1 THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ... - SSRN

9 downloads 28026 Views 196KB Size Report
regulatory compliance issues in volatile environments. Keywords: enterprise risk management, organizational strategic flexibility, control environment,.
THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE

Vicky Arnold University of Central Florida University of Melbourne Tanya Benford University of Central Florida Joseph Canada University of Central Florida Steve G. Sutton University of Central Florida University of Melbourne

March 2009

* This research was funded by the Institute of Internal Auditors – Research Foundation. The authors wish to thank the IIARF for their generous funding and support of our research. We would also like to thank Maggie Abernethy, Vairam Arunachalam, Mary Curtis, Michael Davern, Fred Davis, Carlin Dowling, Don Finn, Clark Hampton, Kevin Kobelsky, Anne Lillis, Elaine Mauldin, Aldi Masli, Vern Richardson, Jake Rose, Patrick Wheeler, workshop participants at the University of Arkansas, University of Melbourne, University of Missouri, and the University of North Texas, as well as participants at the 2008 Asia-Pacific Research Symposium on Accounting Information Systems, 2008 International Conference on Enterprise Systems, Accounting and Logistics, and 2009 AAA Information Systems Section Mid-Year Meeting for their helpful feedback on earlier versions. We are also appreciative of research assistance provided by Randy Kuhn. 1

Electronic copy available at: http://ssrn.com/abstract=1371231

THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE Abstract The impact of new regulatory requirements for internal control reporting on an organizations’ ability to maintain strategic flexibility has been debated extensively. This paper uses a systems perspective to examine the relationship between an organizations’ pre-regulatory effectiveness of enterprise risk management (ERM) processes and their reactiveness to new regulatory mandates. This focus on ERM processes first examines the influence of ERM on the ex ante development of organization structures (i.e. information technology systems compatibility and organizational strategic flexibility). These structures are then examined for their influence on the use of appropriate actions (i.e. control environment and comprehensive compliance processes) to mitigate the difficulty of compliance. Data were collected on these main constructs and related influential constructs from chief audit executives representing a broad range of North American organizations. We specifically focus on Section 404 of the U.S. Sarbanes-Oxley Act of 2002 (hereafter, SOX 404). Structural modeling was used to test the relationships simultaneously and to understand the predictive behavior of the various attributes. First, the results reveal a strong positive relationship between the effectiveness of ERM and strategic flexibility which is partially mediated by IT compatibility—the ability to capture and share data across an enterprise. Second, the results show a strong positive relationship between strategic flexibility and use of effective implementation processes for new compliance requirements over internal control reporting, but the relationship is fully mediated by the strength of an organization’s control environment. Third, our structural model allows us to identify both direct effects of ERM effectiveness on the strength of the control environment and the indirect effects of ERM effectiveness on control environment via the interrelationships with IT compatibility and strategic flexibility. Measurement of these indirect effects captures a more complete view as to the influence of ERM effectiveness on the strength of the control environment; the combined direct and indirect effects increase by 16% the variance in strength of control environment explained by ERM. In brief, our research finds that organizations with effective ERM processes and flexible organizational structures already in place incurred little difficulty in implementing SOX 404 mandates, while organizations that lacked effective ERM processes prior to SOX 404 compliance had weaker implementation processes and had a more difficult experience in complying with the mandates. These findings provide key insights into the importance of ERM for creating an organizational form that can effectively deal with regulatory compliance issues in volatile environments. Keywords: enterprise risk management, organizational strategic flexibility, control environment, IT compatibility, internal control, management control systems, Sarbanes-Oxley Act. Data Availability: Data are available upon request subject to institutional review board restrictions.

2

Electronic copy available at: http://ssrn.com/abstract=1371231

THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE I. INTRODUCTION Many countries have recently implemented a myriad of internal control reporting mandates for public companies.1 Arguably, the most pervasive of these new mandates was the Sarbanes-Oxley Act of 2002 (SOX), enacted by the U.S. Congress in July, 2002, with global implications for public companies who wished to be registered on the U.S. stock exchanges. Since that time, there has been a substantial backlash including allegations that the SOX Act is ‘quack legislation’ (Romano 2005) and a myriad of questions as to whether the corporate governance provisions have a justifiable cost-benefit (e.g. DeFond and Francis 2005). There have also been questions of whether the burden of SOX regulatory requirements would irreversibly weaken the U.S. stock exchanges’ financial market leadership position (BloombergSchumer-McKinsey Report, 2007). One of the more controversial components of the law is Section 404 with its mandates for broad reaching internal controls over financial reporting that must be attested to by management and opined upon by an auditor. As a result, the U.S. SEC held numerous hearings about this provision and the implementation of 404 requirements was repeatedly delayed—particularly for small and medium sized enterprises and foreign registrants.2 Among the major concerns of the SEC were complaints by smaller enterprises that these internal control and risk management processes would impede the enterprise’s ability to react to market changes due to resulting restrictions in organizational flexibility (Katz 2006). Preliminary evidence from several case studies of smaller firms required to file as accelerated filers suggests 1

Global internal control reporting regulations include Canada’s National Instrument 52-109 (NI 52-109), the U.S. Sarbanes-Oxley Act of 2002 (SOX 404), the Australian Corporate Law Economic Reform Program Act (CLERP 9), the EU 8th Directive, the French Lois sur la Securite Financiere (LSF), the Italian Legislative Decree 231 and Decree 262, and Japan’s Financial Instruments and Exchange Law (“J-SOX”) (E&Y 2008a). 2 These so called non-accelerated filers are currently being phased into 404 reporting requirements with management’s report on controls required for fiscal year-ends on or after July 15, 2007, and the auditor’s opinion on management’s report being required for fiscal year-ends on or after July 15, 2008.

1

this may be the case for some firms depending on their existing organizational structures and processes (Arnold et al., 2007). We explore these concerns through an empirical evaluation of companies that have completed the SOX 404 reporting process to evaluate how organizational structures and processes impact the difficulty of adhering to the newly mandated compliance requirements. Specifically, we examine the relationship between effective ERM practices and the facilitation of organizational strategic flexibility, and the subsequent impact of organizational strategic flexibility on the development of effective compliance implementation processes and difficulty in meeting compliance objectives. In examining these relationships, we consider the mediating roles of information technology (IT) systems and the organization’s control environment. The conceptual model presented is a generalized model that explains how these organizational structures and processes facilitate compliance with new regulatory mandates. In developing our conceptual model, we specifically address concerns voiced regarding the relationship between control structures and organizational strategic flexibility from a systems perspective. We adopt the conceptual foundations from theory on capability-building for entrepreneurial alertness (e.g. ERM) which views strategic organizational flexibility as the key to organizations’ success in volatile business environments (Sambamurthy et al. 2003). We build upon Sambamurthy et al.’s model by incorporating research on management control systems (see Langfield-Smith 1997 and Chenhall 2003 for reviews). This integration helps explain the relationship between strategic flexibility and management control and how ERM and organizational flexibility facilitate the development of effective processes for responding to new regulatory mandates—in this case, new internal control reporting mandates. While early studies seem to indicate that control systems did not facilitate strategic decisions in organizations, recent

