The current issue and full text archive of this journal is available at

www.emeraldinsight.com/0140-9174.htm

MRN
31,10
Challenges in enhancing
enterprise resource planning
systems for compliance with
758 Sarbanes-Oxley Act and
analogous Canadian legislation
Vinod Kumar and Raili Pollanen
Sprott School of Business, Carleton University, Ottawa, Canada, and
Bharat Maheshwari
Odette School of Business, University of Windsor, Windsor, Canada
Abstract
Purpose – This paper aims to examine major challenges faced by companies in enhancing their
enterprise resource planning (ERP) systems for compliance with regulatory internal control
requirements, specifically those imposed by the Sarbanes–Oxley Act (SOX) of 2002 and analogous
Canadian legislation.
Design/methodology/approach – Data were collected through case studies of four medium-sized
and large companies that use ERP systems and that have operations in the USA and Canada, thus
being subject to SOX and/or similar Canadian regulations.
Findings – The companies faced some technical, process and cultural challenges in implementing
regulatory control compliance. In all companies, existing ERP systems were not able to meet all
control requirements without some modifications or add-on applications. Control implementations
have been long, complicated and costly processes, which are not fully completed. Detailed analyses
and documentation of existing systems, controls and processes were required in all companies. The
protection of systems security and the segregation of duties were perceived to be major technical
obstacles. Cultural factors resulted in additional challenges, notably resistance to change.
Research limitations/implications – The findings of this study enhance the understanding of
ERP systems design features, processes and challenges in implementing regulatory controls. As such,
they provide a foundation for further empirical studies and for building models of ERP systems
effectiveness in implementing effective controls.
Practical implications – The study provides managers insight into challenges in enhancing ERP
systems for regulatory control compliance. Lessons learned can contribute to the development and
sharing of best practices and to overall organizational effectiveness.
Originality/value – Using an interdisciplinary approach, the study provides new evidence on the
extent to which ERP systems meet regulatory internal control requirements.
Keywords Manufacturing resource planning, Legislation, United States of America, Canada
Paper type Research paper

Introduction
Several empirical studies of enterprise resource planning (ERP) adopting companies
suggest that the implementation of ERP software is just the beginning of a company’s

Management Research News
Vol. 31 No. 10, 2008
pp. 758-773
# Emerald Group Publishing Limited
0140-9174
DOI 10.1108/01409170810908516
This research project has been sponsored partly by the Canadian Academic Accounting
Association under its CAAA-SAP research grant program. A previous version of this paper
was presented at the Administrative Sciences Association of Canada (ASAC) Annual
Conference, Information Systems Division, Ottawa, Canada, 2-5 June 2007, where it was
awarded an honourable mention in the best-paper competition.
ERP program, and that companies need to continuously enhance their ERP systems Enhancing ERP
and business processes in order to achieve desired organizational performance
objectives (Markus and Tanis, 2000; Davenport, 2000; Beheshti, 2006). During the last
systems
few years, a new urgency to this need has been provided by the Sarbanes–Oxley Act
(SOX) (US Congress, 2002) and similar subsequent regulations in other countries, such
as Canada. This act, named after its two initiators, Senator Paul Sarbanes and
Representative Michael Oxley, imposed widespread changes in the manner public
companies must manage and report on their performance. It requires senior
759
management to certify and report on the adequacy and effectiveness of internal
controls over financial reporting in an effort to improve the quality and reliability of
financial information. These requirements have forced companies to focus on
enhancing their systems and processes, not just controlling and certifying the outputs
of their systems and processes.
ERP systems can provide key technical tools and solutions for collecting, analyzing
and reporting relevant information for implementing internal controls, such as those
required by SOX. However, the implementation of technical systems can be
complicated and often requires adjustments to organizational structures, processes,
norms and employee skills, which can vary in different environments. In large
organizations, such efforts can be further complicated by differences in geographic
distance, culture, existing technology and systems and political and regulatory
environment in different countries. Inadequate attention to these factors can pose
serious challenges for successful implementation. In addition, smaller companies may
find it difficult to obtain adequate resources to support these efforts. Although the
Committee of Sponsoring Organizations (COSO) framework (Committee of Sponsoring
Organizations of the Treadway Commission, 1992) provides general principles for
effective internal controls and the control objectives for information technology
(COBIT) framework (Information Technology Governance Institute (ITGI), 2004)
provides evaluation criteria for information technology (IT) controls, only limited
research exists on how to help managers and researchers understand control
implementation challenges and to enhance ERP systems for control purposes in
today’s competitive business environment.
This paper aims to uncover the breadth of possible challenges faced by medium-
sized and large companies in enhancing their ERP systems for compliance with
regulatory internal control requirements through case studies of four multi-site ERP-
adopting companies with major operations in the USA and Canada. Very little
academic research has been conducted on compliance, particularly, how ERP systems
facilitate, and can be enhanced to facilitate, control implementation. Although some
work on feasibility of implementing a continuous audit framework through ERP and
importance of a control framework for successful ERP systems implementation have
been studied, specific legislative control requirements and how ERP systems can help
implement them has not (Kuhn and Sutton, 2006; Grabski and Leech, 2007). This study
attempts to bridge this gap by providing some empirical evidence to address this issue.
It provides both managers and researchers some insight into successes and challenges
in enhancing ERP systems for this purpose, which, in turn, can contribute to the
development of best practices and models of ERP systems effectiveness in
implementing regulatory control requirements.
The background section examines regulatory internal control requirements in the
USA and Canada, specifically, those imposed by SOX and analogous Canadian
legislation. The method section outlines the case study method used and profiles the
MRN four case organizations. The results section details the findings of the study for the four
organizations and discusses their significance. Finally, the conclusion provides an
31,10 overall summary and identifies possible managerial implications and opportunities for
future research.

