Electronic copy available at: http://ssrn.com/abstract=1371231

1

THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE

Vicky Arnold University of Central Florida

University of Melbourne

Tanya Benford University of Central Florida

Joseph Canada

University of Central Florida

Steve G. Sutton University of Central Florida

University of Melbourne

March 2009

* This research was funded by the Institute of Internal Auditors Research Foundation. The authors wish to thank the IIARF for their generous funding and support of our research. We would also like to thank Maggie Abernethy, Vairam Arunachalam, Mary Curtis, Michael Davern, Fred Davis, Carlin Dowling, Don Finn, Clark Hampton, Kevin Kobelsky, Anne Lillis, Elaine Mauldin, Aldi Masli, Vern Richardson, Jake Rose, Patrick Wheeler, workshop participants at the University of Arkansas, University of Melbourne, University of Missouri, and the University of North Texas, as well as participants at the 2008 Asia-Pacific Research Symposium on Accounting Information Systems, 2008 International Conference on Enterprise Systems, Accounting and Logistics, and 2009 AAA Information Systems Section Mid-Year Meeting for their helpful feedback on earlier versions. We are also appreciative of research assistance provided by Randy Kuhn.

Electronic copy available at: http://ssrn.com/abstract=1371231

2

THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE

Abstract

The impact of new regulatory requirements for internal control reporting on an organizations ability to maintain strategic flexibility has been debated extensively. This paper uses a systems perspective to examine the relationship between an organizations pre-regulatory effectiveness of enterprise risk management (ERM) processes and their reactiveness to new regulatory mandates. This focus on ERM processes first examines the influence of ERM on the ex ante development of organization structures (i.e. information technology systems compatibility and organizational strategic flexibility). These structures are then examined for their influence on the use of appropriate actions (i.e. control environment and comprehensive compliance processes) to mitigate the difficulty of compliance. Data were collected on these main constructs and related influential constructs from chief audit executives representing a broad range of North American organizations. We specifically focus on Section 404 of the U.S. Sarbanes-Oxley Act of 2002 (hereafter, SOX 404). Structural modeling was used to test the relationships simultaneously and to understand the predictive behavior of the various attributes. First, the results reveal a strong positive relationship between the effectiveness of ERM and strategic flexibility which is partially mediated by IT compatibilitythe ability to capture and share data across an enterprise. Second, the results show a strong positive relationship between strategic flexibility and use of effective implementation processes for new compliance requirements over internal control reporting, but the relationship is fully mediated by the strength of an organizations control environment. Third, our structural model allows us to identify both direct effects of ERM effectiveness on the strength of the control environment and the indirect effects of ERM effectiveness on control environment via the interrelationships with IT compatibility and strategic flexibility. Measurement of these indirect effects captures a more complete view as to the influence of ERM effectiveness on the strength of the control environment; the combined direct and indirect effects increase by 16% the variance in strength of control environment explained by ERM. In brief, our research finds that organizations with effective ERM processes and flexible organizational structures already in place incurred little difficulty in implementing SOX 404 mandates, while organizations that lacked effective ERM processes prior to SOX 404 compliance had weaker implementation processes and had a more difficult experience in complying with the mandates. These findings provide key insights into the importance of ERM for creating an organizational form that can effectively deal with regulatory compliance issues in volatile environments. Keywords: enterprise risk management, organizational strategic flexibility, control environment, IT compatibility, internal control, management control systems, Sarbanes-Oxley Act. Data Availability: Data are available upon request subject to institutional review board restrictions.

1

THE ROLE OF ENTERPRISE RISK MANAGEMENT AND ORGANIZATIONAL STRATEGIC FLEXIBILITY IN EASING NEW REGULATORY COMPLIANCE

I. INTRODUCTION

Many countries have recently implemented a myriad of internal control reporting

mandates for public companies.1 Arguably, the most pervasive of these new mandates was the

Sarbanes-Oxley Act of 2002 (SOX), enacted by the U.S. Congress in July, 2002, with global

implications for public companies who wished to be registered on the U.S. stock exchanges.