2

studies consistently find the opposite. If broader-based measures, rather than just financial measures, are used, management control systems actually serve as vital informers for strategic decision making with more control information being desired in more flexible environments (Simons 1990; Davila 2000; Ahrens and Chapman 2004; Ditillo 2004; Chenhall and Euske 2007). The results of our study provide several contributions to the literature and have implications for the discourse on the benefits of mandates for internal control reporting. First, we establish a strong link between effective ERM and organizational strategic flexibility while identifying the critical mediating effect of strong IT systems. Second, we establish a strong link between organizational strategic flexibility and organizational reactiveness to new regulatory mandates—in this case mandates related to effective internal control systems. Importantly, we also identify the mediating effect of the control environment on the ability of flexible organizations to implement effective compliance processes. Third, the overall results provide evidence of a direct relationship between effective ERM processes and the organization’s control environment. Additionally there is also a substantial indirect effect due to the impact of ERM on IT systems and organizational strategic flexibility that help explain overall control environment development. Finally, while prior research has focused primarily on the organizational factors that facilitate the development of ERM (e.g. Kleffner et al. 2003; Liebenberg and Hoyt 2003; Beasley et al. 2005), we focus on how the effectiveness of ERM from a strategic benefits perspective impacts organizational structure and its ability to respond to changes in the business environment—i.e., how effective, strategic-oriented ERM benefits an organization. The remainder of this paper is presented in four parts. Section two expands upon the underlying theory and prior related literature that provides the conceptual development of the

3

hypotheses and overall research model. The third and fourth sections provide the research methods and results of the model and hypotheses testing. The fifth and final section provides an overview of the results and the implications for future research. II. BACKGROUND AND HYPOTHESES Arnold et al. (2007), using four case studies of companies that had recently completed SOX 404 compliance, provide preliminary insight into the effect of regulatory compliance efforts on organizational processes and performance. Their findings indicate that all four firms adopted some level of ERM processes in addressing SOX 404 compliance efforts. However, two of the four firms had substantial difficulty in meeting compliance requirements; and both of these firms felt that newly implemented risk management processes and internal control procedures hindered their customer cycle times putting them at a competitive disadvantage. They primarily viewed the control structures as limiting their flexibility to react strategically. On the other hand, the other two firms endured far less stress during their compliance efforts. Each had a strong system of internal controls; and, each established procedures very early on for addressing the required changes under the new regulatory mandates. These results raise questions regarding whether there are structural differences between the four firms that contributed to differing experiences in implementation difficulty and different perceptions on the impact in terms of organizational flexibility. Based on prior case research showing the perceived influence of ERM practices and organizational structure on companies’ ability to address the new mandates (Arnold et al. 2007), we develop a research model that integrates a strategic view of ERM (Treasury Board 2001; Sambamurthy et al. 2003; COSO 2004) with organizational theory perspectives on

4

organizations’ ability to maintain flexibility and react to regulatory change (e.g. Volberda 1996; Sambamurthy et al. 2003; Palanisamy 2005). ERM as A Basis for Entrepreneurial Alertness Theory on capability building and entrepreneurial action is premised on the resource based view of the firm where information technology (IT) is viewed as not having strategic value by itself, but rather as a resource that can be shaped and refined to become an enabler of organizational flexibility that in turn facilitates competitive action (Sambamurthy et al. 2003). The key to the theory, however, is entrepreneurial alertness, which is the capability to explore the marketplace and identify opportunities for action. Entrepreneurial alertness drives the evolution of IT systems to facilitate the organization’s strategic flexibility, thus creating an indirect as well as a direct effect of entrepreneurial alertness on the development of strategic flexibility. Similarly, entrepreneurial alertness, by enabling strategic flexibility, also supports the organization’s ability to respond to changes in the environment through execution of competitive actions. Thus, competitive actions are not only supported directly by entrepreneurial alertness but also indirectly through strategic flexibility (Sambamurthy et al. 2003). Entrepreneurial alertness includes both strategic foresight (i.e. the ability to foresee risks and opportunities) and systemic insight (i.e. the ability to use foresight to shape competitive actions that provide advantage) (Sambamurthy et al. 2003). ERM represents perhaps the strongest form of entrepreneurial alertness with its focus on integrating risk management processes at an enterprise-wide level in order to provide a uniform capability for responding to risks and seizing opportunities. The Treasury Board of Canada (2001) was one of the early advocates of integrated risk management (i.e. ERM) and defines ERM as “…a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making 5

strategic decisions that contribute to the achievement of an organization's overall corporate objectives” (p. 10). While everyone in the organization has some responsibility for ERM, an organization’s Board of Directors has overall responsibility for ensuring risks are managed, but in practice the management team is generally delegated with the responsibility (Institute of Internal Auditors 2004). As such, ERM integrates risk management activities while elevating its status as a key component of the firm’s overall strategy thus enabling the organization to respond strategically to both risks and opportunities (Liebenberg and Hoyt 2003). In building an organization’s risk profile, information and knowledge must be aggregated across the strategic and operational levels to assist managers in understanding the range of risks (internally and externally) and the related opportunities (Treasury Board 2001, p. 15). To facilitate the aggregation of information and knowledge across the organization, the Treasury Board recognizes the need to consider potential technological solutions to support on-going activities that facilitate risk awareness and management through information sharing (Treasury Board 2001, p. 31). From a theoretical perspective, ERM can be viewed as fundamental to the evolution of IT systems, organizational strategic flexibility, and competitive actions that may result in either necessary responses to risks or the potential to seize opportunities. The conceptual model is shown in Figure 1. [Insert Figure 1 about here] Background and Hypotheses While the need for risk management was strongly advocated in Canada prior to the major U.S. corporate failures in 2002 (e.g. Enron and WorldCom), the passage of SOX in the U.S. led the Committee of Sponsoring Organizations of the Treadway Committee (COSO 2004) to 6

release a revised internal control framework that adopted ERM concepts and took a more strategic view of control processes. This framework expanded the scope of its earlier framework (COSO 1992) to focus more comprehensively on ERM. While COSO’s ERM framework has become the guiding directive adopted by the vast majority of organizations (particularly in the U.S.) complying with SOX 404, the implementation in many cases focused on the underlying internal control framework and not the strategic organizational-level risk management processes characterized by ERM. While internal control is an integral part of ERM from a COSO (2004, 25) point of view, ERM is broader than internal control as it focuses more fully on risk and risk management. Still, in the face of SOX 404 requirements, many organizations have focused on procedural aspects of control and have not implemented effective, strategically-oriented ERM processes or have only implemented minimal processes (Beasley et al. 2005; E&Y 2008a). Surveys reveal ERM as the major issue currently being addressed by audit committees (E&Y 2008a; KPMG 2008). Likewise, the October 2008 joint meeting of the European and North American Audit Committee Leadership Networks highlights both the urgency to develop effective ERM processes and the on-going struggle many organizations face when implementing effective ERM practices. ERM frequently continues to be hampered by a narrow, business-unit view of risk that persists among top management (EACLN and NAACLN 2008). In order to achieve ERM objectives, relevant information must be “identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities” (COSO 2004, 25). Levine (2004) notes that from an implementation perspective, the information needs of ERM necessitate the availability of IT systems that provide a true, unified picture of risk across the organization. Information and knowledge must be

7

aggregated across strategic and operational levels of the enterprise to assist managers in understanding and assessing the existing range of internal and external risks (Treasury Board 2001, p. 15). Thus, one of the fundamental challenges of implementing ERM is aggregating the underlying data required to monitor the various components of organizational risk (Lam 2003). This need for data is highlighted in Ernst and Young’s (2008b) prescribed approach for developing effective ERM. The firm notes the importance of designing and developing the desired ERM processes and, once these processes have been deployed, assessing the degree of alignment and coordination across the organization in assessing, improving and monitoring risks and controls (p. 6). Two key components of this alignment and coordination process are the leveraging of IT and the development of governance processes that start with the ‘tone at the top’ to create an appropriate control environment (p. 4-5). Of interest at this point is the focus on IT where Ernst and Young (2008b) asserts that IT must be effectively leveraged to support the organization’s risk framework. This includes making any necessary changes to assure IT systems effectively support risk identification and assessment as well as facilitate monitoring of risks to recognize adverse trends proactively (p. 5). This leveraging of IT based on ERM strategies is consistent with that put forth in the theory on capability building and entrepreneurial alertness (Sambamurthy et al. 2003). The focus on enterprise wide data availability is indicative of the need for organizational information systems that have high IT compatibility. Byrd and Turner (2000) define IT compatibility as the ability to share any type of information across any type of technology component. In essence, it suggests a transparency of information that allows access to critical data from anywhere within the organization through linked and integrated information systems. While core enterprise systems may exist in organizations even before ERM efforts evolve, IT