Background
This section examines major regulatory internal control requirements in the USA and
760 Canada and some key enablers and barriers of their effective implementation. However,
it should be noted that, as these requirements in both countries are complex, only a
broad general overview is possible in this paper.

Regulatory internal control requirements

The SOX (2002). SOX introduced sweeping and permanent changes to the manner in
which public companies must conduct their business. SOX is an outcome-oriented
legislation that specifies outcomes for compliance and penalties for non-compliance,
with compliance standards and their administration and enforcement being delegated
to the Securities and Exchange Commission (SEC) and the Public Company
Accounting Oversight Board (PCAOB). As practically, no implementation guidelines
were available in the early stages, SOX implementation required a great deal of
professional judgement by systems officers, accountants and consultants. Although
Auditing Standard No. 2 (replaced by Standard No. 5, PCAOB, 2007) provided
standards for conducting audits of internal control over financial reporting, it came too
late to help in the initial implementation of SOX. Moreover, SOX compliance is an
ongoing and dynamic process that requires significant ongoing restructuring of
systems and processes. As new knowledge develops and best practices evolve,
controls, systems and processes require refinement. Consequently, companies may find
that compliant processes one year may become non-compliant in subsequent years,
and progress made on previously non-compliant processes can result in compliance in
subsequent years.
Canadian legislation. The impact of SOX is not limited to the USA or to US
companies. Following the US lead, other countries have also implemented, or are in the
process of implementation, similar legislation. As a major trading partner and
neighboring country, Canada has been placed in a unique position of having to
implement similar legislation in an effort for Canadian companies to maintain their
competitiveness and reputation. As securities regulation in Canada is under provincial
jurisdiction, the Canadian securities administrators (CSA) collaborated with the
provincial securities administrators and legislators to facilitate the enactment of
uniform provincial legislation, now ratified by each provincial legislature. These
legislative requirements are stipulated in a series of documents, called multilateral
instruments (MIs) and national policies (NP). In addition, two new oversight agencies
were created in Canada: the Canadian Public Accountability Board (CPAB), an
independent nonprofit organization, to oversee public auditing firms and public
company audits, and the Auditing and Assurance Standards Oversight Council
(AASOC) to oversee the activities of the professional accounting board responsible for
setting auditing and assurance standards in Canada. An overview of the US and
Canadian regulatory regimes is provided in Table I.
Stakeholder responsibilities. Compliance with the regulatory internal control
requirements in both the USA and Canada involves significant changes to the roles of
managers, external auditors and audit committees, as well as to financial information
required to be reported. In particular, the new legislated responsibilities imposed on the Enhancing ERP
Chief Executive Officers (CEOs) and the Chief Financial Officers (CFOs) in both systems
countries have unprecedented implications for management and corporate governance.
Under SOX (Section 302 and 404) and the Canadian requirements (MI 52-109 (CSA,
2004a)), the CEOs and CFOs are required to report on internal control effectiveness in
addition to traditional periodic financial reports and certify that:
(1) They have reviewed the reports, that they do not contain untrue statements or 761
omit material facts making them misleading, and that they fairly represent the
financial condition and operating results of the company for the reporting
period.
(2) They are responsible for establishing and maintaining internal control over
financial reporting and procedures for disclosing relevant information to
management.
(3) They have designed, evaluated and reported on the effectiveness of internal
control over financial reporting, as well as disclosure procedures to
management.
(4) They have disclosed significant changes in internal control or other factors that
occurred after evaluation and any actions taken to correct significant
deficiencies and weaknesses.
Under SOX (Section 302), the CEOs and CFOs are required to disclose to the audit
committee and the external auditor any significant deficiencies and material
weaknesses in internal control over financial reporting, and any fraud by managers or
employees who play significant roles in internal control. Additional requirements
related to auditor independence, corporate governance and penalties are stipulated in
other sections (e.g. Sections 201, 204, 301, 802 and 807). On the other hand, in Canada,
the requirements for audit committees and corporate governance are addressed in
separate instruments (MI 52-110; NP 58-201 (CSA, 2004b, 2005)), and the Assurance
Handbook of the Canadian Institute of Chartered Accountants establishes standards
for auditor communication with the audit committee. Another key difference is that
SOX (Section 404) requires a public company’s external auditor to certify and to report
on the adequacy of management’s internal control assessment; whereas, there is no
such requirement for Canadian companies under the Canadian legislation.
It is also important to note that, although SOX is a US law, all companies that trade
on the US stock exchanges and the foreign subsidiaries of US companies must also

Authority USA Canada

Legislation and SOX (2002) MI 52-109 – certification of disclosure in issuer’s

standards Auditing Standard annual and interim filings
No. 5 (PCAOB, 2007) MI 52-110 – audit committees
NP 58-201 –corporate governance guidelines
Assurance Handbook of Canadian Institute of
Chartered Accountants
Legislative and SEC CPAB Table I.
oversight agencies PCAOB AASOC Overview of USA and
CSA Canadian regulatory
Provincial Securities Commissions regimes
MRN comply with it. This requirement results in large Canadian companies that are cross-
listed in the USA also being subject to SOX. Although these Canadian companies are
31,10 technically exempt from the corresponding Canadian requirements, they are still
required to file copies of their US SOX reports with the Canadian authorities. In spite of
the different regulatory regimes and somewhat different roles of auditors, the core
requirements imposed by SOX and Canadian legislation on senior management are
very similar, and compliance with the regulations of both countries requires equal
762 managerial effort in implementing, certifying and reporting on the effectiveness of
internal controls over financial reporting. Therefore, establishing and maintaining
effective internal control is equally critical to managers of both Canadian and US public
companies.