Since that time, there has been a substantial backlash including allegations that the SOX Act is

quack legislation (Romano 2005) and a myriad of questions as to whether the corporate

governance provisions have a justifiable cost-benefit (e.g. DeFond and Francis 2005). There

have also been questions of whether the burden of SOX regulatory requirements would

irreversibly weaken the U.S. stock exchanges financial market leadership position (Bloomberg-

Schumer-McKinsey Report, 2007). One of the more controversial components of the law is

Section 404 with its mandates for broad reaching internal controls over financial reporting that

must be attested to by management and opined upon by an auditor. As a result, the U.S. SEC

held numerous hearings about this provision and the implementation of 404 requirements was

repeatedly delayedparticularly for small and medium sized enterprises and foreign registrants.2

Among the major concerns of the SEC were complaints by smaller enterprises that these internal

control and risk management processes would impede the enterprises ability to react to market

changes due to resulting restrictions in organizational flexibility (Katz 2006). Preliminary

evidence from several case studies of smaller firms required to file as accelerated filers suggests 1 Global internal control reporting regulations include Canadas National Instrument 52-109 (NI 52-109), the U.S. Sarbanes-Oxley Act of 2002 (SOX 404), the Australian Corporate Law Economic Reform Program Act (CLERP 9), the EU 8th Directive, the French Lois sur la Securite Financiere (LSF), the Italian Legislative Decree 231 and Decree 262, and Japans Financial Instruments and Exchange Law (J-SOX) (E&Y 2008a). 2 These so called non-accelerated filers are currently being phased into 404 reporting requirements with managements report on controls required for fiscal year-ends on or after July 15, 2007, and the auditors opinion on managements report being required for fiscal year-ends on or after July 15, 2008.

2

this may be the case for some firms depending on their existing organizational structures and

processes (Arnold et al., 2007).

We explore these concerns through an empirical evaluation of companies that have

completed the SOX 404 reporting process to evaluate how organizational structures and

processes impact the difficulty of adhering to the newly mandated compliance requirements.

Specifically, we examine the relationship between effective ERM practices and the facilitation of

organizational strategic flexibility, and the subsequent impact of organizational strategic

flexibility on the development of effective compliance implementation processes and difficulty

in meeting compliance objectives. In examining these relationships, we consider the mediating

roles of information technology (IT) systems and the organizations control environment. The

conceptual model presented is a generalized model that explains how these organizational

structures and processes facilitate compliance with new regulatory mandates.

In developing our conceptual model, we specifically address concerns voiced regarding

the relationship between control structures and organizational strategic flexibility from a systems

perspective. We adopt the conceptual foundations from theory on capability-building for

entrepreneurial alertness (e.g. ERM) which views strategic organizational flexibility as the key to

organizations success in volatile business environments (Sambamurthy et al. 2003). We build

upon Sambamurthy et al.s model by incorporating research on management control systems (see

Langfield-Smith 1997 and Chenhall 2003 for reviews). This integration helps explain the

relationship between strategic flexibility and management control and how ERM and

organizational flexibility facilitate the development of effective processes for responding to new

regulatory mandatesin this case, new internal control reporting mandates. While early studies

seem to indicate that control systems did not facilitate strategic decisions in organizations, recent

3

studies consistently find the opposite. If broader-based measures, rather than just financial

measures, are used, management control systems actually serve as vital informers for strategic

decision making with more control information being desired in more flexible environments

(Simons 1990; Davila 2000; Ahrens and Chapman 2004; Ditillo 2004; Chenhall and Euske

2007).

The results of our study provide several contributions to the literature and have

implications for the discourse on the benefits of mandates for internal control reporting. First, we

establish a strong link between effective ERM and organizational strategic flexibility while

identifying the critical mediating effect of strong IT systems. Second, we establish a strong link

between organizational strategic flexibility and organizational reactiveness to new regulatory

mandatesin this case mandates related to effective internal control systems. Importantly, we

also identify the mediating effect of the control environment on the ability of flexible

organizations to implement effective compliance processes. Third, the overall results provide

evidence of a direct relationship between effective ERM processes and the organizations control

environment. Additionally there is also a substantial indirect effect due to the impact of ERM on

IT systems and organizational strategic flexibility that help explain overall control environment

development. Finally, while prior research has focused primarily on the organizational factors

that facilitate the development of ERM (e.g. Kleffner et al. 2003; Liebenberg and Hoyt 2003;

Beasley et al. 2005), we focus on how the effectiveness of ERM from a strategic benefits

perspective impacts organizational structure and its ability to respond to changes in the business

environmenti.e., how effective, strategic-oriented ERM benefits an organization.

The remainder of this paper is presented in four parts. Section two expands upon the

underlying theory and prior related literature that provides the conceptual development of the

4

hypotheses and overall research model. The third and fourth sections provide the research

methods and results of the model and hypotheses testing. The fifth and final section provides an

overview of the results and the implications for future research.

