The current issue and full text archive of this journal is available at www.emeraldinsight.com/0140-9174.htm


Challenges in enhancing enterprise resource planning systems for compliance with Sarbanes-Oxley Act and analogous Canadian legislation

Vinod Kumar and Raili Pollanen

Sprott School of Business, Carleton University, Ottawa, Canada, and

Bharat Maheshwari

Odette School of Business, University of Windsor, Windsor, Canada

Abstract

Purpose – This paper aims to examine major challenges faced by companies in enhancing their enterprise resource planning (ERP) systems for compliance with regulatory internal control requirements, specifically those imposed by the Sarbanes–Oxley Act (SOX) of 2002 and analogous Canadian legislation.

Design/methodology/approach – Data were collected through case studies of four medium-sized and large companies that use ERP systems and that have operations in the USA and Canada, thus being subject to SOX and/or similar Canadian regulations.

Findings – The companies faced some technical, process and cultural challenges in implementing regulatory control compliance. In all companies, existing ERP systems were not able to meet all control requirements without some modifications or add-on applications. Control implementations have been long, complicated and costly processes, which are not fully completed. Detailed analyses and documentation of existing systems, controls and processes were required in all companies. The protection of systems security and the segregation of duties were perceived to be major technical obstacles. Cultural factors resulted in additional challenges, notably resistance to change.

Research limitations/implications – The findings of this study enhance the understanding of ERP systems design features, processes and challenges in implementing regulatory controls. As such, they provide a foundation for further empirical studies and for building models of ERP systems effectiveness in implementing effective controls.

Practical implications – The study provides managers insight into challenges in enhancing ERP systems for regulatory control compliance. Lessons learned can contribute to the development and sharing of best practices and to overall organizational effectiveness.

Originality/value – Using an interdisciplinary approach, the study provides new evidence on the extent to which ERP systems meet regulatory internal control requirements.

Keywords Manufacturing resource planning, Legislation, United States of America, Canada

Paper type Research paper

Management Research News Vol. 31 No. 10, 2008, pp. 758-773. © Emerald Group Publishing Limited, 0140-9174. DOI 10.1108/01409170810908516

This research project has been sponsored partly by the Canadian Academic Accounting Association under its CAAA-SAP research grant program. A previous version of this paper was presented at the Administrative Sciences Association of Canada (ASAC) Annual Conference, Information Systems Division, Ottawa, Canada, 2-5 June 2007, where it was awarded an honourable mention in the best-paper competition.

Introduction

Several empirical studies of enterprise resource planning (ERP) adopting companies suggest that the implementation of ERP software is just the beginning of a company’s ERP program, and that companies need to continuously enhance their ERP systems and business processes in order to achieve desired organizational performance objectives (Markus and Tanis, 2000; Davenport, 2000; Beheshti, 2006). During the last few years, a new urgency to this need has been provided by the Sarbanes–Oxley Act (SOX) (US Congress, 2002) and similar subsequent regulations in other countries, such as Canada. This act, named after its two initiators, Senator Paul Sarbanes and Representative Michael Oxley, imposed widespread changes in the manner public companies must manage and report on their performance. It requires senior management to certify and report on the adequacy and effectiveness of internal controls over financial reporting in an effort to improve the quality and reliability of financial information. These requirements have forced companies to focus on enhancing their systems and processes, not just controlling and certifying the outputs of their systems and processes. ERP systems can provide key technical tools and solutions for collecting, analyzing and reporting relevant information for implementing internal controls, such as those required by SOX. However, the implementation of technical systems can be complicated and often requires adjustments to organizational structures, processes, norms and employee skills, which can vary in different environments. In large organizations, such efforts can be further complicated by differences in geographic distance, culture, existing technology and systems and political and regulatory environment in different countries. Inadequate attention to these factors can pose serious challenges for successful implementation. In addition, smaller companies may find it difficult to obtain adequate resources to support these efforts.
Although the Committee of Sponsoring Organizations (COSO) framework (Committee of Sponsoring Organizations of the Treadway Commission, 1992) provides general principles for effective internal controls and the control objectives for information technology (COBIT) framework (Information Technology Governance Institute (ITGI), 2004) provides evaluation criteria for information technology (IT) controls, only limited research exists on how to help managers and researchers understand control implementation challenges and to enhance ERP systems for control purposes in today’s competitive business environment. This paper aims to uncover the breadth of possible challenges faced by medium-sized and large companies in enhancing their ERP systems for compliance with regulatory internal control requirements through case studies of four multi-site ERP-adopting companies with major operations in the USA and Canada. Very little academic research has been conducted on compliance, particularly on how ERP systems facilitate, and can be enhanced to facilitate, control implementation. Although the feasibility of implementing a continuous audit framework through ERP systems and the importance of a control framework for successful ERP systems implementation have been studied, specific legislative control requirements, and how ERP systems can help implement them, have not (Kuhn and Sutton, 2006; Grabski and Leech, 2007). This study attempts to bridge this gap by providing some empirical evidence to address this issue. It provides both managers and researchers some insight into successes and challenges in enhancing ERP systems for this purpose, which, in turn, can contribute to the development of best practices and models of ERP systems effectiveness in implementing regulatory control requirements. The background section examines regulatory internal control requirements in the USA and Canada, specifically, those imposed by SOX and analogous Canadian legislation.
The method section outlines the case study method used and profiles the four case organizations. The results section details the findings of the study for the four organizations and discusses their significance. Finally, the conclusion provides an overall summary and identifies possible managerial implications and opportunities for future research.

Background

This section examines major regulatory internal control requirements in the USA and Canada and some key enablers and barriers of their effective implementation. However, it should be noted that, as these requirements in both countries are complex, only a broad general overview is possible in this paper.

Regulatory internal control requirements

The SOX (2002). SOX introduced sweeping and permanent changes to the manner in which public companies must conduct their business. SOX is an outcome-oriented legislation that specifies outcomes for compliance and penalties for non-compliance, with compliance standards and their administration and enforcement being delegated to the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). As practically no implementation guidelines were available in the early stages, SOX implementation required a great deal of professional judgement by systems officers, accountants and consultants. Although Auditing Standard No. 2 (replaced by Standard No. 5, PCAOB, 2007) provided standards for conducting audits of internal control over financial reporting, it came too late to help in the initial implementation of SOX. Moreover, SOX compliance is an ongoing and dynamic process that requires significant ongoing restructuring of systems and processes. As new knowledge develops and best practices evolve, controls, systems and processes require refinement. Consequently, companies may find that processes compliant in one year become non-compliant in subsequent years, while progress made on previously non-compliant processes can result in compliance in subsequent years.

Canadian legislation. The impact of SOX is not limited to the USA or to US companies. Following the US lead, other countries have also implemented, or are in the process of implementing, similar legislation. As a major trading partner and neighboring country, Canada has been placed in a unique position of having to implement similar legislation in an effort for Canadian companies to maintain their competitiveness and reputation.
As securities regulation in Canada is under provincial jurisdiction, the Canadian Securities Administrators (CSA) collaborated with the provincial securities administrators and legislators to facilitate the enactment of uniform provincial legislation, now ratified by each provincial legislature. These legislative requirements are stipulated in a series of documents, called multilateral instruments (MIs) and national policies (NPs). In addition, two new oversight agencies were created in Canada: the Canadian Public Accountability Board (CPAB), an independent nonprofit organization, to oversee public auditing firms and public company audits, and the Auditing and Assurance Standards Oversight Council (AASOC) to oversee the activities of the professional accounting board responsible for setting auditing and assurance standards in Canada. An overview of the US and Canadian regulatory regimes is provided in Table I.

Stakeholder responsibilities. Compliance with the regulatory internal control requirements in both the USA and Canada involves significant changes to the roles of managers, external auditors and audit committees, as well as to the financial information required to be reported. In particular, the new legislated responsibilities imposed on the Chief Executive Officers (CEOs) and the Chief Financial Officers (CFOs) in both countries have unprecedented implications for management and corporate governance. Under SOX (Sections 302 and 404) and the Canadian requirements (MI 52-109 (CSA, 2004a)), the CEOs and CFOs are required to report on internal control effectiveness in addition to traditional periodic financial reports and certify that:

(1) They have reviewed the reports, that they do not contain untrue statements or omit material facts making them misleading, and that they fairly represent the financial condition and operating results of the company for the reporting period.

(2) They are responsible for establishing and maintaining internal control over financial reporting and procedures for disclosing relevant information to management.

(3) They have designed, evaluated and reported on the effectiveness of internal control over financial reporting, as well as disclosure procedures to management.

(4) They have disclosed significant changes in internal control or other factors that occurred after evaluation and any actions taken to correct significant deficiencies and weaknesses.

Under SOX (Section 302), the CEOs and CFOs are required to disclose to the audit committee and the external auditor any significant deficiencies and material weaknesses in internal control over financial reporting, and any fraud by managers or employees who play significant roles in internal control. Additional requirements related to auditor independence, corporate governance and penalties are stipulated in other sections (e.g. Sections 201, 204, 301, 802 and 807). On the other hand, in Canada, the requirements for audit committees and corporate governance are addressed in separate instruments (MI 52-110; NP 58-201 (CSA, 2004b, 2005)), and the Assurance Handbook of the Canadian Institute of Chartered Accountants establishes standards for auditor communication with the audit committee. Another key difference is that SOX (Section 404) requires a public company’s external auditor to certify and to report on the adequacy of management’s internal control assessment; whereas, there is no such requirement for Canadian companies under the Canadian legislation. It is also important to note that, although SOX is a US law, all companies that trade on the US stock exchanges and the foreign subsidiaries of US companies must also comply with it. This requirement results in large Canadian companies that are cross-listed in the USA also being subject to SOX. Although these Canadian companies are technically exempt from the corresponding Canadian requirements, they are still required to file copies of their US SOX reports with the Canadian authorities. In spite of the different regulatory regimes and somewhat different roles of auditors, the core requirements imposed by SOX and Canadian legislation on senior management are very similar, and compliance with the regulations of both countries requires equal managerial effort in implementing, certifying and reporting on the effectiveness of internal controls over financial reporting. Therefore, establishing and maintaining effective internal control is equally critical to managers of both Canadian and US public companies.

Table I. Overview of USA and Canadian regulatory regimes

Authority: Legislation and standards
USA: SOX (2002); Auditing Standard No. 5 (PCAOB, 2007)
Canada: MI 52-109 – certification of disclosure in issuer’s annual and interim filings; MI 52-110 – audit committees; NP 58-201 – corporate governance guidelines; Assurance Handbook of the Canadian Institute of Chartered Accountants

Authority: Legislative and oversight agencies
USA: SEC; PCAOB
Canada: CPAB; AASOC; CSA; Provincial Securities Commissions

Implementing regulatory internal control requirements

COSO framework. A control framework developed by COSO (1992) has been used widely as a foundation for implementing and evaluating internal control[1]. Although the PCAOB has suggested the use of the COSO framework for implementing SOX, it does not endorse a specific framework. The COSO framework identifies three general control objectives: the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with laws and regulations. In addition, it outlines five control components that are important for achieving these objectives: control environment (e.g. norms, values and competencies), risk assessment (e.g. economic, industry and operating risk), control activities (e.g. authorizations, reconciliations and performance reviews), information and communication (e.g. collecting, analyzing, reporting relevant information) and monitoring (e.g. systems monitoring, surveillance and supervision). As such, the COSO framework allows the mapping of key control procedures for each control component against the control objectives. For example, expenditure authorizations, verifications and reconciliations are control activities that contribute to the reliability of financial reporting – a key objective of SOX.

ERP systems and IT. ERP systems provide the primary means for implementing SOX requirements, particularly in large companies. ERP systems are comprehensive packaged software applications that automate and integrate organizational business processes across functional areas. They constitute one of the most significant and widely adopted innovations in management information systems (Al-Mashari, 2002).
Such systems must be designed with their impact on the company’s business model and competitive capabilities in mind (Beheshti, 2006), and their implementation requires the alignment of IT and corporate strategies, and often also entails major changes to organizational structure and culture (Presley, 2006). ERP systems are also dynamic and continuously evolving (Bititci et al., 2000). For example, technological developments and organizational learning can result in new needs and opportunities for the redesign and continuous development of ERP systems. In addition, regulations can vary in different environments and evolve as experience accumulates (Bratton, 2003). Such dynamic environments require the continuous monitoring, evaluation, and adjustment of systems, processes and controls. The tools provided by ERP systems can help develop and manage effective controls. For example, password-protected data access and automatic data verification enhance data security and reliability. However, enhancing ERP systems for SOX compliance also often requires significant reconfiguration and additional design, evaluation and reporting features (Colman, 2006; Damianides, 2004; Chan, 2004). ERP systems must effectively record accounting transactions, track key performance measures for evaluating internal controls, report them to the individuals responsible, flag any violations for investigation and provide tools for evaluating and benchmarking such information (Kumar et al., forthcoming). They must also enable companies to provide frequent, timely and integrated financial and non-financial reports to management, regulators and auditors on control compliance (Matolcsy et al., 2005). With such demands, technical features may need to be enhanced. The key technical features of ERP systems, which heavily rely on advanced IT, include scalable client-server software architecture, supported by a common relational database and a single development environment. Such features are important, as they are capable of facilitating the real-time integrated processing and management of information across all functional areas, as well as supply chain and customer relationship management (Kumar et al., 2003; Davenport, 2000; Kakouris and Polychronopoulos, 2005). In IT-driven ERP systems, ensuring effective control over the IT environment is critical for implementing SOX compliance (Kumar et al., forthcoming). The COBIT framework (ITGI, 2004) has commonly been used for evaluating controls over IT. In addition to more generic controls, it specifically addresses control needs imposed by SOX. The framework identifies 34 control objectives in four areas: plan and organize, acquire and implement, deliver and support, and monitor and evaluate. It also maps them against the five COSO (1992) control components. The framework facilitates SOX compliance by helping align the control requirements of SOX and the IT features necessary for implementing them. Nonetheless, several implementation challenges can still exist.

Implementation challenges. Companies can face several interrelated challenges in configuring or modifying their systems to comply with regulatory internal controls.
Some challenges are technical, whereas others are more structural and cultural but still can have a significant impact on the success of technical implementations. For example, Brown and Nasuti (2005) discussed technical problems related to designing, implementing and managing enterprise architecture. They reported that CIOs have cited problems with data structures, inadequate security and differences in infrastructure as important challenges to SOX compliance. Network security and control over the outsourcing of programming have been particularly important concerns. Nonetheless, a well-known survey by Deloitte and Touche (cited in Brown and Nasuti, 2005, p. 316) found that people-related issues accounted for 62 per cent of problems in ERP implementations, with process- and IT-related issues accounting for only 16 and 12 per cent, respectively. It is obvious that technical solutions alone are not sufficient for successful implementation, but that cultural and structural problems must also be resolved. Several studies have examined systems implementation challenges related to organizational structure and culture. For example, Mills et al. (1995) noted that organizational culture can be a key organizational constraint in implementing new systems and processes. As beliefs, values and norms evolve slowly, employees can resist change, particularly, if it is implemented quickly. In addition to the technical inflexibility of ERP systems, Kennerley and Neely (2002) found inappropriate organizational culture, ineffective processes and the lack of skills to be important barriers to systems evolution. These forces resulted in ad hoc systems, resistance to change and inappropriate measurement and reward systems. Bourne et al. (2002) identified major inhibiting forces to be technical difficulties related to IT, the complexity of related processes, and reluctance to measurement and exposing problems. In addition to high costs, Sohal et al. (2001) also found the lack of top management support to be a major impediment. All challenges can be further amplified for companies operating in several countries, subject to different geographic, social and regulatory environments.

Method

This exploratory study aims to identify a wide range of challenges faced by both medium-sized and large companies in complying with recent US and Canadian financial reporting regulations. Given its exploratory nature, the study utilizes a case method. Case studies were conducted in four multi-site ERP-adopting companies with major operations in the capital region of Ottawa, Canada. Semi-structured focus group and individual interviews were conducted with senior systems managers or directors. Some data were also collected through secondary sources, such as company websites. For confidentiality reasons, the companies cannot be identified, and they will be referred to only as Companies A, B, C and D. At the time of the study, all four companies had established ERP systems in place, and they had already implemented significant internal controls in order to comply with the required deadlines[2]. In the remainder of this section, a brief profile of each of the four companies is provided.

Case A (large Canadian company)

This case study involved one of the largest forest product companies in Canada, with more than 10,000 employees across Canada, the USA and Europe and with annual revenues of more than 3 billion US dollars. The company implemented financial and supply chain modules of Oracle’s ERP applications in July 2002. Listed on the Toronto stock exchange (TSX), this company has recently undergone an initiative to comply with the Canadian internal control regulations.

Case B (large multinational company)

The subject of this case study was one of the largest telecommunication companies in the world, with more than 50,000 employees worldwide and more than 10 billion US dollars in annual revenues. The company used multiple ERP applications from two leading ERP vendors, Oracle and SAP. Some applications were inherited from merged companies and were still being used. Listed on multiple bourses in the USA, Europe and Asia, and with operations in more than 100 countries, this company had recently undergone a complex initiative for SOX compliance.

Case C (medium-sized Canadian company)

This case study focuses on a medium-sized Canadian company in the professional services sector, with more than 2,000 employees in the USA and Canada. Listed on the TSX, this company had revenues of over 150 million US dollars in the last fiscal year. It started using SAP’s ERP applications in 1999, when it was experiencing unprecedented growth during the ‘‘dot com’’ boom. At the time of the study, the company was undergoing the requisite changes for complying with the Canadian regulations.

Case D (medium-sized multinational company)

The subject of this case study is a medium-sized multinational company in the telecommunication industry, with more than 750 employees, over 150 million US dollars in annual revenues, and operations in Canada, the USA and Europe. The company, with a strong reputation in its niche market, started using SAP’s ERP applications in 1998 after acquiring a company in the USA that had been using them. Listed on both the New York stock exchange and the TSX, the company has recently undergone an initiative for SOX compliance.

Results and discussion

Major findings are discussed in this section under three themes: systems and technology, implementation processes, and culture and behaviours. These themes reflect implementation challenges considered important by the respondents, and they are consistent with the challenges raised by others, as discussed in the literature review. However, other categorizations may also be possible.

Systems and technology

All four companies had established ERP systems in place before commencing their control implementation projects. Companies C and D use SAP; Company A uses Oracle; and Company B had used SAP in some countries and Oracle in others, but later switched to SAP for all its control implementations. The respondent from this company noted that the switch was made in order to improve systems coordination and security. In Companies B and D, significant modifications were needed to the standard modules to implement some SOX requirements, whereas current systems were noted to be quite adequate for addressing control needs in Company A. In particular, Company B presents a unique example of information systems (IS) integration challenges and complexities posed by rapid growth in a fast-changing industry through mergers and acquisitions. Company C, being a smaller company, encountered some difficulties in making changes to its ERP system to meet its control needs. The respondent from this company noted that it is too complicated and expensive to change to other systems after a commitment is made to a certain application. The results for systems and technology challenges are summarized in Table II. Ensuring systems integrity was considered critical in all four companies. However, in some cases, the inflexibility of the existing systems required compromise solutions. Modifications in ERP systems were not possible for some requirements, and possible only at prohibitively high costs for some others. Company D discovered its ERP system not to be ‘‘user friendly’’ for implementing some requirements; for example, it lacked interactive forms for some applications. On the other hand, the respondent from Company B expressed concerns about the security of remote access, particularly adequate password control for bolt-ons introduced to meet some specific needs of local operations. As such systems are generally managed locally, they opened the door for some system vulnerabilities, for example, unclear process responsibilities and inadequate data security. These comments demonstrate that for some systems flexibility is important, and that companies adopted bolt-ons in many cases to achieve the desired flexibility when it was not available in their ERP system. However, the need for flexibility has to be carefully balanced against increased costs and the potential loss of systems security. In particular, the segregation of related duties, which is essential for effective SOX compliance, posed significant difficulties in all four companies. It involves dividing staff responsibilities so that no individual is responsible for both processing and recording a related set of business transactions. The objective of this requirement is to prevent an individual from stealing or misappropriating assets and then falsifying records to cover up. For example, one individual should not be responsible for handling cash receipts, making deposits and recording the related transactions. Challenges associated with the segregation of duties were partly technical and partly structural. For example, the finance and accounting function was typically not large enough to warrant several clerks to properly segregate duties in accordance with SOX. If one clerk is responsible for multiple functions, he/she needs access to all related databases, which is inconsistent with the notion of segregation.

Table II. Systems and technology challenges

Company A: segregation of duties problematic in finance, as clerks typically handle several functions; only minor systems adjustments reportedly needed to meet new control requirements; systems and technology requirements for control implementation not clearly understood.

Company B: incompatibilities between two ERP applications initially used; some changes not possible or too expensive in ERP systems; significant customization and/or external add-on systems needed; data security concerns with remote systems access; security vulnerabilities of add-on systems; difficulties with segregation of duties, e.g. for different clerks.

Company C: some technical difficulties with segregation of duties; some problems with configuring ERP system to meet control needs; major systems changes too complicated and/or expensive after commitment to ERP application made.

Company D: segregation of duties difficult technically for some functions without significant customization; some processes and controls not user friendly to implement; lack of interactive forms for some processes using ERP.
In Company B, technical challenges were mitigated by the fact that it has an ERP competency centre with more than 50 employees dedicated to providing support to users. In spite of significant in-house support and a large employee base, even it encountered difficulties in segregating duties in its smaller units, for example, in those with one clerk responsible for both the ‘‘accounts payable’’ and ‘‘accounts receivable’’ functions. In general, the respondents from Companies A and C believed that adequate controls were already in place, and that the major objective was formalizing control systems and documenting controls and related processes. The respondent from Company C noted that ‘‘we believe what we are doing is right and now it is a matter of documenting it and getting approval’’. On the other hand, significant new controls were needed in Companies B and D to comply with SOX. In Company D, approximately 60 new control processes were reportedly required, many of them related to inventory management. In Company B, significant additional controls were required to ensure proper systems access and change authorizations, as well as the accuracy of input and output data. It should be noted, however, that Companies B and D, being subject to SOX, were more advanced in their control implementations than Companies A and C, being subject to the Canadian regulations. In addition, Company A did not use external consultants in its control implementation. It is possible that these two companies may not yet have been aware of all control requirements and their possible pitfalls. Additional challenges may surface as their implementation processes progress and are subjected to closer scrutiny by regulators.
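The segregation-of-duties control discussed above (no one person should handle cash receipts, make deposits and record the transactions; no one clerk should hold both accounts payable and accounts receivable) lends itself to an automated check over an ERP system's role assignments. The following Python script is an added example written for this page; it is not code from the paper, nor from any of the case companies' ERP systems. The conflict rules, role definitions and user names are constructed sample data modelled on the paper's examples, and the "finance_all" role stands in for the one-clerk finance function the respondents describe.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example (not from the paper): a detective check that lists SoD
conflicts in each user's effective functions, and a preventive check that
can be run before a new role is granted. All data below is constructed.
"""
from itertools import combinations

# Constructed conflict rules: pairs of functions no single person should hold,
# following the paper's examples (cash receipts / deposits / recording; AP / AR).
CONFLICTING_PAIRS = {
    frozenset({"handle_cash_receipts", "make_deposits"}),
    frozenset({"handle_cash_receipts", "record_cash_transactions"}),
    frozenset({"make_deposits", "record_cash_transactions"}),
    frozenset({"accounts_payable", "accounts_receivable"}),
}

# Constructed role definitions: role name -> set of functions it grants.
ROLES = {
    "cashier": {"handle_cash_receipts"},
    "treasury_clerk": {"make_deposits"},
    "gl_clerk": {"record_cash_transactions", "post_journal_entries"},
    "ap_clerk": {"accounts_payable"},
    "ar_clerk": {"accounts_receivable"},
    # Catch-all role typical of a small finance function with a single clerk.
    "finance_all": {"accounts_payable", "accounts_receivable",
                    "record_cash_transactions"},
}

# Constructed user -> roles assignments (hypothetical users).
ASSIGNMENTS = {
    "alice": ["cashier"],
    "bob": ["treasury_clerk", "gl_clerk"],
    "carol": ["finance_all"],
    "dave": ["ap_clerk"],
}


def function_sources(user_roles, roles):
    """Return {function: set of roles granting it} for a user's roles."""
    sources = {}
    for role in user_roles:
        for fn in roles.get(role, ()):
            sources.setdefault(fn, set()).add(role)
    return sources


def find_conflicts(user_roles, roles, conflicts=CONFLICTING_PAIRS):
    """Detective control: list SoD conflicts among a user's effective functions.

    Each finding is (function_a, function_b, roles granting a, roles granting b),
    so a reviewer can see which role assignment introduced the conflict.
    """
    sources = function_sources(user_roles, roles)
    found = []
    for a, b in combinations(sorted(sources), 2):
        if frozenset({a, b}) in conflicts:
            found.append((a, b, sorted(sources[a]), sorted(sources[b])))
    return found


def sod_report(assignments, roles, conflicts=CONFLICTING_PAIRS):
    """Run the conflict check over all users; keep only users with findings."""
    report = {}
    for user, user_roles in assignments.items():
        found = find_conflicts(user_roles, roles, conflicts)
        if found:
            report[user] = found
    return report


def would_conflict(user_roles, new_role, roles, conflicts=CONFLICTING_PAIRS):
    """Preventive control: True if granting new_role adds at least one conflict."""
    before = len(find_conflicts(user_roles, roles, conflicts))
    after = len(find_conflicts(list(user_roles) + [new_role], roles, conflicts))
    return after > before


def remediation_hint(conflict):
    """Suggest a fix: split a role that grants both sides, else drop one role."""
    a, b, roles_a, roles_b = conflict
    if roles_a == roles_b and len(roles_a) == 1:
        return f"split role {roles_a[0]}: it grants both {a} and {b}"
    return (f"remove one of {roles_a} or {roles_b} from the user, "
            "or document a compensating control")


if __name__ == "__main__":
    for user, findings in sod_report(ASSIGNMENTS, ROLES).items():
        for c in findings:
            print(f"{user}: {c[0]} vs {c[1]} -> {remediation_hint(c)}")
```

Running the script flags bob (deposits plus recording, granted by two separate roles, so one role can simply be removed) and carol (the single "finance_all" role grants both AP and AR, so the role itself must be split or a compensating control documented), which mirrors the paper's observation that small units with one clerk cannot segregate by access control alone. The preventive check is the one to wire into a provisioning workflow, so that a conflicting role is refused before it is granted rather than discovered at audit time.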

Implementation processes

All four companies approached their control implementations in a systematic manner. In all companies, control implementation required the identification, analysis and evaluation of business processes and assigning responsibility for processes. Company D analyzed approximately 600 processes and eliminated outdated, inconsistent and duplicate processes across its acquired companies. Companies B, C and D matched processes and process owners and designed access controls and authorizations accordingly. In spite of the lack of clear rules and guidelines, at least initially, Companies B and D appeared to be quite successful at formalizing existing controls and processes and implementing necessary new controls, with the help of auditors and consultants. At the time of this study, their implementations were reportedly ~80-95 per cent complete for IT, although significant work still remained to be completed in some functional areas. The degree of completion in Companies A and C was significantly lower, reportedly in the 60-70 per cent range, and they were still struggling with some requirements, such as assessing control effectiveness. Delayed implementation in these two companies is understandable, given their extended compliance deadline for control effectiveness certification by management – two years later than for SOX. The results for process-related challenges are summarized in Table III. All companies spent significant time and resources on documenting their control systems, which is a key requirement for SOX compliance. Due to staff shortages and inadequate expertise in all four companies, Companies B, C and D used the services of major auditing/consulting firms to develop and document controls. By contrast, Company A completed this phase with help from only its internal auditors and audit committee. The documentation of controls and processes creates an ‘‘audit trail’’, which enables processes to be reliably repeated and process ownership and accountability to be established. An audit trail is also necessary for auditors to grant a ‘‘clean audit opinion’’ on the effectiveness of internal controls and processes, as required by SOX.
It is comparable to an audit trail that all these companies are already required to use routinely for standard financial reporting under generally accepted accounting principles. The respondents from Companies B and D emphasized the importance of a clear audit trail. Although the respondents from the other two companies did not specifically comment on this point, creating a transparent audit trail was also their implicit objective, based on their other comments. Company B established a global reporting system for control information that can promote the transparency of controls and control processes. In addition to documenting controls, SOX compliance also requires the ongoing monitoring and evaluation of control systems in order to ensure their continuous operating effectiveness. Controls and related processes may require adjustment based on feedback provided by monitoring and evaluation processes. All four companies used the COBIT framework for evaluating IT controls and then proceeded to rectify any control weaknesses. Perhaps the best examples were provided by the respondent from Company B, in which managers are now required to authorize systems access for employees in their departments, systems use patterns are continuously monitored, and systems access is withdrawn for non-use. In other words, each manager is required to authorize each employee’s access to the databases that are necessary for carrying out his or her job responsibilities, but, if these databases are not actually used within a prescribed time limit, the system will automatically deny subsequent access attempts. As another example, an account for a new user was often created by copying an existing user’s account, instead of creating a new account that reflects the job responsibilities of the new user. In some cases, this practice resulted in allowing access to non-essential data.

In order to address this problem, among some others, the company established a report that matched key transaction types against user accounts, and then allowed the users access only to data necessary for performing their job responsibilities. Control implementations have been lengthy and costly processes in all four companies. Systems implementation costs, particularly control documentation costs, accounted for a large proportion of the total implementation costs. In addition, increased ongoing systems monitoring, evaluation and auditing costs were expected to occur in future years. In Companies B, C and D, control implementation was a part of broader ‘‘quality management’’ or ‘‘change management’’ implementation initiatives. Company D reportedly spent ~3 per cent of its revenues on compliance projects. The respondent from this company attributed the high costs, at least partly, to the fact that the company had to refine some controls and processes several times, because some rules changed and even consultants were learning as implementation proceeded. However, it may be difficult to attribute costs directly to SOX compliance apart from the other initiatives that occurred simultaneously in this company. Generally, the relatively heavier financial burden for smaller companies was also magnified by the lack of adequate support by the systems vendors, who focused their main attention on implementations in larger and more lucrative companies. Furthermore, the control implementation processes were heavily influenced by various cultural and behavioural factors, as discussed in the next section.

Table III. Control implementation process challenges

Company A: Risk analysis necessary; Analysis of business processes required; Major focus on formalizing and documenting controls; Enhanced control assessment procedures needed; Lack of control implementation guidance; Inadequate staff and expertise; Audit committee consulted, but external consultants not used; Lack of coordination among functions, e.g. IS and finance

Company B: Business process analyses necessary; Establishing process ownership required; Consultants used for designing and documenting controls; Inadequate monitoring systems and compliance reporting; Rigorous testing, evaluation, and refining of controls needed; Lack of global coordination in implementing common global database of controls; Unclear initial requirements and changing timelines; Slow control implementation as part of broader change management initiatives

Company C: Process flow analysis needed; Matching business processes with process owners problematic; Control assessment procedures required; Inadequate internal expertise and staff; Lack of adequate guidance and changing deadlines; External auditors required for designing and documenting controls; Control implementation complicated by being part of quality management program

Company D: Analysis of 600 processes required; Redundant or duplicate processes in acquired companies; User information needs matched with access authorization; 60 new controls and enhanced control assessment procedures necessary; Auditing firm needed to document controls; Challenges in control implementation as part of change management initiatives
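The Company B practices described above (access authorized per job responsibility, use monitored, access withdrawn for non-use, and a report matching transaction types against user accounts to catch over-privileged copied accounts), together with the segregation of duties problem raised earlier (one clerk holding both accounts payable and accounts receivable), as an added Python example that is not from the paper or any of the case companies. All role names, transaction codes, users, log entries and the 90-day limit are constructed assumptions.

```python
"""Added example (not the paper's or any case company's code): a simplified
user-access review of the kind Company B is described as running: it withdraws
entitlements not used within a prescribed period, flags entitlements the user's
job role does not justify (e.g. inherited by copying another user's account) and
reports segregation-of-duties conflicts. All data below is constructed."""
from datetime import date, timedelta

# Constructed: transaction types each job role legitimately needs.
ROLE_TRANSACTIONS = {
    "ap_clerk": {"AP_INVOICE"},
    "treasury": {"AP_PAYMENT", "BANK_DEPOSIT"},
    "ar_clerk": {"AR_INVOICE"},
    "cashier": {"CASH_RECEIPT", "BANK_DEPOSIT"},
    "inventory_planner": {"GOODS_RECEIPT", "STOCK_ADJUST"},
}
# Constructed: transaction pairs one person should not hold together (the
# paper's example: handling cash receipts, making deposits, recording entries).
SOD_CONFLICTS = [
    (frozenset({"CASH_RECEIPT", "AR_INVOICE"}), "receive cash and record the related receivable"),
    (frozenset({"CASH_RECEIPT", "BANK_DEPOSIT"}), "handle cash receipts and make deposits"),
    (frozenset({"AP_INVOICE", "AP_PAYMENT"}), "enter supplier invoices and release payments"),
]
# Constructed: roles held and transactions granted. alice's AP_PAYMENT grant was
# inherited by copying bob's account; carol is a small unit's only clerk and
# holds both the AR and cashier roles, as in Company B's smaller units.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"treasury"},
    "carol": {"ar_clerk", "cashier"},
    "dave": {"inventory_planner"},
}
GRANTS = {
    "alice": {"AP_INVOICE", "AP_PAYMENT"},
    "bob": {"AP_PAYMENT", "BANK_DEPOSIT"},
    "carol": {"AR_INVOICE", "CASH_RECEIPT", "BANK_DEPOSIT"},
    "dave": {"GOODS_RECEIPT", "STOCK_ADJUST"},
}
# Constructed ERP usage log, one "YYYY-MM-DD user transaction" entry per line.
USAGE_LOG = """\
2006-12-01 alice AP_INVOICE
2006-11-20 alice AP_PAYMENT
2006-12-04 bob AP_PAYMENT
2006-06-15 bob BANK_DEPOSIT
2006-12-05 carol AR_INVOICE
2006-12-05 carol CASH_RECEIPT
2006-11-30 dave GOODS_RECEIPT
2006-12-02 dave STOCK_ADJUST""".splitlines()
REVIEW_DATE = date(2006, 12, 31)  # constructed date of the review run


def last_use_by_grant(log_lines):
    """Return {(user, txn): most recent use date} parsed from the usage log."""
    last = {}
    for line in log_lines:
        day, user, txn = line.split()
        used = date.fromisoformat(day)
        if used > last.get((user, txn), date.min):
            last[(user, txn)] = used
    return last


def review_access(user_roles, grants, log_lines, today, dormant_days=90):
    """Return (findings, effective_grants): findings are (user, kind, detail)
    tuples with kind in {"dormant", "unjustified", "sod_conflict"}."""
    last_used = last_use_by_grant(log_lines)
    cutoff = today - timedelta(days=dormant_days)
    findings, effective = [], {}
    for user, txns in grants.items():
        roles = user_roles.get(user, set())
        allowed = set().union(*(ROLE_TRANSACTIONS[r] for r in roles))
        kept = set()
        for txn in sorted(txns):
            used = last_used.get((user, txn))
            if used is None or used < cutoff:  # never used, or idle past the limit
                findings.append((user, "dormant", txn))
                continue                        # access withdrawn, as at Company B
            kept.add(txn)
            if txn not in allowed:              # not supported by the user's role
                findings.append((user, "unjustified", txn))
        for pair, why in SOD_CONFLICTS:         # checked on the access that remains
            if pair <= kept:
                findings.append((user, "sod_conflict", why))
        effective[user] = kept
    return findings, effective


def run_review():
    """Review the constructed data as of REVIEW_DATE."""
    return review_access(USER_ROLES, GRANTS, USAGE_LOG, REVIEW_DATE)
```

Findings of kind sod_conflict that a small unit cannot staff away, such as carol's, are the cases that need a documented compensating control (e.g. supervisory review of the conflicting transactions) rather than a technical fix.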

Culture and behaviours

In addition to new controls and systems modifications, successful internal control implementations also often required the enhancement of employee skills and organizational structures, but these change initiatives encountered significant resistance in all four companies. In Company A, general resistance to change was noted. The loss of data access and authority seemed to cause significant problems for some managers in Companies B and D, who previously had more liberal data access privileges. Company D also encountered some problems with the acceptance of process responsibilities by users. As control implementations required restructuring and eliminating some processes, some job responsibilities changed and security procedures generally increased. Some users did not perceive the new control measures as beneficial and resented the increased restrictions placed on their jobs. In Company D, resistance was more severe among users in other countries, who appeared to have had more difficulty in understanding and accepting the cultures and business practices of different countries. The major cultural and behavioural challenges discovered are summarized in Table IV. Differences in rules and business conduct in different countries were another important cultural factor. For example, foreign countries may have diverse accounting rules requiring different information or similar information reported in different ways. The respondent from Company B noted that different, and sometimes conflicting, terminology, rules and regulations posed a great challenge for its global financial reporting systems. In addition, the respondent from Company A noted some restrictions on information that can be reported and accessed on the internet in its Asian operations, whereas Canadian regulations require the transparent reporting of financial information for public companies in a publicly accessible on-line database. In order to facilitate the global coordination and dissemination of information throughout its control implementation processes, Company B established a cross-functional global implementation team.
In order to manage these processes, it developed common reporting rules and a centralized global reporting system for control information. Centralized controls, however, were not without some resistance in foreign countries, as they were accompanied by increased rigidity and perceived as serving the needs of the head office. In other cases, compliance with the regulations of foreign countries can also affect the culture of the host country, by forcing local operations to adopt different processes and ways of doing business. For example, Company B had to reconcile the different interpretations of user acceptance testing, technology sharing and information access in some European and North American countries. On the other hand, Company D experienced differences in European and North American practices for inventory management, outsourcing and accounting for research and development expenditures. After the acquisitions of some European companies, the head office reportedly had difficulties accepting some rules and processes proposed by European managers. Some cultural sensitivity and compromises were required on the part of all parties to successfully manage these cultural differences. In Companies A and C, the objectives of SOX were not clear, at least initially, and resulted in a perception by some that control implementation was a non-beneficial activity. In Company A, control information was not considered particularly important for purposes other than reporting to regulators, with a ‘‘clean audit opinion’’ reportedly being a primary objective. As such, the company is overlooking the potential for control information to also serve as a useful managerial tool and may not take its control implementation efforts seriously enough. On the other hand, the lack of proper implementation guidelines provoked frustration among users in Company C, who were requested to participate in SOX implementation but did not have adequate information, guidance and skills. At least in some cases, such weaknesses were manifested in users just ‘‘going through the motions’’ without necessarily understanding the reasons for, or being fully engaged in, the processes. Some of these behaviours are undoubtedly related to the fact that Company A proceeded with its implementation with only internal expertise, and Company C summoned the help of consultants only after experiencing difficulties with its internal process analyses.

Table IV. Cultural and behavioural challenges

Company A: General resistance to change; Control information not perceived important for internal purposes; Major control objective limited to ‘‘clean audit opinion’’; Some individuals did not understand or appreciate importance of control implementation

Company B: Different regulations, accounting standards, and terminologies in different countries complicated global reporting; Different codes of conduct complicated collaboration and information and technology sharing on global projects; Centralized approach to change management created resistance

Company C: Lack of clear objectives and guidance frustrated process owners; Some individuals just ‘‘going through the motions’’, not taking control implementation seriously

Company D: Perceived loss of authority due to increased systems security and restricted data access; Resistance by individuals to accepting responsibility for processes; Cultural resistance greater in merged foreign companies that had different systems and norms

Conclusion

This study examined major challenges faced by four large and medium-sized public companies in enhancing their ERP systems for compliance with regulatory internal control requirements, notably SOX. It provides evidence of some technical, process and cultural challenges faced by these companies. The findings reveal several common challenges encountered in all companies, but also some challenges that are unique to their organizational and cultural environments. Many of these challenges are similar to those discussed in the ERP systems implementation literature. However, some additional challenges relate to specific legislative requirements, such as compliance deadlines and the lack of guidance. Although all four companies used ERP systems, their technical systems requirements varied somewhat. In addition, depending on specific control requirements and the stage of their implementation, some companies encountered greater technical challenges than others. Significant modifications were needed to the standard modules in Companies B and D, and some solutions outside ERP systems were also required due to systems inflexibility or the high costs of system modifications for some applications. Configuring the system to meet its control needs was a specific challenge in Company C. Ensuring proper systems security and the segregation of duties were common challenges facing all four companies. As to implementation processes, all four companies have expended significant effort and resources on their control compliance projects. Compliance implementation was accomplished as a part of broader change management initiatives in Companies B, C and D, and has been a long and costly process in all companies. Companies B and D were more advanced in their implementations, as they were subject to earlier compliance deadlines than Companies A and C. All four companies used a systematic process-oriented approach to their control implementations. For example, they conducted detailed process analyses, documented controls and processes, and used an established framework for evaluating IT controls. However, the degree of external help used varied, with Companies B and D using external consultants extensively, whereas Company C used them to a lesser degree, and Company A relied solely on the expertise of its staff, internal auditors and the audit committee. Finally, all four companies cited some resistance to their control implementations. Some resistance related to the lack of proper guidelines, with greater initial effects felt in Companies A and C, which started their implementations without the expertise of consultants. In Company B, significant resistance related to the centralized approach to implementing controls, which entailed establishing common controls and a single reporting system for its numerous global operations. Resistance in Company D was magnified by the recent acquisitions of foreign companies with different rules, regulations, and cultures. In Companies A and C, resistance appeared to stem more from differences in attitudes, organizational culture and processes used, as opposed to differences in national culture in the more geographically diverse Companies B and D. The four companies have apparently been quite successful in addressing the control implementation challenges they encountered, and they consider their progress quite satisfactory. However, some additional work is required in all companies to complete their control compliance initiatives. Additional adjustments will undoubtedly be needed in the future in response to systems monitoring and evaluation feedback, as well as auditor evaluations and possible future changes in regulatory requirements.
Although the findings of this study are exploratory, they raise relevant issues for consideration by systems, finance and operations managers when enhancing their ERP systems and processes for regulatory control compliance, and they can form a foundation for researchers in building models of ERP systems effectiveness in implementing effective controls. Further research would be beneficial in order to study longer term progress and the effects of compliance initiatives after all compliance requirements have been implemented.

Notes


1. COSO is a voluntary organization, consisting of five American Accounting and Financial Executives Institutes. Its objective is to improve financial reporting quality.

2. The effective compliance dates for all case companies are for fiscal years ending in 2006 (after 14 July 2006 for SOX and after 29 June 2006 for Canadian regulations), with the exception that, under the Canadian regulations, Canadian companies have an extra two years to comply with the management control effectiveness evaluation requirements. The applicable auditor certification deadline under SOX was extended (to fiscal years ending after 14 July 2007), and auditor certification is not required at all under the current Canadian regulations.



About the authors

Vinod Kumar is a professor of Technology, Innovation, and Operations Management and a former Director of the Sprott School of Business (1995-2005), Carleton University. He has published more than 150 articles in refereed journals and proceedings and is the recipient of Carleton University’s Scholarly Achievement Award twice and the Research Achievement Award three times. He has led several research projects funded by the Social Sciences and Humanities Research Council (SSHRC), the Natural Sciences and Engineering Research Council (NSERC), Industry Canada and the Ontario Research and Development Challenge Fund (ORDCF). He has won 12 best paper awards and is on the editorial boards of two international journals. Raili Pollanen is an assistant professor of Accounting and a former accounting area coordinator (2001-2006) at the Sprott School of Business, Carleton University. She has expertise in accounting, management control, and performance measurement systems in both private and public sectors. Her recent research has been funded by the Canadian Academic Accounting Association (CAAA), the Canadian Institute of Chartered Accountants (CICA), the Canadian Financial Executives Research Foundation (CFERF), and the Association of Canadian Financial Officers (ACFO). Her research has been published in numerous academic and professional journals, books, conference proceedings, and professional reports. Bharat Maheshwari is a lecturer at the Odette School of Business, University of Windsor and a PhD candidate at the Sprott School of Business, Carleton University. He is an author/coauthor of several peer-reviewed articles and has over ten years of experience in information systems and operations management. He has led engineering teams in industry and coordinated e-Business research activities at the Sprott School of Business. He was the chair of the operations management division at the 2007 ASAC conference and is a key member of the Ontario Research Network of e-Commerce (ORNEC) at Carleton University.