Implementing regulatory internal control requirements

COSO framework. A control framework developed by COSO (1992) has been used
widely as a foundation for implementing and evaluating internal control[1]. Although
the PCAOB has suggested the use of the COSO framework for implementing SOX, it
does not endorse a specific framework. The COSO framework identifies three general
control objectives: the effectiveness and efficiency of operations, the reliability of
financial reporting, and compliance with laws and regulations. In addition, it outlines
five control components that are important for achieving these objectives: control
environment (e.g. norms, values and competencies), risk assessment (e.g. economic,
industry and operating risk), control activities (e.g. authorizations, reconciliations and
performance reviews), information and communication (e.g. collecting, analyzing,
reporting relevant information) and monitoring (e.g. systems monitoring, surveillance
and supervision). As such, the COSO framework allows the mapping of key control
procedures for each control component against the control objectives. For example,
expenditure authorizations, verifications and reconciliations are control activities that
contribute to the reliability of financial reporting – a key objective of SOX.
ERP systems and IT. ERP systems provide the primary means for implementing
SOX requirements, particularly in large companies. ERP systems are comprehensive
packaged software applications that automate and integrate organizational business
processes across functional areas. They constitute one of the most significant and
widely adopted innovations in management information systems (Al-Mashari, 2002).
Such systems must be designed with their impact on the company’s business model
and competitive capabilities in mind (Beheshti, 2006), and their implementation
requires the alignment of IT and corporate strategies, and often also entails major
changes to organizational structure and culture (Presley, 2006). ERP systems are also
dynamic and continuously evolving (Bititci et al., 2000). For example, technological
developments and organizational learning can result in new needs and opportunities
for the redesign and continuous development of ERP systems. In addition, regulations
can vary in different environments and evolve as experience accumulates (Bratton,
2003). Such dynamic environments require the continuous monitoring, evaluation, and
adjustment of systems, processes and controls.
The tools provided by ERP systems can help develop and manage effective controls.
For example, password-protected data access and automatic data verification enhance
data security and reliability. However, enhancing ERP systems for SOX compliance
also often requires significant reconfiguration and additional design, evaluation and
reporting features (Colman, 2006; Damianides, 2004; Chan, 2004). ERP systems must
effectively record accounting transactions, track key performance measures for
evaluating internal controls, report them to individuals responsible, flag any violations Enhancing ERP
for investigation and provide tools for evaluating and benchmarking such information
(Kumar et al., forthcoming). They must also enable companies to provide frequent,
systems
timely and integrated financial and non-financial reports to management, regulators
and auditors on control compliance (Matolcsy et al., 2005). With such demands,
technical features may need to be enhanced. The key technical features of ERP
systems, which heavily rely on advanced IT, include scalable client server software
architecture, supported by a common relational database and a single development
763
environment. Such features are important, as they are capable of facilitating the real-
time integrated processing and management of information across all functional areas,
as well as supply chain and customer relationships management (Kumar et al., 2003;
Davenport, 2000; Kakouris and Polychronopoulos, 2005).
In the IT-driven ERP systems, ensuring effective control over IT environment is
critical for implementing SOX compliance (Kumar et al., forthcoming). The COBIT
framework (ITGI, 2004) has commonly been used for evaluating controls over IT. In
addition to more generic controls, it specifically addresses control needs imposed by
SOX. The framework identifies 34 control objectives in four areas: plan and organize,
acquire and implement, deliver and support and monitor and evaluate. It also maps
them against the five COSO (1992) control components. The framework facilitates SOX
compliance by helping align the control requirements of SOX and the IT features
necessary for implementing them. Nonetheless, several implementation challenges can
still exist.
Implementation challenges. Companies can face several interrelated challenges in
configuring or modifying their systems to comply with regulatory internal controls.
Some challenges are technical, whereas others are more structural and cultural but still
can have a significant impact on the success of technical implementations. For
example, Brown and Nasuti (2005) discussed technical problems related to designing,
implementing and managing enterprise architecture. They reported that CIOs have
cited problems with data structures, inadequate security and differences in
infrastructure as important challenges to SOX compliance. Network security and
control over the outsourcing of programming have been particularly important
concerns. Nonetheless, a well-known survey by Deloitte and Touche (cited in Brown
and Nasuti, 2005, p. 316) found that people-related issues accounted for 62 per cent of
problems in ERP implementations, with process- and IT-related issues accounting for
only 16 and 12 per cent, respectively. It is obvious that technical solutions alone are not
sufficient for successful implementation, but that cultural and structural problems
must also be resolved.
Several studies have examined systems implementation challenges related to
organizational structure and culture. For example, Mills et al. (1995) noted that
organizational culture can be a key organizational constraint in implementing new
systems and processes. As beliefs, values and norms evolve slowly, employees can
resist change, particularly, if it is implemented quickly. In addition to the technical
inflexibility of ERP systems, Kennerley and Neely (2002) found inappropriate
organizational culture, ineffective processes and the lack of skills to be important
barriers to systems evolution. These forces resulted in ad hoc systems, resistance to
change and inappropriate measurement and reward systems. Bourne et al. (2002)
identified major inhibiting forces to be technical difficulties related to IT, the
complexity of related processes, and reluctance to measurement and exposing
problems. In addition to high costs, Sohal et al. (2001) also found the lack of top
MRN management support to be a major impediment. All challenges can be further
amplified for companies operating in several countries, subject to different geographic,
31,10 social and regulatory environments.

