www.emeraldinsight.com/0140-9174.htm
MRN 31,10
Challenges in enhancing enterprise resource planning systems for compliance with
Sarbanes-Oxley Act and analogous Canadian legislation
Vinod Kumar and Raili Pollanen
Sprott School of Business, Carleton University, Ottawa, Canada, and
Bharat Maheshwari
Odette School of Business, University of Windsor, Windsor, Canada
Abstract
Purpose – This paper aims to examine major challenges faced by companies in enhancing their
enterprise resource planning (ERP) systems for compliance with regulatory internal control
requirements, specifically those imposed by the Sarbanes–Oxley Act (SOX) of 2002 and analogous
Canadian legislation.
Design/methodology/approach – Data were collected through case studies of four medium-sized
and large companies that use ERP systems and that have operations in the USA and Canada, thus
being subject to SOX and/or similar Canadian regulations.
Findings – The companies faced some technical, process and cultural challenges in implementing
regulatory control compliance. In all companies, existing ERP systems were not able to meet all
control requirements without some modifications or add-on applications. Control implementations
have been long, complicated and costly processes, which are not fully completed. Detailed analyses
and documentation of existing systems, controls and processes were required in all companies. The
protection of systems security and the segregation of duties were perceived to be major technical
obstacles. Cultural factors resulted in additional challenges, notably resistance to change.
Research limitations/implications – The findings of this study enhance the understanding of
ERP systems design features, processes and challenges in implementing regulatory controls. As such,
they provide a foundation for further empirical studies and for building models of ERP systems
effectiveness in implementing effective controls.
Practical implications – The study provides managers insight into challenges in enhancing ERP
systems for regulatory control compliance. Lessons learned can contribute to the development and
sharing of best practices and to overall organizational effectiveness.
Originality/value – Using an interdisciplinary approach, the study provides new evidence on the
extent to which ERP systems meet regulatory internal control requirements.
Keywords Manufacturing resource planning, Legislation, United States of America, Canada
Paper type Research paper
Management Research News, Vol. 31 No. 10, 2008, pp. 758-773. Emerald Group Publishing
Limited, 0140-9174. DOI 10.1108/01409170810908516
This research project has been sponsored partly by the Canadian Academic Accounting
Association under its CAAA-SAP research grant program. A previous version of this paper
was presented at the Administrative Sciences Association of Canada (ASAC) Annual
Conference, Information Systems Division, Ottawa, Canada, 2-5 June 2007, where it was
awarded an honourable mention in the best-paper competition.
Introduction
Several empirical studies of enterprise resource planning (ERP) adopting companies
suggest that the implementation of ERP software is just the beginning of a company’s
ERP program, and that companies need to continuously enhance their ERP systems
and business processes in order to achieve desired organizational performance
objectives (Markus and Tanis, 2000; Davenport, 2000; Beheshti, 2006). During the last
few years, a new urgency to this need has been provided by the Sarbanes–Oxley Act
(SOX) (US Congress, 2002) and similar subsequent regulations in other countries, such
as Canada. This act, named after its two initiators, Senator Paul Sarbanes and
Representative Michael Oxley, imposed widespread changes in the manner public
companies must manage and report on their performance. It requires senior
management to certify and report on the adequacy and effectiveness of internal
controls over financial reporting in an effort to improve the quality and reliability of
financial information. These requirements have forced companies to focus on
enhancing their systems and processes, not just controlling and certifying the outputs
of their systems and processes.
ERP systems can provide key technical tools and solutions for collecting, analyzing
and reporting relevant information for implementing internal controls, such as those
required by SOX. However, the implementation of technical systems can be
complicated and often requires adjustments to organizational structures, processes,
norms and employee skills, which can vary in different environments. In large
organizations, such efforts can be further complicated by differences in geographic
distance, culture, existing technology and systems and political and regulatory
environment in different countries. Inadequate attention to these factors can pose
serious challenges for successful implementation. In addition, smaller companies may
find it difficult to obtain adequate resources to support these efforts. Although the
Committee of Sponsoring Organizations (COSO) framework (Committee of Sponsoring
Organizations of the Treadway Commission, 1992) provides general principles for
effective internal controls and the control objectives for information technology
(COBIT) framework (Information Technology Governance Institute (ITGI), 2004)
provides evaluation criteria for information technology (IT) controls, only limited
research exists on how to help managers and researchers understand control
implementation challenges and to enhance ERP systems for control purposes in
today’s competitive business environment.
This paper aims to uncover the breadth of possible challenges faced by medium-
sized and large companies in enhancing their ERP systems for compliance with
regulatory internal control requirements through case studies of four multi-site ERP-
adopting companies with major operations in the USA and Canada. Very little
academic research has been conducted on compliance, particularly, how ERP systems
facilitate, and can be enhanced to facilitate, control implementation. Although some
work on feasibility of implementing a continuous audit framework through ERP and
importance of a control framework for successful ERP systems implementation have
been studied, specific legislative control requirements and how ERP systems can help
implement them have not (Kuhn and Sutton, 2006; Grabski and Leech, 2007). This study
attempts to bridge this gap by providing some empirical evidence to address this issue.
It provides both managers and researchers some insight into successes and challenges
in enhancing ERP systems for this purpose, which, in turn, can contribute to the
development of best practices and models of ERP systems effectiveness in
implementing regulatory control requirements.
The background section examines regulatory internal control requirements in the
USA and Canada, specifically, those imposed by SOX and analogous Canadian
legislation. The method section outlines the case study method used and profiles the
four case organizations. The results section details the findings of the study for the four
organizations and discusses their significance. Finally, the conclusion provides an
overall summary and identifies possible managerial implications and opportunities for
future research.
Background
This section examines major regulatory internal control requirements in the USA and
Canada and some key enablers and barriers of their effective implementation. However,
it should be noted that, as these requirements in both countries are complex, only a
broad general overview is possible in this paper.
Method
This exploratory study aims to identify a wide range of challenges faced by both
medium-sized and large companies in complying with recent US and Canadian
financial reporting regulations. Given its exploratory nature, the study utilizes a case
method. Case studies were conducted in four multi-site ERP-adopting companies with
major operations in the capital region of Ottawa, Canada. Semi-structured focus group
and individual interviews were conducted with senior systems managers or directors.
Some data were also collected through secondary sources, such as company websites.
For confidentiality reasons, the companies cannot be identified, and they will be
referred to only as Companies A, B, C and D. At the time of the study, all four
companies had established ERP systems in place, and they had already implemented
significant internal controls in order to comply with the required deadlines [2]. In the
remainder of this section, a brief profile of each of the four companies is provided.
Implementation processes
All four companies approached their control implementations in a systematic manner.
In all companies, control implementation required the identification, analysis and
evaluation of business processes and assigning responsibility for processes. Company
D analyzed approximately 600 processes and eliminated outdated, inconsistent and
duplicate processes across its acquired companies. Companies B, C and D matched
processes and process owners and designed access controls and authorizations
accordingly. In spite of the lack of clear rules and guidelines, at least initially,
Companies B and D appeared to be quite successful at formalizing existing controls
and processes and implementing necessary new controls, with the help of auditors and
consultants. At the time of this study, their implementations were reportedly ~80-95
per cent complete for IT, although significant work still remained to be completed in
some functional areas. The degree of completion in Companies A and C was
significantly lower, reportedly in the 60-70 per cent range, and they were still
struggling with some requirements, such as assessing control effectiveness. Delayed
implementation in these two companies is understandable, given their extended
compliance deadline for control effectiveness certification by management – two years
later than for SOX. The results for process-related challenges are summarized in
Table III.
All companies spent significant time and resources on documenting their control
systems, which is a key requirement for SOX compliance. Due to staff shortages and
inadequate expertise in all four companies, Companies B, C and D used the services of
major auditing/consulting firms to develop and document controls. Nonetheless,
Company A completed this phase with help from only its internal auditors and audit
committee. The documentation of controls and processes creates an ‘‘audit trail’’, which
enables processes to be reliably repeated and process ownership and accountability
established. An audit trail is also necessary for granting a ‘‘clean audit opinion’’ on the
effectiveness of internal controls and processes by auditors, as required by SOX. It is
comparable to an audit trail that all these companies are already required to use
routinely for standard financial reporting under generally accepted accounting
principles. The respondents from Companies B and D emphasized the importance of a
clear audit trail. Although the respondents from the other two companies did not
specifically comment on this point, creating a transparent audit trail was also their
implicit objective based on their other comments. Company B established a global
reporting system for control information that can promote the transparency of controls
and control processes.
Table III. Control implementation process challenges
Company A: Risk analysis necessary; Analysis of business processes required; Major
focus on formalizing and documenting controls; Enhanced control assessment procedures
needed; Lack of control implementation guidance; Inadequate staff and expertise; Audit
committee consulted, but external consultants not used
Company B: Business process analyses necessary; Establishing process ownership
required; Consultants used for designing and documenting controls; Inadequate
monitoring systems and compliance reporting; Rigorous testing, evaluation, and refining
of controls needed; Lack of global coordination in implementing common global database
of controls; Challenges in control implementation as part of broader change management
initiatives
Company C: Process flow analysis needed; Matching business processes with process
owners problematic; Control assessment procedures required; Inadequate internal
expertise and staff; Lack of adequate guidance and changing deadlines; Lack of
coordination among functions, e.g. IS and finance; Auditing firm needed to document
controls; Control implementation complicated by being part of quality management
program
Company D: Analysis of 600 processes required; Redundant or duplicate processes in
acquired companies; User information needs matched with access authorization; 60 new
controls and enhanced control assessment procedures necessary; External auditors
required for designing and documenting controls; Unclear initial requirements and
changing timelines; Slow control implementation as part of change management
initiatives
In addition to documenting controls, SOX compliance also requires the ongoing
monitoring and evaluation of control systems in order to ensure their continuous
operating effectiveness. Controls and related processes may require adjustment based
on feedback provided by monitoring and evaluation processes. All four companies
used the COBIT framework for evaluating IT controls and then proceeded to rectify
any control weaknesses. Perhaps the best examples were provided by the respondent
from Company B, in which managers are now required to authorize systems access for
employees in their departments, systems use patterns are continuously monitored, and
systems access withdrawn for non-use. In other words, each manager is required to
authorize each employee’s access to the databases that are necessary for carrying out
his or her job responsibilities, but, if these databases are not actually used within a
prescribed time limit, the system will automatically deny subsequent access attempts.
As another example, an account for a new user was often created by copying an
existing user’s account, instead of creating a new account that reflects the job
responsibilities of the new user. In some cases, this practice resulted in allowing access
to non-essential data. In order to address this problem, among some others, the
company established a report that matched key transactions types against user
accounts, and then allowed the users access only to data necessary for performing their
job responsibilities.
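As an added example (not code from the paper or from any of the case companies), the following Python models the two Company B practices described above: withdrawing authorized access that is not used within a prescribed period, and flagging entitlements that an account created by copying holds beyond what its job role's transaction types require. All users, datasets, roles, dates and log entries are constructed for the example.

```python
"""Access-review checks modelled on the Company B practice described above.
Managers authorize per-dataset access, usage is monitored, access not used
within a prescribed period is withdrawn, and accounts created by copying an
existing user are compared against the transaction types the job requires.
All users, roles, datasets and dates below are constructed for the example."""
from datetime import date, timedelta

# Constructed entitlements: (user, dataset) -> date the manager authorized it.
ENTITLEMENTS = {
    ("alice", "AP_INVOICES"): date(2006, 9, 1),
    ("alice", "GL_JOURNAL"): date(2006, 9, 1),
    ("bob", "AP_INVOICES"): date(2007, 1, 15),   # bob's account was cloned from alice
    ("bob", "GL_JOURNAL"): date(2007, 1, 15),    # ... so he inherited this as well
    ("bob", "VENDOR_MASTER"): date(2007, 3, 20), # fresh grant, not yet used
}

# Constructed job roles and the transaction types (datasets) each role needs.
ROLE_DATASETS = {
    "gl_accountant": {"GL_JOURNAL"},
    "ap_clerk": {"AP_INVOICES", "VENDOR_MASTER"},
}
USER_ROLE = {"alice": "gl_accountant", "bob": "ap_clerk"}

# Constructed usage log from systems monitoring: (date, user, dataset).
ACCESS_LOG = [
    (date(2006, 10, 2), "alice", "AP_INVOICES"),  # last touched long ago
    (date(2007, 3, 1), "alice", "GL_JOURNAL"),
    (date(2007, 3, 28), "alice", "GL_JOURNAL"),
    (date(2007, 3, 25), "bob", "AP_INVOICES"),
]


def dormant_entitlements(entitlements, access_log, today, max_idle_days=90):
    """Return {(user, dataset): last_activity} for entitlements with no use
    within max_idle_days.  An entitlement that was never used is measured
    from its authorization date, so a fresh grant is not withdrawn early."""
    last_seen = dict(entitlements)  # start the clock at the authorization date
    for when, user, dataset in access_log:
        key = (user, dataset)
        if key in last_seen and when > last_seen[key]:
            last_seen[key] = when
    cutoff = today - timedelta(days=max_idle_days)
    return {key: seen for key, seen in last_seen.items() if seen < cutoff}


def excess_entitlements(entitlements, user_role, role_datasets):
    """Return {user: {datasets}} the user holds but the job role does not
    need: the residue left behind when an account is created by copying."""
    excess = {}
    for user, dataset in entitlements:
        needed = role_datasets.get(user_role.get(user), set())
        if dataset not in needed:
            excess.setdefault(user, set()).add(dataset)
    return excess


def access_review(today_iso, max_idle_days=90):
    """Run both checks and return (user, dataset, reason) findings, sorted."""
    today = date.fromisoformat(today_iso)
    findings = []
    dormant = dormant_entitlements(ENTITLEMENTS, ACCESS_LOG, today, max_idle_days)
    for (user, dataset), seen in sorted(dormant.items()):
        findings.append((user, dataset, f"no use since {seen.isoformat()}"))
    excess = excess_entitlements(ENTITLEMENTS, USER_ROLE, ROLE_DATASETS)
    for user, datasets in sorted(excess.items()):
        for dataset in sorted(datasets):
            findings.append((user, dataset, f"not required by role {USER_ROLE[user]}"))
    return findings


if __name__ == "__main__":
    for user, dataset, reason in access_review("2007-04-01"):
        print(f"withdraw {dataset:<13} from {user:<5} ({reason})")
```

The same entitlement can be flagged by both checks (alice's AP_INVOICES access is both unused and outside her role), which is the case an access review should surface first.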
Control implementations have been lengthy and costly processes in all four
companies. Systems implementation costs, particularly control documentation costs,
accounted for a large proportion of the total implementation costs. In addition,
increased ongoing systems monitoring, evaluation and auditing costs were expected to
occur in future years. In Companies B, C and D, control implementation was a part of
broader ‘‘quality management’’ or ‘‘change management’’ implementation initiatives.
Company D reportedly spent ~3 per cent of its revenues on compliance projects. The
respondent from this company attributed the high costs, at least partly, to the fact that
the company had to refine some controls and processes several times, because some
rules changed and even consultants were learning as implementation proceeded.
However, it may be difficult to attribute costs directly to SOX compliance apart from
the other initiatives that occurred simultaneously in this company. Generally, the
relatively heavier financial burden for smaller companies was also magnified by the
lack of adequate support by the systems vendors, who focused their main attention on
implementations in larger and more lucrative companies. Furthermore, the control
implementation processes were heavily influenced by various cultural and behavioural
factors, as discussed in the next section.
Conclusion
This study examined major challenges faced by four large and medium-sized public
companies in enhancing their ERP systems for compliance with regulatory internal
control requirements, notably SOX. It provides evidence of some technical, process and
cultural challenges faced by these companies. The findings reveal several common
challenges encountered in all companies, but also some challenges that are unique in
their organizational and cultural environments. Many of these challenges are similar to
those discussed in the ERP systems implementation literature. However, some
additional challenges relate to specific legislative requirements, such as compliance
deadlines and the lack of guidance.
Although all four companies used ERP systems, their technical systems
requirements varied somewhat. In addition, depending on specific control requirements
and the stage of their implementation, some companies encountered greater technical
challenges than others. Significant modifications were needed to the standard modules
in Companies B and D, and some solutions outside ERP systems were also required due
to systems inflexibility or the high costs of system modifications for some applications.
Configuring the systems to meet its control needs was a specific challenge in Company
C. Ensuring proper systems security and the segregation of duties were common
challenges facing all four companies.
As to implementation processes, all four companies have expended significant effort
and resources on their control compliance projects. Compliance implementation was
accomplished as a part of broader change management initiatives in Companies B, C
and D, and has been a long and costly process in all companies. Companies B and D
were more advanced in their implementations, as they were subject to earlier
compliance deadlines than Companies A and C. All four companies used a systematic
process-oriented approach to their control implementations. For example, they
conducted detailed process analyses, documented controls and processes, and used an
established framework for evaluating IT controls. However, the degree of external help
used varied, with Companies B and D using external consultants extensively, whereas
Company C used them to a lesser degree, and Company A relied solely on the expertise
of its staff, internal auditors and the audit committee.
Finally, all four companies cited some resistance to their control implementations.
Some resistance related to the lack of proper guidelines, with greater initial effects felt
in Companies A and C that started their implementations without the expertise of
consultants. In Company B, significant resistance related to the centralized approach to
implementing controls, which entailed establishing common controls and a single
reporting system for its numerous global operations. Resistance in Company D was
magnified by the recent acquisitions of foreign companies with different rules,
regulations, and cultures. In Companies A and C, resistance appeared to stem more
from differences in attitudes, organizational culture and processes used, as opposed to
differences in national culture in more geographically diverse Companies B and D.
The four companies have apparently been quite successful in addressing their
control implementation challenges encountered, and they consider their progress quite
satisfactory. However, some additional work is required in all companies to complete
their control compliance initiatives. Additional adjustments will undoubtedly be
needed in the future in response to systems monitoring and evaluation feedback, as
well as auditor evaluations and possible future changes in regulatory requirements.
Although the findings of this study are exploratory, they raise relevant issues for
consideration by systems, finance and operations managers when enhancing their ERP
systems and processes for regulatory control compliance, and can also form a
foundation for researchers in building models of ERP systems effectiveness in
implementing effective controls. Further research would be beneficial in order to study
longer term progress and the effects of compliance initiatives after all compliance
requirements have been implemented.
Notes
1. COSO is a voluntary organization, consisting of five American Accounting and
Financial Executives Institutes. Its objective is to improve financial reporting quality.
2. The effective compliance dates for all case companies are for fiscal years ending in 2006
(after 14 July 2006 for SOX and after 29 June 2006 for Canadian regulations), with the
exception that, under the Canadian regulations, Canadian companies have an extra two
years to comply with the management control effectiveness evaluation requirements.
The applicable auditor certification deadline under SOX was extended (to fiscal years
ending after 14 July 2007), and auditor certification is not required at all under the
current Canadian regulations.
References
Al-Mashari, M. (2002), ‘‘Enterprise resource planning (ERP) systems: a research agenda’’,
Industrial Management and Data Systems, Vol. 102 No. 3, pp. 165-70.
Beheshti, H.M. (2006), ‘‘What managers should know about ERP/ERP II’’, Management Research
News, Vol. 29 No. 4, pp. 184-93.
Bititci, U.S., Turner, T. and Begemann, C. (2000), ‘‘Dynamics of performance measurement
systems’’, International Journal of Operations & Production Management, Vol. 20 No. 6,
pp. 692-704.
Bourne, M., Neely, A., Platts, K. and Mills, J. (2002), ‘‘The success and failure of performance
measurement initiatives: perceptions of participating managers’’, International Journal of
Operations & Production Management, Vol. 22 No. 11, pp. 1288-310.
Bratton, W.W. (2003), ‘‘Enron, Sarbanes–Oxley and accounting: rules versus principles versus
rents’’, Villanova Law Review, Vol. 48 No. 4, p. 1023.
Brown, W. and Nasuti, F. (2005), ‘‘What ERP systems can tell about Sarbanes–Oxley’’,
Information Management and Computer Security, Vol. 13 No. 4, pp. 311-27.
Canadian Securities Administrators (CSA) (2004a), ‘‘Multilateral instrument 52-109 –
certification of disclosure in issuers’ annual and interim filings’’, available at:
www.osc.gov.on.ca/Regulation/Rulemaking/Current/Part5/rule_20040326_52-109-cert.pdf
(accessed 21 April 2007).
Canadian Securities Administrators (CSA) (2004b), ‘‘Multilateral instrument 52-110 – audit
committees’’, available at: www.osc.gov.on.ca/Regulation/Rulemaking/Current/Part5/
rule_20040326_52-110-audit-comm.jsp (accessed 21 April 2007).
Canadian Securities Administrators (CSA) (2005), ‘‘National policy 58-201 – corporate
governance guidelines’’, available at: www.osc.gov.on.ca/Regulation/Rulemaking/Current/
Part5/rule_20050617_58-201_corp-gov-guidelines.pdf (accessed 21 April 2007).
Chan, S. (2004), ‘‘Sarbanes–Oxley: the IT dimension’’, Internal Auditor, pp. 31-3.
Colman, R. (2006), ‘‘Sarbanes–Oxley in review’’, CMA Management, pp. 20-5.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1992), Internal
Control – Integrated Framework, (Two-Volume Ed., 1994), AICPA, Jersey City, NJ.
Damianides, M. (2004), ‘‘How does SOX change IT?’’, Journal of Corporate Accounting and
Finance (Wiley), pp. 35-41.
Davenport, T.H. (2000), Mission Critical: Realizing the Promise of Enterprise Systems, Harvard
Business School Press, Boston, MA.
Grabski, S.V. and Leech, S.A. (2007), ‘‘Complementary controls and ERP implementation
success’’, International Journal of Accounting Information Systems, Vol. 8 No. 1, pp. 17-39.
IT Governance Institute (ITGI) (2004), ‘‘IT control objectives for Sarbanes–Oxley: the importance
of IT in the design, implementation and sustainability of internal control over disclosure
and financial reporting’’, available at: www.itgi.org/template_ITGI.cfm?template=/
ContentManagement/ContentDisplay.cfm&ContentID=24235 (accessed 17 October 2006).
Kakouris, A.P. and Polychronopoulos, G. (2005), ‘‘Enterprise resource planning (ERP) system:
an effective tool for production management’’, Management Research News, Vol. 28 No. 6,
pp. 66-78.
Kennerley, M. and Neely, A. (2002), ‘‘A framework of factors affecting the evolution of
performance measurement systems’’, International Journal of Operations & Production
Management, Vol. 22 No. 11, pp. 1222-45.
Kuhn Jr., J.R. and Sutton, S.J. (2006), ‘‘Learning from Worldcom: implications for fraud detection
through continuous assurance’’, Journal of Emerging Technologies in Accounting, Vol. 3,
No. 1, pp. 61-80.
Kumar, V., Maheshwari, B. and Kumar, U. (2003), ‘‘An investigation of critical management issues
in ERP implementation: empirical evidence from Canadian organizations’’, Technovation,
Vol. 23 No. 9, pp. 793-807.
Kumar, V., Pollanen, R. and Maheshwari, B. (forthcoming), ‘‘Enterprise systems effectiveness in
implementing internal controls in global environment’’, in Ferran, C. and Salim, R. (Eds),
Enterprise Resource Planning for Global Economies: Managerial Issues and Challenges,
Idea Group Publishing, Hershey, PA.
Markus, M.L. and Tanis, C. (2000), ‘‘The enterprise system experience: from adoption to success’’,
in Zmud, R.W. (Ed.), Framing the Domains of IT Management: Projecting the Future
through the Past, Pineflex Educational Resources Inc., Cincinnati, OH.
Matolcsy, Z.P., Booth, P. and Wieder, B. (2005), ‘‘Economic benefits of enterprise resource
planning systems: some empirical evidence’’, Accounting and Finance, Vol. 45, pp. 439-56.
Mills, J., Platts, K. and Gregory, M. (1995), ‘‘A framework for design of manufacturing strategy
processes: a contingency approach’’, International Journal of Operations and Production
Management, Vol. 15 No. 4, pp. 17-49.
Presley, A. (2006), ‘‘ERP investment analysis using the strategic alignment model’’, Management
Research News, Vol. 29 No. 5, pp. 273-84.
Public Company Accounting Oversight Board (PCAOB) (2007), ‘‘Auditing standard no. 5: an
audit of internal control over financial reporting that is integrated with an audit of
financial statements’’, available at: www.pcaobus.org/Rules/Rules_of_the_Board/
Auditing_Standard_5.pdf (accessed 5 August 2007).
Sohal, A.S., Moss, S. and Ng, L. (2001), ‘‘Comparing IT success in manufacturing and service
industries’’, International Journal of Operations and Production Management, Vol. 21
No. 1/2, pp. 30-45.
US Congress (2002), ‘‘Sarbanes-Oxley Act’’, available at: www.sec.gov/about/laws/soa2002.pdf
(accessed 29 October 2006).