II. BACKGROUND AND HYPOTHESES

Arnold et al. (2007), using four case studies of companies that had recently completed

SOX 404 compliance, provide preliminary insight into the effect of regulatory compliance

efforts on organizational processes and performance. Their findings indicate that all four firms

adopted some level of ERM processes in addressing SOX 404 compliance efforts. However, two

of the four firms had substantial difficulty in meeting compliance requirements; and both of these

firms felt that newly implemented risk management processes and internal control procedures

hindered their customer cycle times putting them at a competitive disadvantage. They primarily

viewed the control structures as limiting their flexibility to react strategically. On the other hand,

the other two firms endured far less stress during their compliance efforts. Each had a strong

system of internal controls; and, each established procedures very early on for addressing the

required changes under the new regulatory mandates. These results raise questions regarding

whether there are structural differences between the four firms that contributed to differing

experiences in implementation difficulty and different perceptions on the impact in terms of

organizational flexibility.

Based on prior case research showing the perceived influence of ERM practices and

organizational structure on companies ability to address the new mandates (Arnold et al. 2007),

we develop a research model that integrates a strategic view of ERM (Treasury Board 2001;

Sambamurthy et al. 2003; COSO 2004) with organizational theory perspectives on

5

organizations ability to maintain flexibility and react to regulatory change (e.g. Volberda 1996;

Sambamurthy et al. 2003; Palanisamy 2005).

ERM as A Basis for Entrepreneurial Alertness

Theory on capability building and entrepreneurial action is premised on the resource

based view of the firm where information technology (IT) is viewed as not having strategic value

by itself, but rather as a resource that can be shaped and refined to become an enabler of

organizational flexibility that in turn facilitates competitive action (Sambamurthy et al. 2003).

The key to the theory, however, is entrepreneurial alertness, which is the capability to explore

the marketplace and identify opportunities for action. Entrepreneurial alertness drives the

evolution of IT systems to facilitate the organizations strategic flexibility, thus creating an

indirect as well as a direct effect of entrepreneurial alertness on the development of strategic

flexibility. Similarly, entrepreneurial alertness, by enabling strategic flexibility, also supports the

organizations ability to respond to changes in the environment through execution of competitive

actions. Thus, competitive actions are not only supported directly by entrepreneurial alertness but

also indirectly through strategic flexibility (Sambamurthy et al. 2003).

Entrepreneurial alertness includes both strategic foresight (i.e. the ability to foresee risks

and opportunities) and systemic insight (i.e. the ability to use foresight to shape competitive

actions that provide advantage) (Sambamurthy et al. 2003). ERM represents perhaps the

strongest form of entrepreneurial alertness with its focus on integrating risk management

processes at an enterprise-wide level in order to provide a uniform capability for responding to

risks and seizing opportunities. The Treasury Board of Canada (2001) was one of the early

advocates of integrated risk management (i.e. ERM) and defines ERM as

a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making

6

strategic decisions that contribute to the achievement of an organization's overall corporate objectives (p. 10).

While everyone in the organization has some responsibility for ERM, an organizations Board of

Directors has overall responsibility for ensuring risks are managed, but in practice the

management team is generally delegated with the responsibility (Institute of Internal Auditors

2004). As such, ERM integrates risk management activities while elevating its status as a key

component of the firms overall strategy thus enabling the organization to respond strategically

to both risks and opportunities (Liebenberg and Hoyt 2003).

In building an organizations risk profile, information and knowledge must be aggregated

across the strategic and operational levels to assist managers in understanding the range of risks

(internally and externally) and the related opportunities (Treasury Board 2001, p. 15). To

facilitate the aggregation of information and knowledge across the organization, the Treasury

Board recognizes the need to consider potential technological solutions to support on-going

activities that facilitate risk awareness and management through information sharing (Treasury

Board 2001, p. 31).

From a theoretical perspective, ERM can be viewed as fundamental to the evolution of IT

systems, organizational strategic flexibility, and competitive actions that may result in either

necessary responses to risks or the potential to seize opportunities. The conceptual model is

shown in Figure 1.

[Insert Figure 1 about here]

Background and Hypotheses

While the need for risk management was strongly advocated in Canada prior to the major

U.S. corporate failures in 2002 (e.g. Enron and WorldCom), the passage of SOX in the U.S. led

the Committee of Sponsoring Organizations of the Treadway Committee (COSO 2004) to

7

release a revised internal control framework that adopted ERM concepts and took a more

strategic view of control processes. This framework expanded the scope of its earlier framework

(COSO 1992) to focus more comprehensively on ERM.