Method
This exploratory study aims to identify a wide range of challenges faced by both
medium-sized and large companies in complying with recent US and Canadian
764 financial reporting regulations. Given its exploratory nature, the study utilizes a case
method. Case studies were conducted in four multi-site ERP-adopting companies with
major operations in the capital region of Ottawa, Canada. Semi-structured focus group
and individual interviews were conducted with senior systems managers or directors.
Some data were also collected through secondary sources, such as company websites.
For confidentiality reasons, the companies cannot be identified, and they will be
referred to only as Companies A, B, C and D. At the time of the study, all four
companies had established ERP systems in place, and they had already implemented
significant internal controls in order to comply with the required deadlines [2]. In the
remainder of this section, a brief profile of each of the four companies is provided.

Case A ( large Canadian company)

This case study involved one of the largest forest product companies in Canada, with
more than 10,000 employees across Canada, USA and Europe and with annual
revenues of more than 3 billion US dollars. The company implemented financial and
supply chain modules of Oracle’s ERP applications in July 2002. Listed on the Toronto
stock exchange (TSX), this company has recently undergone an initiative to comply
with the Canadian internal control regulations.

Case B ( large multinational company)

The subject of this case study was one of the largest telecommunication companies in
the world, with more than 50,000 employees worldwide and more than 10 billion US
dollars in annual revenues. The company used multiple ERP applications from two
leading ERP vendors, Oracle and SAP. Some applications were inherited from merged
companies and were still being used. Listed on multiple bourses in the USA, Europe
and Asia, and with operations in more than 100 countries, this company had recently
undergone a complex initiative for SOX compliance.

Case C (medium-sized Canadian company)

This case study focuses on a medium-sized Canadian company in the professional
services sector, with more than 2,000 employees in the USA and Canada. Listed on the
TSX, this company had revenues of over 150 million US dollars in the last fiscal year. It
started using SAP’s ERP applications in 1999, when it was experiencing unprecedented
growth during the ‘‘dot com’’ boom. At the time of the study, the company was
undergoing the requisite changes for complying with the Canadian regulations.

Case D (medium-sized multinational company)

The subject of this case study is a medium-sized multinational company in the
telecommunication industry, with more than 750 employees, over 150 million US
dollars in annual revenues, and operations in Canada, the USA and Europe. The
company, with a strong reputation in its niche market, started using SAP’s ERP
applications in 1998 after acquiring a company in the USA that had been using them.
Listed on both the New York stock exchange and the TSX, the company has recently Enhancing ERP
undergone an initiative for SOX compliance.
systems
Results and discussion
Major findings are discussed in this section under three themes: systems and
technology, implementation processes and culture and behaviours. These themes
reflect implementation challenges considered important by the respondents, and they
are consistent with the challenges raised by others, as discussed in the literature
765
review. However, other categorizations may also be possible.

Systems and technology

All four companies had established ERP systems in place before commencing their
control implementation projects. Companies C and D use SAP; Company A uses Oracle;
and Company B had used SAP in some countries and Oracle in others, but later
switched to SAP for all its control implementations. The respondent from this
company noted that the switch was made in order to improve systems coordination
and security. In Companies B and D, significant modifications were needed to the
standard modules to implement some SOX requirements, whereas current systems
were noted to be quite adequate for addressing control needs in Company A. In
particular, Company B presents a unique example of information systems (IS)
integration challenges and complexities posed by rapid growth in a fast-changing
industry through mergers and acquisitions. Being a smaller company, some difficulties
were encountered in Company C with making changes to its ERP system to meet its
control needs. The respondent from this company noted that it is too complicated and
expensive to change to other systems after a commitment is made to a certain
application. The results for systems and technology challenges are summarized in
Table II.
Ensuring systems integrity was considered critical in all four companies. However,
in some cases, the inflexibility of the existing systems required compromise solutions.
Modifications in ERP systems were not possible for some requirements, and possible

Company A Company B Company C Company D

Segregation of duties Incompatibilities Some technical Segregation of duties

problematic in finance, between two ERP difficulties with difficult technically for
as clerks typically applications initially segregation of duties some functions without
handle several used Some problems with significant
functions Some changes not configuring ERP customization
Only minor systems possible or too system to meet control Some processes and
adjustments reportedly expensive in ERP needs controls not user
needed to meet new systems Data security concerns friendly to implement
control requirements Significant with remote systems using ERP
Systems and customization and/or access Lack of interactive
technology external add-on Major systems changes forms for some
requirements for systems needed too complicated and/or processes
control implementation Security vulnerabilities expensive after
not clearly understood of add-on systems commitment to ERP
Difficulties with application made Table II.
segregation of duties, Systems and technology
e.g. for different clerks challenges
MRN only at prohibitively high costs for some others. Company D discovered its ERP system
not to be ‘‘user friendly’’ for implementing some requirements, for example, it lacked
31,10 interactive forms for some applications. On the other hand, the respondent from
Company B expressed concerns about the security of remote access, particularly
adequate password control for bolt-ons introduced to meet some specific needs of local
operations. However, as such systems are generally managed locally, they opened the
door for some system vulnerabilities, for example, unclear process responsibilities and
766 inadequate data security. These comments demonstrate that for some systems
flexibility is important, and that companies adopted bolt-ons in many cases to achieve
the desired flexibility when it was not available in their ERP system. However, the need
for flexibility has to be carefully balanced with increased costs and the potential loss of
systems security.
In particular, the segregation of related duties, which is essential for effective SOX
compliance, posed significant difficulties in all four companies. It involves dividing
staff responsibilities so that no individual is responsible for processing and recording a
related set of business transactions. The objective of this requirement is to prevent an
individual from stealing or misappropriating assets and then falsifying records to
cover up. For example, one individual should not be responsible for handling cash
receipts, making deposits and recording-related transactions. Challenges associated
with the segregation of duties were partly technical and partly structural. For example,
the finance and accounting function was typically not large enough to warrant several
clerks to properly segregate duties in accordance with SOX. If one clerk is responsible
for multiple functions, he/she needs access to all related databases, which is
inconsistent with the notion of segregation. In Company B, technical challenges were
mitigated by the fact that it has an ERP competency centre with more than 50
employees dedicated to providing support to users. In spite of significant in-house
support and a large employee base, even it encountered difficulties in segregating
duties in its smaller units, for example, in those with one clerk responsible for both the
‘‘accounts payable’’ and ‘‘accounts receivable’’ functions.
In general, the respondents from Companies A and C believed that adequate
controls were already in place, and that the major objective was formalizing control
systems and documenting controls and related processes. The respondent from
Company C noted that, ‘‘. . .we believe what we are doing is right and now it is a matter
of documenting it and getting approval. . .’’ On the other hand, significant new controls
were needed in Companies B and D to comply with SOX. In Company D, approximately
60 new control processes were reportedly required, many of them related to inventory
management. In Company B, significant additional controls were required to ensure
proper systems access and change authorizations, as well as the accuracy of input and
output data. It should be noted, however, that Companies B and D were more advanced
in their control implementations, being subject to SOX, than Companies A and D, being
subject to the Canadian regulations. In addition, Company A did not use external
consultants in its control implementation. It is possible that these two companies may
not have been aware of all control requirements and their possible pitfalls, yet.
Additional challenges may surface, as their implementation processes progress and are
subjected to closer scrutiny by regulators.

