The role of strategic enterprise risk management and organizational flexibility in easing new regulatory compliance
|Article code||Publication year||English article||Persian translation||Word count|
|762||2011||18-page PDF||Available to order||9860 words|
Publisher: Elsevier - Science Direct
Journal : International Journal of Accounting Information Systems, Volume 12, Issue 3, September 2011, Pages 171–188
The impact of new regulatory requirements for internal control reporting on an organization's ability to maintain strategic flexibility has been debated in the popular press extensively. This paper tests theory from strategic management to examine the relationship between an organization's pre-regulatory strength of strategic enterprise risk management (ERM) processes and their ability to react to new regulatory mandates. In the context of companies' adoption of SOX Section 404 internal control reporting requirements, we examine organizations' pre-SOX ERM processes, ERM supporting technologies, and organizational flexibility in order to better understand the antecedents to the difficulty encountered in meeting SOX 404 requirements. Using responses from 113 Chief Audit Executives (CAEs), we find that organizations with stronger strategic ERM processes and flexible organizational structures already in place incurred little difficulty in implementing SOX 404 mandates. On the other hand, organizations using weaker ERM processes, which focused on control compliance, experienced more difficulty. These findings provide key insights into the importance of strategic ERM in effectively complying with new regulatory controls in volatile environments.
Many countries have recently implemented internal control reporting mandates for public companies. Arguably, the most pervasive of these new mandates was the Sarbanes–Oxley Act of 2002 (SOX), enacted by the U.S. Congress, with global implications for public companies registered on the U.S. stock exchanges. Since that time, there has been a substantial backlash including allegations that the SOX Act is ‘quack legislation’ (Romano, 2005) and a myriad of questions as to whether the corporate governance provisions have a justifiable cost-benefit (e.g., DeFond and Francis, 2005). There have also been questions of whether the burden of SOX regulatory requirements would irreversibly weaken the U.S. stock exchanges' financial market leadership position (Bloomberg-Schumer-McKinsey Report, 2007). One of the more controversial components of the law is Section 404 with its mandates for broad reaching internal controls over financial reporting that must be attested to by management and opined upon by an auditor. As a result, the U.S. SEC held numerous hearings about this provision and the implementation of 404 requirements was repeatedly delayed—particularly for small and medium sized enterprises and foreign registrants. Among the major concerns of the SEC were complaints by smaller enterprises that these internal control and risk management processes would impede the enterprise's ability to react to market changes due to resulting restrictions in organizational flexibility (Katz, 2006). Preliminary evidence from several case studies of smaller firms required to file as accelerated filers suggests this may be the case for some firms depending on their existing organizational structures and processes (Arnold et al., 2007). We explore these concerns through an empirical evaluation of companies that have completed the SOX 404 reporting process to evaluate how organizational structures and processes impact the difficulty of adhering to newly mandated compliance requirements.
Specifically, we examine the relationship between strategic ERM practices and organizational flexibility, as well as the subsequent impact of organizational flexibility on the effectiveness of SOX 404 implementation processes and difficulty in achieving compliance. In examining these relationships, we consider the mediating roles of ERM supporting information technology (IT) systems and the organization's control environment. The conceptual model presented is a generalized model that explains how these organizational structures and processes facilitate compliance with new regulatory mandates. In developing our conceptual model, we specifically address concerns voiced regarding the relationship between control structures and organizational flexibility from a strategic management perspective. We adopt the conceptual foundations from theory on capability-building for entrepreneurial alertness (e.g., ERM) which views strategic organizational flexibility as the key to organizations' success in volatile business environments (Sambamurthy et al., 2003). We build upon Sambamurthy et al.'s model by incorporating research on management control systems (see Langfield-Smith, 1997 and Chenhall, 2003 for reviews). This integration helps explain the relationship between organizational flexibility and management control, and the ability of ERM and organizational flexibility to facilitate the development of effective processes for responding to new regulatory mandates—in this case, new internal control reporting mandates. While early studies seem to indicate that control systems did not facilitate strategic decisions in organizations, recent studies consistently find the opposite. 
If broader-based measures rather than just financial measures are used, management control systems actually serve as vital informers for strategic decision making with more control information being desired in more flexible environments (Simons, 1990, Davila, 2000, Ahrens and Chapman, 2004, Ditillo, 2004 and Chenhall and Euske, 2007). The results of our study provide several contributions to the literature and have implications for the discourse on the benefits of mandates for internal control reporting. First, we establish a strong link between the strength of ERM processes and organizational flexibility while identifying the critical mediating effect of ERM supporting IT systems. Second, we establish a strong link between organizational flexibility and organizational reactiveness to new regulatory mandates—in this case mandates related to effective internal control systems. Importantly, we also identify the mediating effect of the control environment on the ability of flexible organizations to implement effective compliance processes. Third, the overall results provide evidence of a direct relationship between the strength of ERM processes and the organization's control environment. Additionally, the impact of ERM on IT systems and organizational flexibility has a substantial indirect effect on the overall control environment. Finally, while prior research has focused primarily on the organizational factors that facilitate the development of ERM (e.g., Kleffner et al., 2003, Liebenberg and Hoyt, 2003 and Beasley et al., 2005), we focus on how the strength of ERM processes impacts organizational structure and the organization's ability to respond to changes in the business environment. Specifically, we examine how stronger ERM increases organizational flexibility and IT integration in order to facilitate an organization's ability to react to new regulatory mandates. The remainder of this paper is presented in four parts.
