All content in this area was uploaded by Julia Mundy on Jan 28, 2017
The Use of an ERP System to Facilitate Regulatory Compliance
Information Systems Management, 30:182–197, 2013
Copyright © Taylor & Francis Group, LLC
ISSN: 1058-0530 print / 1934-8703 online
DOI: 10.1080/10580530.2013.794601
Julia Mundy*
Centre for Governance, Risk and Accountability
Business School
The University of Greenwich
Park Row Greenwich London SE10 9LS UK
[T] +44 20 8331 9695
Email: j.mundy@greenwich.ac.uk
Carys A. Owen**
Omega
*Corresponding Author
** ‘Omega’ is a pseudonym for the organization at which the study was conducted and at
which the second-named author is employed on a full-time basis
Author bios
Dr Julia Mundy is a principal lecturer in the Centre for Governance, Risk and Accountability
at the University of Greenwich. She received her PhD from the University of Melbourne. Her
research addresses various issues related to management control within organisations.
Carys Owen has a degree in Accounting in Financial Information Systems and is part-
qualified in CIMA. She is employed on a full-time basis at Omega as an Analyst responsible
for transactional processing, sales auditing and system process improvements, and
maintaining reconciliation software.
Short Abstract
This paper reports the findings of a case study, conducted in a multinational organization, that
investigates how an enterprise resource planning system (ERP) can facilitate control over reporting
processes and thus support compliance with regulatory requirements. The findings demonstrate how
the use of an ERP to comply with financial regulation can affect organizational roles. In particular,
IT managers must ensure that the ERP addresses regulatory requirements for internal control over
financial reporting.
Keywords: ERP, regulation, compliance, internal control, financial reporting, Sarbanes-Oxley
Act
Extended Abstract
This study explores how an enterprise resource planning system (ERP) can facilitate
compliance with regulatory requirements. An exploratory case study drawing on data
collected from one subsidiary of a large multinational organization was employed to
investigate how IT and accounting managers use a proprietary ERP to mitigate weaknesses
and thus ensure compliance with the Sarbanes-Oxley Act 2002 (SOX), legislation that is
designed to improve internal controls over financial reporting. The findings demonstrate how
managers can use an ERP to develop effective internal controls for the most common
material weaknesses reported under SOX, thus providing insights into the crucial role of IT
as a facilitator of control and reporting processes, and, more specifically, into the role, use
and purpose of ERPs in relation to regulatory compliance. While the study presents the
largely unproblematic use of an ERP for the purpose of complying with SOX, the nature and
demands of SOX can impact the role of both IT and accounting managers. In particular, IT
managers have a vital role to play in ensuring that accountants’ requirements in relation to
internal control over financial reporting are addressed through the ERP.
INTRODUCTION
In the wake of several major accounting and corruption scandals that occurred throughout the
1990s, organizations are now increasingly required to demonstrate good corporate financial
governance through compliance with a range of financial legislation and regulation, such as
the Sarbanes-Oxley Act 2002 and International Financial Reporting Standards (Tryfonas &
Kearney, 2008; Worster, Weirich & Andera, 2011). The risk of large penalties for non-
compliance with these regulations (Rice, Weber & Wu, 2012; Zhang, 2007) suggests that
firms have a strong incentive to implement processes that can systematise and formalise the
collection and reporting of information in order to minimise errors and thus support
compliance efforts.
This study explores how an enterprise resource planning system (ERP) can be used by
managers to establish control over accounting and finance processes for compliance and
regulatory purposes. Although it is now a decade since the Sarbanes-Oxley Act of 2002
(SOX) was introduced, this legislation is used as the focus of the compliance issue for several
reasons. First, two central sections of SOX require senior managers to attest to the
effectiveness of the company’s internal control processes, thus providing an opportunity to
explore how firms use IT to secure compliance with accounting legislation (Krishnan &
Visvanathan, 2007; Rice et al., 2012). Second, there are potentially severe penalties for
companies that do not comply, or that are perceived by investors not to comply, with its
requirements (Rice et al., 2012; Zhang, 2007); these include SEC sanctions, adverse market
reactions, class action lawsuits, and management and auditor turnover. This indicates the
criticality to organizations of implementing systems that facilitate effective control processes.
Third, ten years after its implementation and despite the high penalties, there is evidence that
some firms are not fully disclosing their control weaknesses (Rice & Weber, 2012), thus
highlighting the importance of internal processes that reduce the potential for misreporting,
whether due to lack of managerial probity or competence. Fourth, the tools used by companies to
comply with the requirements of SOX are of interest to both academics and practitioners keen to
understand more about the role of IT in managing compliance with legislation.
The study aims to contribute to extant research in several ways. First, it addresses recent calls
in the literature for research at the interface between IT and accounting in order to understand
more about the crucial role of IT in supporting regulatory compliance (e.g., Arnold, Benford,
Canada & Sutton, 2011b; Kumar, Pollanen & Maheshwari, 2008). While IT has been long-
established as a means to automate and standardise a variety of business processes, little is
known about its use by managers to ensure compliance with legislation (Granlund, 2011;
Grant, Miller & Fatima, 2008; Mauldin & Ruchala, 1999; Tseu, 2005). Furthermore, by
employing a field study this study aims to investigate managers’ use of IT in a way that
avoids the over-simplified interpretations of practice that can be an outcome of survey-based
research (Granlund, 2011). Second, the study investigates how an ERP can enhance the
effectiveness of internal control processes (Granlund, 2011; Hyvönen, 2003; Mauldin &
Ruchala, 1999), thus contributing to a timely debate about the role, use, and purpose of ERPs
by addressing questions about their capacity to meet the requirements of legislative
compliance (e.g., Granlund, 2011; Worster et al., 2011). A range of IT solutions is available to
support accounting and finance processes, but the transaction-oriented nature of ERPs makes
them particularly appropriate to this task (Dechow & Mouritsen, 2005; Rom & Rohde, 2007).
ERPs also provide functionality for the audit of accounting processes (Tryfonas & Kearney,
2008) so are ideally suited for an investigation into the use of IT for managing compliance
and governance concerns. However, firms often fail to customise their ERPs to the specific
requirements of the business, instead implementing them in a standardised form according to
‘best practice’ or what has been provided by vendors (Tryfonas & Kearney, 2008). In this
way, managers can fail to exploit the extensive capabilities of ERPs, rendering them less
flexible and user-friendly with regard to reporting and analysis than they might be (Light,
Holland & Wills, 2001; Rom & Rohde, 2007). The study also raises questions about the
respective roles of IT and accounting managers in using IT to manage compliance issues,
thus contributing to a discussion about the practical consequences of ERPs on accounting and
finance processes (Granlund & Malmi, 2002).
The study reports the findings of an investigation into how one firm uses an ERP to facilitate
compliance with the Act’s requirements in relation to the use of internal controls over
financial reporting. The findings suggest that these IT systems can adequately support
compliance requirements. However, while the study presents a largely unproblematic picture
of the use of an ERP for this purpose, a number of other issues are raised, such as the role of
IT managers in relation to accounting staff and the possibility of conflicting uses of the ERP
for other business activities. The study therefore adds to existing knowledge of best
practices and models of ERP effectiveness in complying with legislation.
The next section discusses the relevant requirements of SOX, followed by an overview of the
main internal control weaknesses that occur in relation to financial reporting, and a
consideration of how the use of IT, and in particular, ERPs, can support managers in their
attempts to support compliance with SOX. The method section is then presented, followed by
the findings and discussion. The paper ends with some concluding comments.
SARBANES OXLEY ACT 2002 AND ITS REQUIREMENTS FOR REPORTING
CONTROLS OVER FINANCIAL REPORTING
In response to a number of high profile accounting scandals that adversely impacted public
trust in the US stock market, US Congress in 2002 passed the Sarbanes Oxley Act (SOX)
(Arnold, Bedard, Phillips & Sutton, 2011a; Haworth & Pietron, 2006). SOX is a corporate
responsibility law, applicable to all firms registered with the Securities & Exchange
Commission (SEC), that aims to improve the quality of financial reporting. SOX seeks to
enhance the reliability and accuracy of financial reports by imposing requirements on internal
controls over financial reporting (Kumar et al., 2008; Mock, Sun, Srivastava & Vasarhelyi,
2009).
Compliance with SOX's eleven titles requires senior managers and their independent
auditors to provide assurances in relation to the design, implementation, use, testing, and
evaluation of controls that relate to various aspects of financial reporting, including the
production of financial statements (Maurizio, Girolami & Jones, 2007). Executives must
assess internal controls in terms of risks of any material weaknesses that prevent the controls
from operating effectively to protect the firm’s assets. They are required to acknowledge
formally that they have reviewed the assurances and the financial statements and must attest
that no information has been omitted (Petra & Loukatos, 2009).
The two main sections of SOX that relate to internal control over financial reporting, and
which therefore form the focus of the current study, are sections 404 (SOX 404) and 302
(SOX 302). These sections are intended to ensure that companies establish and maintain
internal controls with the aim of enhancing corporate accountability, rebuilding shareholder
confidence, protecting the public from fraud, and restoring trust in the financial reporting
system (Haworth & Pietron, 2006).
SOX 404 requires executives and their auditors to confirm the effectiveness and adequacy of
the firm's internal controls over financial reporting (Chang, Wu & Chang, 2008; Mock et al.,
2009). Its core requirement is an annual report detailing the internal controls in place and
assessing the effectiveness of these controls, including the identification of any flaws in the
control system (Arnold et al., 2011a). Specifically, companies are required to issue an
internal control report that includes the following: a statement of management’s
responsibility for establishing and maintaining adequate internal control over financial
reporting; management’s assessment of the effectiveness of the company’s internal control
over financial reporting; a statement identifying the framework used by management to
evaluate the effectiveness of the company’s internal control over financial reporting; and a
statement that the external auditor has issued an attestation report on management’s
assessment (Maurizio et al., 2007). The company’s independent auditor must then issue a
separate opinion, also publicly disclosed, that attests over the management’s assertions with
regard to the effectiveness or weaknesses of the internal controls over financial reporting
(Stoel & Muhanna, 2011). The reports required under SOX 404 are intended to enable
investors to compare companies according to the reliability of their controls over the financial
reporting system (Arnold et al., 2011a).
The SEC's requirements for SOX 302 focus on the integrity of financial reporting and the
safeguarding of assets. Its core requirement is a certification by the principal executive and
financial officers in each quarterly and annual report, covering any known or suspected
weaknesses or deficiencies in internal controls over financial reporting (Maurizio et al., 2007;
Mock et al., 2009). Certifications and sub-certifications should attest that the reports do not
include any misleading or untrue statements and that they present an honest representation of
the financial condition of the company (Brown & Nasuti, 2005). These declarations include
statements of accuracy of account balances and compliance with policies and procedures. A
list of all deficiencies in internal control and information on any fraudulent activities is also
required, together with any related factors that could have a negative effect on the use and
effective operation of controls.
INTERNAL CONTROLS OVER FINANCIAL REPORTING
Internal controls over financial reporting can be divided into two categories: non-IT and IT
controls (Stoel & Muhanna, 2011). Non-IT controls include general accounting internal
controls, such as those incorporating the processes, methodologies, and methods used to
account for financial transactions and the preparation of financial statements, as well as the
competence and reliability of senior management, and regulatory reporting compliance. IT
internal controls are concerned specifically with the IT systems, processes and infrastructure
that are used to capture, process and record raw transactional data of an accounting or
financial nature (Stoel & Muhanna, 2011).
Internal control problems are categorised by the Public Company Accounting Oversight
Board (PCAOB) into material weaknesses, significant deficiencies, or control deficiencies
(PCAOB, 2007). Publicly-listed firms are required under SOX 404 to disclose only material
weaknesses, considered to be the most serious category due to the potential risk of an
undetected material misstatement in the reported financial accounts (Arnold et al., 2011a;
Mock et al., 2009). A study by Ge and McVay (2005) identified nine categories of material
weakness disclosed under SOX 302 by a large sample of companies across a range of
industries:
1) Account specific: these relate to making inappropriate accounting adjustments, such as bad
debts and accounting for accruals. Potential weaknesses include inadequate classification of
fixed assets. Complex accounts, such as income tax and derivatives, are more likely to lead to
deficiencies in internal controls, although the majority of weaknesses affect the accounts
receivable, accounts payable and inventory accounts (Doyle, Ge & McVay, 2007; Ge &
McVay, 2005). Material weaknesses are also likely to arise when internal control processes
provide inadequate guidance on the appropriate application of accounting rules (Stoel &
Muhanna, 2011).
2) Period-end reporting: includes inadequate period end reporting processes; specifically, the
lack of control over new accounting principles, record keeping and controls relating to
authorization and review of transactions, together with inconsistent use of accounting policies
and a need for improved review of journal entries and file documentation (Ge & McVay,
2005). The vast majority of errors are likely to involve accounting documentation policies
and procedures, in particular those relating to revenue recognition, inventory and costs of
sales and financial statement errors (Grant et al., 2008). The number and/or size of year-end
adjustments are one indication of a potential material weakness in financial reporting (Stoel
& Muhanna, 2011).
3) Segregation of duties (SOD): for example, segregation between payroll and other
accounting employees. Segregation of duties is a significant factor in effective internal
control because combining roles in one person could allow manipulation of financial statements
(Foster, Ornstein & Shastri, 2007). Terminating the access of ex-employees is essential, and
avoiding SOD conflicts is a major concern for SOX auditors, particularly in high-risk companies
such as multinational organizations where there are large numbers of employees and systems
access must be continually monitored and reviewed (Doyle et al., 2007).
4) Training: lack of financial reporting expertise, including an absence of appropriate
technical skills among staff, is a key reason for accounting errors and misstatements (Foster
et al, 2007; Ge & McVay, 2005; Stoel & Muhanna, 2011). Unqualified staff can result in a
failure to identify and solve accounting problems as well as a failure to perform effective
reviews. Auditing and accounting staff must be adequately trained in the use of any
information technology that is used to manage accounting processes (Chang et al., 2008).
5) Revenue recognition: relates to the design and review of revenue-recognition policies and
contracting policies.
6) Account reconciliation: relates to issues with accounting reconciliations and review
procedures, as well as weaknesses in determining procedures associated with accruals and
provisions.
7) Subsidiary specific: relates to the timely completion of statutory filings in foreign
countries as well as inconsistencies in the application of company policies among business
units and segments.
8) Senior management: generally associated with a part-time CFO or ineffective control
management.
9) Technology: this concerns the security of systems used for the entry and maintenance of
accounting records. As financial reporting data in publicly listed firms is inevitably stored in
computer-based systems, the controls are incorporated into each firm's IT processes
(Haworth & Pietron, 2006). Access must be restricted to those whose duties require it in order
to prevent fraud (Chang et al., 2008). Potential systemic weaknesses include inadequate
programme controls and lack of oversight over access (Stoel & Muhanna, 2011). Common IT
control flaws include insufficient review of audit trails, inadequate segregation of duties
over applications, excessive access to systems and databases and lack of access controls,
failure to disable old accounts and set up new ones correctly, and untimely review of
transactions to identify irregular journal entries (Tseu, 2005). IT controls have a significant
impact on financial reporting, with accounting errors occurring at a greater rate in companies
that report IT deficiencies (Grant et al., 2008). Firms that report IT internal control
weaknesses are also more likely to report worse financial performance than firms that do not
report internal control weaknesses (Stoel & Muhanna, 2011). Firms with experienced IT
managers, with a Chief Information Officer, and with a higher percentage of independent
board directors are less likely to report IT material weaknesses (Li, Lim & Wang, 2007).
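The review of journal entries and audit trails that Tseu (2005) and Ge and McVay (2005) list among the common weaknesses can be automated as a set of tests run over a ledger extract. The following Python script is an added example; it is not code from the paper, from SAP or from Omega. The record layout, the authorised-poster list, the business-hours window, the round-amount threshold and the four sample postings are all constructed for illustration. It flags manual entries posted into a period after that period's close, postings by users outside the authorised list (such as an IT administrator holding general-ledger access), entries approved by their own preparer, out-of-hours manual postings, and large round-sum amounts. Automated batch postings are exempted from the hours and approval tests so that the review concentrates on entries that involved human intervention.

```python
"""Journal-entry review tests for period-end and IT controls.

Constructed example: the ledger extract, authorised-poster list and
thresholds below are illustrative and are not Omega's data or an SAP report.
"""
from datetime import datetime, time

# Constructed ledger extract: one record per journal entry header.
# "period_end" is the close date of the period the entry is posted into.
JOURNALS = [
    {"doc": "JE-1001", "posted_by": "gl_acct1", "approved_by": "gl_rev1",
     "posted_at": "2012-12-31T16:10", "period_end": "2012-12-31",
     "amount": 12437.18, "manual": True},
    {"doc": "JE-1002", "posted_by": "gl_acct1", "approved_by": "gl_acct1",
     "posted_at": "2013-01-04T22:45", "period_end": "2012-12-31",
     "amount": 250000.00, "manual": True},
    {"doc": "JE-1003", "posted_by": "batch_ar", "approved_by": None,
     "posted_at": "2013-01-01T02:00", "period_end": "2012-12-31",
     "amount": 98112.03, "manual": False},
    {"doc": "JE-1004", "posted_by": "it_admin", "approved_by": "gl_rev1",
     "posted_at": "2013-01-03T10:15", "period_end": "2012-12-31",
     "amount": 5000.00, "manual": True},
]

# Users (and batch identities) permitted to post to the general ledger (constructed list).
AUTHORISED_POSTERS = {"gl_acct1", "gl_acct2", "batch_ar"}
# Manual postings outside this window are flagged for review (assumed window).
BUSINESS_HOURS = (time(8, 0), time(19, 0))
# Manual amounts at or above this value in whole thousands are flagged (assumed threshold).
LARGE_ROUND_THRESHOLD = 100000


def flags_for(je):
    """Return the list of review flags raised by one journal entry, in check order."""
    flags = []
    posted = datetime.fromisoformat(je["posted_at"])
    period_end = datetime.fromisoformat(je["period_end"]).date()
    # Manual entry dated into a period that had already closed when it was posted.
    if je["manual"] and posted.date() > period_end:
        flags.append("post_close_adjustment")
    # Poster is not on the authorised list (e.g. an IT administrator with GL access).
    if je["posted_by"] not in AUTHORISED_POSTERS:
        flags.append("unauthorised_poster")
    # Preparer and approver are the same person: no independent review took place.
    if je["manual"] and je["approved_by"] == je["posted_by"]:
        flags.append("self_approved")
    # Human postings outside business hours; automated batch runs are exempt.
    if je["manual"] and not (BUSINESS_HOURS[0] <= posted.time() <= BUSINESS_HOURS[1]):
        flags.append("outside_business_hours")
    # Large round-sum amounts are a classic marker of estimated or top-side adjustments.
    if je["amount"] >= LARGE_ROUND_THRESHOLD and je["amount"] % 1000 == 0:
        flags.append("large_round_amount")
    return flags


def review_journals(journals):
    """Map document id to its flags; entries that raise no flag are omitted."""
    findings = {}
    for je in journals:
        flags = flags_for(je)
        if flags:
            findings[je["doc"]] = flags
    return findings


if __name__ == "__main__":
    for doc, flags in review_journals(JOURNALS).items():
        print(doc, ", ".join(flags))
```

In the constructed data only JE-1002 and JE-1004 are returned: the former because it is a self-approved, out-of-hours, round-sum adjustment posted after close, the latter because a period-end adjustment was posted by an IT administrator who should not hold ledger posting rights. The automated batch posting JE-1003, made at 02:00, is correctly left alone.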
Weaknesses relating to company-level aspects, such as IT, training, and senior management,
tend to be more serious than other types of weaknesses because they are systemic in nature
and more difficult to audit (Doyle et al., 2007). They also have a high association with
company failure so are reasonably rare among publicly-listed organizations; instead, the vast
majority of weaknesses are related to the specificities of the accounting and finance processes
(Doyle et al., 2007; Ge & McVay, 2005). Among these, period-end adjustments or processes
represent a significant problem for many organizations (Huang, 2009).
The scale and scope of potential weaknesses to which a firm may be subject points to the
benefits of an automated system that can provide senior executives with the assurances
required to attest to the effectiveness of a firm’s internal controls. The following section
discusses the use of IT in facilitating compliance with SOX.
THE USE OF IT TO COMPLY WITH SOX REQUIREMENTS FOR INTERNAL
CONTROL OVER FINANCIAL REPORTING
Effective governance, risk and compliance processes require knowledge of the regulatory
standards, the available data, and the processes that provide the data (Worster et al., 2011).
There is little formal guidance available to managers on how to ensure the effectiveness of
their internal controls over financial reporting (Grant et al, 2008). However, the PCAOB has
introduced auditing standards aimed at ensuring effective audits in relation to SOX 302 and
404. These standards identify the processes and procedures, whether manual or automated,
that should be audited in order to evaluate the effectiveness of internal controls over financial
reporting. In particular, Auditing Standard number 5 (Audit of Internal Control over Financial
Reporting) requires auditors to assess management’s evaluation of the effectiveness of the
information systems and accounting records used to initiate, authorise, process, record, and
report transactions (PCAOB, 2007). The same standard also requires auditors to assess the
processes in place to manage specific risks to a company’s internal control over financial
reporting, such as those arising from the reliance on systems using inaccurate data or
inaccurately processing data, or from unauthorised access to data that might lead to
unauthorised changes or loss of data. Auditing Standard number 12 (Identifying and
Assessing Risks of Material Misstatement) requires auditors to assess managers’ evaluation
of the extent to which controls are subject to human intervention or are automated: “an
automated control would generally be expected to be lower risk if relevant information
technology general controls are effective.” (PCAOB, 2007).
Although senior executives are not subject to the auditing standards issued by the PCAOB,
their independent auditors are. The substantive nature of these requirements, and the range
and level of potential penalties associated with non-compliance (Rice et al., 2012; Zhang,
2007), suggest that senior managers and their organizations have strong incentives to employ
a sophisticated technology that can facilitate efficient, effective, and reliable control over
financial reporting processes. Such technologies can in turn expedite the audit process, thus
increasing the likelihood that the auditors will approve the financial statements.
SOX does not require companies to implement IT in order to manage their internal control
processes. However, since most financial transactions involve IT systems, PCAOB Auditing
Standard no. 5 requires that the controls over IT processes should be examined (PCAOB,
2007). Controls are required to ensure that IT provides managers with the necessary
assurance to attest to the regulators the effectiveness of their internal controls.
In order to ensure full compliance with SOX, firms must develop and maintain systems that
produce reliable data and that facilitate self-audit and testing on a continual basis
(Damianides, 2005; Maurizio et al., 2007). The SEC advises a top-down process to
implementing financial reporting controls, and recommends, but does not mandate, the use of
automated processes in order to minimise errors and therefore improve the timeliness of
internal control processes (Grant et al., 2008; Petra & Loukatos, 2009).
Compliance with SOX requires full integration between systems that may exist in different
parts of the business. Regulation has become an increasingly important factor in firms’
decisions to implement new technology that can support compliance activities, such as the
disclosure of information, self-audits, and processes for self-testing on a continual basis
(Hyvönen, 2003; Granlund, 2011). However, the evidence suggests that this is not easy for
firms to achieve. Many firms, including large companies, supplement their formal IT systems
with simple data interfaces, such as Excel spreadsheets that are under the manual control of
individual employees (Maurizio et al., 2007). Furthermore, when the system does not fully
reflect the organization’s underlying activities and processes, then employees may
circumvent authorised procedures by creating their own solutions (Dechow & Mouritsen,
2005). Firm-specific issues such as legacy systems, the unique determinants of internal
control weaknesses, and aspects such as company norms and employee skills, also impact the
ability of companies to develop effective internal control processes over financial reporting
(Doyle et al., 2007; Kumar et al., 2008; Maurizio et al., 2007).
Only 3 years after the introduction of SOX, 90% of firms responding to a survey by
PricewaterhouseCoopers claimed that their company made effective or satisfactory use of IT
to comply with SOX 404 (Williams, 2005). A variety of IT solutions, such as neural
networks, intelligence systems, corporate computing, data warehouses, executive portals,
strategic enterprise management (SEM) suites, and best of breed (BOB) systems all provide
elements that can support a firm’s internal controls (Granlund, 2011; Rom & Rohde 2007).
Eighty per cent of the Fortune 500 were reported in 2005 to have an ERP (Nasuti & Brown,
2005), suggesting that, from the earliest days of SOX, this specific IT solution has had a role
in supporting a firm’s control environment. These systems, already an established means of
managing accounting and finance transactions, came to prominence during the 1990s as a
solution to company-wide problems, such as Y2K concerns and the introduction of the Euro,
and thus proved a popular choice for firms aiming to improve the controls over their financial
processes (Hyvönen, 2003). The next section explores how ERPs can facilitate the control
over accounting and finance processes.
HOW ERPS CAN SUPPORT ACCOUNTING AND FINANCE CONTROL PROCESSES
FOR COMPLIANCE PURPOSES
An ERP is a strategic information system that integrates an organization's real-time data and
processes into one system accessible by managers from different parts of the business
(Chang et al., 2008; Dechow & Mouritsen, 2005). It is built on a shared real-time database, so
data need to be entered only once to be visible to every department that has access to the
system. It automates business processes by
incorporating data from a range of functions including manufacturing, supply chain
management, human resources, financials and customer relationship management (Spathis,
2006). The integration of processes within a company and data sharing among employees
aims to allow flexible strategic decision-making and provide timely and accurate information
that is particularly relevant to the quality of accounting and financial processes (Chang et al.,
2008; Kumar et al., 2008; O’Brien & Marakas, 2006).
The strict requirements for record keeping and the capacity to drill down to transaction-level
detail required under SOX suggest that ERP systems can be beneficial in facilitating
compliance. ERPs help firms to comply with SOX by automating business processes, most
critically those associated with financial reporting (Maurizio et al., 2007). ERPs are not only
useful but can be critical in establishing processes that facilitate the collection, analysis, and
reporting of information required by SOX (Brown & Nasuti, 2005; Kumar et al., 2008). For
example, they can be designed to minimise or eliminate human access to data where such
access can potentially corrupt data or otherwise lead to errors that will hinder compliance.
They can also ensure data integrity through processes, such as validation steps, that produce
consistent and reconcilable data (Maurizio et al., 2007).
Prior research into the use of ERPs has demonstrated how they can enhance the efficiency,
accuracy, and reliability of reporting processes (Hyvönen, 2003). Their use increases the
flexibility of information provision and produces financial statements that are more reliable
and relevant (Spathis & Constandinides, 2004). They are a useful means to organise, monitor,
and control the processes that provide information against which compliance is tracked, and
they can facilitate the creation of different types of financial reports (Worster et al., 2011). An
ERP system can thus aid significantly in the timeliness of the complex and lengthy processes
involving SOX compliance (Mock et al., 2009).
ERPs are unlikely to meet the SOX 302 and 404 requirements without modifications based
on the unique idiosyncrasies of each company (Kumar et al., 2008). For example, segregation
of duties is one area that is likely to require clarification under a SOX regime. Staff
responsibilities must be divided so that no single employee controls an associated set of
duties or transactions. Consequently, employers will need to authorise systems access for
employees, in turn leading to questions about appropriate levels of systems security (Kumar
et al, 2008). Firms must also ascertain a satisfactory level of password control for users so
that flexibility and ease of use are balanced against a potential loss of systems security.
An ERP system that is used to facilitate compliance with SOX is subject itself to the SOX
process. This is because the definition of internal control over financial reporting as required
under SOX includes any policies and procedures used to record and maintain financial data
and records (Stoel & Muhanna, 2011). In order to comply with SOX, ERP systems must
themselves be continuously monitored and evaluated to ensure that controls are updated as
required. For example, systems used by staff must be monitored and access withdrawn when
it is no longer required. Recent studies indicate that companies may inappropriately copy an
existing account instead of creating a new one to reflect the job requirements of the new user
(e.g., Kumar et al, 2008). This potentially increases the number of users with inappropriate
access, thus compromising a firm’s internal control procedures.
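The three access-control weaknesses discussed above (segregation-of-duties conflicts, leavers whose access is not withdrawn, and accounts copied from an existing user so that they inherit roles the new job does not need) can all be detected from a user-to-role extract and a conflict ruleset. The script below is an added example and is not code from the paper, from SAP or from Omega; the role names, the mapping from roles to business functions, the SoD rules, the per-job baselines and the user records are constructed for illustration. Each role is first expanded to the business functions it grants, so a conflict is detected even when the two conflicting functions arrive through different roles, which is the usual case when an account has been cloned.

```python
"""Access-review checks over an ERP user-to-role extract.

Constructed example: the roles, business functions, SoD rules, job baselines
and user records are illustrative and are not SAP objects or Omega's configuration.
"""

# Role -> business functions it grants (constructed role catalogue).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_APPROVER": {"approve_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_REVIEWER": {"review_journal"},
    "PAYROLL_ADMIN": {"maintain_payroll"},
    "BASIS_ADMIN": {"maintain_user_accounts"},
}

# Pairs of functions that no single person may hold together (constructed ruleset).
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("post_journal", "review_journal"),
    ("maintain_payroll", "post_journal"),
    ("maintain_user_accounts", "approve_payment"),
]

# Baseline role set for each job title; anything beyond it needs a documented justification.
JOB_ROLES = {
    "ap_clerk": {"AP_CLERK"},
    "ap_manager": {"AP_APPROVER"},
    "gl_accountant": {"GL_ACCOUNTANT"},
}

# Constructed user records: status comes from HR, roles and copied_from from the ERP.
USERS = [
    {"user": "asmith", "job": "ap_clerk", "status": "active",
     "roles": {"AP_CLERK"}, "copied_from": None},
    {"user": "bjones", "job": "ap_manager", "status": "active",
     "roles": {"AP_CLERK", "AP_APPROVER"}, "copied_from": None},
    {"user": "cwong", "job": "ap_clerk", "status": "active",
     "roles": {"AP_CLERK", "AP_APPROVER"}, "copied_from": "bjones"},
    {"user": "dlee", "job": "gl_accountant", "status": "terminated",
     "roles": {"GL_ACCOUNTANT"}, "copied_from": None},
    {"user": "epatel", "job": "gl_accountant", "status": "active",
     "roles": {"GL_ACCOUNTANT", "GL_REVIEWER"}, "copied_from": None},
]


def effective_functions(roles):
    """Union of the business functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_sod_conflicts(users):
    """Sorted (user, function_a, function_b) triples where one user holds both sides of a rule."""
    conflicts = []
    for u in users:
        funcs = effective_functions(u["roles"])
        for a, b in SOD_RULES:
            if a in funcs and b in funcs:
                conflicts.append((u["user"], a, b))
    return sorted(conflicts)


def find_terminated_with_access(users):
    """Leavers (per HR) whose ERP account still carries roles: access not withdrawn on exit."""
    return sorted(u["user"] for u in users if u["status"] == "terminated" and u["roles"])


def find_excess_roles(users):
    """Roles beyond the job baseline, with the account they were copied from if recorded."""
    excess = {}
    for u in users:
        extra = u["roles"] - JOB_ROLES.get(u["job"], set())
        if extra:
            excess[u["user"]] = (sorted(extra), u["copied_from"])
    return excess


def access_review(users):
    """Run the three checks and return their findings under one key each."""
    return {
        "sod_conflicts": find_sod_conflicts(users),
        "terminated_with_access": find_terminated_with_access(users),
        "excess_roles": find_excess_roles(users),
    }


if __name__ == "__main__":
    for finding, items in access_review(USERS).items():
        print(f"{finding}: {items}")
```

On the constructed data the review reports that the manager bjones retained a clerk role on promotion and so can both create a vendor and approve payment to it, that cwong inherited the same conflict because the account was copied from bjones rather than built from the clerk baseline, that epatel can both post and review journals, and that the leaver dlee still holds a ledger role. In practice the HR status and the role extract come from different systems, and reconciling them on a schedule is the control; the script is the comparison step of that reconciliation.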
Prior studies indicate some potential problems in the use of an ERP for supporting
compliance with financial regulations. ERPs are not easily able to cope with major changes in
organizational structure, e.g., a new legal or business entity (Granlund, 2011). This means that
they are not necessarily the least risky or cost-effective solution for a user-friendly and
flexible approach to reporting and control (Hyvönen, 2003; Light et al., 2001; Rom & Rohde,
2007). Problems can develop either when managers implement their own solutions or when
‘best practice’ is dictated rather than incorporating managers’ preferred choices (Quattrone &
Hopper, 2001).
Against this backdrop, the aim of the current paper is to explore how managers use one
particular type of IT, namely an ERP, to manage accounting and finance processes required
for compliance and regulatory purposes. The following section presents the research design
employed in the current study in order to address this research question.
RESEARCH DESIGN
Recent studies have called for more in-depth research in order to enhance our understanding
of the role of ERP systems in complying with the requirements of SOX (e.g., Arnold et al.,
2011a; Kumar et al., 2008). Consequently, an exploratory case study was employed in the
current study in order to use a natural setting to obtain greater insights into the topic of
interest (Hair, Money & Samouel, 2003; Yin, 2003).
The case study was conducted at the UK subsidiary of Omega (the name of the organization has
been changed for reasons of confidentiality), a multinational organization in the entertainment
industry. Omega is an appropriate research site for several reasons. It implemented an ERP some
years prior to the introduction of SOX. The ERP was therefore an established part of Omega's
processes, thus permitting an investigation into how managers use the ERP to deal with the
subsequent requirements of SOX. The ERP in use within Omega is SAP, one of the main
proprietary ERPs currently available. Responsibility
for managing SAP belongs to the International Sustainment Team, which comprises a
number of IT experts. The primary users of SAP are in a separate group called Shared
Accounting Services, who also have responsibility for SOX compliance. Furthermore,
Omega has several firm characteristics - the presence of a Chief Information Officer, a high
proportion of independent board members, and large size - that reduce the likelihood of IT
material weaknesses (Li et al., 2007). These factors suggested that Omega presents an ideal
opportunity to explore how managers use an ERP system for the purposes of complying with
the requirements of SOX.
Data were collected from a range of sources. Semi-structured interviews were conducted with
a number of relevant managers in order to obtain insights and depth into the phenomenon of
interest in this study (Bryman & Bell, 2007). A semi-structured interview guide was used to
ensure that all relevant themes were covered in each interview and to help minimise the
potential for interviewer-induced bias (Minichiello, Aroni, Timewell & Alexander, 1995).
The protocol for this guide is shown in Appendix A. The focus of the interviews was on the
use of the ERP for internal control over financial reporting. Open ended questions were used
to enable deeper exploration into initial responses, to gain a thorough answer and
perspectives of the interviewee, and to uncover issues that the researcher had not previously
considered (Bryman & Bell, 2007). The interviews were captured and recorded on a digital
voice recorder, and data were transcribed verbatim and in full (McCracken, 1988). The
participants were subsequently offered the opportunity to read and comment on the
transcripts.
Due to the nature of the study, appropriate participants were not readily identifiable prior to
data collection. The snowball technique, or referral sample, was therefore used, in which
interviewees were invited to recommend other participants who possess useful knowledge
regarding the topic area (Cooper & Schindler, 2006; Hair et al., 2003). Accounting tasks are
no longer the preserve of accountants, and research should therefore be expanded to include
those, such as IS managers, who are also involved in accounting processes (Granlund &
Malmi, 2002; Rom & Rohde, 2007; Scapens & Jazayeri, 2003). Following Kumar et al.
(2008), the first interview was therefore with a senior systems manager in order to gain initial
insights and an overall view. He provided referrals to a systems manager and senior process
analyst, both of whom interact with the ERP via its accounting and finance processes on a
daily basis. A separate stream of interviews was organised through a senior accounting
manager within the Shared Accounting Services Department. The senior accounting manager
has direct contact with the SOX auditors. Again, a snowball sample was used to give a
sample of people who possessed the necessary knowledge to contribute to the study. The
senior accounting manager provided referrals to other accountants. Excluding several new
recruits who had been in place in either of the teams for less than two months, a number of
other potential interviewees were also approached but they subsequently cancelled on a
number of occasions. Although the use of snowball sampling introduces the potential for bias
because participants are more likely to recommend other participants who are similar or who
share similar views (Zikmund, 2003), further attempts to identify other participants delivered
the same group of names as had already been identified as being the in-house experts in the
ERP and its use for SOX compliance. In total ten people were interviewed for an average of
one hour each (Appendix B), each of whom had daily involvement with the accounting and
finance processes, either from an accounting or an IT perspective. An organizational structure
of the two units in which the interviewees worked is shown in Appendix C. The study is
therefore based on a small sample but one that contains an informed group of managers
within the target population.
In addition to the data collected via interviews, one of the senior accountants provided some
sample reports prepared for the SOX auditors that detailed areas of risk in several business
units and the controls and procedures in place to deal with these risks (see Appendix D for a
sample of the data). This provided useful evidence of the types of reports generated by
Omega’s ERP that indicate the types of internal controls implemented in order to facilitate
compliance with SOX. Although the focus of the current study is on the use of an ERP to
facilitate compliance with SOX rather than on the auditing process as conducted by the
independent auditors, this report was used alongside the interviews to identify other areas for
discussion and to clarify the information provided by the participants. The researchers were
not given access to the full set of internal reports, so the data contained in the sample reports
were used to explore how the ERP was used to implement the controls. The advantage of
using documentation analysis is that it can be used without intruding on the participants and
can be re-checked to ensure reliability (Hair et al., 2003). This facilitates triangulation of data
by providing an alternative perspective on the topic under investigation. However,
researchers can arrive at false conclusions if they lack sufficient understanding or if data is
drawn from poor quality sources that affect the credibility and authenticity of the content
(Bryman & Bell, 2007). This risk was mitigated in the current study by the knowledge of one
of the researchers who was employed in a part-time capacity at Omega.
Other secondary data were collected from publicly disclosed annual documents that show that
Omega’s senior management have consistently reported their satisfaction with the
effectiveness of the company’s internal control over financial reporting, and that their
independent auditors have attested to this on the basis of their audit. This provided further
evidence of the effectiveness of the ERP in use at Omega, allowing the investigation to focus
on managers’ use of the system to ensure compliance with SOX.
Analysis of the data began with a search for underlying themes (Miles & Huberman, 1994).
An initial list of themes was established from the framework used for the interview guide;
however, further analysis revealed that participants’ discussions were dominated by a focus
on the areas perceived to carry the highest potential for material weaknesses in internal
controls over financial reporting at Omega. These areas were identified as controls over the
segregation of duties, controls over period-end reporting processes, account-specific
processes, and account reconciliation. These then formed the themes for the coding process. All the data
were then independently coded by the researchers against each of these themes and any
differences in coding were discussed until a consensus was reached. Due to the broad scope
of the coding, very few differences arose and these were readily resolved by referring back to
the definitions outlined in earlier sections of this paper. The quotes provided in the following
section are merely representative comments taken from the data. However, they were
combined with several additional related comments in coming up with the overall themes.
The findings reported in this paper thus represent a summarised output of analysis conducted
on the data collected (O’Dwyer, 2003). The next section presents the findings in relation to
the themes developed during this process.
FINDINGS
Internal controls over segregation of duties (SOD)
Several interviewees from the Sustainment Team, as well as from Shared Accounting
Services, discussed their use of SAP to ensure a clear segregation of duties according to
SOX. For example, one manager reported:
“[We use] SAP to restrict access and to control the job roles [3] assigned to each employee.”
[Senior Sustainment Manager]
SAP’s functionality is therefore used to ensure that there are no violations in the control over
SOD. In addition, the Senior Finance Process Analyst noted that SAP allows the protection of
confidential data, such as human resources master data. This area of SAP requires special
access into the system, known as data level access, which limits an employee’s ability to
access parts of the system relating to transactions, company codes, profit centres and business
areas. He also revealed that:
“During the governance process for requesting new job roles, any request will be checked
thoroughly for SOD violations. If the request contains violations, these will have to be
explained and approved by multiple instances.”
[Senior Finance Process Analyst]
Omega’s processes also mitigate concerns about controls for SOD over software programs
that are associated with access to account and financial reporting records. One analyst
reported that SAP is used to continually monitor access to systems and databases. For
example, there are different logon policies for different user groups, such as employees and
customers, and different authorisation policies depending on the type and level of access
required. There are also controls for maintaining and changing passwords, such as a periodic
password reset. Employees are expressly forbidden from sharing their passwords with anyone
else, either internal or external to the company.
[3] Access to transaction codes in the system that an employee needs in order to fulfil duties described in their job description.
Periodic reviews are undertaken to ensure that access to particular data is still required, e.g. by
asking managers to verify the names and access of staff in their departments. This provides a
check over employees who have moved within Omega and whose access to particular
systems may need to be changed or terminated. Finally, Omega’s SAP is linked to its HR
systems, which enable the IT managers to terminate the accounts of ex-employees or ex-
vendors. This is further backed up by a periodic check on accounts that have not been
accessed for a specified period of time.
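The SOD controls described in this section (role requests checked for SOD violations, the risk of copying an existing account rather than building one for the new job, and the periodic review that catches leavers and dormant accounts) can be expressed as a small, auditable check. The following Python code is an added illustration for this page, not Omega’s configuration or SAP’s own authorisation logic; the role names, capability names, conflict matrix, review date and sample accounts are all constructed assumptions.

```python
"""Segregation-of-duties (SOD) checks and periodic access review.

Added illustration for this page; role names, capabilities, the conflict
matrix and the sample accounts are constructed assumptions, not Omega's
SAP configuration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Set

# Job roles and the transaction capabilities each grants (constructed).
ROLE_CAPABILITIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_APPROVER": {"approve_payment"},
    "GL_ACCOUNTANT": {"park_journal", "post_journal"},
    "GL_REVIEWER": {"release_journal"},
    "HR_DATA_ADMIN": {"maintain_hr_master"},
}

# Capability pairs that one person must never hold together (constructed).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"park_journal", "release_journal"}),
}


def sod_violations(roles: List[str]) -> List[FrozenSet[str]]:
    """Return every conflicting capability pair granted by this set of roles."""
    capabilities: Set[str] = set()
    for role in roles:
        capabilities |= ROLE_CAPABILITIES.get(role, set())
    return sorted((c for c in SOD_CONFLICTS if c <= capabilities), key=sorted)


def check_role_request(current_roles: List[str], requested_role: str):
    """Governance check for a new-role request.

    Returns (auto_approvable, violations). A request with violations is not
    rejected outright; it must be explained and approved by more than one
    instance, so the violations are returned for that review.
    """
    violations = sod_violations(list(current_roles) + [requested_role])
    return len(violations) == 0, violations


@dataclass
class Account:
    user: str
    roles: List[str]
    last_logon: date
    active_employee: bool  # still present in the HR system


def periodic_access_review(accounts: List[Account], today: date, dormant_days: int = 90):
    """Flag accounts that should be terminated or re-certified by a manager."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if not acct.active_employee:
            reasons.append("user no longer in HR system")
        idle = (today - acct.last_logon).days
        if idle > dormant_days:
            reasons.append(f"no logon for {idle} days")
        if sod_violations(acct.roles):
            reasons.append("SOD conflict across assigned roles")
        if reasons:
            findings[acct.user] = reasons
    return findings


# Constructed sample population for a review run on 30 June 2013.
REVIEW_DATE = date(2013, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", ["AP_CLERK"], date(2013, 6, 25), True),
    # Leaver whose account was never terminated and has gone idle.
    Account("bob", ["GL_ACCOUNTANT"], date(2013, 1, 10), False),
    # Account created by copying alice's and then adding approver rights.
    Account("carol", ["AP_CLERK", "AP_APPROVER"], date(2013, 6, 28), True),
]

if __name__ == "__main__":
    print(check_role_request(["AP_CLERK"], "AP_APPROVER"))
    print(periodic_access_review(SAMPLE_ACCOUNTS, REVIEW_DATE))
```

The conflict matrix is deliberately kept separate from the role definitions: the role-request check and the periodic review both consult the same matrix, so a role that is safe on its own but toxic in combination with the user’s existing roles is caught at request time and again at review time, which is the gap that copying an existing account tends to open.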
Internal controls over period-end reporting/closing processes
Omega’s accounting staff use various functionalities within SAP to manage and enhance the
period end reporting process. Period end reporting includes record keeping and controls
relating to authorisation and review of transactions. One of the Accounting Managers stated
that SAP’s integrated reporting allows Omega’s managers to report easily on all transactions
across various products and lines of business. He reported that this feature was flexible
enough to create reports to meet specific reporting requirements, and that they used it to
review transactions through a report specifically designed to meet the SOX auditor’s
requests.
In terms of authorisation and review of transactions, potential weaknesses relating to
standards for review of journal entries and related file documentation are carefully managed
through the use of the ERP system. A senior accountant reported that:
“SAP allows various types of automated workflow such as high volume journals and POs
[purchase orders]. This ensures the necessary approvals…[if an accountant] posts a journal
of over $1m, this can only be ‘parked’, it then workflows to their manager to be released.”
[Senior Accountant 2]
This ensures that specific transactions are reviewed by the appropriate senior level and that
all transactions are continually reviewed to identify improper journal entries. The Senior
Finance Process Analyst also mentioned that they use SAP in a similar way to issue travel
and expenses approvals and also for the backup of claims. The Senior Finance Process
Analyst explained that, while SAP has not yet been customised for the upload of
documentation of all journals:
“SAP allows us to access historic data, archives, archive data and keep it permanently”.
[Senior Finance Process Analyst]
This allows sufficient review of audit trails, which reduces the risk of one potential area of
weakness. Outstanding issues during the period-end reporting process are easily managed via
SAP’s automated processes:
“Once a month a list is automatically sent to us with transactions that have not been
processed so end-users must delete or process these…We – Sustainment - can control posting
periods in which a document is posted…centrally control access to posting periods to ensure
they are reflected in correct periods…and also ensure that there are no remaining unposted
entries at the end of each period”.
[Senior Sustainment Manager]
Omega has customised its use of SAP to facilitate interface with other systems, which is
particularly crucial at the period end closing process. Accuracy and completeness are high
priorities under SOX so interfaces with Omega’s various bank accounts and with supplier
accounts are essential to creating a true picture of Omega’s financial records:
“The bank sends data which SAP processes. So there are automatic postings of bank
transactions to make sure the cash control account is complete.”
[Senior Accountant 3]
“When a vendor is created in SAP, it is interfaced into a front of house system to ensure the
two are in line”.
[Sustainment Manager]
In addition, Senior Accountant 2 mentioned that the flexibility of SAP in providing data in
different formats, for example, in word processing documents or spreadsheets, allows
managers to use the data in a format that is most appropriate for the particular reporting
requirement that they are attempting to fulfil. For example, sometimes data is presented in
Excel tables and includes various calculations, while on other occasions it is used in
document form.
Internal controls over account specific processes
Several of the accountants noted internal controls over account specific processes as a critical
area of concern for their auditors. An important aspect of Omega’s use of SAP is therefore to
provide the controls that ensure adequate capture of transactions in terms of completeness of
the entries recorded. One accountant pointed out the facility to specify particular settings for
different accounts, for example:
“The account may require data in certain fields, such as specifying a ‘Trading Partner’, or
‘Cost Centre’, or specific tax settings, for example, whether the entry requires input or output
tax”.
[Senior Accountant 1]
These accounts are configured so that all entries must contain the necessary information and
will not permit posting unless they are complete. This ensures completeness and stops any
invalid entries being recorded in the system. However, a useful facility in SAP allows
managers to circumvent the need for every end-user to have a detailed understanding of
Omega’s Chart of Accounts while still ensuring accuracy of journal entry:
“It allows non-finance and accounting users to create financial entries without having to
have detailed finance and accounting knowledge. Casual buyers, for example, don’t know
which GL [general ledger] to use. So when a casual buyer enters the shopping cart, they
select ‘commodity codes’ which are linked to GL…This is similar to T&E claims; when the
employee enters their claim the entry defaults to the T&E account”.
[Senior Finance Process Analyst]
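The two controls described in the period-end and account-specific sections above (a journal over a threshold can only be parked and must be released by a manager; an account refuses to post unless its required fields such as Trading Partner, Cost Centre or tax settings are present; casual buyers pick a commodity code that resolves to the GL account for them) combine into one posting check. The following Python code is an added illustration for this page, not Omega’s SAP configuration or any SAP API; the account numbers, required-field names, the $1m-style threshold value, the tax code and the commodity mapping are constructed assumptions.

```python
"""Journal-entry posting controls: required fields per account, an approval
threshold for large journals, and GL defaulting from commodity codes.

Added illustration for this page; account numbers, field names, the
threshold and the commodity mapping are constructed assumptions, not
Omega's SAP configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Fields each GL account insists on before a line may post (constructed).
ACCOUNT_CONFIG: Dict[str, Set[str]] = {
    "400100": {"cost_centre", "tax_code"},   # expense account, input tax required
    "500200": {"cost_centre"},               # travel and expenses (T&E) account
    "120000": {"trading_partner"},           # intercompany receivable
    "200000": set(),                         # trade payables (credit side)
}

# Commodity codes a casual buyer picks in the shopping cart, and the GL
# account each one resolves to (constructed).
COMMODITY_TO_GL: Dict[str, str] = {"OFFICE_SUPPLIES": "400100", "TRAVEL": "500200"}

PARK_THRESHOLD = 1_000_000.0  # journals of at least this size are parked for release


@dataclass
class JournalLine:
    account: str
    amount: float  # debit positive, credit negative
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Journal:
    lines: List[JournalLine]
    preparer: str
    status: str = "new"  # new -> posted, or new -> parked -> posted
    released_by: Optional[str] = None


def validate_lines(journal: Journal) -> List[str]:
    """Completeness check: balanced entry, known accounts, all required fields."""
    errors: List[str] = []
    if abs(sum(line.amount for line in journal.lines)) > 0.005:
        errors.append("debits and credits do not balance")
    for i, line in enumerate(journal.lines):
        required = ACCOUNT_CONFIG.get(line.account)
        if required is None:
            errors.append(f"line {i}: account {line.account} not in chart of accounts")
            continue
        missing = required - set(line.fields)
        if missing:
            errors.append(f"line {i}: missing {sorted(missing)} for account {line.account}")
    return errors


def submit_journal(journal: Journal) -> Tuple[str, List[str]]:
    """Reject incomplete entries; park large ones for a manager; post the rest."""
    errors = validate_lines(journal)
    if errors:
        journal.status = "rejected"
        return journal.status, errors
    gross_debits = sum(line.amount for line in journal.lines if line.amount > 0)
    journal.status = "parked" if gross_debits >= PARK_THRESHOLD else "posted"
    return journal.status, []


def release_journal(journal: Journal, releaser: str) -> Tuple[str, Optional[str]]:
    """Release a parked journal; the preparer may not release their own entry."""
    if journal.status != "parked":
        return journal.status, "only parked journals can be released"
    if releaser == journal.preparer:
        return journal.status, "preparer cannot release their own journal"
    journal.status = "posted"
    journal.released_by = releaser
    return journal.status, None


def shopping_cart_line(commodity_code: str, amount: float, cost_centre: str) -> JournalLine:
    """Build the debit line for a purchase; the buyer never chooses the GL account."""
    account = COMMODITY_TO_GL[commodity_code]
    # Tax code defaulted from the commodity (constructed value).
    return JournalLine(account, amount, {"cost_centre": cost_centre, "tax_code": "V1"})
```

The release step records who released the journal and refuses the preparer, which is what turns the "parked" state into an audit-trail control rather than a mere delay; the required-field table is the piece an auditor would want to see tied to each account in the chart of accounts.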
Account Reconciliation
The accountants reported that account reconciliation is another important area for the SOX
auditors. The Senior Accountants and the Accounting Manager remarked on the usefulness of
SAP’s Account Reconciliation Tool to ensure that accounts are properly reviewed for
accuracy:
“The tool [allows us] to ensure that account reconciliations are reviewed, approved and
leaves a proper audit trail for these steps…[T]he backup to the reconciliations is stored
online”.
[Senior Accountant 2]
There are also recognised procedures for monitoring balances. A particular tool in SAP
permits:
“…the segment and managers in the US [to] review accounts as an additional measure”.
[Accounting Manager 1]
Thus managers in the US headquarters have centralised access and additional controls over
those operating in the local systems in the UK subsidiary. Omega uses this as evidence of its
control over review procedures as well as providing a process for monitoring account
balances. SAP is customised by Omega’s managers to ensure that accounts are reviewed by
the appropriate level of management.
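The bank interface described in the period-end section (bank data posted automatically so the cash control account is complete) and the reconciliation workflow described here (reconciliations reviewed and approved, backup stored online, a proper audit trail for each step) can be shown together as one reconciliation with a review/approval trail. The following Python code is an added illustration for this page, not SAP’s Account Reconciliation Tool or Omega’s process; the bank feed, ledger postings, names, document ids and timestamps are constructed.

```python
"""Cash control account reconciliation with a review/approval audit trail.

Added illustration for this page; the bank feed, ledger postings and the
names are constructed, and the workflow is a generic pattern rather than
SAP's Account Reconciliation Tool.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Item:
    ref: str
    amount: float
    source: str  # "bank" or "ledger"


def match_items(bank: List[Item], ledger: List[Item], tolerance: float = 0.005):
    """First-fit matching by amount; returns (pairs, unmatched bank, unmatched ledger)."""
    open_ledger = list(ledger)
    matched: List[Tuple[Item, Item]] = []
    unmatched_bank: List[Item] = []
    for b in bank:
        hit = next((l for l in open_ledger if abs(l.amount - b.amount) <= tolerance), None)
        if hit is None:
            unmatched_bank.append(b)
        else:
            matched.append((b, hit))
            open_ledger.remove(hit)
    return matched, unmatched_bank, open_ledger


@dataclass
class Reconciliation:
    period: str
    preparer: str
    matched: List[Tuple[Item, Item]]
    unmatched_bank: List[Item]
    unmatched_ledger: List[Item]
    explanations: Dict[str, Dict[str, str]] = field(default_factory=dict)
    trail: List[Dict[str, str]] = field(default_factory=list)
    status: str = "prepared"
    reviewer: Optional[str] = None

    def difference(self) -> float:
        """Gap between bank and ledger left by the unmatched items."""
        return round(sum(i.amount for i in self.unmatched_bank)
                     - sum(i.amount for i in self.unmatched_ledger), 2)

    def unexplained(self) -> List[str]:
        """Unmatched items that still lack a note and a stored backup document."""
        return [i.ref for i in self.unmatched_bank + self.unmatched_ledger
                if i.ref not in self.explanations]


def prepare(period: str, preparer: str, bank: List[Item], ledger: List[Item], when: str):
    m, ub, ul = match_items(bank, ledger)
    rec = Reconciliation(period, preparer, m, ub, ul)
    rec.trail.append({"step": "prepared", "by": preparer, "at": when})
    return rec


def explain(rec: Reconciliation, ref: str, note: str, document_id: str, who: str, when: str) -> bool:
    """Attach a note and the id of an online backup document to an unmatched item."""
    if ref not in {i.ref for i in rec.unmatched_bank + rec.unmatched_ledger}:
        return False
    rec.explanations[ref] = {"note": note, "document": document_id}
    rec.trail.append({"step": "explained", "by": who, "at": when, "ref": ref})
    return True


def review(rec: Reconciliation, reviewer: str, when: str) -> bool:
    """Independent review: the reviewer must not be the preparer."""
    if rec.status != "prepared" or reviewer == rec.preparer:
        return False
    rec.status, rec.reviewer = "reviewed", reviewer
    rec.trail.append({"step": "reviewed", "by": reviewer, "at": when})
    return True


def approve(rec: Reconciliation, approver: str, when: str) -> bool:
    """Approval needs a completed review, a third person, and every item explained."""
    if rec.status != "reviewed" or approver in (rec.preparer, rec.reviewer):
        return False
    if rec.unexplained():
        return False
    rec.status = "approved"
    rec.trail.append({"step": "approved", "by": approver, "at": when})
    return True


# Constructed sample inputs: one period's bank feed and cash control account postings.
BANK_FEED = [Item("B1", 1500.00, "bank"), Item("B2", -320.50, "bank"), Item("B3", 800.00, "bank")]
LEDGER = [Item("L1", 1500.00, "ledger"), Item("L2", -320.50, "ledger"), Item("L4", 75.00, "ledger")]
```

Approval is blocked until every unmatched item carries an explanation with a document reference, so the trail records not just who signed but what evidence each reconciling item rested on; that is the part of the workflow that gives the auditor something to test beyond the signatures.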
The sample reports provided by one of the senior accountants detail the key areas of concern
for the SOX auditors and the types of control to which these concerns are related. For
example, they indicate that, for sales and inventory, the SOX auditors are particularly interested
in the accuracy and completeness of accounts. These reports have been developed over time
in line with the independent auditors, and help Omega’s accountants to anticipate those areas that the SOX
auditors are most likely to test. The sample data provided in Appendix D gives detailed
information on the internal controls, associated risks, frequency of checking for certain
transactions and journal entries, and also named individuals responsible for each process,
control, and testing (these have been removed in the sample shown in Appendix D). It can be
seen that these generally fall into the four main categories discussed above.
Table 1 below provides a summary of Omega’s use of SAP to ensure compliance with SOX.
[Insert Table 1 here]
In summary, Omega uses its ERP system in a number of ways to establish and maintain
internal control processes over financial reporting. The ERP system is used to facilitate the
segregation of duties with controls that restrict access and management of job roles for each
employee. It also eases the closing process at period end through the creation of customised
reports. Managers are able to review transactions with regard to journals, purchase orders and
travel and expense claims. File documentation is kept in the system for backup, although the
findings from the case study indicated this is not yet possible for journal transactions. The
Sustainment Team controls posting periods in order to reflect transactions in the correct
period, while the accountants make use of interfaces with banks and vendors to keep the cash
control account up to date and complete. There are controls to ensure adequate and complete
capture of transactions and an account reconciliation tool which is used to allow easy review
and management of accounts.
DISCUSSION
The findings from the current study provide evidence of Omega’s use of its ERP system to
ensure compliance with the requirements of SOX.
The case discussed in this paper presents a largely effective picture of the use of an ERP
system in the subsidiary of one multinational organization in relation to internal control over
reporting in order to comply with SOX. Omega’s ERP is set up and used to facilitate
compliance with SOX, and no major issues or concerns with the use of SAP for this purpose
were reported. This is confirmed by Omega’s publicly available reports and accounts, which
include the attestations by senior executives of effective internal controls. In line with prior
research (e.g., Ge & McVay, 2005), the findings indicate that account specific and period end
reconciliations are critical areas of concern for Omega’s SOX auditors. The findings suggest
that Omega’s use of an ERP system helps to prevent common weaknesses such as the non-
termination of old user accounts. Working closely with the independent auditors also helps to
facilitate the audit process. While the data might reflect participants’ views of the way SAP is
supposed to work rather than actual practice, the publicly disclosed reports support the
impression given by the participants that Omega’s use of IT to manage internal controls over
financial reporting is effective.
Although the investigation into Omega’s use of an ERP to facilitate compliance with SOX
did not highlight any problems, there are several underlying issues that warrant further
discussion.
First, those working with SAP directly, specifically, the Senior Finance Process Analyst, the
Sustainment Manager and the Senior Sustainment Manager, were less knowledgeable than
the accountants about SOX and struggled to understand which elements of the ERP could be
associated with the SOX requirements on internal control over financial reporting. In
contrast, the accountants were able to draw on their experiences as end-users of SAP and
relate these to their knowledge of SOX audits. This indicates that accountants play a crucial
role in ensuring that IT is able to meet both internal and external requirements. Consistent
with prior studies (e.g., Caglio, 2003), the findings indicate that the use of an ERP has the
potential to remove certain practices and forms of knowledge from specific job positions, in
this case, the IT managers, and instead embed it in the system. This, in turn, can expand the
areas of knowledge possessed by the accountants into the realms of the IT experts, with
concomitant implications for the role of IT experts and the training of accountants within
organizations that are using or seeking to implement ERP systems (Caglio, 2003). In contrast
to the findings from previous studies (e.g., Dechow & Mouritsen, 2005; Scapens & Jazayeri,
2003), there was little evidence in the current study of IT managers taking over the role of the
accountants.
Second, the focus on a very specific use of an ERP has excluded an investigation into
alternative uses of an ERP that may conflict with its use as a tool for complying with SOX.
Whereas prior studies (e.g. Granlund & Malmi, 2002) found companies have faced problems
in attempting to fit an ERP to their existing practices, the current study did not raise any such
concerns. It is not clear to what extent the SOX requirements are privileged over other
organizational issues and processes, although Omega’s ERP has been in use for some years
prior to the introduction of SOX. However, ERP systems are likely to have a limited impact
on other critical internal processes, such as those concerned with management accounting
(Scapens & Jazayeri, 2003).
Third, by using an ERP system to manage its internal control processes over financial
reporting Omega may benefit from the credibility accorded to such systems (Arnold et al.,
2011a), and the prescriptive ‘one-size fits all’ approach promoted by their respective
manufacturers (Clemmons & Simon, 2001; Granlund, 2011). Under SOX, companies are
encouraged to use automated processes to facilitate compliance with the requirements of the
Act. The use of SAP, a market leader in ERP systems, may increase the confidence of the
SOX auditors in Omega’s IT processes (Chan, Lee & Seow, 2008). As has been suggested in
prior research (e.g. Dillard et al., 2005; Worster et al., 2011), by using a system that is also in
use in many other large companies, Omega is able implicitly to abdicate some of its
responsibility for the IT aspects of internal control over financial reporting to the
manufacturer of its ERP, namely, SAP.
CONCLUDING COMMENTS
The aim of this study was to explore how one organization uses its ERP system to facilitate
compliance with SOX, specifically, those aspects concerned with internal control over
financial reporting. Prior studies have found that material weaknesses in internal control have
been reported against the segregation of duties, period end reporting, account specific
processes and account reconciliation (Ge & McVay, 2005; Foster et al., 2007), potentially
resulting in severe penalties. How managers use an ERP system to mitigate these weaknesses
is therefore of interest to both researchers and practitioners.
In line with calls in the literature for more in-depth research into the relation between the use
of ERP systems and regulatory compliance (Arnold et al., 2011b; Kumar et al., 2008), the
current study employed a case study method to explore the issues arising in one organization
that uses an ERP to facilitate compliance with SOX. The findings demonstrate how an ERP
system, such as SAP, can help with the significant issues of segregation of duties, period end
reporting, account specific and account reconciliation that are demanded under compliance
with SOX 302 and 404. Such findings provide insights into the critical role of IT as a
facilitator of control and reporting processes, an area of increasing importance due to
concerns over the internal governance of financial management. They also shed light on the
role, use, and purpose of one particular type of IT, an ERP, in relation to regulatory
compliance.
The findings also enhance knowledge of the practical consequences of ERPs on accounting
and finance processes by demonstrating how the nature of and demands of SOX can impact
the respective roles of IT and accounting professionals in using IT to manage compliance
issues. While both accountants and external providers of ERP systems have expert
knowledge of SOX and its requirements, IT managers have a vital role to play in ensuring
that accountants’ company-specific requests in relation to internal control over financial
reporting are addressed through the ERP system. In this sense, they are also an important
conduit between the firm and its ERP vendors, who may otherwise seek to install
standardised versions that are not easily modifiable to the firm’s specific requirements.
The findings from the study indicate several areas for further research. First, Omega’s ERP is
set up and used in such a way as to ensure compliance with SOX. ERPs are not easily modified
or adapted to organizational preferences (Granlund, 2011; Dechow & Mouritsen, 2005), so
further research could be conducted on a longitudinal basis to establish the extent to which
other externalities impact on the use of an ERP for the purposes of regulatory compliance (cf.
Arnold et al., 2011b). Furthermore, the study could be replicated in companies of various size
and across a range of industries to investigate whether the different uses of an ERP system
lead to different internal procedures and controls. In addition, further research could compare
different proprietary brands of ERP systems in order to ascertain whether there are any
differences in their uses for the purpose of compliance with SOX.
Finally, this paper presents a case study of largely successful use of an ERP system to
facilitate compliance with SOX. This contrasts with those studies exploring the
implementation of new systems. As such, the current study can be regarded as an ‘impact
study’ (Scapens & Jazayeri, 2003), in which the outcome is an indication of the challenges
and opportunities presented by a particular situation. The case study reported in this paper
aims to provide a credible and plausible account of how one firm uses SAP to ensure that it
fulfils its requirements with regard to SOX 404 and 302. However, several limitations exist.
In common with other case studies, the study is subject to the usual limitations of
subjectiveness, non-representativeness and non-systematic design (Bryman & Bell, 2007;
Cooper & Schindler, 2006). As far as possible, these concerns were mitigated through a
systematic approach to data collection and analysis.
In summary, this study has sought to enhance knowledge of the use of IT for compliance with
new legislation. It is hoped that the findings will motivate further research in this important
area at the interface of IT, accounting, business processes, and financial regulation.
References
Arnold, V., Bedard, J.C., Phillips, J.R., & Sutton, S.G. (2011a). Do Section 404
Disclosures Affect Investors' Perceptions of Information Systems Reliability and
Stock Price Predictions? International Journal of Accounting Information Systems,
12, 243–258.
Arnold, V., Benford, T., Canada, J., & Sutton, S.G. (2011b). The Role of Strategic Enterprise
Risk Management and Organizational Flexibility in Easing New Regulatory
Compliance. International Journal of Accounting Information Systems, 12, 171–188.
Brown, W. & Nasuti, F., (2005). What ERP Systems Can Tell Us About Sarbanes Oxley.
Information Management and Computer Security, 13(4), 311-327.
Bryman, A. & Bell, E. (2007). Business Research Methods. Oxford University Press. 2nd Ed.
Caglio, A. (2003). Enterprise Resource Planning Systems and Accountants: Towards
Hybridization? European Accounting Review, 12(1), 123-153.
Chan, K.C., Lee, P., & Seow, G. S. (2008). Why Did Management and Auditors Fail to
Identify Ineffective Internal Controls in Their Initial SOX 404 Reviews? Review of
Accounting and Finance, 7(4), 338-354.
Chang, S., Wu, C.-C., & Chang, I.-C. (2008). The Development of a Computer Auditing
System Sufficient for Sarbanes-Oxley Section 404 — A Study on the Purchasing and
Expenditure Cycle of the ERP System. Information Systems Management, 25, 211–
229.
Clemmons, S. & Simon, S.J. (2001). Control and Coordination in Global ERP
Configuration. Business Process Management Journal, 7(3), 205-215.
Cooper, D. R. & Schindler, P. S. (2006). Business Research Methods. McGraw-Hill
International Education. 9th Ed.
Damianides, M., (2005). Sarbanes-Oxley and IT Governance: New Guidance on IT control
and Compliance. Information Systems Management, 22(1), 77-85.
Dechow, N. & Mouritsen J. (2005). Enterprise Resource Planning Systems, Management
Control and the Quest for Integration. Accounting, Organizations and Society, 30,
691–733.
Dillard, J. F., Ruchala, L., & Yuthas, K. (2005). Enterprise Resource Planning Systems: A
Physical Manifestation of Administrative Evil. International Journal of Accounting
Information Systems, 6(2), 107-127.
Doyle, J., Ge, W., & McVay, S., (2007). Determinants of Weaknesses in Internal Control
over Financial Reporting. Journal of Accounting and Economics, 44(1-2), 193-223.
Foster, B. P., Ornstein, W., Shastri, T., (2007). Audit Costs, Material Weaknesses Under
SOX Section 404. Managerial Auditing Journal. 22(7), 661-673.
Ge, W. & McVay, S. (2005). The Disclosure of Material Weaknesses in Internal Control
After the Sarbanes Oxley Act. Accounting Horizons, 19(3), 137-158.
Granlund, M. (2011). Extending AIS Research to Management Accounting and Control
Issues: A Research Note. International Journal of Accounting Information Systems,
12, 3-19.
Granlund, M. & Malmi, T. (2002). Moderate impact of ERPS on Management Accounting: A
Lag or Permanent Outcome? Management Accounting Research, 13, 299–321.
Grant, G. H., Miller, K. C., & Fatima, A. (2008). The effect of IT controls on internal
reporting. Managerial Auditing Journal. 23(8), 803-823.
Hair, J. F., Money, A. H., Samouel, P. (2003). Research Methods for Business. John Wiley &
Sons.
Haworth, D. A., & Pietron, L. R. (2006). Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799. Information Systems Management, 23(1), 73-87.
Huang, H. (2009). Sarbanes-Oxley Section 404 Compliance: Recent Changes in US-Traded Foreign Firms' Internal Control Reporting. Managerial Auditing Journal, 24(6), 584-598.
Hyvönen, T. (2003). Management Accounting and Information Systems: ERP Versus BoB. European Accounting Review, 12(1), 155-173.
Krishnan, G. V., & Visvanathan, G. (2007). Reporting Internal Control Deficiencies in the Post-Sarbanes-Oxley Era: The Role of Auditors and Corporate Governance. International Journal of Auditing, 11, 73-90.
Kumar, V., Pollanen, R., & Maheshwari, B. (2008). Challenges in Enhancing Enterprise Resource Planning Systems for Compliance with Sarbanes-Oxley Act and Analogous Canadian Legislation. Management Research News, 31(10), 758-773.
Li, C., Lim, J. H., & Wang, Q. (2007). Internal and External Influences on IT Control Governance. International Journal of Accounting Information Systems, 8, 225-239.
Light, B., Holland, C. P., & Wills, K. (2001). ERP and Best of Breed: A Comparative Analysis. Business Process Management Journal, 7(3), 216-224.
Mauldin, E. G., & Ruchala, L. V. (1999). Towards a Meta-Theory of Accounting Information Systems. Accounting, Organizations and Society, 24, 317-331.
Maurizio, A., Girolami, L., & Jones, P. (2007). EAI and SOA: Factors and Methods Influencing the Integration of Multiple ERP Systems (in an SAP Environment) to Comply with the Sarbanes-Oxley Act. Journal of Enterprise Information Management, 20(1), 14-31.
McCracken, G. D. (1988). The Long Interview (Vol. 13). California: Sage Publications.
Miles, M. B., & Huberman, A. M. (1994). Qualitative Data Analysis: An Expanded Sourcebook (2nd ed.). California: Sage Publications.
Minichiello, V., Aroni, R., Timewell, E., & Alexander, L. (1995). In-Depth Interviewing: Principles, Techniques, Analysis (2nd ed.). Melbourne: Addison Wesley Longman.
Mock, T. J., Sun, L., Srivastava, R. P., & Vasarhelyi, M. (2009). An Evidential Reasoning Approach to Sarbanes-Oxley Mandated Internal Control Risk Assessment. International Journal of Accounting Information Systems, 10, 65-78.
O'Brien, J. A., & Marakas, G. M. (2006). Management Information Systems (7th ed.). McGraw-Hill Irwin.
O'Dwyer, B. (2003). Conceptions of Corporate Social Responsibility: The Nature of Managerial Capture. Accounting, Auditing & Accountability Journal, 16(4), 523-557.
Petra, S. T., & Loukatos, G. (2009). The Sarbanes-Oxley Act of 2002: A Five Year Retrospective. Corporate Governance, 9(2), 120-132.
PCAOB (Public Company Accounting Oversight Board). (2007). Available from http://pcaobus.org/Standards/Auditing/Pages/default.aspx
Quattrone, P., & Hopper, T. (2001). What Does Organizational Change Mean? Speculations on a Taken for Granted Category. Management Accounting Research, 12(4), 403-435.
Rice, S., & Weber, D. (2012). How Effective Is Internal Control Reporting under SOX 404? Determinants of the (Non-)Disclosure of Existing Material Weaknesses. Journal of Accounting Research, 50(3), 811-843.
Rice, S., Weber, D., & Wu, B. (2012). Does SOX 404 Have Teeth? Consequences of the Failure to Report Existing Internal Control Weaknesses. Working paper, University of Connecticut.
Rom, A., & Rohde, C. (2007). Management Accounting and Integrated Information Systems: A Literature Review. International Journal of Accounting Information Systems, 8, 40-68.
Scapens, R. W., & Jazayeri, M. (2003). ERP Systems and Management Accounting Change: Opportunities or Impacts? A Research Note. European Accounting Review, 12(1), 201-233.
Spathis, C. (2006). Enterprise Systems Implementation and Accounting Benefits. Journal of Enterprise Information Management, 19(1), 67-82.
Spathis, C., & Constantinides, S. (2004). Enterprise Resource Planning Systems' Impact on Accounting Processes. Business Process Management Journal, 10(2), 234-247.
Stoel, M. D., & Muhanna, W. A. (2011). IT Internal Control Weaknesses and Firm Performance: An Organizational Liability Lens. International Journal of Accounting Information Systems, 12, 280-304.
Tryfonas, T., & Kearney, R. (2008). Standardising Business Application Security Assessments with Pattern-Driven Audit Automations. Computer Standards & Interfaces, 30, 262-270.
Tseu, M. (2005). Managing IT Compliance: Sustainability and Simplicity for Future Audits. Internal Auditing, 20(5), 16-21.
Williams, K. (2005). Does Technology Aid SOX 404 Compliance? Strategic Finance, 87(5), 23-25.
Worster, A., Weirich, T. R., & Andera, A. (2011). ERP Systems: A Lost Opportunity. The Journal of Corporate Accounting & Finance, July/August, 69-77.
Yin, R. K. (2003). Case Study Research: Design and Methods (3rd ed.). Thousand Oaks, CA: Sage Publications, Inc.
Zhang, I. X. (2007). Economic Consequences of the Sarbanes-Oxley Act of 2002. Journal of Accounting and Economics, 44, 74-115.
Zikmund, W. (2003). Business Research Methods (7th ed.). Thomson South Western.
Appendix A - Interview Guide
Protocol used for questions to ask participants:
1) Demographic data
2) Job role and responsibilities in relation to SAP and/or SOX
3) The use of SAP in Omega for accounting and finance processes/operations in relation
to SOX
Prompts:
How used in different business units/departments
Processes involved
Policies and procedures for use
Use of manual or backup processes to support
Employees involved in inputting data or using output
Problems/issues/concerns?
4) The use of SAP for facilitating compliance with SOX and mitigating material
weaknesses
Prompts:
Identifying main areas of potential weaknesses (e.g. segregation of duties, period-end reporting, account reconciliation)
Audit process
Problems/issues/concerns?
Appendix B – List of interviewees

Position                        Gender   Experience in role   Length of interview
Senior Sustainment Manager      M        10 years             45 mins
Sustainment Manager Finance     M        6 years              75 mins
Senior Finance Process Analyst  F        4 years              60 mins
Accounting Manager 1            F        8 years              50 mins
Accounting Manager 2            M        5 years              55 mins
Senior Accountant 1             M        6 years              60 mins
Senior Accountant 2             F        5 years              70 mins
Senior Accountant 3             M        5 years              60 mins
Accountant 1                    F        10 years             50 mins
Accountant 2                    M        4 years              75 mins
Appendix C – Organizational Structure

[Organization chart; only the unit labels survive extraction: Sustainment Team; Shared Accounting Services]
Appendix D – Omega's Control Matrix for High Risk Processes

Each entry below lists, for one control, the matrix columns: Process; Sub-process; Process objective; Business risk; Control; Control frequency; Control type; Control assertions; Test procedures.

Control G.3.2
  Process: Revenue
  Sub-process: Sales Polling
  Process objective: Polling of sales data for all store locations is complete and accurate.
  Business risk: Errors in polling are not identified (duplicate transactions, unreleased sales, etc.).
  Control: On a daily basis, the Retail Control Analysis team reviews the polled sales information for accuracy and completeness. The results of the review are logged on a checklist.
  Control frequency: Daily
  Control type: Exception/Edit Report
  Control assertions: Completeness, Accuracy
  Test procedures: Select a sample of business days within the sampling period. For each day selected, obtain the Polled Sales Checklist and verify that a polling review was performed and polling errors were listed for correction.

Control G.3.4
  Process: Revenue
  Sub-process: Sales to Cash Deposit Reconciliation
  Process objective: Cash and credit card transactions deposited are correctly recorded in SAP.
  Business risk: Cash and credit card transactions deposited are incorrectly recorded in SAP.
  Control: On a monthly basis, to ensure that RECON has correctly interfaced with SAP for all cash and credit card transactions deposited in the bank, a Retail Control Analyst verifies that the results of the matching process in RECON reconcile to SAP. The reconciliation is reviewed and approved by the RCA supervisor.
  Control frequency: Monthly
  Control type: Interface/Conversion Controls
  Control assertions: Completeness, Accuracy
  Test procedures: Select a sample of monthly reconciliations within the sampling period. For each month selected, obtain the reconciliation and verify that variances between SAP and RECON are identified and investigated. In addition, confirm that the reconciliation was approved by the Retail Control Analysis (RCA) Supervisor.

Control G.4.2
  Process: Inventory
  Sub-process: Cycle Counts
  Process objective: Maintain an accurate inventory balance at the stores.
  Business risk: Inaccurate inventory balances are recorded at the stores.
  Control: Store cycle counts are performed on a weekly basis and variances are logged on the Monthly Inventory Finances spreadsheet.
  Control frequency: Monthly
  Control type: Reconciliation
  Control assertions: Existence
  Test procedures: Select a sample of Monthly Inventory Finances spreadsheets within the sampling period. For each monthly spreadsheet, select a sample of store locations and verify that cycle counts were performed.

Control G.4.6
  Process: Inventory
  Sub-process: Recording of Inventory
  Process objective: Inventory balances are correctly recorded in SAP.
  Business risk: Inventory balances are incorrectly recorded in SAP.
  Control: The Stock Ledger is reconciled monthly to SAP G/L and reviewed by the Accounting Manager.
  Control frequency: Monthly
  Control type: Reconciliation
  Control assertions: Completeness
  Test procedures: Select a sample of monthly 133005 Merchandise Inventory reconciliations within the sampling period. For each month selected, obtain the reconciliation and verify that variances between IP and SAP are identified and investigated. In addition, confirm that the reconciliation was approved by the Accounting Manager.

Control G.4.8
  Process: Inventory
  Sub-process: COGS/Margin Reconciliation
  Process objective: Cost of sales is recorded timely and accurately.
  Business risk: Cost of sales is not recorded timely and accurately.
  Control: The COGS/Margin is reconciled monthly to SAP G/L and reviewed by the Accounting Manager.
  Control frequency: Monthly
  Control type: Management Review
  Control assertions: Completeness, Accuracy
  Test procedures: Select a sample of monthly reconciliations within the sampling period. For each month selected, obtain the analysis and verify that variances between IP and SAP are identified and investigated. In addition, confirm that the reconciliation was approved by the Accounting Manager.

Control G.1.1
  Process: Business Unit Level Controls
  Sub-process: Business Unit Level Controls
  Process objective: Management monitors the operations and oversees the control environment and risk assessment process.
  Business risk: Management is not aware of the status of operations and misstated financial reporting occurs.
  Control: Results of each Business Unit's Balance Sheet deliverables (Q Schedules) are compared to prior year and are reviewed quarterly by the Business Unit Controller/Director.
  Control frequency: Quarterly
  Control type: Management Review
  Control assertions: Completeness, Accuracy
  Test procedures: 1. Select 2 quarterly B/S and P&L deliverables and ensure that schedules were reviewed and approved by the WDI SAS Controller. Obtain a copy of the recent quarterly Management Rep Letter, which represents that results are reviewed/approved, and ensure it is signed by the BU VP Finance and the WDI SAS Controller.

Control G.2.3
  Process: Spreadsheet Controls
  Sub-process: Spreadsheet Controls
  Process objective: Spreadsheets that have a material impact on financial reporting are identified and controlled.
  Business risk: Errors on spreadsheets that are relied upon for significant entries to the financial system could result in material misrepresentations.
  Control: Segregation of Duties: The spreadsheet is reviewed by a person other than the preparer, including a review for reasonableness and completeness. Evidence of this review is maintained by a signature on the spreadsheet (by both preparer and reviewer). The reviewer cannot be the preparer.
  Control frequency: Quarterly
  Control type: Management Review
  Control assertions: Completeness, Accuracy
  Test procedures: Using the sampling guidelines, select a sample of spreadsheets and verify the following: 1) Preparer and Reviewer were two different people; 2) Preparer and Reviewer signed the spreadsheet to evidence their review.

Control B.7.2
  Process: Operating Income/Loss
  Sub-process: Operating Income/Loss - SAP Global Template - PTC
  Process objective: BDC sessions are cleared timely, resulting in properly stated accounts.
  Business risk: BDC sessions are not cleared and result in misstated accounts.
  Control: On at least a monthly basis, all BDC G/L sessions and A/P sessions (that are not the responsibility of DWSS) greater than $5,000 are cleared. (PTC 986)
  Control frequency: Monthly
  Control type: Reconciliation
  Control assertions: None
  Test procedures: Select a sample of open BDC session reports sent monthly by Corporate Reporting during the close and verify the report shows no open BDC sessions at the end of the close period.
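Two of the test procedures in the matrix, G.3.4 (variances between RECON and SAP are identified) and G.2.3 (preparer and reviewer are different people and both signed), are mechanical enough to run as code rather than by hand-sampling. The block below is an added example written for this page; it is not code from Omega, from the paper, or from SAP or RECON. The record layouts, field names, the zero tolerance and the sample deposits and spreadsheet reviews are constructed assumptions; a real run would read extracts from both systems in whatever format they export.

```python
"""Added example: automating the G.3.4 and G.2.3 control tests.

Record layouts, field names and all sample data below are constructed
for illustration; they are not Omega's, SAP's or RECON's formats.
"""
from collections import defaultdict
from decimal import Decimal

# --- G.3.4: RECON-to-SAP deposit reconciliation --------------------------
# Constructed sample: deposits as matched by RECON, and the postings that
# reached the SAP general ledger. Decimal avoids float rounding noise when
# comparing monetary amounts.
RECON_DEPOSITS = [
    {"deposit_id": "D-1001", "store": "S01", "amount": Decimal("1250.00")},
    {"deposit_id": "D-1002", "store": "S02", "amount": Decimal("980.50")},
    {"deposit_id": "D-1003", "store": "S03", "amount": Decimal("432.10")},
    {"deposit_id": "D-1004", "store": "S01", "amount": Decimal("700.00")},
]
SAP_POSTINGS = [
    {"deposit_id": "D-1001", "store": "S01", "amount": Decimal("1250.00")},
    {"deposit_id": "D-1002", "store": "S02", "amount": Decimal("890.50")},  # digits transposed
    {"deposit_id": "D-1003", "store": "S03", "amount": Decimal("432.10")},
    {"deposit_id": "D-1003", "store": "S03", "amount": Decimal("432.10")},  # posted twice
    # D-1004 never reached SAP: an interface gap (completeness failure)
]


def reconcile(recon, sap, tolerance=Decimal("0.00")):
    """Return the variances between RECON and SAP, one dict per deposit id.

    Each variance carries both totals and a reason so the reviewer can
    investigate it, which is what the G.3.4 test procedure asks for.
    Checks are ordered so the most specific explanation wins: a deposit
    missing on one side, then a duplicate posting, then an amount mismatch.
    """
    recon_totals, sap_totals, sap_count = defaultdict(Decimal), defaultdict(Decimal), defaultdict(int)
    for r in recon:
        recon_totals[r["deposit_id"]] += r["amount"]
    for p in sap:
        sap_totals[p["deposit_id"]] += p["amount"]
        sap_count[p["deposit_id"]] += 1

    variances = []
    for dep in sorted(set(recon_totals) | set(sap_totals)):
        rt, st = recon_totals.get(dep, Decimal(0)), sap_totals.get(dep, Decimal(0))
        if dep not in sap_totals:
            reason = "missing in SAP"
        elif dep not in recon_totals:
            reason = "missing in RECON"
        elif sap_count[dep] > 1:
            reason = "duplicate SAP posting"
        elif abs(rt - st) > tolerance:
            reason = "amount mismatch"
        else:
            continue  # matched: nothing to investigate
        variances.append({"deposit_id": dep, "recon": rt, "sap": st, "reason": reason})
    return variances


# --- G.2.3: spreadsheet segregation of duties ----------------------------
# Constructed sample of quarter-end spreadsheet review records.
SPREADSHEET_REVIEWS = [
    {"sheet": "accruals_q3.xlsx", "preparer": "a.smith", "reviewer": "b.jones",
     "preparer_signed": True, "reviewer_signed": True},
    {"sheet": "fx_reval_q3.xlsx", "preparer": "c.lee", "reviewer": "c.lee",
     "preparer_signed": True, "reviewer_signed": True},   # self-review
    {"sheet": "bonus_q3.xlsx", "preparer": "d.kim", "reviewer": "e.ng",
     "preparer_signed": True, "reviewer_signed": False},  # reviewer never signed
    {"sheet": "rent_q3.xlsx", "preparer": "F.Ortiz", "reviewer": "f.ortiz",
     "preparer_signed": True, "reviewer_signed": True},   # same person, different case
]


def sod_exceptions(reviews):
    """Return (sheet, reason) for every record that fails G.2.3.

    Identities are normalised (whitespace stripped, case folded) before
    comparison; a naive string equality would pass 'F.Ortiz' vs 'f.ortiz'
    and so miss a self-review.
    """
    exceptions = []
    for r in reviews:
        preparer = r["preparer"].strip().casefold()
        reviewer = r["reviewer"].strip().casefold()
        if preparer == reviewer:
            exceptions.append((r["sheet"], "preparer and reviewer are the same person"))
        elif not (r["preparer_signed"] and r["reviewer_signed"]):
            exceptions.append((r["sheet"], "missing preparer or reviewer signature"))
    return exceptions


if __name__ == "__main__":
    for v in reconcile(RECON_DEPOSITS, SAP_POSTINGS):
        print("G.3.4 variance:", v)
    for sheet, why in sod_exceptions(SPREADSHEET_REVIEWS):
        print("G.2.3 exception:", sheet, why)
```

Two design points carry over to any real implementation. First, the reconciliation distinguishes a missing deposit, a duplicate posting and an amount mismatch instead of reporting a single net difference: a duplicate and an omission of equal value would otherwise cancel out and the month would appear to reconcile. Second, the segregation-of-duties check compares normalised user identities, because the matrix's requirement is that the reviewer is a different person, not a different string; in practice the comparison should be made on the ERP user id rather than on a typed name, and the script's own output should be retained as evidence in the same way the matrix retains the checklist and signatures.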