The impact of new regulatory requirements for internal control reporting on an organization's ability to maintain strategic flexibility has been debated extensively in the popular press. This paper tests theory from strategic management to examine the relationship between organizations' pre-regulatory strength of strategic enterprise risk management (ERM) processes and their ability to react to new regulatory mandates. In the context of companies' adoption of SOX Section 404 internal control reporting requirements, we examine organizations' pre-SOX ERM processes, ERM supporting technologies, and organizational flexibility in order to better understand the antecedents to the difficulty encountered in meeting SOX 404 requirements. Using responses from 113 Chief Audit Executives (CAEs), we find that organizations with stronger strategic ERM processes and flexible organizational structures already in place incurred little difficulty in implementing SOX 404 mandates. On the other hand, organizations using weaker ERM processes, which focused on control compliance, experienced more difficulty. These findings provide key insights into the importance of strategic ERM in effectively complying with new regulatory controls in volatile environments.
Many countries have recently implemented internal control reporting mandates for public companies. Arguably, the most pervasive of these new mandates was the Sarbanes–Oxley Act of 2002 (SOX), enacted by the U.S. Congress, with global implications for public companies registered on the U.S. stock exchanges. Since that time, there has been a substantial backlash including allegations that the SOX Act is ‘quack legislation’ (Romano, 2005) and a myriad of questions as to whether the corporate governance provisions have a justifiable cost-benefit (e.g., DeFond and Francis, 2005). There have also been questions of whether the burden of SOX regulatory requirements would irreversibly weaken the U.S. stock exchanges' financial market leadership position (Bloomberg-Schumer-McKinsey Report, 2007).
One of the more controversial components of the law is Section 404 with its mandates for broad-reaching internal controls over financial reporting that must be attested to by management and opined upon by an auditor. As a result, the U.S. SEC held numerous hearings about this provision and the implementation of 404 requirements was repeatedly delayed—particularly for small and medium-sized enterprises and foreign registrants. Among the major concerns of the SEC were complaints by smaller enterprises that these internal control and risk management processes would impede the enterprise's ability to react to market changes due to resulting restrictions in organizational flexibility (Katz, 2006). Preliminary evidence from several case studies of smaller firms required to file as accelerated filers suggests this may be the case for some firms depending on their existing organizational structures and processes (Arnold et al., 2007).
We explore these concerns through an empirical evaluation of companies that have completed the SOX 404 reporting process to evaluate how organizational structures and processes impact the difficulty of adhering to newly mandated compliance requirements. Specifically, we examine the relationship between strategic ERM practices and organizational flexibility, as well as the subsequent impact of organizational flexibility on the effectiveness of SOX 404 implementation processes and difficulty in achieving compliance. In examining these relationships, we consider the mediating roles of ERM supporting information technology (IT) systems and the organization's control environment. The conceptual model presented is a generalized model that explains how these organizational structures and processes facilitate compliance with new regulatory mandates.
In developing our conceptual model, we specifically address concerns voiced regarding the relationship between control structures and organizational flexibility from a strategic management perspective. We adopt the conceptual foundations from theory on capability-building for entrepreneurial alertness (e.g., ERM) which views strategic organizational flexibility as the key to organizations' success in volatile business environments (Sambamurthy et al., 2003). We build upon Sambamurthy et al.'s model by incorporating research on management control systems (see Langfield-Smith, 1997 and Chenhall, 2003 for reviews). This integration helps explain the relationship between organizational flexibility and management control, and the ability of ERM and organizational flexibility to facilitate the development of effective processes for responding to new regulatory mandates—in this case, new internal control reporting mandates. While early studies seem to indicate that control systems did not facilitate strategic decisions in organizations, recent studies consistently find the opposite. If broader-based measures rather than just financial measures are used, management control systems actually serve as vital informers for strategic decision making with more control information being desired in more flexible environments (Simons, 1990; Davila, 2000; Ahrens and Chapman, 2004; Ditillo, 2004; Chenhall and Euske, 2007).
The results of our study provide several contributions to the literature and have implications for the discourse on the benefits of mandates for internal control reporting. First, we establish a strong link between the strength of ERM processes and organizational flexibility while identifying the critical mediating effect of ERM supporting IT systems. Second, we establish a strong link between organizational flexibility and organizational reactiveness to new regulatory mandates—in this case mandates related to effective internal control systems. Importantly, we also identify the mediating effect of the control environment on the ability of flexible organizations to implement effective compliance processes. Third, the overall results provide evidence of a direct relationship between the strength of ERM processes and the organization's control environment. Additionally, the impact of ERM on IT systems and organizational flexibility has a substantial indirect effect on the overall control environment. Finally, while prior research has focused primarily on the organizational factors that facilitate the development of ERM (e.g., Kleffner et al., 2003; Liebenberg and Hoyt, 2003; Beasley et al., 2005), we focus on how the strength of ERM processes impacts organizational structure and the organization's ability to respond to changes in the business environment. Specifically, we examine how stronger ERM increases organizational flexibility and IT integration in order to facilitate an organization's ability to react to new regulatory mandates.
The remainder of this paper is presented in four parts. Section 2 expands upon the underlying theory and prior related literature that provides the conceptual development of the hypotheses and overall research model. The third and fourth sections provide the research methods and results of the model and hypotheses testing. The fifth and final section provides an overview of the results and the implications for future research.