Implementation processes
All four companies approached their control implementations in a systematic manner.
In all companies, control implementation required the identification, analysis and
evaluation of business processes and assigning responsibility for processes. Company Enhancing ERP
D analyzed approximately 600 processes and eliminated outdated, inconsistent and
duplicate processes across its acquired companies. Companies B, C and D matched
systems
processes and process owners and designed access controls and authorizations
accordingly. In spite of the lack of clear rules and guidelines, at least initially,
Companies B and D appeared to be quite successful at formalizing existing controls
and processes and implementing necessary new controls, with the help of auditors and
consultants. At the time of this study, their implementations were reportedly ~80-95
767
per cent complete for IT, although significant work still remained to be completed in
some functional areas. The degree of completion in Companies A and C was
significantly lower, reportedly in the 60-70 per cent range, and they were still
struggling with some requirements, such as assessing control effectiveness. Delayed
implementation in these two companies is understandable, given their extended
compliance deadline for control effectiveness certification by management – two years
later than for SOX. The results for process-related challenges are summarized in
Table III.
All companies spent significant time and resources at documenting their control
systems, which is a key requirement for SOX compliance. Due to staff shortages and
inadequate expertise in all four companies, Companies B, C and D used the services of
major auditing/consulting firms to develop and document controls. Nonetheless,
Company A completed this phase with help from only its internal auditors and audit
committee. The documentation of controls and processes creates an ‘‘audit trail’’, which
enables processes to be reliably repeated and process ownership and accountability
established. An audit trail is also necessary for granting a ‘‘clean audit opinion’’ on the
effectiveness of internal controls and processes by auditors, as required by SOX. It is

Company A Company B Company C Company D

Risk analysis necessary Business process Process flow analysis Analysis of 600
Analysis of business analyses necessary needed processes required
processes required Establishing process Matching business Redundant or duplicate
Major focus on ownership required processes with process processes in acquired
formalizing and Consultants used for owners problematic companies
documenting controls designing and Control assessment User information needs
Enhanced control documenting controls procedures required matched with access
assessment procedures Inadequate monitoring Inadequate internal authorization
needed systems and expertise and staff 60 new controls and
Lack of control compliance reporting Lack of adequate enhanced control
implementation Rigorous testing, guidance and changing assessment procedures
guidance evaluation, and refining deadlines necessary
Inadequate staff and of controls needed Lack of coordination External auditors
expertise Lack of global among functions, e.g. IS required for designing
Audit committee coordination in and finance and documenting
consulted, but external implementing common Auditing firm needed controls
consultants not used global database of to document controls Unclear initial
controls Control implementation requirements and
Challenges in control complicated by being changing timelines
implementation as part part of quality Slow control
of broader change management program implementation as part Table III.
management initiatives of change management Control implementation
initiatives process challenges
MRN comparable to an audit trail that all these companies are already required to use
routinely for standard financial reporting under generally accepted accounting
31,10 principles. The respondents from Companies B and D emphasized the importance of a
clear audit trail. Although the respondents from the other two companies did not
specifically comment on this point, creating a transparent audit trail was also their
implicit objective based on their other comments. Company B established a global
reporting system for control information that can promote the transparency of controls
768 and control processes.
In addition to documenting controls, SOX compliance also requires the ongoing
monitoring and evaluation of control systems in order to ensure their continuous
operating effectiveness. Controls and related processes may require adjustment based
on feedback provided by monitoring and evaluation processes. All four companies
used the COBIT framework for evaluating IT controls and then proceeded to rectify
any control weaknesses. Perhaps the best examples were provided by the respondent
from Company B, in which managers are now required to authorize systems access for
employees in their departments, systems use patterns are continuously monitored, and
systems access withdrawn for non-use. In other words, each manager is required to
authorize each employee’s access to the databases that are necessary for carrying out
his or her job responsibilities, but, if these databases are not actually used within a
prescribed time limit, the system will automatically deny subsequent access attempts.
As another example, an account for a new user was often created by copying an
existing user’s account, instead of creating a new account that reflects the job
responsibilities of the new user. In some cases, this practice resulted in allowing access
to non-essential data. In order to address this problem, among some others, the
company established a report that matched key transactions types against user
accounts, and then allowed the users access only to data necessary for performing their
job responsibilities.
Control implementations have been lengthy and costly processes in all four
companies. Systems implementation costs, particularly control documentation costs,
accounted for a large proportion of the total implementation costs. In addition,
increased ongoing systems monitoring, evaluation and auditing costs were expected to
occur in future years. In companies B, C and D, control implementation was a part of
broader ‘‘quality management’’ or ‘‘change management’’ implementation initiatives.
Company D reportedly spent ~3 per cent of its revenues on compliance projects. The
respondent from this company attributed the high costs, at least partly, to the fact that
the company had to refine some controls and processes several times, because some
rules changed and even consultants were learning as implementation proceeded.
However, it may be difficult to attribute costs directly to SOX compliance apart from
the other initiatives that occurred simultaneously in this company. Generally, the
relatively heavier financial burden for smaller companies was also magnified by the
lack of adequate support by the systems vendors, who focused their main attention to
implementations in larger and more lucrative companies. Furthermore, the control
implementation processes were heavily influenced by various cultural and behavioural
factors, as discussed in the next section.