Section 2 expands upon the underlying theory and prior related literature that provides the conceptual development of the hypotheses and overall research model. The third and fourth sections provide the research methods and results of the model and hypotheses testing. The fifth and final section provides an overview of the results and the implications for future research.
Conclusion (English)
This research study was motivated in part by the discourse over the potential negative impacts of new global internal control reporting mandates and, in part, by the need for a better understanding of the relationship between strategic ERM, IT compatibility, and organizational flexibility on both the development of a strong control environment and compliance difficulty. Critics of SOX 404 requirements in particular have often pointed to a loss in organizational flexibility as a cost of regulatory compliance and advocated rescinding this key aspect of the corporate governance initiatives put in place by the Act. While our model specifically focuses on SOX 404 compliance requirements, the conceptual foundations of the model are more generalized and the model's applicability theoretically should also extend to organizational responses to other new regulatory compliance requirements. In formulating the conceptual model, consideration was given to the findings of Arnold et al. (2007) in their case analysis of four small and medium-sized organizations' experiences in implementing SOX 404 compliance processes. Two of the four organizations had difficult implementation experiences and two exhibited relatively minor difficulty in implementation. On the surface, these case studies would seem to highlight conflicting evidence regarding the actual existence of the concerns that have been raised—i.e., reduced organizational flexibility and hindered competitiveness. A deeper examination of the documented cases, however, provides evidence that the differences in experiences among the companies could be driven by organizational culture and/or existing ERM strategies. In this study, we develop a conceptual model that investigates the effects of organizational culture and ERM processes on compliance.
The model relies heavily on the theory of capability building and entrepreneurial alertness while integrating that theory with the managerial control systems literature in order to better understand the facilitation of competitive actions required to respond to the new regulatory mandates. The theoretical relationships between the four main constructs are better understood as a result of identifying the mediating constructs that influence the nature of the relationships among the constructs. Testing of the model, based on the reported organizational structures and experiences provided by 113 chief audit executives from organizations having completed and reported upon SOX 404 compliance requirements for internal controls, yields strong explanatory power and significant relationships that are in line with the hypothesized relationships. Thus, the conceptual model appears to provide a sound basis for understanding how various organizational structures and processes affect the level of compliance difficulty experienced across a range of organizations. First, we find that the strength of strategic ERM processes is very predictive of organizations' flexibility, but that this relationship is partially mediated by IT compatibility—the ability to access and utilize enterprise-wide data from across all organizational systems. Second, we find that an organization's flexibility is positively related to its ability to implement effective processes for addressing compliance with new regulations, but that this relationship is fully mediated—in this case by the strength of the control environment. Third, our findings significantly enhance the theoretical understanding of the relationship between strategic ERM and the strength of the control environment by identifying not only a strong direct effect, but also finding a strong indirect effect via the organizational structures and processes supported by ERM.
This indirect effect increases the explanatory power of ERM by 16% in terms of explaining the variance in the strength of organizations' control environment. In summary, the results provide evidence that organizations with strong strategic ERM processes prior to SOX 404 mandates faced fewer obstacles in implementing the processes necessary to meet internal control requirements. On the other hand, the organizations that did not have strong ERM processes in place incurred the greatest difficulty in implementing effective compliance processes—the very organizations for which the Act was deemed so important. There are limitations of the current study that should be considered when reflecting upon the results. Many of these limitations are related to scope and also provide guidance on future research needs. First, our responses were taken entirely from chief audit executives. Their views on the SOX 404 compliance experience may not be reflective of other chief executives in the organization. Future studies may wish to consider multiple respondents for each organization in order to get a more diverse perspective on the experiences. Second, our study considers a limited set of organizational structures and processes, and additional organizational characteristics may likely aid in further explaining the attributes and relationships that were observed in this study. Organizations are complex entities and substantial research is required to uncover the myriad of complex interrelationships that drive organizational behavior and performance. As the strategic ERM movement continues to evolve, organizations' strategy is increasingly intertwined with IT systems and future research should consider other aspects of IT that facilitate strategic ERM efforts. Third, our study relies on the responses of chief audit executives, which necessarily narrows our representation to organizations that have at least one in-house internal auditor. 
Given the large market for consulting services to assist with compliance efforts, a relatively small subset of organizations still do not have an internal audit function in-house. While this has become much rarer in the post-SOX era, future research should consider expanding the scope to these organizations as well. Overall, the research reported here provides an initial view into the effect of organizational structures and processes on the ability to meet regulatory compliance mandates. The relationships are strong and significant, the interrelationships complex, and the findings highly insightful in terms of understanding the importance of strategic ERM in effectively dealing with volatile environments.