8

research highlights the needs to assimilate technology in order to garner strategic benefit (Sambamurthy and Zmud 1999). With enterprise systems in particular, involvement and pressure from top management to drive assimilation and shape IT processes to support strategic processes is critical (Liang et al. 2007). Given the importance placed on information flow, we expect that increased effectiveness of ERM processes will be indicative of top management involvement and desire for increased IT compatibility. This leads to the first hypothesis: H1: As the effectiveness of ERM increases, IT compatibility will increase. As previously noted, one of the major concerns has been the impact of control procedures that are implemented as a part of an organization’s ERM strategy on the flexibility of the organization and its ability to react strategically to changes in the business environment. Organizational strategic flexibility is reflective of an ability to respond appropriately and timely to a wide variety of changes in the competitive environment, and is a function of managerial capabilities and the responsiveness of the organization (Volberda 1996). Palanisamy (2005) notes the importance of IT flexibility in facilitating such responsiveness by an organization’s management. Without easy accessibility of organization-wide data on performance and capabilities, it is difficult for an organization to understand and respond to new market, product, or service opportunities and to understand shifts in customer preferences and needs— opportunities that require increased organizational flexibility to respond effectively and efficiently. Based on Byrd and Turner’s (2000) dissection of the components of IT flexibility, the IT compatibility component is critical to supporting management’s ability to react and thereby maintain strategic flexibility. This is also consistent with Chapman and Kihn’s (2009) findings that centralized data that is accessible organization-wide increased organizational flexibility. Research in management control systems on facilitating organizational strategic flexibility provides two key pieces to understanding the relationships between ERM, IT 9

compatibility, and strategic flexibility. First, Chenhall and Euske (2007) specifically note the role of risk management processes in the successful adaptation of strategic direction. Second, the literature points to the importance of diverse, readily available information. Abernethy and Brownell (1999) show a relationship between the type of information needed and the strategic orientation of the firm, with more strategically oriented firms requiring more dynamic information. Further, strategically oriented firms demand broader scope information (Bouwens and Abernethy 2000), and this broad scope information is highly important to organizational flexibility (Abernethy and Lillis 1995). In combination, these two perspectives suggest that ERM processes are important to supporting organizational strategic flexibility. As theorized by Sambamurthy et al (2003), this relationship occurs through high levels of IT compatibility that provide broad scope information readily retrievable to support strategic decision making. This leads to the second and third hypotheses: H2: As IT compatibility increases, organizational strategic flexibility will increase. H3: The positive effect of ERM processes on organizational strategic flexibility is mediated by the level of IT compatibility. As noted earlier, Ernst and Young (2008b) highlights the importance of establishing the proper tone at the top of the organization to assure that the control culture of the organization is brought in alignment with a risk management perspective. The control environment of the firm must evolve to a form compatible with the ERM strategies and processes. The control environment is the foundation for all other components of internal control, providing discipline and structure. In terms of the theory, the control environment embodies a type of competitive action that a firm must execute to facilitate reaction to identified risks and opportunities (Sambamurthy et al. 2003).

10

Similarly, Volberda (1996) notes that an organization can only continue to act flexibly if conditions are developed to maintain the organizations’ controllability and responsiveness. “If management tries to increase the flexibility mix beyond the limits of organizational conditions, the controllability of the organization will diminish.” (Volberda 1996, 363). The managerial control literature similarly points to the importance of effective managerial control as necessary to support strategic flexibility (Simons 1990; Davila 2000; Chenhall 2003; Ditillo 2004; NaranjoGil and Hartmann 2006; 2007). Thus, an organization that maintains a consistent state of strong organizational strategic flexibility will only do so if it uses that strategic flexibility to develop and maintain an effective control environment that promotes discipline and structure. This leads to the fourth and fifth hypotheses: H4: As ERM effectiveness increases, the strength of the control environment will also increase. H5: Higher levels of organizational strategic flexibility will promote stronger control environments. Faced with new regulatory compliance requirements, an organization must react quickly in order to put the processes in place to achieve compliance effectively and efficiently. By definition, organizational strategic flexibility is the ability to respond appropriately and timely to changes in the competitive environment (Volberda 1996). The introduction of new regulation is reflective of such a change in the competitive environment. Thus, more flexible organizations would be expected to react to regulatory changes by implementing appropriate and timely processes to achieve compliance. Amburgey and Miner (1992) view this ability to react to change by implementing appropriate and timely processes as strategic momentum. In terms of organizational change, strategic momentum is the tendency to maintain or expand the emphasis and direction of prior strategic actions in reacting to current strategic challenges (Amburgey and Miner 1992). The 11

experience with change that comes with organizations having high levels of strategic flexibility provides the ability to incorporate core routines for facilitating change into the structural inertia (i.e. culture) of the firm (Amburgey et al. 1993). High levels of strategic flexibility coupled with a culture prepared to address change are perceived to be even more critical when the forces driving the change are intensified (Grewal and Tansuhaj 2001). Arnold et al. (2007) observe this facilitating link between a change culture and the ability to adapt to control requirements under SOX 404 mandates in two of the four firms they studied. The inertia that allows firms to adapt and repetitively apply change routines (Amburgey et al. 1993) is consistent with the organizational culture required within regulatory environments that mandate on-going processes that facilitate compliance. This compliance culture, which must become engrained in the organizational culture, accordingly influences the control consciousness of the organization’s people—i.e. the control environment (COSO 1992). This creation of a strong control environment should have a direct effect on the viability of compliance implementation processes. Arnold et al. (2007) note the importance of a strong “tone at the top” for facilitating the change in culture required for implementing SOX 404 compliance mandates. Hence, while organizational strategic flexibility should facilitate the development of effective implementation processes, the impact is likely increased (decreased) in the presence (absence) of a strong control environment. The control environment is a critical catalyst for successfully implementing strategic compliance processes. This leads to the sixth and seventh hypotheses: H6: A stronger control environment will lead to more effective SOX compliance implementation processes. H7: Higher levels of organizational strategic flexibility will promote stronger SOX compliance implementation processes, but this relationship will be mediated by the strength of the control environment.