Culture and behaviours

In addition to new controls and systems modifications, successful internal control
implementations also often required the enhancement of employee skills and
organizational structures, but these change initiatives encountered significant
resistance in all four companies. In Company A, general resistance to change was Enhancing ERP
noted. The loss of data access and authority seemed to cause significant problems to systems
some managers in Companies B and D, who previously had more liberal data access
privileges. Company D also encountered some problems with the acceptance of process
responsibilities by users. As control implementations required restructuring and
eliminating some processes, some job responsibilities changed and security procedures
generally increased. Some users did not perceive the new control measures beneficial
and resented increased restrictions placed on their jobs. In Company D, resistance was
769
more severe by users in other countries, who appeared to have had more difficulties in
understanding and accepting the cultures and business practices of different countries.
Major cultural and behavioural challenges discovered are summarized in Table IV.
Differences in rules and business conduct in different countries was another
important cultural factor. For example, foreign countries may have diverse accounting
rules requiring different information or similar information reported in different ways.
The respondent from Company B noted different, and sometimes conflicting,
terminology, rules and regulations to pose a great challenge for its global financial
reporting systems. In addition, the respondent from Company A noted some
restrictions on information that can be reported and accessed on the internet in its
Asian operations, whereas Canadian regulations require the transparent reporting of
financial information for public companies in a publicly accessible on-line database. In
order to facilitate the global coordination and dissemination of information throughout
its control implementation processes, Company B established a cross-functional global
implementation team. In order to manage these processes, it developed common
reporting rules and a centralized global reporting system for control information.
Centralized controls, however, were not without some resistance in foreign countries, as
they were accompanied with increased rigidity and perceived as serving the needs of
the head office.
In other cases, compliance with the regulations of foreign countries can also affect
the culture of the host country, by forcing local operations to adopt different processes
and ways of doing business. For example, Company B had to reconcile the different
interpretations of user acceptance testing, technology sharing and information access

Company A Company B Company C Company D

General resistance to Different regulations, Lack of clear objectives Perceived loss of

change accounting standards, and guidance frustrated authority due to
Control information not and terminologies in process owners increased systems
perceived important for different countries Some individuals just security and restricted
internal purposes complicated global ‘‘going through the data access
Major control objective reporting motions’’, not taking Resistance by
limited to ‘‘clean audit Different codes of control implementation individuals to
opinion’’ conduct complicated seriously accepting
Some individuals did collaboration and responsibility for
not understand or information and processes
appreciate importance technology sharing on Cultural resistance
of control global projects greater in merged
implementation Centralized approach foreign companies that
to change had different systems Table IV.
management created and norms Cultural and behavioural
resistance challenges
MRN in some European and North American countries. On the other hand, Company D
experienced differences in European and North American practices for inventory
31,10 management, outsourcing and accounting for research and development expenditures.
After the acquisitions of some European companies, the head office reportedly had
difficulties accepting some rules and processes proposed by European managers. Some
cultural sensitivity and compromises were required on the part of all parties to
successfully manage these cultural differences.
770 In Companies A and C, the objectives of SOX were not clear, at least initially, and
resulted in a perception of control implementation being a non-beneficial activity by
some. In Company A, control information was not considered particularly important
for purposes other than reporting to regulators, with a ‘‘clean audit opinion’’ reportedly
being a primary objective. As such, the company is overlooking potential for control
information also to be a useful managerial tool and may not take its control
implementation efforts seriously enough. On the other hand, the lack of proper
implementation guidelines provoked frustration by users in Company C, who were
requested to participate in SOX implementation but did not have adequate
information, guidance and skills. At least in some cases, such weaknesses were
exhibited in the users just ‘‘going through motions’’ without necessarily understanding
reasons for, or fully being engaged, in the processes. Some of these behaviours are
undoubtedly related to the fact that Company A proceeded with its implementation
with only internal expertise, and Company C summoned the help of consultants only
after experiencing difficulties with its internal process analyses.

