and D.R. Hermanson. 2005. Enterprise risk management: an empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy 24: 521-531.
Bloomsberg, M. R., C.E. Schumer, and McKinsey and Company. 2007. Sustaining New Yorks and the US Global Financial Services Leadership (New York: McKinsey and Company).
Bouwens, J. and M. A. Abernethy. 2000. The consequences of customization on management accounting system design. Accounting Organizations and Society 25: 221-241.
Byrd, T. A. and D. E. Turner. 2000. Measuring the flexibility of information technology infrastructure: Exploratory Analysis of a Construct. Journal of Management Information Systems; Summer Vol. 17, No. 1, 167-208.
Cannon, A. R. and St. John, C. H. (2004) Competitive Strategy and Plant Level Flexibility. International Journal of Production Research, 42(10): pp 1987-2007.
Chapman, C.S. and L-A. Kihn. (2009). Information system integration, enabling control and performance. Accounting Organizations and Society 34(2): 151-169.
-
43
Chenhall, R.H. 2003. Management control systems design within its organizational context: findings from contingency-based research and directions for the future. Accounting Organizations and Society 28: 127-168.
Chenhall, R. H. and K.J. Euske. 2007. The role of management control systems in planned organizational change: an analysis of two organizations. Accounting Organizations and Society 32: 601-637.
Chin, W.W. 1998. The Partial Least Squares Approach to Structural Equation Modeling. Mosern Methods for Business Research. Marcoulides, G.A. Lawrence Erlbaum associates, New Jersey, USA: 295-336.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control Integrated Framework. American Institute of Certified Public Accountants.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management Integrated Framework. (Committee of Sponsoring Organizations of the Treadway Commission, AICPA: New York).
Davila, T. 2000. An empirical study on the drivers of management control systems design in new product development. Accounting Organizations and Society 25: 383-409.
DeFond, M.L. and J.R. Francis. 2005. Audit research after Sarbanes-Oxley. AUDITING: A Journal of Practice and Theory 24(supplement): 5-30.
Diamantopoulos, A., and J.A. Siguaw. 2006. Formative Versus Reflective Indicators in Organizational Measure Development: A Comparison and Empirical Illustration, British Journal of Management 17: pp. 263-282.
_________, P. Riefler and K.P. Roth. 2008. Advancing formative measurement models. Journal of Business Research. (In Press). __________and H.M. Winklhofer. 2001. Index Construction with Formative Indicators:An
Alternative to Scale Development. Journal of Marketing Research 38 (2): 269-277 Ditillo, A. 2004. Dealing with uncertainty in knowledge-intensive firms: the role of management
control systems as knowledge integration mechanisms. Accounting Organizations and Society 29: 401-421.
EACLN and NAACLN. 2008. Enterprise Risk: Recurring Challenges and New Considerations for the Audit Committee. ViewPoints for the Audit Committee Leadership Summit 8 (31 October 2008).
Ernst and Young. 2008a. Internal Controls: From Compliance to Competitive Edge (EYGM
Limited).
-
44
_____________. 2008b. The Future of Risk Management and Internal Control (EYGM Limited).
Fornell, C. and D. F. Larcker. 1981. Evaluating Structural Equation Models with Unobservable Variables and Measurement Error. Journal of Marketing Research, Vol. 18, No. 1 39-50.
Grewal, R. and P. Tansuhaj. 2001. Building organizational capabilities for managing economic crisis: the role of market orientation and strategic flexibility. Journal of Marketing 65 (April): 67-80.
Institute of Internal Auditors. 2004. The Role of Internal Audit in Enterprise-wide Risk Management. London: The Institute of Internal Auditors UK and Ireland.
Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., & Tathan, R. L. (2006). Multivariate Data Analysis. Upper Saddle River, NJ: Pearson Education Inc
Katz, D.M. 2006. Panels on 404 skirt small-company woes. CFO.com (May 02).
Kettinger, W. K. and V. Grover. 1995. Toward a Theory of Business Change Management. Journal of Management Information Systems. Vol. 12. No. 1 9-30.
Kleffner, A., R. Lee, and B. McGannon. 2003. The effect of corporate governance on the use of enterprise risk management: evidence from Canada. Risk Management and Insurance Review 6(1): 53-73.
Kline, R. B. 2005. Principles and Practice of Structural Equation Modeling, Second Edition. (The Guilford Press: New York)
KPMG. 2008. International Survey of Audit Committee Members (Audit Committee Institute, London).
Lam, J. 2003. Enterprise Risk Management. Hoboken, NJ: John Wiley & Sons, Inc.
Langfield-Smith, K. (1997). Manaement control systems and strategy: a critical review. Accounting Organizations and Society 22(2): 207-232.
Levine, R. 2004. Risk management systems: understanding the need. EDPACS 32(2): 1-13.
Liang, H., Saraf, N., Hu, Q., & Xue, Y. 2007. Assimilation of enterprise systems: The effect of institutional pressures and the mediating role of top management. MIS Quarterly 31(4): 59-88.
Liebenberg, A. and R. Hoyt. 2003. The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Management and Insurance Review 6(1): 37-52.
Naranjo-Gil, D. and F. Hartmann. 2006. How top management teams use management accounting systems to implement strategy. Journal of Management Accounting Research 18: 21-53.
-
45
Naranjo-Gil, D. and F. Hartmann. 2007. Management accounting systems, top management team heterogeneity and strategic change. Accounting Organizations and Society 32: 735-756.
Palanisamy, R. 2005. Strategic information systems planning model for building flexibility and success. Industrial Management and Data Systems 105(1): 63-81.
Petter, S., D. Straub., and A. Rai. 2007. Specifying Formative Constructs in Information Systems Research. MIS Quarterly. 31 (4): 623-656.
Ringle, C. M., S. Wende and A. Will. 2005. SmartPLS 2.0 (beta), www.smartpls.de.
Romano, R. 2005. The Sarbanes-Oxley Act and the making of quack corporate governance. The Yale Law Review 114: 1521-1611.
Sambamurthy, V., A. Bharadwaj, and V. Grover. 2003. Shaping agility through digital options: Reconceptualizing the role of information technology in contemporary firms. MIS Quarterly 27 (2): 237-263.
Sambamurthy, V. and R.W. Zmud. 1999. Arrangements for information technology governance: a theory of multiple contingencies. MIS Quarterly 23(2): pp.261-290.
Sanchez, R. 1995. Strategic Flexibility in Product Competition. Strategic Management Journal, 16: pp 135-159.
Simons, R. 1990. The role of management control systems in creating competitive advantage: a new perspective. Accounting Organizations and Society 15(1/2): 127-143.
Treasury Board. 2001. Integrated Risk Management Framework. (Treasury Board, Canadian Government, Ottawa).
Ungan, M. 2005. Management support for the adoption of manufacturing best practices: key factors. International Journal of Production Research. Vol. 43, No. 18, 38033820.
Volberda, H.W. 1996. Toward the flexible form: how to remain vital in hypercompetitive environments. Organization Science 7(4): 359-374.