12

Finally, more effective SOX compliance implementation processes should reduce the difficulty in achieving compliance. This is the eighth and final hypothesis: H8: A stronger SOX compliance implementation process will result in less difficulty achieving compliance. This final hypothesis serves primarily as a control to assure that higher perceived levels of activity actually result in tangible benefits. Figure 2 graphically presents the hypothesized relationships and visually captures the interrelationships among the various constructs. In terms of the theory on capability building and entrepreneurial alertness, the research model expands upon the competitive actions portion of the conceptual model to consider in greater detail the activities necessary for an effective response to the given regulatory change. [Insert Figure 2 about here] III. RESEARCH METHOD A field survey method was adopted for this study in order to identify and understand the relationships as they exist within a set of organizations. Partial least square (PLS) analysis (SmartPLS 2.0 Beta 2005) was used to validate the study constructs and to test the relationships hypothesized in the conceptual model presented in Figure 2. The following sub-sections elaborate on the participants, instrument development and validation, and the method of analysis. Participants The Institute of Internal Auditors Research Foundation (IIARF) hosted the survey employed in this study. An invitation to participate was sent by the IIARF to 1,383 members identified as “Chief Audit Executives” or the equivalent. A total of two hundred fifty-one members completed the survey for a total response rate of 18.1%; 139 (55.6%) were employed at organizations that have completed the SOX 404 compliance process, 111 (44.4%) were 13

employed at organizations that either are not subject to SOX 404 compliance or have not completed the compliance process, and 1 participant did not respond to this question. While all invitees were identified by the IIA as the chief audit executives in their organizations, responses were screened based on the demographics in order to identify anyone that did not appear to fit the sample profile. Of the 139 respondents at organizations that had completed the SOX compliance process, two indicated they were staff auditors with less than five years experience and one individual, also with less than five years experience, did not respond to the question related to position. The data from these three respondents were excluded from further analyses. Data from the remaining 136 respondents were examined for completeness. In one case, the participant responded to less than 30% of the survey and in another case the participant omitted all items related to one variable of interest; these cases were also dropped from further analyses. A test of overall randomness found that remaining missing data was missing completely at random (MCAR) (chi-square = 314.933 df = 386 p-value = 0.997) and the expectation maximization algorithm (EM) (SPSS 15.0 2006) was used to calculate replacement values as necessary (Hair et al. 2006). Respondents were afforded the option of selecting “N/A Don’t Know” for each of the survey measures. The “N/A Don’t Know” responses were examined to assess the magnitude and pattern (if any) to these data. Twenty-one of the participants selected “N/A Don’t Know” for more than 10% of the survey items and these respondents’ data were all excluded from further analyses3. The remaining “not applicable” responses were evaluated and found to be completely at random (MCAR chi-square = 336.007 df = 312 p-value = 0.168) and EM (SPSS 15.0 2006) was used to calculate replacement values (Hair et al. 2006). All remaining analyses for the 3

The demographic data for these twenty-one respondents were examined to see if there was a concentration in a particular industry or some other participant demographic characteristic; however, these frequencies were similar to that of participants retained in the sample.

14

current study are based on the remaining 113 respondents employed at organizations that reported having completed at least 1 filing consistent with the requirements of SOX 404. Of the 113 respondents used in this study, 106 (93.81%) were employed at publicly traded companies and 92 (81.42%) had over ten years internal audit, accounting, finance and/or IT experience. Twenty-six (23.01%) were employed in manufacturing, 19 (16.81%) in financial services/real estate, 12 (10.62%) in technology, 11 (9.73%) in insurance, and 10 (8.85%) in utilities. Seventy-eight (69.03%) of the survey respondents were male and 33 (29.20%) were female (2 did not respond to this item). Demographic data is shown in Table 1. [Insert Table 1 here] Survey Instrument The online survey was divided into two sections; the first section captured measures of the latent variables employed in this study. The second section of the survey instrument collected respondents’ demographic information. The structural model, which is shown in Figure 3, includes five latent variables with reflective item measures (i.e. effectiveness of ERM, IT compatibility, organizational strategic flexibility, control environment, and SOX implementation difficulty) and one latent variable with formative item measures (i.e., the SOX compliance implementation process). Descriptive statistics as well as the individual items for the construct measures are presented in Table 2. [Insert Figure 3 and Table 2 here] ERM is an organizational process that enables firms to holistically identify, assess and measure the potential impact of risks that can affect firm value. The five ERM item measures used in the current study were developed to reflect participants’ assessment of the effectiveness of their firm’s enterprise risk management procedures at a strategic level. Specifically, these

15

measures were developed to reflect top management’s role in risk management, as top management must develop consistency of operational objectives and goals throughout the organization by implementing risk management processes that provide consistent and reliable information about both organizational risks and opportunities. Additionally, ERM ensures that control processes identify risks that may affect the achievement of objectives, and that the identified risks are complimented with appropriate responses. The item measures for the ERM Process construct shown in Table 2 reflect a clear picture of an organization’s internal strategic environment with a focus on achieving the strategic benefits that should be derived from effective ERM strategies and processes (Treasury Board 2001; E&Y 2008b; COSO 2004). IT compatibility is a sub-component of Byrd and Turner’s (2000) technical IT infrastructure flexibility construct and measures the organizations’ ability to share information across various technology components. The item measures for IT compatibility were adapted from Byrd and Turner (2000). However over 10% of the respondents indicated that two of the Byrd and Turner (2000) item measures were not applicable for their organization. As a result, these items were dropped from further analysis. While all item measures are included in Table 2, descriptive statistics are only shown for the four item measures retained. Organizational strategic flexibility reflects the organization’s ability to respond to the opportunities and challenges of a competitive environment (Sanchez 1995). Four item measures of organizational strategic flexibility are employed in the current study. These measures are adapted from those validated by Cannon and St. John (2004) and focus on organizations’ strategic accommodation of market/product changes. The control environment construct reflects the organization’s corporate environment as it relates to internal controls. The five item measures in the current study for the control

16

environment were derived from COSO’s original ‘Internal Control — Integrated Framework” (1992). COSO (1992) specifically mentions integrity and ethical values in the form of tone at the top and an enforceable code of conduct, commitment to competence, active board of directors, and appropriate organizational structure. Overall a strong control environment consists of strong tone at the top supported by an organizational structure that encourages ethical behavior. This organizational structure includes active communication between internal audit and the board of directors/audit committee, enforceability of the code of conduct (item3) and anonymous reporting mechanisms. The item measures for control environment shown in table 2 are reflective of a strong control environment. The facets of organizational process change that are combined to form the construct for SOX compliance implementation process include leadership, teamwork, change in organizational culture and technology support functions. These item measures, which are shown in Table 2, were derived from organizational and business process change ‘best practices’ and case study results (Kettinger and Grover 1995; Ungan 2005; Arnold et al. 2007). Data Analysis As shown in Figure 3, four of the constructs in the structural model are both exogenous and endogenous. In addition, the SOX compliance implementation process construct is formative rather than reflective, thus partial least squares (SmartPLS 2.0 beta 2005) is used for data analysis and to assess construct convergent and discriminant validity. Convergent Validity The measures used to assess the convergent validity of the reflective constructs employed in this study are factor loadings, variance extracted, and construct composite reliability. The factor loadings and cross loadings are presented in Table 3; the factor loadings for the constructs

17

with reflective item measures all exceed 0.70 and are higher than related cross-loadings (Chin 1998; Hair et al. 2006). In addition, as shown in Table 4, the variance extracted for each reflective construct exceeds 0.50 and the construct composite reliability exceeds 0.70 (Fornell and Larcker 1981; Hair et al. 2006). Together these results support the convergent validity of the reflective constructs in the structural model (Fornell and Larcker 1981; Chin 1998; Hair et al. 2006). Measures of internal consistency are not appropriate for validating formative constructs (Hair et al. 2006). [Insert Tables 3 and 4 here] Discriminant Validity The average variance extracted for each latent variable was compared with the related squared inter-construct correlations to assess discriminant validity (Hair et al. 2006). All of the average variance extracted estimates were greater than the associated squared inter-construct correlations (Table 5), which suggests that discriminate validity is not a problem for the reflective constructs in the model. Additionally, as shown in Table 6, each inter-construct correlation is also less than 0.85, which is another indicator of discriminant validity (Kline 2005). [Insert Tables 5 and 6 here] Formative Construct Validity Formative measures form a composite index, thus, ensuring that the indicators do not overweight any particular aspect of the construct is important(Chin 1998; Diamantopoulos et al. 2008). Variance inflation factors were calculated for each of the six indicators of the construct for SOX compliance implementation process, using a measure of SOX implementation difficulty. The VIF for one of the measures of SOX implementation process, “Our organization