Conclusion
This study examined major challenges faced by four large and medium-sized public
companies in enhancing their ERP systems for compliance with regulatory internal
control requirements, notably SOX. It provides evidence of some technical, process and
cultural challenges faced by these companies. The findings reveal several common
challenges encountered in all companies, but also some challenges that are unique in
their organizational and cultural environments. Many of these challenges are similar to
those discussed in the ERP systems implementation literature. However, some
additional challenges relate to specific legislative requirements associated with, such
as compliance deadlines and the lack of guidance.
Although all four companies used ERP systems, their technical systems
requirements varied somewhat. In addition, depending on specific control requirements
and the stage of their implementation, some companies encountered greater technical
challenges than others. Significant modifications were needed to the standard modules
in Companies B and D, and some solutions outside ERP systems were also required due
to systems inflexibility or the high costs of system modifications for some applications.
Configuring the systems to meet its control needs was a specific challenge in Company
C. Ensuring proper systems security and the segregation of duties were common
challenges facing all four companies.
As to implementation processes, all four companies have expended significant effort
and resources on their control compliance projects. Compliance implementation was
accomplished as a part of broader change management initiatives in Companies B, C
and D, and has been a long and costly process in all companies. Companies B and D
were more advanced in their implementations, as they were subject to earlier
compliance deadlines than Companies A and C. All four companies used a systematic
process-oriented approach to their control implementations. For example, they
conducted detailed process analyses, documented controls and processes, and used an Enhancing ERP
established framework for evaluating IT controls. However, the degree of external help systems
used varied, with Companies B and D using external consultants extensively, whereas
Company C used them to a lesser degree, and Company A relied solely on the expertise
of its staff, internal auditors and the audit committee.
Finally, all four companies cited some resistance to their control implementations.
Some resistance related to the lack of proper guidelines, with greater initial effects felt 771
in Companies A and C that started their implementations without the expertise of
consultants. In Company B, significant resistance related to the centralized approach to
implementing controls, which entailed establishing common controls and a single
reporting system for its numerous global operations. Resistance in Company D was
magnified by the recent acquisitions of foreign companies with different rules,
regulations, and cultures. In Companies A and C, resistance appeared to stem more
from differences in attitudes, organizational culture and processes used, as opposed to
differences in national culture in more geographically diverse Companies B and D.
The four companies have apparently been quite successful in addressing their
control implementation challenges encountered, and they consider their progress quite
satisfactory. However, some additional work is required in all companies to complete
their control compliance initiatives. Additional adjustments will undoubtedly be
needed in the future in response to systems monitoring and evaluation feedback, as
well as auditor evaluations and possible future changes in regulatory requirements.
Although the findings of this study are exploratory, they raise relevant issues for
consideration by systems, finance and operations managers when enhancing their ERP
systems and processes for regulatory control compliance, as well as can form a
foundation for researchers in building models of ERP systems effectiveness in
implementing effective controls. Further research would be beneficial in order to study
longer term progress and the effects of compliance initiatives after all compliance
requirements have been implemented.

Notes
1. COSO is a voluntary organization, consisting of five American Accounting and
Financial Executives Institutes. Its objective is to improve financial reporting quality.
2. The effective compliance dates for all case companies are for fiscal years ending in 2006
(after 14 July 2006 for SOX and after 29 June 2006 for Canadian regulations), with the
exception that, under the Canadian regulations, Canadian companies have extra two
years to comply with the management control effectiveness evaluation requirements.
The applicable auditor certification deadline under SOX was extended (to fiscal years
ending after 14 July 2007), and auditor certification is not required at all under the
current Canadian regulations.

