The Use of an ERP System to Facilitate Regulatory Compliance



This article reports the findings of a case study conducted in a multinational organization that aims to investigate how an enterprise resource planning system (ERP) can facilitate control over reporting processes and thus ensure compliance with regulatory requirements. The findings demonstrate how the use of an ERP to comply with financial regulation can impact organizational roles. In particular, IT managers must ensure that the ERP addresses regulatory requirements for internal control over financial reporting.
Information Systems Management, 30:182–197, 2013
Copyright © Taylor & Francis Group, LLC
ISSN: 1058-0530 print / 1934-8703 online
DOI: 10.1080/10580530.2013.794601
Julia Mundy*
Centre for Governance, Risk and Accountability
Business School
The University of Greenwich
Park Row Greenwich London SE10 9LS UK
[T] +44 20 8331 9695
Carys A. Owen**
*Corresponding Author
** ‘Omega’ is a pseudonym for the organization at which the study was conducted and at
which the second-named author is employed on a full-time basis
Author bios
Dr Julia Mundy is a principal lecturer in the Centre for Governance, Risk and Accountability
at the University of Greenwich. She received her PhD from the University of Melbourne. Her
research addresses various issues related to management control within organisations.
Carys Owen has a degree in Accounting in Financial Information Systems and is part-
qualified in CIMA. She is employed on a full-time basis at Omega as an Analyst responsible
for transactional processing, sales auditing and system process improvements, and
maintaining reconciliation software.
Keywords: ERP, regulation, compliance, internal control, financial reporting, Sarbanes-Oxley
Extended Abstract
This study explores how an enterprise resource planning system (ERP) can facilitate
compliance with regulatory requirements. An exploratory case study drawing on data
collected from one subsidiary of a large multinational organization was employed to
investigate how IT and accounting managers use a proprietary ERP to mitigate weaknesses
and thus ensure compliance with the Sarbanes-Oxley Act 2002 (SOX), legislation that is
designed to improve internal controls over financial reporting. The findings demonstrate how
managers can use an ERP to develop effective internal controls for the most common
material weaknesses reported under SOX, thus providing insights into the crucial role of IT
as a facilitator of control and reporting processes, and, more specifically, into the role, use
and purpose of ERPs in relation to regulatory compliance. While the study presents the
largely unproblematic use of an ERP for the purpose of complying with SOX, the nature and
demands of SOX can impact the role of both IT and accounting managers. In particular, IT
managers have a vital role to play in ensuring that accountants’ requirements in relation to
internal control over financial reporting are addressed through the ERP.
In the wake of several major accounting and corruption scandals that occurred throughout the
1990s, organizations are now increasingly required to demonstrate good corporate financial
governance through compliance with a range of financial legislation and regulation, such as
the Sarbanes-Oxley Act 2002 and International Financial Reporting Standards (Tryfonas &
Kearney, 2008; Worster, Weirich & Andera, 2011). The risk of large penalties for non-
compliance with these regulations (Rice, Weber & Wu, 2012; Zhang, 2007) suggests that
firms have a strong incentive to implement processes that can systematise and formalise the
collection and reporting of information in order to minimise errors and thus support
compliance efforts.
This study explores how an enterprise resource planning system (ERP) can be used by
managers to establish control over accounting and finance processes for compliance and
regulatory purposes. Although it is now a decade since the Sarbanes-Oxley Act of 2002
(SOX) was introduced, this legislation is used as the focus of the compliance issue for several
reasons. First, two central sections of SOX require senior managers to attest to the
effectiveness of the company’s internal control processes, thus providing an opportunity to
explore how firms use IT to secure compliance with accounting legislation (Krishnan &
Visvanathan, 2007; Rice et al., 2012). Second, there are potentially severe penalties for
companies who do not comply, or who are perceived by investors not to comply, with its
requirements (Rice et al., 2012; Zhang, 2007), indicating the criticality to organizations of
implementing systems that facilitate effective control processes. Third, ten years after its
implementation and despite the high penalties, there is evidence that some firms are not fully
disclosing their control weaknesses (Rice & Weber, 2012), thus highlighting the importance
of internal processes that reduce the potential for misreporting, whether due to lack of
managerial probity or competence. Fourth, the tools used by companies to comply with the
requirements of SOX are of interest to both academics and practitioners keen to understand
more about the role of IT in managing compliance with legislation.
Footnote: Penalties range from SEC sanctions, adverse market reactions, class action lawsuits, and management and
auditor turnover (Rice et al., 2012; Zhang, 2007).
The study aims to contribute to extant research in several ways. First, it addresses recent calls
in the literature for research at the interface between IT and accounting in order to understand
more about the crucial role of IT in supporting regulatory compliance (e.g., Arnold, Benford,
Canada & Sutton, 2011b; Kumar, Pollanen & Maheshwari, 2008). While IT has been long-
established as a means to automate and standardise a variety of business processes, little is
known about its use by managers to ensure compliance with legislation (Granlund, 2011;
Grant, Miller & Fatima, 2008; Mauldin & Ruchala, 1999; Tseu, 2005). Furthermore, by
employing a field study this study aims to investigate managers’ use of IT in a way that
avoids the over-simplified interpretations of practice that can be an outcome of survey-based
research (Granlund, 2011). Second, the study investigates how an ERP can enhance the
effectiveness of internal control processes (Granlund, 2011; Hyvönen, 2003; Mauldin &
Ruchala, 1999), thus contributing to a timely debate about the role, use, and purpose of ERPs
by addressing questions about their capacity to meet the requirements of legislative
compliance (e.g., Granlund, 2011; Worster et al., 2011). A range of IT solutions is available to
support accounting and finance processes, but the transaction-oriented nature of ERPs makes
them particularly appropriate to this task (Dechow & Mouritsen, 2005; Rom & Rohde, 2007).
ERPs also provide functionality for the audit of accounting processes (Tryfonas & Kearney,
2008) so are ideally suited for an investigation into the use of IT for managing compliance
and governance concerns. However, firms often fail to customise their ERPs to the specific
requirements of the business, instead implementing them in a standardised form according to
‘best practice’ or what has been provided by vendors (Tryfonas & Kearney, 2008). In this
way, managers can fail to exploit the extensive capabilities of ERPs, rendering them less
flexible and user-friendly with regard to reporting and analysis than they might be (Light,
Holland & Wills, 2001; Rom & Rohde, 2007). The study also raises questions about the
respective roles of IT and accounting managers in using IT to manage compliance issues,
thus contributing to a discussion about the practical consequences of ERPs on accounting and
finance processes (Granlund & Malmi, 2002).
The study reports the findings of an investigation into how one firm uses an ERP to facilitate
compliance with the Act’s requirements in relation to the use of internal controls over
financial reporting. The findings suggest that these IT systems can adequately support
compliance requirements. However, while the study presents a largely unproblematic picture
of the use of an ERP for this purpose, a number of other issues are raised, such as the role of
IT managers in relation to accounting staff and the possibility of conflicting uses of the ERP
for other business activities. The study therefore adds to existing knowledge of best
practices and models of ERP effectiveness in complying with legislation.
The next section discusses the relevant requirements of SOX, followed by an overview of the
main internal control weaknesses that occur in relation to financial reporting, and a
consideration of how the use of IT, and in particular, ERPs, can support managers in their
attempts to support compliance with SOX. The method section is then presented, followed by
the findings and discussion. The paper ends with some concluding comments.
In response to a number of high profile accounting scandals that adversely impacted public
trust in the US stock market, US Congress in 2002 passed the Sarbanes-Oxley Act (SOX)
(Arnold, Bedard, Phillips & Sutton, 2011a; Haworth & Pietron, 2006). SOX is a corporate
responsibility law, applicable to all firms registered with the Securities & Exchange
Commission (SEC), that aims to improve the quality of financial reporting. SOX seeks to
enhance the reliability and accuracy of financial reports by imposing requirements on internal
controls over financial reporting (Kumar et al., 2008; Mock, Sun, Srivastava & Vasarhelyi,
2009).
Compliance with SOX’s eleven sections requires senior managers and their independent
auditors to provide assurances in relation to the design, implementation, use, testing, and
evaluation of controls that relate to various aspects of financial reporting, including the
production of financial statements (Maurizio, Girolami & Jones, 2007). Executives must
assess internal controls in terms of risks of any material weaknesses that prevent the controls
from operating effectively to protect the firm’s assets. They are required to acknowledge
formally that they have reviewed the assurances and the financial statements and must attest
that no information has been omitted (Petra & Loukatos, 2009).
The two main sections of SOX that relate to internal control over financial reporting, and
which therefore form the focus of the current study, are sections 404 (SOX 404) and 302
(SOX 302). These sections are intended to ensure that companies establish and maintain
internal controls with the aim of enhancing corporate accountability, rebuilding shareholder
confidence, protecting the public from fraud, and restoring trust in the financial reporting
system (Haworth & Pietron, 2006).
SOX 404 requires executives and their auditors to confirm the effectiveness and adequacy of
the firm’s internal controls over financial reporting (Chang, Wu & Chang, 2008; Mock et al.,
2009). Its core requirement is an annual report detailing the internal controls in place and
assessing the effectiveness of these controls, including the identification of any flaws in the
control system (Arnold et al., 2011a). Specifically, companies are required to issue an
internal control report that includes the following: a statement of management’s
responsibility for establishing and maintaining adequate internal control over financial
reporting; management’s assessment of the effectiveness of the company’s internal control
over financial reporting; a statement identifying the framework used by management to
evaluate the effectiveness of the company’s internal control over financial reporting; and a
statement that the external auditor has issued an attestation report on management’s
assessment (Maurizio et al., 2007). The company’s independent auditor must then issue a
separate opinion, also publicly disclosed, that attests to management’s assertions with
regard to the effectiveness or weaknesses of the internal controls over financial reporting
(Stoel & Muhanna, 2011). The reports required under SOX 404 are intended to enable
investors to compare companies according to the reliability of their controls over the financial
reporting system (Arnold et al., 2011a).
The SEC’s requirements for SOX 302 focus on the integrity of financial reporting and
safeguarding of assets. Its core requirement is a quarterly report on any known or suspected
weaknesses or deficiencies in internal controls over financial reporting (Maurizio et al., 2007;
Mock et al., 2009). Certifications and sub-certifications should attest that the reports do not
include any misleading or untrue statements and that they present an honest representation of
the financial condition of the company (Brown & Nasuti, 2005). These declarations include
statements of accuracy of account balances and compliance with policies and procedures. A
list of all deficiencies in internal control and information on any fraudulent activities is also
required, together with any related factors that could have a negative effect on the use and
effective operation of controls.
Internal controls over financial reporting can be divided into two categories: non-IT and IT
controls (Stoel & Muhanna, 2011). Non-IT controls include general accounting internal
controls, such as those incorporating the processes, methodologies, and methods used to
account for financial transactions and the preparation of financial statements, as well as the
competence and reliability of senior management, and regulatory reporting compliance. IT
internal controls are concerned specifically with the IT systems, processes and infrastructure
that are used to capture, process and record raw transactional data of an accounting or
financial nature (Stoel & Muhanna, 2011).
Internal control problems are categorised by the Public Company Accounting Oversight
Board (PCAOB) into material weaknesses, significant deficiencies, or control deficiencies
(PCAOB, 2007). Publicly-listed firms are required under SOX 404 to disclose only material
weaknesses, considered to be the most serious category due to the potential risk of an
undetected material misstatement in the reported financial accounts (Arnold et al., 2011a;
Mock et al., 2009). A study conducted by Ge and McVay (2005) identified nine material
weaknesses that relate to SOX 302 as reported by a large sample of companies across a range
of industries:
1) Account specific: these relate to making inappropriate accounting adjustments, such as bad
debts and accounting for accruals. Potential weaknesses include inadequate classification of
fixed assets. Complex accounts, such as income tax and derivatives, are more likely to lead to
deficiencies in internal controls, although the majority of weaknesses affect the accounts
receivable, accounts payable and inventory accounts (Doyle, Ge & McVay, 2007; Ge &
McVay, 2005). Material weaknesses are also likely to arise when internal control processes
provide inadequate guidance on the appropriate application of accounting rules (Stoel &
Muhanna, 2011).
2) Period-end reporting: includes inadequate period end reporting processes; specifically, the
lack of control over new accounting principles, record keeping and controls relating to
authorization and review of transactions, together with inconsistent use of accounting policies
and a need for improved review of journal entries and file documentation (Ge & McVay,
2005). The vast majority of errors are likely to involve accounting documentation policies
and procedures, in particular those relating to revenue recognition, inventory and costs of
sales and financial statement errors (Grant et al., 2008). The number and/or size of year-end
adjustments are one indication of a potential material weakness in financial reporting (Stoel
& Muhanna, 2011).
3) Segregation of duties (SOD): for example, segregation between payroll and other
accounting employees. Segregation of duties is a significant factor related to efficient internal
control because integrated roles could lead to manipulation of financial statements (Foster,
Ornstein & Shastri, 2007). Terminating the access of ex-employees is essential as avoiding
SOD disagreements is a major concern for SOX auditors, particularly in high-risk companies
such as multinational organizations where there are large numbers of employees and systems
access must be continually monitored and reviewed (Doyle et al., 2007).
4) Training: lack of financial reporting expertise, including an absence of appropriate
technical skills among staff, is a key reason for accounting errors and misstatements (Foster
et al., 2007; Ge & McVay, 2005; Stoel & Muhanna, 2011). Unqualified staff can result in a
failure to identify and solve accounting problems as well as a failure to perform effective
reviews. Auditing and accounting staff must be adequately trained in the use of any
information technology that is used to manage accounting processes (Chang et al., 2008).
5) Revenue recognition: relates to the design and review of revenue-recognition policies and
contracting policies.
6) Account reconciliation: relates to issues with accounting reconciliations and review
procedures, as well as weaknesses in determining procedures associated with accruals and
7) Subsidiary specific: relates to the timely completion of statutory filings in foreign
countries as well as inconsistencies in the application of company policies among business
units and segments.
8) Senior management: generally associated with a part-time CFO or ineffective control
9) Technology: this concerns the security of systems used for the entry and maintenance of
accounting records. As financial reporting data in publicly listed firms is inevitably stored in
computer-based systems, the controls are incorporated into each firm’s IT processes
(Haworth & Pietron, 2006). Wider access must be restricted to those whose duties require
access in order to prevent fraud (Chang et al., 2008). Potential systemic weaknesses include
inadequate programme controls and lack of oversight over access (Stoel & Muhanna, 2011).
Common IT control flaws include insufficient review of audit trails, inadequate segregation
of duties over applications, excessive access to systems and databases and lack of access
controls, failure to cease old accounts and set up new ones, and unhurried review of
transactions to identify irregular journal entries (Tseu, 2005). IT controls have a significant
impact on financial reporting, with accounting errors occurring at a greater rate in companies
that report IT deficiencies (Grant et al., 2008). Firms that report IT internal control
weaknesses are also more likely to report worse financial performance than firms that do not
report internal control weaknesses (Stoel & Muhanna, 2011). Firms with experienced IT
managers, with a Chief Information Officer, and with a higher percentage of independent
board directors are less likely to report IT material weaknesses (Li, Lim & Wang, 2007).
Weaknesses relating to company-level aspects, such as IT, training, and senior management,
tend to be more serious than other types of weaknesses because they are systemic in nature
and more difficult to audit (Doyle et al., 2007). They also have a high association with
company failure so are reasonably rare among publicly-listed organizations; instead, the vast
majority of weaknesses are related to the specificities of the accounting and finance processes
(Doyle et al., 2007; Ge & McVay, 2005). Among these, period-end adjustments or processes
represent a significant problem for many organizations (Huang, 2009).
The scale and scope of potential weaknesses to which a firm may be subject points to the
benefits of an automated system that can provide senior executives with the assurances
required to attest to the effectiveness of a firm’s internal controls. The following section
discusses the use of IT in facilitating compliance with SOX.
Effective governance, risk and compliance processes require knowledge of the regulatory
standards, the available data, and the processes that provide the data (Worster et al., 2011).
There is little formal guidance available to managers on how to ensure the effectiveness of
their internal controls over financial reporting (Grant et al., 2008). However, the PCAOB has
introduced auditing standards aimed at ensuring effective audits in relation to SOX 302 and
404. These standards identify the processes and procedures, whether manual or automated,
that should be audited in order to evaluate the effectiveness of internal controls over financial
reporting. In particular, Auditing Standard number 5 (Audit of Internal Control over Financial
Reporting) requires auditors to assess management’s evaluation of the effectiveness of the
information systems and accounting records used to initiate, authorise, process, record, and
report transactions (PCAOB, 2007). The same standard also requires auditors to assess the
processes in place to manage specific risks to a company’s internal control over financial
reporting, such as those arising from the reliance on systems using inaccurate data or
inaccurately processing data, or from unauthorised access to data that might lead to
unauthorised changes or loss of data. Auditing Standard number 12 (Identifying and
Assessing Risks of Material Misstatement) requires auditors to assess managers’ evaluation
of the extent to which controls are subject to human intervention or are automated: “an
automated control would generally be expected to be lower risk if relevant information
technology general controls are effective.” (PCAOB, 2007).
Although senior executives are not subject to the auditing standards issued by the PCAOB,
their independent auditors are. The substantive nature of these requirements, and the range
and level of potential penalties associated with non-compliance (Rice et al., 2012; Zhang,
2007), suggest that senior managers and their organizations have strong incentives to employ
a sophisticated technology that can facilitate efficient, effective, and reliable control over
financial reporting processes. Such technologies can in turn expedite the audit process, thus
increasing the likelihood that the auditors will approve the financial statements.
SOX does not require companies to implement IT in order to manage their internal control
processes. However, since most financial transactions involve IT systems, PCAOB Auditing
Standard no. 5 requires that the controls over IT processes should be examined (PCAOB,
2007). Controls are required to ensure that IT provides managers with the necessary
assurance to attest to the regulators the effectiveness of their internal controls.
In order to ensure full compliance with SOX, firms must develop and maintain systems that
produce reliable data and that facilitate self-audit and testing on a continual basis
(Damianides, 2005; Maurizio et al., 2007). The SEC advises a top-down process to
implementing financial reporting controls, and recommends, but does not mandate, the use of
automated processes in order to minimise errors and therefore improve the timeliness of
internal control processes (Grant et al., 2008; Petra & Loukatos, 2009).
Compliance with SOX requires full integration between systems that may exist in different
parts of the business. Regulation has become an increasingly important factor in firms’
decisions to implement new technology that can support compliance activities, such as the
disclosure of information, self-audits, and processes for self-testing on a continual basis
(Hyvönen, 2003; Granlund, 2011). However, the evidence suggests that this is not easy for
firms to achieve. Many firms, including large companies, supplement their formal IT systems
with simple data interfaces, such as Excel spreadsheets that are under the manual control of
individual employees (Maurizio et al., 2007). Furthermore, when the system does not fully
reflect the organization’s underlying activities and processes, then employees may
circumvent authorised procedures by creating their own solutions (Dechow & Mouritsen,
2005). Firm-specific issues such as legacy systems, the unique determinants of internal
control weaknesses, and aspects such as company norms and employee skills, also impact the
ability of companies to develop effective internal control processes over financial reporting
(Doyle et al., 2007; Kumar et al., 2008; Maurizio et al., 2007).
Only 3 years after the introduction of SOX, 90% of firms responding to a survey by
PricewaterhouseCoopers claimed that their company made effective or satisfactory use of IT
to comply with SOX 404 (Williams, 2005). A variety of IT solutions, such as neural
networks, intelligence systems, corporate computing, data warehouses, executive portals,
strategic enterprise management (SEM) suites, and best of breed (BOB) systems all provide
elements that can support a firm’s internal controls (Granlund, 2011; Rom & Rohde 2007).
Eighty per cent of the Fortune 500 were reported in 2005 to have an ERP (Nasuti & Brown,
2005), suggesting that, from the earliest days of SOX, this specific IT solution has had a role
in supporting a firm’s control environment. These systems, already an established means of
managing accounting and finance transactions, came to prominence during the 1990s as a
solution to company-wide problems, such as Y2K concerns and the introduction of the Euro,
and thus proved a popular choice for firms aiming to improve the controls over their financial
processes (Hyvönen, 2003). The next section explores how ERPs can facilitate the control
over accounting and finance processes.
An ERP is a strategic information system that integrates real-time data and processes of an
organization into one system accessible by managers from different parts of the businesses
(Chang et al., 2008; Dechow & Mouritsen, 2005). It consists of a real-time database that
needs only one single entry of data to be input in order for the information to be seen by any
department in the business that has access to the system. It automates business processes by
incorporating data from a range of functions including manufacturing, supply chain
management, human resources, financials and customer relationship management (Spathis,
2006). The integration of processes within a company and data sharing among employees
aims to allow flexible strategic decision-making and provide timely and accurate information
that is particularly relevant to the quality of accounting and financial processes (Chang et al.,
2008; Kumar et al., 2008; O’Brien & Marakas, 2006).
The strict requirements for record keeping and the capacity to drill down to transaction-level
detail required under SOX suggest that ERP systems can be beneficial in facilitating
compliance. ERPs help firms to comply with SOX by automating business processes, most
critically those associated with financial reporting (Maurizio et al., 2007). ERPs are not only
useful but can be critical in establishing processes that facilitate the collection, analysis, and
reporting of information required by SOX (Brown & Nasuti, 2005; Kumar et al., 2008). For
example, they can be designed to minimise or eliminate human access to data where such
access can potentially corrupt data or otherwise lead to errors that will hinder compliance.
They can also ensure data integrity through processes, such as validation steps, that produce
consistent and reconcilable data (Maurizio et al., 2007).
Prior research into the use of ERPs has demonstrated how they can enhance the efficiency,
accuracy, and reliability of reporting processes (Hyvönen, 2003). Their use increases the
flexibility of information provision and produces financial statements that are more reliable
and relevant (Spathis & Constandinides, 2004). They are a useful means to organise, monitor,
and control the processes that provide information against which compliance is tracked, and
they can facilitate the creation of different types of financial reports (Worster et al., 2011). An
ERP system can thus aid significantly in the timeliness of the complex and lengthy processes
involving SOX compliance (Mock et al., 2009).
ERPs are unlikely to meet the SOX 302 and 404 requirements without modifications based
on the unique idiosyncrasies of each company (Kumar et al., 2008). For example, segregation
of duties is one area that is likely to require clarification under a SOX regime. Staff
responsibilities must be divided so that no one employee is responsible for an associated set
of duties or transactions. Consequently, employers will need to authorise systems access for
employees, in turn leading to questions about appropriate levels of systems security (Kumar
et al., 2008). Firms must also ascertain a satisfactory level of password control for users so
that flexibility and ease of use are balanced against a potential loss of systems security.
An ERP system that is used to facilitate compliance with SOX is subject itself to the SOX
process. This is because the definition of internal control over financial reporting as required
under SOX includes any policies and procedures used to record and maintain financial data
and records (Stoel & Muhanna, 2011). In order to comply with SOX, ERP systems must
themselves be continuously monitored and evaluated to ensure that controls are updated as
required. For example, systems used by staff must be monitored and access withdrawn when
it is no longer required. Recent studies indicate that companies may inappropriately copy an
existing account instead of creating a new one to reflect the job requirements of the new user
(e.g., Kumar et al., 2008). This potentially increases the number of users with inappropriate
access, thus compromising a firm’s internal control procedures.
Prior studies indicate some potential problems in the use of an ERP for supporting
compliance with financial regulations. ERPs are not easily able to cope with major changes in
organizational structure, e.g., a new legal or business entity (Granlund, 2011). This means that
they are not necessarily the least risky or cost-effective solution for a user-friendly and
flexible approach to reporting and control (Hyvönen, 2003; Light et al., 2001; Rom & Rohde,
2007). Problems can develop either when managers implement their own solutions or when
‘best practice’ is dictated rather than incorporating managers’ preferred choices (Quattrone &
Hopper, 2001).
Against this backdrop, the aim of the current paper is to explore how managers use one
particular type of IT, namely an ERP, to manage accounting and finance processes required
for compliance and regulatory purposes. The following section presents the research design
employed in the current study in order to address this research question.
Recent studies have called for more in-depth research in order to enhance our understanding
of the role of ERP systems in complying with the requirements of SOX (e.g., Arnold et al.,
2011a; Kumar et al., 2008). Consequently, an exploratory case study was employed in the
current study in order to use a natural setting to obtain greater insights into the topic of
interest (Hair, Money & Samouel, 2003; Yin, 2003).
The case study was conducted at the UK subsidiary of Omega, a multinational organization
in the entertainment industry. Omega is an appropriate research site for several reasons. It
implemented an ERP some years prior to the introduction of SOX. The ERP was therefore an
established part of Omega’s processes, thus permitting an investigation into how the
managers use the ERP to deal with the subsequent requirements of SOX. The ERP in use
within Omega is SAP, one of the main proprietary ERPs currently available. Responsibility
for managing SAP belongs to the International Sustainment Team, which comprises a
number of IT experts. The primary users of SAP are in a separate group called Shared
Accounting Services, who also have responsibility for SOX compliance. Furthermore,
Omega has several firm characteristics - the presence of a Chief Information Officer, a high
proportion of independent board members, and large size - that reduce the likelihood of IT
material weaknesses (Li et al., 2007). These factors suggested that Omega presents an ideal
opportunity to explore how managers use an ERP system for the purposes of complying with
the requirements of SOX.
Footnote: The name of the organization has been changed for reasons of confidentiality.
Data were collected from a range of sources. Semi-structured interviews were conducted with
a number of relevant managers in order to obtain insights and depth into the phenomenon of
interest in this study (Bryman & Bell, 2007). A semi-structured interview guide was used to
ensure that all relevant themes were covered in each interview and to help minimise the
potential for interviewer-induced bias (Minichiello, Aroni, Timewell & Alexander, 1995).
The protocol for this guide is shown in Appendix A. The focus of the interviews was on the
use of the ERP for internal control over financial reporting. Open ended questions were used
to enable deeper exploration into initial responses, to gain a thorough answer and
perspectives of the interviewee, and to uncover issues that the researcher had not previously
considered (Bryman & Bell, 2007). The interviews were captured and recorded on a digital
voice recorder, and data were transcribed verbatim and in full (McCracken, 1988). The
participants were subsequently offered the opportunity to read and comment on the
Due to the nature of the study, appropriate participants were not readily identifiable prior to
data collection. The snowball technique, or referral sample, was therefore used, in which
interviewees were invited to recommend other participants who possess useful knowledge
regarding the topic area (Cooper & Schindler, 2006; Hair et al., 2003). Accounting tasks are
no longer the preserve of accounting and research should therefore be expanded to include
those, such as IS managers, who are also involved in accounting processes (Granlund &
Malmi, 2002; Rom & Rohde, 2007; Scapens & Jazayeri, 2003). Following Kumar et al.
(2008), the first interview was therefore with a senior systems manager in order to gain initial
insights and an overall view. He provided referrals to a systems manager and senior process
analyst, both of whom interact with the ERP via its accounting and finance processes on a
daily basis. A separate stream of interviews was organised through a senior accounting
manager within the Shared Accounting Services Department. The senior accounting manager
has direct contact with the SOX auditors. Again, a snowball sample was used to give a
sample of people who possessed the necessary knowledge to contribute to the study. The
senior accounting manager provided referrals to other accountants. Excluding several new
recruits who had been in place in either of the teams for less than two months, a number of
other potential interviewees were also approached but they subsequently cancelled on a
number of occasions. Although the use of snowball sampling introduces the potential for bias
because participants are more likely to recommend other participants who are similar or who
share similar views (Zikmund, 2003), further attempts to identify other participants delivered
the same group of names as had already been identified as being the in-house experts in the
ERP and its use for SOX compliance. In total ten people were interviewed for an average of
one hour each (Appendix B), each of whom had daily involvement with the accounting and
finance processes, either from an accounting or an IT perspective. An organizational structure
of the two units in which the interviewees worked is shown in Appendix C. The study is
therefore based on a small sample but one that contains an informed group of managers
within the target population.
In addition to the data collected via interviews, one of the senior accountants provided some
sample reports prepared for the SOX auditors that detailed areas of risk in several business
units and the controls and procedures in place to deal with these risks (see Appendix D for a
sample of the data). This provided useful evidence of the types of reports generated by
Omega’s ERP that indicate the types of internal controls implemented in order to facilitate
compliance with SOX. Although the focus of the current study is on the use of an ERP to
facilitate compliance with SOX rather than on the auditing process as conducted by the
independent auditors, this report was used alongside the interviews to identify other areas for
discussion and to clarify the information provided by the participants. The researchers were
not given access to the full set of internal reports, so the data contained in the sample reports
were used to explore how the ERP was used to implement the controls. The advantage of
using documentation analysis is that it can be used without intruding on the participants and
can be re-checked to ensure reliability (Hair et al., 2003). This facilitates triangulation of data
by providing an alternative perspective on the topic under investigation. However,
researchers can arrive at false conclusions if they lack sufficient understanding or if data is
drawn from poor quality sources that affect the credibility and authenticity of the content
(Bryman & Bell, 2007). This risk was mitigated in the current study by the knowledge of one
of the researchers who was employed in a part-time capacity at Omega.
Other secondary data were collected from publicly disclosed annual documents that show that
Omega’s senior management have consistently reported their satisfaction with the
effectiveness of the company’s internal control over financial reporting, and that their
independent auditors have attested to this on the basis of their audit. This provided further
evidence of the effectiveness of the ERP in use at Omega, allowing the investigation to focus
on managers’ use of the system to ensure compliance with SOX.
Analysis of the data began with a search for underlying themes (Miles & Huberman, 1994).
An initial list of themes was established from the framework used for the interview guide;
however, further analysis revealed that participants’ discussions focused predominantly
on areas in which there was perceived to be the highest potential for material weaknesses in
internal controls over financial reporting at Omega. These areas were identified as controls
over the segregation of duties, controls over period-end reporting processes, account-specific
processes, and account reconciliation. These then formed the themes for the coding process. All the data
were then independently coded by the researchers against each of these themes and any
differences in coding were discussed until a consensus was reached. Due to the broad scope
of the coding, very few differences arose and these were readily resolved by referring back to
the definitions outlined in earlier sections of this paper. The quotes provided in the following
section are merely representative comments taken from the data. However, they were
combined with several additional related comments in coming up with the overall themes.
The findings reported in this paper thus represent a summarised output of analysis conducted
on the data collected (O’Dwyer, 2003). The next section presents the findings in relation to
the themes developed during this process.
Internal controls over segregation of duties (SOD)
Several interviewees from the Sustainment Team, as well as from Shared Accounting
Services, discussed their use of SAP to ensure a clear segregation of duties according to
SOX. For example, one manager reported:
“[We use] SAP to restrict access and to control the job roles
assigned to each employee.”
[Senior Sustainment Manager]
SAP’s functionality is therefore used to ensure that there are no violations in the control over
SOD. In addition, the Senior Finance Process Analyst noted that SAP allows the protection of
confidential data, such as human resources master data. This area of SAP requires special
access into the system, known as data level access, which limits an employee’s ability to
access parts of the system relating to transactions, company codes, profit centres and business
areas. He also revealed that:
“During the governance process for requesting new job roles, any request will be checked
thoroughly for SOD violations. If the request contains violations, these will have to be
explained and approved by multiple instances.”
[Senior Finance Process Analyst]
Omega’s processes also mitigate concerns about controls for SOD over software programs
that are associated with access to account and financial reporting records. One analyst
reported that SAP is used to continually monitor access to systems and databases. For
example, there are different logon policies for different user groups, such as employees and
customers, and different authorisation policies depending on the type and level of access
required. There are also controls for maintaining and changing passwords, such as a periodic
password reset. Employees are expressly forbidden from sharing their passwords with anyone
else, either internal or external to the company.
Access to transaction codes in the system that an employee needs in order to fulfil duties described in their job
Periodic reviews are undertaken to ensure that access to particular data is still required, e.g., by
asking managers to verify the names and access of staff in their departments. This provides a
check over employees who have moved within Omega and whose access to particular
systems may need to be changed or terminated. Finally, Omega’s SAP is linked to its HR
systems, which enables the IT managers to terminate the accounts of ex-employees or
ex-vendors. This is further backed up by a periodic check on accounts that have not been
accessed for a specified period of time.
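The access controls described in this section (the SOD check on new job-role requests, the link to HR records for terminating accounts, and the periodic check for unused accounts) can be illustrated with a short script. This is an added example, not code from the paper, from Omega or from SAP: the role names, the conflict matrix, the 90-day threshold and all records are constructed assumptions.

```python
"""Periodic ERP access review (constructed example; not SAP code or Omega data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed conflict matrix: pairs of duties that one user should not hold together.
SOD_CONFLICTS = {
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),
    frozenset({"JOURNAL_POST", "JOURNAL_APPROVE"}),
    frozenset({"PO_CREATE", "GOODS_RECEIPT"}),
}

# Assumed threshold; the text says only "a specified period of time".
DORMANT_AFTER = timedelta(days=90)


@dataclass
class ErpAccount:
    user_id: str
    roles: set
    last_logon: Optional[date]  # None means the account has never been used
    locked: bool = False


def sod_conflicts(roles):
    """Return the conflicting role pairs contained in `roles`, sorted."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def check_role_request(account, requested_roles):
    """Pre-approval check: conflicts that granting the request would newly create."""
    before = set(sod_conflicts(account.roles))
    after = set(sod_conflicts(account.roles | set(requested_roles)))
    return sorted(after - before)


def review_access(accounts, hr_status, today):
    """Return (user_id, kind, detail) findings for every unlocked account."""
    findings = []
    for acct in accounts:
        if acct.locked:
            continue  # already disabled, nothing left to revoke
        status = hr_status.get(acct.user_id)
        if status is None:
            findings.append((acct.user_id, "no_hr_record", "no matching HR record"))
        elif status != "active":
            findings.append((acct.user_id, "orphaned", f"HR status is {status}"))
        if acct.last_logon is None:
            findings.append((acct.user_id, "dormant", "never logged on"))
        elif today - acct.last_logon > DORMANT_AFTER:
            findings.append(
                (acct.user_id, "dormant", f"last logon {acct.last_logon.isoformat()}")
            )
        for first, second in sod_conflicts(acct.roles):
            findings.append((acct.user_id, "sod_conflict", f"{first} + {second}"))
    return findings


# Constructed sample data. The review date is fixed so the result is reproducible.
TODAY = date(2024, 6, 30)
ACCOUNTS = [
    ErpAccount("asmith", {"JOURNAL_POST", "REPORT_VIEW"}, date(2024, 6, 28)),
    ErpAccount("bjones", {"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}, date(2024, 6, 25)),
    ErpAccount("cwu", {"PO_CREATE"}, date(2024, 1, 15)),
    ErpAccount("dlee", {"REPORT_VIEW"}, date(2024, 6, 20)),
    ErpAccount("vendor42", {"REPORT_VIEW"}, None),
    ErpAccount("eold", {"JOURNAL_POST", "JOURNAL_APPROVE"}, date(2023, 1, 1), locked=True),
]
HR_STATUS = {
    "asmith": "active",
    "bjones": "active",
    "cwu": "active",
    "dlee": "terminated",
    "eold": "terminated",
}

if __name__ == "__main__":
    for user_id, kind, detail in review_access(ACCOUNTS, HR_STATUS, TODAY):
        print(f"{user_id:10} {kind:14} {detail}")
    # A request that would give a journal poster the approval role as well.
    print(check_role_request(ACCOUNTS[0], {"JOURNAL_APPROVE"}))
```

Running the review on a schedule and routing each finding to the account owner's manager corresponds to the periodic verification by managers that the interviewees describe.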
Internal controls over period-end reporting/closing processes
Omega’s accounting staff use various functionalities within SAP to manage and enhance the
period end reporting process. Period end reporting includes record keeping and controls
relating to authorisation and review of transactions. One of the Accounting Managers stated
that SAP’s integrated reporting allows Omega’s managers to report easily on all transactions
across various products and lines of business. He reported that this feature was flexible
enough to create reports to meet specific reporting requirements, and that they used it to
review transactions through a report specifically designed to meet the SOX auditor’s
In terms of authorisation and review of transactions, potential weaknesses relating to
standards for review of journal entries and related file documentation are carefully managed
through the use of the ERP system. A senior accountant reported that:
“SAP allows various types of automated workflow such as high volume journals and POs
[purchase orders]. This ensures the necessary approvals…[if an accountant] posts a journal
of over $1m, this can only be ‘parked’, it then workflows to their manager to be released.”
[Senior Accountant 2]
This ensures that specific transactions are reviewed by the appropriate senior level and that
all transactions are continually reviewed to identify improper journal entries. The Senior
Finance Process Analyst also mentioned that they use SAP in a similar way to issue travel
and expenses approvals and also for the backup of claims. The Senior Finance Process
Analyst explained that, while SAP has not yet been customised for the upload of
documentation of all journals:
“SAP allows us to access historic data, archives, archive data and keep it permanently”.
[Senior Finance Process Analyst]
This allows sufficient review of audit trails, which reduces the risk of one potential area of
weakness. Outstanding issues during the period-end reporting process are easily managed via
SAP’s automated processes:
“Once a month a list is automatically sent to us with transactions that have not been
processed so end-users must delete or process these… We - Sustainment - can control posting
periods in which a document is posted…centrally control access to posting periods to ensure
they are reflected in correct periods…and also ensure that there are no remaining unposted
entries at the end of each period”.
[Senior Sustainment Manager]
Omega has customised its use of SAP to facilitate interface with other systems, which is
particularly crucial at the period end closing process. Accuracy and completeness are high
priorities under SOX so interfaces with Omega’s various bank accounts and with supplier
accounts are essential to creating a true picture of Omega’s financial records:
“The bank sends data which SAP processes. So there are automatic postings of bank
transactions to make sure the cash control account is complete.”
[Senior Accountant 3]
“When a vendor is created in SAP, it is interfaced into a front of house system to ensure the
two are in line”.
[Sustainment Manager]
In addition, Senior Accountant 2 mentioned that the flexibility of SAP in providing data in
different formats, for example, in word processing documents or spreadsheets, allows
managers to use the data in a format that is most appropriate for the particular reporting
requirement that they are attempting to fulfil. For example, sometimes data is presented in
Excel tables and includes various calculations, while on other occasions it is used in
document form.
Internal controls over account specific processes
Several of the accountants noted internal controls over account specific processes as a critical
area of concern for their auditors. An important aspect of Omega’s use of SAP is therefore to
provide the controls that ensure adequate capture of transactions in terms of completeness of
the entries recorded. One accountant pointed out the facility to specify particular settings for
different accounts, for example:
“The account may require data in certain fields, such as specifying a ‘Trading Partner’, or
‘Cost Centre’, or specific tax settings, for example, whether the entry requires input or output
[Senior Accountant 1]
These accounts are configured so that all entries must contain the necessary information and
will not permit posting unless they are complete. This ensures completeness and stops any
invalid entries being recorded in the system. However, a useful facility in SAP allows
managers to circumvent the need for every end-user to have a detailed understanding of
Omega’s Chart of Accounts while still ensuring accuracy of journal entry:
“It allows non-finance and accounting users to create financial entries without having to
have detailed finance and accounting knowledge. Casual buyers, for example, don’t know
which GL [general ledger] to use. So when a casual buyer enters the shopping cart, they
select ‘commodity codes’ which are linked to GL…This is similar to T&E claims; when the
employee enters their claim the entry defaults to the T&E account”.
[Senior Finance Process Analyst]
Account Reconciliation
The accountants reported that account reconciliation is another important area for the SOX
auditors. The Senior Accountants and the Accounting Manager remarked on the usefulness of
SAP’s Account Reconciliation Tool to ensure that accounts are properly reviewed for
The tool [allows us] to ensure that account reconciliations are reviewed, approved and
leaves a proper audit trail for these steps…[T]he backup to the reconciliations is stored
[Senior Accountant 2]
There are also recognised procedures for monitoring balances. A particular tool in SAP
…the segment and managers in the US [to] review accounts as an additional measure”.
[Accounting Manager 1]
Thus managers in the US headquarters have centralised access and additional controls over
those operating in the local systems in the UK subsidiary. Omega uses this as evidence of its
control over review procedures as well as providing a process for monitoring account
balances. SAP is customised by Omega’s managers to ensure that accounts are reviewed by
the appropriate level of management.
The sample reports provided by one of the senior accountants detail the key areas of concern
for the SOX auditors and the types of control to which these concerns are related. For
example, they indicate that, for sales and inventory, the SOX auditors are particularly interested
in the accuracy and completeness of accounts. These reports have been developed over time
in line with the independent auditors, and help them to anticipate those areas that the SOX
auditors are most likely to test. The sample data provided in Appendix D gives detailed
information on the internal controls, associated risks, frequency of checking for certain
transactions and journal entries, and also named individuals responsible for each process,
control, and testing (these have been removed in the sample shown in Appendix D). It can be
seen that these generally fall into the four main categories discussed above.
Table 1 below provides a summary of Omega’s use of SAP to ensure compliance with SOX.
[Insert Table 1 here]
In summary, Omega uses its ERP system in a number of ways to establish and maintain
internal control processes over financial reporting. The ERP system is used to facilitate the
segregation of duties with controls that restrict access and management of job roles for each
employee. It also eases the closing process at period end through the creation of customised
reports. Managers are able to review transactions with regard to journals, purchase orders and
travel and expense claims. File documentation is kept in the system for backup, although the
findings from the case study indicated this is not yet possible for journal transactions. The
Sustainment Team controls posting periods in order to reflect transactions in the correct
period, while the accountants make use of interfaces with banks and vendors to keep the cash
control account up to date and complete. There are controls to ensure adequate and complete
capture of transactions and an account reconciliation tool which is used to allow easy review
and management of accounts.
The findings from the current study provide evidence of Omega’s use of its ERP system to
ensure compliance with the requirements of SOX.
The case discussed in this paper presents a largely effective picture of the use of an ERP
system in the subsidiary of one multinational organization in relation to internal control over
reporting in order to comply with SOX. Omega’s ERP is set up and used to facilitate
compliance with SOX, and no major issues or concerns with the use of SAP for this purpose
were reported. This is confirmed by Omega’s publicly available reports and accounts, which
include the attestations by senior executives of effective internal controls. In line with prior
research (e.g., Ge & McVay, 2005), the findings indicate that account-specific and period-end
reconciliations are critical areas of concern for Omega’s SOX auditors. The findings suggest
that Omega’s use of an ERP system helps to prevent common weaknesses such as the non-
termination of old user accounts. Working closely with the independent auditors also helps to
facilitate the audit process. While the data might reflect participants’ views of the way SAP is
supposed to work rather than actual practice, the publicly disclosed reports support the
impression given by the participants that Omega’s use of IT to manage internal controls over
financial reporting is effective.
Although the investigation into Omega’s use of an ERP to facilitate compliance with SOX
did not highlight any problems, there are several underlying issues that warrant further
First, those working with SAP directly, specifically, the Senior Finance Process Analyst, the
Sustainment Manager and the Senior Sustainment Manager, were less knowledgeable than
the accountants about SOX and struggled to understand which elements of the ERP could be
associated with the SOX requirements on internal control over financial reporting. In
contrast, the accountants were able to draw on their experiences as end-users of SAP and
relate these to their knowledge of SOX audits. This indicates that accountants play a crucial
role in ensuring that IT is able to meet both internal and external requirements. Consistent
with prior studies (e.g., Caglio, 2003), the findings indicate that the use of an ERP has the
potential to remove certain practices and forms of knowledge from specific job positions, in
this case, the IT managers, and instead embed it in the system. This, in turn, can expand the
areas of knowledge possessed by the accountants into the realms of the IT experts, with
concomitant implications for the role of IT experts and the training of accountants within
organizations that are using or seeking to implement ERP systems (Caglio, 2003). In contrast
to the findings from previous studies (e.g., Dechow & Mouritsen, 2005; Scapens & Jazayeri,
2003), there was little evidence in the current study of IT managers taking over the role of the
Second, the focus on a very specific use of an ERP has excluded an investigation into
alternative uses of an ERP that may conflict with its use as a tool for complying with SOX.
Whereas prior studies (e.g., Granlund & Malmi, 2002) found that companies have faced problems
in attempting to fit an ERP to their existing practices, the current study did not raise any such
concerns. It is not clear to what extent the SOX requirements are privileged over other
organizational issues and processes, although Omega’s ERP has been in use for some years
prior to the introduction of SOX. However, ERP systems are likely to have a limited impact
on other critical internal processes, such as those concerned with management accounting
(Scapens & Jazayeri, 2003).
Third, by using an ERP system to manage its internal control processes over financial
reporting Omega may benefit from the credibility accorded to such systems (Arnold et al.,
2011a), and the prescriptive ‘one-size fits all’ approach promoted by their respective
manufacturers (Clemmons & Simon, 2001; Granlund, 2011). Under SOX, companies are
encouraged to use automated processes to facilitate compliance with the requirements of the
Act. The use of SAP, a market leader in ERP systems, may increase the confidence of the
SOX auditors in Omega’s IT processes (Chan, Lee & Seow, 2008). As has been suggested in
prior research (e.g., Dillard et al., 2005; Worster et al., 2011), by using a system that is also in
use in many other large companies, Omega is able implicitly to abdicate some of its
responsibility for the IT aspects of internal control over financial reporting to the
manufacturer of its ERP, namely, SAP.
The aim of this study was to explore how one organization uses its ERP system to facilitate
compliance with SOX, specifically, those aspects concerned with internal control over
financial reporting. Prior studies have found that material weaknesses in internal control have
been reported against the segregation of duties, period end reporting, account specific
processes and account reconciliation (Ge & McVay, 2005; Foster et al., 2007), potentially
resulting in severe penalties. How managers use an ERP system to mitigate these weaknesses
is therefore of interest to both researchers and practitioners.
In line with calls in the literature for more in-depth research into the relation between the use
of ERP systems and regulatory compliance (Arnold et al., 2011b; Kumar et al., 2008), the
current study employed a case study method to explore the issues arising in one organization
that uses an ERP to facilitate compliance with SOX. The findings demonstrate how an ERP
system, such as SAP, can help with the significant issues of segregation of duties, period-end
reporting, account-specific processes and account reconciliation that are demanded under compliance
with SOX 302 and 404. Such findings provide insights into the critical role of IT as a
facilitator of control and reporting processes, an area of increasing importance due to
concerns over the internal governance of financial management. They also shed light on the
role, use, and purpose of one particular type of IT, an ERP, in relation to regulatory
The findings also enhance knowledge of the practical consequences of ERPs on accounting
and finance processes by demonstrating how the nature of and demands of SOX can impact
the respective roles of IT and accounting professionals in using IT to manage compliance
issues. While both accountants and external providers of ERP systems have expert
knowledge of SOX and its requirements, IT managers have a vital role to play in ensuring
that accountants’ company-specific requests in relation to internal control over financial
reporting are addressed through the ERP system. In this sense, they are also an important
conduit between the firm and its ERP vendors, who may otherwise seek to install
standardised versions that are not easily modifiable to the firm’s specific requirements.
The findings from the study indicate several areas for further research. First, Omega’s ERP is
set up and used in such a way as to ensure compliance with SOX. ERPs are not easily modified
or adapted to organizational preferences (Granlund, 2011; Dechow & Mouritsen, 2005), so
further research could be conducted on a longitudinal basis to establish the extent to which
other externalities impact on the use of an ERP for the purposes of regulatory compliance (cf.
Arnold et al., 2011b). Furthermore, the study could be replicated in companies of various sizes
and across a range of industries to investigate whether the different uses of an ERP system
lead to different internal procedures and controls. In addition, further research could compare
different proprietary brands of ERP systems in order to ascertain whether there are any
differences in their uses for the purpose of compliance with SOX.
Finally, this paper presents a case study of largely successful use of an ERP system to
facilitate compliance with SOX. This contrasts with those studies exploring the
implementation of new systems. As such, the current study can be regarded as an ‘impact
study’ (Scapens & Jazayeri, 2003), in which the outcome is an indication of the challenges
and opportunities presented by a particular situation. The case study reported in this paper
aims to provide a credible and plausible account of how one firm uses SAP to ensure that it
fulfils its requirements with regard to SOX 404 and 302. However, several limitations exist.
In common with other case studies, the study is subject to the usual limitations of
subjectiveness, non-representativeness and non-systematic design (Bryman & Bell, 2007;
Cooper & Schindler, 2006). As far as possible, these concerns were mitigated through a
systematic approach to data collection and analysis.
In summary, this study has sought to enhance knowledge of the use of IT for compliance with
new legislation. It is hoped that the findings will motivate further research in this important
area at the interface of IT, accounting, business processes, and financial regulation.
Arnold, V., Bedard, J.C., Phillips, J.R., & Sutton, S.G. (2011a). Do Section 404
Disclosures Affect Investors' Perceptions of Information Systems Reliability and
Stock Price Predictions? International Journal of Accounting Information Systems,
12, 243-258.
Arnold, V., Benford, T., Canada, J., & Sutton, S.G. (2011b). The Role of Strategic Enterprise
Risk Management and Organizational Flexibility in Easing New Regulatory
Compliance. International Journal of Accounting Information Systems, 12, 171-188.
Brown, W. & Nasuti, F., (2005). What ERP Systems Can Tell Us About Sarbanes Oxley.
Information Management and Computer Security, 13(4), 311-327.
Bryman, A. & Bell, E. (2007). Business Research Methods. Oxford University Press. 2nd Ed.
Caglio, A. (2003). Enterprise Resource Planning Systems and Accountants: Towards
Hybridization? European Accounting Review, 12(1), 123-153.
Chan, K.C., Lee, P., & Seow, G. S. (2008). Why Did Management and Auditors Fail to
Identify Ineffective Internal Controls in Their Initial SOX 404 Reviews? Review of
Accounting and Finance, 7(4), 338-354.
Chang, S., Wu, C.-C., & Chang, I.-C. (2008). The Development of a Computer Auditing
System Sufficient for Sarbanes-Oxley Section 404 A Study on the Purchasing and
Expenditure Cycle of the ERP System. Information Systems Management, 25, 211
Clemmons, S. & Simon, S.J. (2001). Control and Coordination in Global ERP
Configuration. Business Process Management Journal, 7(3), 205-215.
Cooper, D. R. & Schindler, P. S. (2006). Business Research Methods. McGraw and Hill
International Education. 9th Ed.
Damianides, M., (2005). Sarbanes-Oxley and IT Governance: New Guidance on IT control
and Compliance. Information Systems Management, 22(1), 77-85.
Dechow, N. & Mouritsen J. (2005). Enterprise Resource Planning Systems, Management
Control and the Quest for Integration. Accounting, Organizations and Society, 30,
Dillard, J. F., Ruchala, L., & Yuthas, K. (2005). Enterprise Resource Planning Systems: A
Physical Manifestation of Administrative Evil. International Journal of Accounting
Information Systems, 6(2), 107-127.
Doyle, J., Ge, W., & McVay, S., (2007). Determinants of Weaknesses in Internal Control
over Financial Reporting. Journal of Accounting and Economics, 44(1-2), 193-223.
Foster, B. P., Ornstein, W., Shastri, T., (2007). Audit Costs, Material Weaknesses Under
SOX Section 404. Managerial Auditing Journal. 22(7), 661-673.
Ge, W. & McVay, S. (2005). The Disclosure of Material Weaknesses in Internal Control
After the Sarbanes Oxley Act. Accounting Horizons, 19(3), 137-158.
Granlund, M. (2011). Extending AIS Research to Management Accounting and Control
Issues: A Research Note. International Journal of Accounting Information Systems,
12, 3-19.
Granlund, M. & Malmi, T. (2002). Moderate impact of ERPS on Management Accounting: A
Lag or Permanent Outcome? Management Accounting Research, 13, 299-321.
Grant, G. H., Miller, K. C., & Fatima, A. (2008). The effect of IT controls on internal
reporting. Managerial Auditing Journal. 23(8), 803-823.
Hair, J. F., Money, A. H., Samouel, P. (2003). Research Methods for Business. John Wiley &
Haworth, D.A. & Pietron, L. R. (2006). Sarbanes-Oxley Achieving Compliance by Starting
with ISO 17799. Information Systems Management, 23(1), 73-87.
Huang, H., (2009). Sarbanes Oxley Section 404 Compliance: Recent Changes in US Traded
Foreign Firms’ Internal Control Reporting. Managerial Auditing Journal. 24(6), 584-
Hyvönen, T. (2003). Management Accounting and Information Systems: ERP Versus BoB.
European Accounting Review, 12(1), 155-173.
Krishnan, G. V. & Visvanathan, G. (2007). Reporting Internal Control Deficiencies in the
Post-Sarbanes-Oxley Era: The Role of Auditors and Corporate Governance.
International Journal of Auditing, 11, 73-90.
Kumar, V., Pollanen, R., & Maheshwari, B. (2008). Challenges in Enhancing Enterprise
Resource Planning Systems for Compliance with Sarbanes Oxley Act and Analogous
Canadian Legislation. Management Research News, 31(10), 758-773.
Li, C., Lim, J. H., & Wang, Q. (2007). Internal and External Influences on IT Control
Governance. International Journal of Accounting Information Systems, 8, 225-239.
Light, B., Holland, C. P., & Wills, K. (2001). ERP and Best of Breed: A Comparative
Analysis. Business Process Management Journal, 7(3), 216-224.
Mauldin, E. G. & Ruchala, L. V. (1999). Towards a Meta-Theory of Accounting Information
Systems. Accounting, Organizations and Society, 24, 317-331.
Maurizio, A., Girolami, L., & Jones, P. (2007). EAI and SOA: Factors and Methods
Influencing the Integration of Multiple ERP Systems (in an SAP Environment) to
Comply with the Sarbanes-Oxley Act. Journal of Enterprise Information
Management, 20(1), 14-31.
McCracken, G. D. (1988). The Long Interview (Vol. 13). California: Sage Publications.
Miles, M. B., & Huberman, A. M. (1994). Qualitative Data Analysis: An Expanded
Sourcebook (2nd ed.). California: Sage Publications.
Minichiello, V., Aroni, R., Timewell, E., & Alexander, L. (1995). In-depth Interviewing:
Principles, Techniques, Analysis (2nd ed.). Melbourne: Addison Wesley Longman.
Mock, T. J., Sun, L., Srivastava, R. P., & Vasarhelyi, M. (2009). An Evidential Reasoning
Approach to Sarbanes-Oxley Mandated Internal Control Risk Assessment.
International Journal of Accounting Information Systems, 10, 65-78.
O’Brien, J. A. & Marakas, G. M. (2006). Management Information Systems. 7th Edition.
McGraw-Hill Irwin.
O’Dwyer, B. (2003). Conceptions of Corporate Social Responsibility: The Nature of
Managerial Capture. Accounting, Auditing & Accountability Journal, 16(4), 523-557.
Petra, S. T. & Loukatos, G. (2009). The Sarbanes Oxley Act of 2002: A Five Year
Retrospective. Corporate Governance, 9(2), 120-132.
PCAOB (Public Company Accounting Oversight Board). (2007). Available from
Quattrone, P. & Hopper, T. (2001). What does organizational change mean? Speculations on a
taken for granted category. Management Accounting Research, 12(4), 403-435.
Rice, S. & Weber, D. (2012). How Effective Is Internal Control Reporting under SOX 404?
Determinants of the (Non-)Disclosure of Existing Material Weaknesses. Journal of
Accounting Research, 50(3), 811-843.
Rice, S., Weber, D. & Wu, B. (2012). Does SOX 404 Have Teeth? Consequences of the
Failure to Report Existing Internal Control Weaknesses. Working paper, University of
Rom, A. & Rohde, C. (2007). Management accounting and integrated information systems: A
literature review. International Journal of Accounting Information Systems, 8, 40-68.
Scapens, R. W. & Jazayeri, M. (2003). ERP Systems and Management Accounting
Change: Opportunities or Impacts? A Research Note. European Accounting Review,
12(1), 201-233.
Spathis, C. (2006). Enterprise Systems Implementation and Accounting Benefits. Journal of
Enterprise Information Management, 19(1), 67-82.
Spathis, C. & Constantinides, S. (2004). Enterprise resource planning systems' impact on
accounting processes. Business Process Management Journal, 10(2), 234-247.
Stoel, M. D. & Muhanna, W. A. (2011). IT Internal Control Weaknesses and Firm
Performance: An Organizational Liability Lens. International Journal of Accounting
Information Systems, 12, 280-304.
Tryfonas, T. & Kearney, R. (2008). Standardising business application security assessments
with pattern-driven audit automations. Computer Standards & Interfaces, 30, 262
Tseu, M. (2005). Managing IT Compliance: Sustainability and Simplicity for Future
Audits. Internal Auditing, 20(5), 16-21.
Williams, K. (2005). Does Technology Aid SOX 404 Compliance? Strategic Finance, 87(5),
Worster, A., Weirich, T. R., & Andera, A. (2011). ERP Systems: A Lost Opportunity. The
Journal of Corporate Accounting & Finance, July/August, 69-77.
Yin, R. K. (2003). Case Study Research: Design and Methods, 3rd ed. Thousand Oaks, CA:
Sage Publications, Inc.
Zhang, I. X. (2007). Economic consequences of the Sarbanes-Oxley Act of 2002. Journal
of Accounting and Economics, 44, 74-115.
Zikmund, W. (2003). Business Research Methods. Thomson South Western. 7th Ed.
Appendix A - Interview Guide
Protocol used for questions to ask participants:
1) Demographic data
2) Job role and responsibilities in relation to SAP and/or SOX
3) The use of SAP in Omega for accounting and finance processes/operations in relation
to SOX
   - How used in different business units/departments
   - Processes involved
   - Policies and procedures for use
   - Use of manual or backup processes to support
   - Employees involved in inputting data or using output
4) The use of SAP for facilitating compliance with SOX and mitigating material
   - Identifying main areas of potential weaknesses (e.g. segregation of duties, period-end
     reporting, account reconciliation)
   - Audit process
Appendix B - List of interviewees
                                  in role     Length of Interview
Senior Sustainment Manager        10 years    45 mins
Sustainment Manager Finance       6 years     75 mins
Senior Finance Process Analyst    4 years     60 mins
Accounting Manager 1              8 years     50 mins
Accounting Manager 2              5 years     55 mins
Senior Accountant 1               6 years     60 mins
Senior Accountant 2               5 years     70 mins
Senior Accountant 3               5 years     60 mins
Accountant 1                      10 years    50 mins
Accountant 2                      4 years     75 mins
Appendix C - Organizational Structure
Sustainment Team
Shared Accounting Services