18

developed a formal approach to implementing SOX”, was 4.4 (not shown), which exceeded the recommended threshold of 3.3 (Diamantopoulos and Siguaw 2006; Petter et al. 2007). All six item measures for this construct were reviewed; removing this item did not affect the construct content validity (Hair et al. 2006; Petter et al. 2007). As shown in Table 3, the variance inflation factors for the remaining measures of this construct were all less than 2.0, and they were retained in the model (Hair et al. 2006). IV. RESULTS The purpose of this study was to examine the influence of ERM effectiveness on the effective leveraging of IT systems, development of organizational strategic flexibility, and the resulting reactiveness to new regulatory mandates over internal control reporting. The research model theorized in the current study posits that factors impacting compliance implementation processes include effectiveness of ERM, the level of IT compatibility, the organization’s strategic flexibility, and the strength of the organization’s control environment. Because this model includes a formative construct, parametric testing is not appropriate; bootstrapping (1000 samples with replacement) was used to calculate model t-statistics and standard errors (Diamantopoulos and Winklhofer 2001). The construct R2, standardized path coefficients, and p-values are presented in Figure 3 (SmartPLS 2.0 beta 2005). H1 posits that ERM is an antecedent of IT compatibility. The results indicate that the standardized path coefficient (+0.6014) is significant (p-value=0.001) and in the hypothesized direction, providing support for H1. R2 for IT compatibility is 0.362 suggesting that ERM explains 36.2% of the variation in IT compatibility. Consistent with prescribed ERM strategies, these results support the view that the ability to share information across the organization is a critical and necessary outcome of implementing effective ERM processes.

19

H2 posits that IT compatibility facilitates organizational strategic flexibility. The standardized path coefficient of H2 (+0.3406) is also significant (p-value=0.001) in the hypothesized direction. As shown in Figure 3, R2 for organizational strategic flexibility is 0.273. This finding supports both the underlying theory on the relationship between ERM and strategic flexibility as well as being consistent with prior managerial control research that suggests that maintenance of flexible organizational structures requires easy access to organizational wide information that facilitates monitoring (Abernathy and Lillis 1995; Abernathy and Brownell 1999; and Bouwens and Abernathy 2000.) H3 posits that IT compatibility mediates the impact of ERM on organizational strategic flexibility. Consistent with Baron and Kenney (1986) the three conditions that must be met to support a mediation effect are evaluated. The first condition requires a significant relationship between ERM and IT compatibility; tests of H1 provide support for this condition. The next condition requires a significant relationship between IT compatibility and organizational strategic flexibility; tests of H2 provide support for this condition. The third condition requires that a significant relationship between ERM and organizational strategic flexibility become less significant when a relationship between ERM and IT compatibility is included in the model. In other words, for IT compatibility to mediate the impact of ERM on organizational strategic flexibility, H1 and H2 should have significant path coefficients while the coefficient for H3 diminishes. Figure 4 indicates a significant relationship (p-value=.001) between ERM and organizational strategic flexibility when the direct relationship between those two variables is tested. When IT compatibility is included in the model the relationship between ERM and organizational strategic flexibility, although still significant (p-value=.01) diminishes by almost 50% indicating that IT compatibility partially mediates the effect of ERM on organizational

20

strategic flexibility. Results of the Goodman I version of the Sobel test (z-value = 3.356, p-value =0.0008) confirm the partial mediation effect. The identification and support of this mediating effect is a major finding as it explains the interrelationship between three disparate literatures: (1) conceptualizations on ERM (Treasury Board 2001, COSO 2004; E&Y 2008b), (2) findings in the managerial control literature on the importance of broad based information to support flexible organizations, and (3) findings in the strategic management literature on the critical role of managerial control and IT capability on organizational strategic flexibility. [Insert Figure 4 here] H4 posits that improvements in ERM will lead to control environment improvements. The standardized path coefficient (+0.6347) is significant (p-value = .001), providing support for H4. ERM also impacts control environment through organizational strategic flexibility, thus the total effect of ERM on control environment is 0.73822 (i.e. 0.6347 + (0.2408*0.2323) + (0.6014*0.3406*0.2323)). By including organizational components impacted by ERM in the research model (i.e. IT compatibility and organizational flexibility), our model reveals that the total effect of ERM on control environment is substantially higher than the simple direct effect of 0.6347. H5 posits that improved organizational flexibility is associated with an improved control environment. Figure 3 indicates that the standardized path coefficient between organizational strategic flexibility and control environment (+0.2323) is significant (p-value=0.001) in the hypothesized direction, providing support for H5.This finding is consistent with theorizations from a strategy perspective (Volberda 1996); findings in prior managerial control studies (Simons 1990; Davila 2000; Chenhall 2003; Ditillo 2004; Naranjo-Gil and Hartmann 2006), and the underlying theory on ERM facilitation of competitive actions. All have postulated that

21

flexible organizations are only sustainable if they develop strong controls, and our research results show that a strong control environment represents one such control mechanism for facilitating and supporting organizations’ ability to respond in an effective and timely manner. H6 posits that the quality of the control environment influences the SOX compliance implementation process. The standardized path coefficient between control environment and SOX 404 compliance implementation process (+0.4979) is significant (p-value=0.001) and in the hypothesized direction, providing support for H6. This finding provides additional support for the finding that a strong “tone at the top” that facilitates a change in culture has a substantial influence over the organization’s proficiency in implementing SOX 404 compliance processes (Arnold et al. 2007). H7 posits that control environment mediates the impact of organizational strategic flexibility on SOX compliance implementation process. As noted previously, three conditions must be met to support a mediation effect (Baron and Kenney 1986). The first condition requires a significant relationship between organizational strategic flexibility and control environment; tests for H5 provide support for this condition. The next condition requires a significant relationship between control environment and SOX compliance implementation process; tests of H6 provide support for this condition. The third condition, which requires that a significant relationship between organizational strategic flexibility and SOX compliance implementation process become less significant when a relationship between organizational strategic flexibility and control environment is included in the model, also exists. As shown in Figure 5, the coefficient between organizational strategic flexibility and SOX 404 compliance implementation process is significant (p-value=.001) but diminishes when control environment is included (pvalue=0.10). The results of the Goodman I version of the Sobel test (z-value = 3.0096 p-value

22

=0.003) confirm the full mediation effect. Thus, control environment fully mediates the effect of organizational strategic flexibility on SOX compliance implementation process. Consistent with Volberda (1996) this additional major finding demonstrates that the usefulness of organizations’ strategic flexibility in facilitating responsiveness to new regulatory mandates is heavily dependent on the strength of the control environment. The last hypothesis, H8, posits an inverse relationship between the SOX compliance implementation process and the amount of difficulty experienced by the organization during the implementation process. To obtain a measure of SOX implementation difficulty, participants were asked to respond to the following statement “The change that was required for our organization to comply with SOX was difficult to implement.” A formative construct is by definition unidentified (Hair et al. 2006), thus the SOX difficulty construct provides model identification and supports the nomological validity of the formative SOX compliance implementation process construct. The results indicate that the standardized path coefficient -0.3065) is significant (p-value=0.01) and in the hypothesized direction, providing support for H8. [Insert Figure 5 here] V. DISCUSSION This research study was motivated in part by the discourse over the potential negative impacts of new global internal control reporting mandates and, in part, by the need for a better understanding of the relationship between ERM, IT capatibility, and organizational strategic flexibility on both the development of a strong control environment and compliance difficulty. Critics of SOX 404 requirements in particular have often pointed to a loss in strategic flexibility as a cost of regulatory compliance and advocated rescinding this key aspect of the corporate