References
Al-Mashari, M. (2002), ‘‘Enterprise resource planning (ERP) systems: a research agenda’’,
Industrial Management and Data Systems, Vol. 102 No. 3, pp. 165-70.
Beheshti, H.M. (2006), ‘‘What managers should know about ERP/ERP II’’, Management Research
News, Vol. 29 No. 4, pp. 184-93.
Bititci, U.S., Turner, T. and Begemann, C. (2000), ‘‘Dynamics of performance measurement
systems’’, International Journal of Operations & Production Management, Vol. 20 No. 6,
pp. 692-704.
MRN Bourne, M., Neely, A., Platts, K. and Mills, J. (2002), ‘‘The success and failure of performance
measurement initiatives: perceptions of participating managers’’, International Journal of
31,10 Operations & Production Management, Vol. 22 No. 11, pp. 1288-310.
Bratton, W.W. (2003), ‘‘Enron, Sarbanes–Oxley and accounting: rules versus principles versus
rents’’, Villanova Law Review, Vol. 48 No. 4, p. 1023.
Brown, W. and Nasuti, F. (2005), ‘‘What ERP systems can tell about Sarbanes–Oxley’’,
772 Information Management and Computer Security, Vol. 13 No. 4, pp. 311-27.
Canadian Securities Administrators (CSA) (2004a), ‘‘Multilateral instrument 52-109 –
certification of disclosure in issuers’ annual and interim filings’’, available at:
www.osc.gov.on.ca/Regulation/Rulemaking/Current/Part5/rule_20040326_52-109-cert.pdf
(accessed 21 April 2007).
Canadian Securities Administrators (CSA) (2004b), ‘‘Multilateral instrument 52-110 – audit
committees’’, available at: www.osc.gov.on.ca/Regulation/Rulemaking/Current/Part5/
rule_20040326_52-110-audit-comm.jsp (accessed 21 April 2007).
Canadian Securities Administrators (CSA) (2005), ‘‘National policy 58-201 – corporate
governance guidelines’’, available at: www.osc.gov.on.ca/Regulation/Rulemaking/Current/
Part5/rule_20050617_58-201_corp-gov-guidelines.pdf (accessed 21 April 2007).
Chan, S. (2004), ‘‘Sarbanes–Oxley: the IT dimension’’, Internal Auditor, pp. 31-3.
Colman, R. (2006), ‘‘Sarbanes–Oxley in review’’, CMA Management, pp. 20-5.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1992), Internal
Control – Integrated Framework, (Two-Volume Ed., 1994), AICPA, Jersey City, NJ.
Damianides, M. (2004), ‘‘How does SOX change IT?’’, Journal of Corporate Accounting and
Finance (Wiley), pp. 35-41.
Davenport, T.H. (2000), Mission Critical: Realizing the Promise of Enterprise Systems, Harvard
Business School Press, Boston, MA.
Grabski, S.V. and Leech, S.A. (2007), ‘‘Complementary controls and ERP implementation
success’’, International Journal of Accounting Information Systems, Vol. 8 No. 1, pp. 17-39.
IT Governance Institute (ITGI) (2004), ‘‘IT control objectives for Sarbanes–Oxley: the importance
of IT in the design, implementation and sustainability of internal control over disclosure
and financial reporting’’, available at: www.itgi.org/template_ITGI.cfm?template=/
ContentManagement/ContentDisplay.cfm&ContentID=24235 (accessed 17 October 2006).
Kakouris, A.P. and Polychronopoulos, G. (2005), ‘‘Enterprise resource planning (ERP) system:
an effective tool for production management’’, Management Research News, Vol. 28 No. 6,
pp. 66-78.
Kennerley, M. and Neely, A. (2002), ‘‘A framework of factors affecting the evolution of
performance measurement systems’’, International Journal of Operations & Production
Management, Vol. 22 No. 11, pp. 1222-45.
Kuhn Jr., J.R. and Sutton, S.J. (2006), ‘‘Learning from Worldcom: implications for fraud detection
through continuous assurance’’, Journal of Emerging Technologies in Accounting, Vol. 3,
No. 1, pp. 61-80.
Kumar, V., Maheshwari, B. and Kumar, U. (2003), ‘‘An investigation of critical management issues
in ERP implementation: empirical evidence from Canadian organizations’’, Technovation,
Vol. 23 No. 9, pp. 793-807.
Kumar, V., Pollanen, R. and Maheshawari, B. (forthcoming), ‘‘Enterprise systems effectiveness in
implementing internal controls in global environment’’, in Ferran, C. and Salim, R. (Eds),
Enterprise Resource Planning for Global Economies: Managerial Issues and Challenges,
Idea Group Publishing, Hershey, PA.
Markus, M.L. and Tanis, C. (2000), ‘‘The enterprise system experience: from adoption to success’’, Enhancing ERP
in Zmud, R.W. (Ed.), Framing the Domains of IT Management: Projecting the Future
through the Past, Pineflex Educational Resources Inc., Cincinnati, OH. systems
Matolcsy, Z.P., Booth, P. and Wieder, B. (2005), ‘‘Economic benefits of enterprise resource
planning systems: some empirical evidence’’, Accounting and Finance, Vol. 45, pp. 439-56.
Mills, J., Platts, K. and Gregory, M. (1995), ‘‘A framework for design of manufacturing strategy
processes: a contingency approach’’, International Journal of Operations and Production
Management, Vol. 15 No. 4, pp. 17-49. 773
Presley, A. (2006), ‘‘ERP investment analysis using the strategic alignment model’’, Management
Research News, Vol. 29 No. 5, pp. 273-84.
Public Company Accounting Oversight Board (PCAOB) (2007), ‘‘Auditing standard no. 5: an
audit of internal control over financial reporting that is integrated with an audit of
financial statements’’, available at: www.pcaobus.org/Rules/Rules_of_the_Board/
Auditing_Standard_5.pdf (accessed 5 august 2007).
Sohal, A.S., Moss, S. and Ng, L. (2001), ‘‘Comparing IT success in manufacturing and service
industries’’, International Journal of Operations andProduction Management, Vol. 21
No. 1/2, pp. 30-45.
US Congress (2002), ‘‘Sarbanes-Oxley Act’’, available at: www.sec.gov/about/laws/soa2002.pdf
(accessed 29 October 2006).

About the authors

Vinod Kumar is a professor of Technology, Innovation, and Operations Management and a
former Director of the Sprott School of Business (1995-2005), Carleton University. He has
published more than 150 articles in refereed journals and proceedings and is the recipient of
Carleton University’s Scholarly Achievement Award twice and the Research Achievement
Award three times. He has led several research projects funded by the Social Sciences and
Humanities Research Council (SSHRC), the Natural Sciences and Engineering Research Council
(NSERC), Industry Canada and the Ontario Research and Development Challenge Fund
(ORDCF). He has won 12 best paper awards and is on the editorial boards of two international
journals.
Raili Pollanen is an assistant professor of Accounting and a former accounting area
coordinator (2001-2006) at the Sprott School of Business, Carleton University. She has expertise
in accounting, management control, and performance measurement systems in both private and
public sectors. Her recent research has been funded by the Canadian Academic Accounting
Association (CAAA), the Canadian Institute of Chartered Accountants (CICA), the Canadian
Financial Executives Research Foundation (CFERF), and the Association of Canadian Financial
Officers (ACFO). Her research has been published in numerous academic and professional
journals, books, conference proceedings, and professional reports.
Bharat Maheshwari is a lecturer at the Odette School of Business, University of Windsor and
a PhD candidate at the Sprott School of Business, Carleton University. He is an author/coauthor
of several peer-reviewed articles and has over ten years of experience in information systems and
operations management. He has lead engineering teams in industry and coordinated e-Business
research activities at the Sprott School of Business. He was the chair of the operations
management division at the 2007 ASAC conference and is a key member of the Ontario Research
Network of e-Commerce (ORNEC) at Carleton University.

To purchase reprints of this article please e-mail: reprints@emeraldinsight.com

Or visit our web site for further details: www.emeraldinsight.com/reprints
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.