23

governance initiatives put in place by the Act. While our model specifically focuses on SOX 404 compliance requirements, the conceptual foundations of the model are more generalized and the models applicability theoretically should also extend to organizational responses to other new regulatory compliance requirements. In formulating the conceptual model, consideration was given to the findings of Arnold et al. (2007) in their case analysis of four small and medium-sized organizations’ experiences in implementing SOX 404 compliance processes. Two of the four organizations had difficult implementation experiences and two exhibited relatively minor difficulty in implementation. On the surface, these case studies would seem to highlight conflicting evidence regarding the actual existence of the concerns that have been raised—i.e. reduced strategic flexibility and hindered competitiveness. A deeper examination of the documented cases, however, provides evidence that the differences in experiences among the companies could be driven by organizational culture and/or existing ERM strategies. In this study, we develop a conceptual model that investigates the effects of organizational culture and ERM processes on compliance. The model relies heavily on the theory of capability building and entrepreneurial alertness while integrating that theory with the managerial control systems literature in order to better understand the facilitation of competitive actions required to respond to the new regulatory mandates. The theoretical relationships between the four main constructs are better understood as a result of identifying the mediating constructs that influence the nature of the relationships among the constructs. Testing of the model, based on the reported organizational structures and experiences provided by 113 chief audit executives from organizations having completed and reported upon SOX 404 compliance requirements for internal controls, yields strong explanatory power and significant relationships

24

that are in line with the hypothesized relationships. Thus, the conceptual model appears to provide a sound basis for understanding how various organizational structures and processes affect the level of compliance difficulty experienced across a range of organizations. First, we find that the effectiveness of ERM processes is very predictive of organizations’ strategic flexibility, but that this relationship is partially mediated by IT compatibility—the ability to access and utilize enterprise wide data from across all organizational systems. Second, we find that an organizations’ strategic flexibility is positively related to their ability to implement effective processes for addressing compliance with new regulations, but that this relationship is fully mediated—in this case by the strength of the control environment. Third, our findings significantly enhance the theoretical understanding of the relationship between ERM and the strength of the control environment by identifying not only a strong direct effect, but also finding a strong indirect effect via the organizational structures and processes supported by ERM. This indirect effect increases the explanatory power of ERM by 16% in terms of explaining the variance in the strength of organizations’ control environment. In summary, the results provide evidence that organizations with strong ERM processes prior to SOX 404 mandates faced fewer obstacles in implementing the processes necessary to meet internal control requirements. On the other hand, the organizations that did not have effective ERM processes in place incurred the greatest difficulty in implementing effective compliance processes—the very organizations for which the Act was deemed so important. There are limitations of the current study that should be considered when reflecting upon the results. Many of these limitations are related to scope and also provide guidance on future research needs. First, our responses were taken entirely from chief audit executives. Their views on the SOX compliance experience may not be reflective of other chief executives in the

25

organization. Future studies may wish to consider multiple respondents for each organization in order to get a more diverse perspective on the experiences. Second, our study considers a limited set of organizational structures and processes, and additional organizational characteristics may likely aid in further explaining the attributes and relationships that were observed in this study. Organizations are complex entities and substantial research is required to uncover the myriad of complex interrelationships that drive organizational behavior and performance. Third, our study relies on the responses of chief audit executives which necessarily narrows our representation to organizations that have at least one in-house internal auditor. Given the large market for consulting services to assist with compliance efforts, there will be a relatively small subset of organizations that still do not have an internal audit function in-house. While this has become much rarer in the post-SOX era, future research should consider expanding the scope to these organizations as well. Overall, the research reported here provides an initial view into the effect of organizational structures and processes on the ability to meet regulatory compliance mandates. The relationships are strong and significant, the interrelationships complex, and the findings highly insightful in terms of understanding the importance of ERM in effectively dealing with volatile environments.

26

FIGURE 1 Strategic ERM Processes and the Impact on Organizational Structures and Competitive Action

Strategic ERM Processes

Leveraging of IT Systems

Strategic Flexibility

27

Competitive Action

FIGURE 2 Drivers of Sarbanes-Oxley 404 Compliance Difficulty

Organizational Strategic Flexibility

Information Technology Compatibility H2

H7 H1

Enterprise Risk Management

H5

H3

H4

H6

Control Environment

28

Sarbanes-Oxley 404 Compliance Implementation Process

H8

Sarbanes-Oxley 404 Compliance difficulty

FIGURE 3 Structural Model

29

FIGURE 4 Structural Model Test of Mediating Effects of Information Technology Compatibility

30

FIGURE 5 Structural Model Test of Mediating Effects of the Control Environment

Organizational Strategic Flexibility

Organizational Strategic Flexibility

H7 +0.382***

H5 +0.467***

Sarbanes-Oxley 404 Compliance Implementation Process

H7 +0.167

Control Environment H6 +0.410***

* P-value < 0.05 (one-tailed t-statistic > 1.645) ** P-value 2.236) *** P-value < 0.001 (one-tailed t-statistic > 3.090)

31

Sarbanes-Oxley 404 Compliance Implementation Process

Table 1 - Participant Demographics Category

Frequency N = 113

Gender Male Female Not answered Age 25 to 40 years 40+ years Not answered Experience 3 to 10 years 10+ years Industry Manufacturing Financial services / real estate Technology Insurance carriers / agents Utilities Wholesale/retail Transportation Communication Health All other Organizational Structure Publicly traded Not publicly traded Not answered

32

Percentage

78 33 2

69.03% 29.20% 1.77%

28 84 1

24.78% 74.34% 0.88%

21 92

18.58% 81.42%

26 19 12 11 10 6 6 4 3 16

23.01% 16.81% 10.62% 9.73% 8.85% 5.31% 5.31% 3.54% 2.64% 14.16%

106 6 1

93.81% 5.31% 0.88%

Table 2 - Descriptive Statistics – Construct Measures Minimum

Mean

Median Maximum

Std dev.

1. Our organization performs a thorough enterprise-wide risk assessment at least once a year

1

3.65

4.00

5

1.314

2. The strength of our internal control system enhances our organization’s ability to identity events that may affect the achievement of our objectives

1

3.04

3.00

5

1.109

3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks

1

3.02

3.00

5

1.257

4. Management has effective processes to respond to identified risks

1

3.02

3.00

5

1.134

5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organization’s well-being.

1

3.13

3.00

5

1.128

1. Remote, branch, and mobile offices have easy access to data from the home or central office

1

2.48

2.00

5

1.188

2. Our organization's ability to make rapid IT change is high

1

3.39

3.00

5

1.145

3. Information is shared seamlessly across our organization, regardless of the location

1

3.01

3.00

5

1.214

4. Our user interfaces provide transparent access to all applications.

1

2.96

3.00

5

1.105

Enterprise Risk Management (ERM) Process

IT Compatibility

33

5. Our organization offers a wide variety of types of information to end users (e.g. multimedia) (D) 6. Data received by our organization from electronic links with supplychain partners are reliable (D) Organizational Strategic Flexibility 1. Our organization has difficulty maximizing new market opportunities (RC)

1

2.50

2.00

5

1.127

2. Our organization is able to introduce new products/services

1

2.18

2.00

5

0.967

3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC)

1

2.29

2.00

5

1.027

4. Our organization is able to manage the impact of serving new classes of customers

1

2.42

2.00

5

0.975

1. Top management exhibits shared attitudes regarding acceptable levels of enterprise risk

1

2.65

3.00

5

1.034

2. The board of directors actively interacts with internal auditors

1

2.53

2.00

5

1.391

3. Our organization has an enforceable formal code of conduct

1

2.21

2.00

5

1.285

4. Our organization has an effective mechanism for employees to anonymously report dishonest, illegal or unethical behavior

1

2.50

2.00

5

1.409

5. The actions of management support a strong internal control environment

1

2.29

2.00

5

1.080

Control Environment

34

SOX Compliance Implementation Process 1. Top management provided committed leadership in the implementation of SOX requirements

1

1.58

1.00

5

0.822

2. Our organization developed a formal approach to implementing SOX requirements

1

1.33

1.00

5

0.558

3. Our organization assembled an effective team to lead the SOX implementation process

1

1.44

1.00

5

0.704

4. Our organization experienced a change in organizational culture as a result of implementing SOX requirements

1

2.36

2.00

5

1.240

5. Our organization had a “champion” leading the SOX implementation process

1

1.52

1.00

5

0.790

6. The IT function in our organization effectively supported the necessary changes for SOX compliance

1

1.99

2.00

5

1.007

1

2.96

3.0

5

1.117

SOX Implementation Difficulty 1. The change that was required for our organization to comply with SOX was difficult to implement.

(RC) – reverse coded (D) – Items dropped due to volume of “not applicable/don’t know” responses; items not included in data analyses Scale: 1 = Strongly Agree to 5 = Strongly Disagree

35

Table 3 - Item Loadings and Cross Loadings Latent Variable With Formative Indicators

Latent Variables with Reflective Indicators

SOX Organizational Compliance IT Strategic SOX Implementation Compatibility Flexibility Difficulty Process

Control Environment

Enterprise Risk Management

CE1

0.799948

0.587382

0.520346

0.443651

-0.30446

0.433958

CE2

0.817297

0.645214

0.430881

0.418776

-0.35895

0.408118

CE3

0.779757

0.526933

0.491482

0.384745

-0.3615

0.435451

CE4

0.741822

0.487143

0.374668

0.299003

-0.20409

0.337813

CE5

0.770664

0.618163

0.504355

0.444200

-0.34635

0.489083

ERM1

0.480316

0.735474

0.376448

0.227031

-0.05027

0.119125

ERM2

0.681789

0.872316

0.538702

0.433014

-0.37431

0.421941

ERM3

0.685408

0.888451

0.559818

0.361941

-0.3129

0.333831

ERM4

0.671748

0.939087

0.575135

0.494995

-0.30959

0.451344

ERM5

0.659149

0.897131

0.53242

0.372234

-0.29524

0.363645

IFC1

0.48294

0.512423

0.835917

0.413831

-0.26963

0.238095

IFC3

0.522344

0.483832

0.881748

0.341684

-0.30837

0.308309

IFC5

0.518378

0.498639

0.816921

0.460071

-0.27521

0.384329

IFC6

0.510228

0.545117

0.868262

0.424306

-0.28279

0.278661

OF1rc

0.377564

0.241598

0.385518

0.732945

-0.22762

0.265035

OF2

0.383514

0.285678

0.337121

0.788538

-0.12844

0.317927

36

Variance Inflation Factor

OF3rc

0.314371

0.342347

0.331338

0.773228

-0.03544

0.113477

OF4

0.45194

0.447844

0.398181

0.729167

-0.19754

0.306636

PERF3

-0.40847

-0.32467

-0.33331

-0.20395

1

-0.30648

SOXD1

0.430316

0.213079

0.25

0.130866

-0.18184

0.622641

1.5281

SOXD3

0.327479

0.214426

0.22585

0.291656

-0.0642

0.572628

1.7013

SOXD4

-0.24126

-0.22535

-0.11766

-0.21609

0.2156

-0.56392

1.0298

SOXD5

0.158904

0.034334

0.104942

0.153982

-0.02945

0.286873

1.4648

SOXD6

0.205493

0.239005

0.294668

0.164783

-0.15986

0.444248

1.3613

37

Table 4 - Tests of Convergent Validity Factor Loading

Variable Measures Enterprise Risk Management (ERM) Process 1. Our organization performs a thorough enterprise-wide risk assessment at least once a year (D)

0.7355

2. The strength of our internal control system enhances our organization’s ability to identity events that may affect the achievement of our objectives

0.8723

3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks

0.8885

4. Management has effective processes to respond to identified risks

0.9391

5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organization’s well-being.

0.8971

IT Compatibility 1. Remote, branch, and mobile offices have easy access to data from the home or central office

0.8359

2. Our organization's ability to make rapid IT change is high

0.8817

3. Information is shared seamlessly across our organization, regardless of the location

0.8169

4. Our user interfaces provide transparent access to all applications.

0.8683

38

Construct Composite Reliability

Average Variance Extracted

0.9389

0.7556

0.9131

0.7244

Organizational Strategic Flexibility 1. Our organization has difficulty maximizing new market opportunities (RC)

0.7329

2. Our organization is able to introduce new products/services

0.7885

3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC)

0.7732

4. Our organization is able to manage the impact of serving new classes of customers (D)

0.7292

Control Environment 1. Top management exhibits shared attitudes regarding acceptable levels of enterprise risk

0.7999

2. The board of directors actively interacts with internal auditors

0.8173

3. Our organization has an enforceable formal code of conduct

0.7798

4. Our organization has an effective mechanism for employees to anonymously report dishonest, illegal or unethical behavior (D)

0.7418

5. The actions of management support a strong internal control environment

0.7707

(D) – dropped and not included in analyses of construct validity (RC) – reverse coded

39

0.8423

0.5721

0.8874

0.6120

Table 5 - Test of Discriminant Validity Organizational Strategic IT Flexibility Compatibility Average Variance Extracted 0.5721 0.7244

ERM 0.7556

Control Environment 0.6120

SQUARED INTER-CONSTRUCT CORRELATIONS Organizational Strategic Flexibility

1.0000

IT Compatibility

0.2356

1.0000

ERM

0.1985

0.3617

1.0000

Control Environment

0.2654

0.3577

0.5449

40

1.0000

Table 6 - Latent Variable Correlations SOX Enterprise Organizational Compliance Control Risk IT Strategic SOX Implementation Environment Management Compatibility Flexibility Difficulty Process Control Environment

1.0000

Enterprise Risk Management

0.7382

1.0000

IT Compatibility

0.5980

0.6014

1.0000

Organizational Strategic Flexibility

0.5151

0.4456

0.4854

1.0000

SOX Difficulty

-0.4085

-0.3247

-0.3333

-0.2040

1.0000

SOX Compliance Implementation Process

0.5429

0.4053

0.3561

0.3439

-0.3065

41

1.0000

REFERENCES Abernethy, M.A. and P. Brownell. 1999. The role of budgets in organizations facing strategic change: an exploratory study. Accounting Organizations and Society 24: 189-204. Abernethy, M.A. and A.M. Lillis. 1995. The impact of manufacturing flexibility on management control systems design. Accounting Organizations and Society 20(4): 241-258. Ahrens, T. and C.S. Chapman. 2004. Accounting for flexibility and efficiency: a field study in management control systems in a restaurant chain. Contemporary Accounting Research 21(2): 271-301. Amburgey, T.L and A.S. Miner. 1992. Strategic Momentum: The Effects of Repetitive, Positional, and Contextual Momentum on Merger Activity. Strategic Management Journal (13): 335-348. Amburgey, T.L., D. Kelly, and W.P. Barnett. 1993. Resetting the Clock: The Dynamics of Organizational Change and Failure. Administrative Science Quarterly (38): 51-73. Arnold, V., T. S. Benford, J. Canada, J. R. Kuhn Jr., and S. G. Sutton. 2007. The Unintended Consequences of Sarbanes-Oxley on Technology Innovation and Supply Chain Integration. Journal of Emerging Technologies in Accounting. Vol. 4 No. 1 103-121. Baron, R. M. and D. A Kenny. 1986. The Moderator-Mediator Variable Distinction in Social Psychological Research: Conceptual, Strategic, and Statistical Considerations. Journal of Personality and Social Psychology. Vol. 51, No. 6, 1173-1182. Beasley, M.S., R. Clune, and D.R. Hermanson. 2005. Enterprise risk management: an empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy 24: 521-531. Bloomsberg, M. R., C.E. Schumer, and McKinsey and Company. 2007. Sustaining New York’s and the US’ Global Financial Services Leadership (New York: McKinsey and Company). Bouwens, J. and M. A. Abernethy. 2000. The consequences of customization on management accounting system design. Accounting Organizations and Society 25: 221-241. Byrd, T. A. and D. E. Turner. 2000. Measuring the flexibility of information technology infrastructure: Exploratory Analysis of a Construct. Journal of Management Information Systems; Summer Vol. 17, No. 1, 167-208. Cannon, A. R. and St. John, C. H. (2004) Competitive Strategy and Plant Level Flexibility. International Journal of Production Research, 42(10): pp 1987-2007. Chapman, C.S. and L-A. Kihn. (2009). Information system integration, enabling control and performance. Accounting Organizations and Society 34(2): 151-169.

42

Chenhall, R.H. 2003. Management control systems design within its organizational context: findings from contingency-based research and directions for the future. Accounting Organizations and Society 28: 127-168. Chenhall, R. H. and K.J. Euske. 2007. The role of management control systems in planned organizational change: an analysis of two organizations. Accounting Organizations and Society 32: 601-637. Chin, W.W. 1998. The Partial Least Squares Approach to Structural Equation Modeling. Mosern Methods for Business Research. Marcoulides, G.A. Lawrence Erlbaum associates, New Jersey, USA: 295-336. Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control — Integrated Framework. American Institute of Certified Public Accountants. Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management – Integrated Framework. (Committee of Sponsoring Organizations of the Treadway Commission, AICPA: New York). Davila, T. 2000. An empirical study on the drivers of management control systems’ design in new product development. Accounting Organizations and Society 25: 383-409. DeFond, M.L. and J.R. Francis. 2005. Audit research after Sarbanes-Oxley. AUDITING: A Journal of Practice and Theory 24(supplement): 5-30. Diamantopoulos, A., and J.A. Siguaw. 2006. Formative Versus Reflective Indicators in Organizational Measure Development: A Comparison and Empirical Illustration, British Journal of Management 17: pp. 263-282. _________, P. Riefler and K.P. Roth. 2008. Advancing formative measurement models. Journal of Business Research. (In Press). __________and H.M. Winklhofer. 2001. Index Construction with Formative Indicators:An Alternative to Scale Development. Journal of Marketing Research 38 (2): 269-277 Ditillo, A. 2004. Dealing with uncertainty in knowledge-intensive firms: the role of management control systems as knowledge integration mechanisms. Accounting Organizations and Society 29: 401-421. EACLN and NAACLN. 2008. Enterprise Risk: Recurring Challenges and New Considerations for the Audit Committee. ViewPoints for the Audit Committee Leadership Summit 8 (31 October 2008). Ernst and Young. 2008a. Internal Controls: From Compliance to Competitive Edge (EYGM Limited).

43

_____________. 2008b. The Future of Risk Management and Internal Control (EYGM Limited). Fornell, C. and D. F. Larcker. 1981. Evaluating Structural Equation Models with Unobservable Variables and Measurement Error. Journal of Marketing Research, Vol. 18, No. 1 39-50. Grewal, R. and P. Tansuhaj. 2001. Building organizational capabilities for managing economic crisis: the role of market orientation and strategic flexibility. Journal of Marketing 65 (April): 67-80. Institute of Internal Auditors. 2004. The Role of Internal Audit in Enterprise-wide Risk Management. London: The Institute of Internal Auditors UK and Ireland. Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., & Tathan, R. L. (2006). Multivariate Data Analysis. Upper Saddle River, NJ: Pearson Education Inc Katz, D.M. 2006. Panels on 404 skirt small-company woes. CFO.com (May 02). Kettinger, W. K. and V. Grover. 1995. Toward a Theory of Business Change Management. Journal of Management Information Systems. Vol. 12. No. 1 9-30. Kleffner, A., R. Lee, and B. McGannon. 2003. The effect of corporate governance on the use of enterprise risk management: evidence from Canada. Risk Management and Insurance Review 6(1): 53-73. Kline, R. B. 2005. Principles and Practice of Structural Equation Modeling, Second Edition. (The Guilford Press: New York) KPMG. 2008. International Survey of Audit Committee Members (Audit Committee Institute, London). Lam, J. 2003. Enterprise Risk Management. Hoboken, NJ: John Wiley & Sons, Inc. Langfield-Smith, K. (1997). Manaement control systems and strategy: a critical review. Accounting Organizations and Society 22(2): 207-232. Levine, R. 2004. Risk management systems: understanding the need. EDPACS 32(2): 1-13. Liang, H., Saraf, N., Hu, Q., & Xue, Y. 2007. Assimilation of enterprise systems: The effect of institutional pressures and the mediating role of top management. MIS Quarterly 31(4): 59-88. Liebenberg, A. and R. Hoyt. 2003. The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Management and Insurance Review 6(1): 37-52. Naranjo-Gil, D. and F. Hartmann. 2006. How top management teams use management accounting systems to implement strategy. Journal of Management Accounting Research 18: 21-53. 44

Naranjo-Gil, D. and F. Hartmann. 2007. Management accounting systems, top management team heterogeneity and strategic change. Accounting Organizations and Society 32: 735-756. Palanisamy, R. 2005. Strategic information systems planning model for building flexibility and success. Industrial Management and Data Systems 105(1): 63-81. Petter, S., D. Straub., and A. Rai. 2007. Specifying Formative Constructs in Information Systems Research. MIS Quarterly. 31 (4): 623-656. Ringle, C. M., S. Wende and A. Will. 2005. SmartPLS 2.0 (beta), www.smartpls.de. Romano, R. 2005. The Sarbanes-Oxley Act and the making of quack corporate governance. The Yale Law Review 114: 1521-1611. Sambamurthy, V., A. Bharadwaj, and V. Grover. 2003. Shaping agility through digital options: Reconceptualizing the role of information technology in contemporary firms. MIS Quarterly 27 (2): 237-263. Sambamurthy, V. and R.W. Zmud. 1999. Arrangements for information technology governance: a theory of multiple contingencies. MIS Quarterly 23(2): pp.261-290. Sanchez, R. 1995. Strategic Flexibility in Product Competition. Strategic Management Journal, 16: pp 135-159. Simons, R. 1990. The role of management control systems in creating competitive advantage: a new perspective. Accounting Organizations and Society 15(1/2): 127-143. Treasury Board. 2001. Integrated Risk Management Framework. (Treasury Board, Canadian Government, Ottawa). Ungan, M. 2005. Management support for the adoption of manufacturing best practices: key factors. International Journal of Production Research. Vol. 43, No. 18, 3803–3820. Volberda, H.W. 1996. Toward the flexible form: how to remain vital in hypercompetitive environments. Organization Science 7(4): 359-374.

45