While COSOs ERM framework has become the guiding directive adopted by the vast

majority of organizations (particularly in the U.S.) complying with SOX 404, the implementation

in many cases focused on the underlying internal control framework and not the strategic

organizational-level risk management processes characterized by ERM. While internal control is

an integral part of ERM from a COSO (2004, 25) point of view, ERM is broader than internal

control as it focuses more fully on risk and risk management. Still, in the face of SOX 404

requirements, many organizations have focused on procedural aspects of control and have not

implemented effective, strategically-oriented ERM processes or have only implemented minimal

processes (Beasley et al. 2005; E&Y 2008a).

Surveys reveal ERM as the major issue currently being addressed by audit committees

(E&Y 2008a; KPMG 2008). Likewise, the October 2008 joint meeting of the European and

North American Audit Committee Leadership Networks highlights both the urgency to develop

effective ERM processes and the on-going struggle many organizations face when implementing

effective ERM practices. ERM frequently continues to be hampered by a narrow, business-unit

view of risk that persists among top management (EACLN and NAACLN 2008).

In order to achieve ERM objectives, relevant information must be identified, captured,

and communicated in a form and timeframe that enables people to carry out their

responsibilities (COSO 2004, 25). Levine (2004) notes that from an implementation

perspective, the information needs of ERM necessitate the availability of IT systems that provide

a true, unified picture of risk across the organization. Information and knowledge must be

8

aggregated across strategic and operational levels of the enterprise to assist managers in

understanding and assessing the existing range of internal and external risks (Treasury Board

2001, p. 15). Thus, one of the fundamental challenges of implementing ERM is aggregating the

underlying data required to monitor the various components of organizational risk (Lam 2003).

This need for data is highlighted in Ernst and Youngs (2008b) prescribed approach for

developing effective ERM. The firm notes the importance of designing and developing the

desired ERM processes and, once these processes have been deployed, assessing the degree of

alignment and coordination across the organization in assessing, improving and monitoring risks

and controls (p. 6). Two key components of this alignment and coordination process are the

leveraging of IT and the development of governance processes that start with the tone at the top

to create an appropriate control environment (p. 4-5). Of interest at this point is the focus on IT

where Ernst and Young (2008b) asserts that IT must be effectively leveraged to support the

organizations risk framework. This includes making any necessary changes to assure IT systems

effectively support risk identification and assessment as well as facilitate monitoring of risks to

recognize adverse trends proactively (p. 5). This leveraging of IT based on ERM strategies is

consistent with that put forth in the theory on capability building and entrepreneurial alertness

(Sambamurthy et al. 2003).

The focus on enterprise wide data availability is indicative of the need for organizational

information systems that have high IT compatibility. Byrd and Turner (2000) define IT

compatibility as the ability to share any type of information across any type of technology

component. In essence, it suggests a transparency of information that allows access to critical

data from anywhere within the organization through linked and integrated information systems.

While core enterprise systems may exist in organizations even before ERM efforts evolve, IT

9

research highlights the needs to assimilate technology in order to garner strategic benefit

(Sambamurthy and Zmud 1999). With enterprise systems in particular, involvement and pressure

from top management to drive assimilation and shape IT processes to support strategic processes

is critical (Liang et al. 2007). Given the importance placed on information flow, we expect that

increased effectiveness of ERM processes will be indicative of top management involvement and

desire for increased IT compatibility. This leads to the first hypothesis:

H1: As the effectiveness of ERM increases, IT compatibility will increase.

As previously noted, one of the major concerns has been the impact of control procedures

that are implemented as a part of an organizations ERM strategy on the flexibility of the

organization and its ability to react strategically to changes in the business environment.

Organizational strategic flexibility is reflective of an ability to respond appropriately and timely

to a wide variety of changes in the competitive environment, and is a function of managerial

capabilities and the responsiveness of the organization (Volberda 1996). Palanisamy (2005)

notes the importance of IT flexibility in facilitating such responsiveness by an organizations

management. Without easy accessibility of organization-wide data on performance and

capabilities, it is difficult for an organization to understand and respond to new market, product,

or service opportunities and to understand shifts in customer preferences and needs

opportunities that require increased organizational flexibility to respond effectively and

efficiently. Based on Byrd and Turners (2000) dissection of the components of IT flexibility, the

IT compatibility component is critical to supporting managements ability to react and thereby

maintain strategic flexibility. This is also consistent with Chapman and Kihns (2009) findings

that centralized data that is accessible organization-wide increased organizational flexibility.

Research in management control systems on facilitating organizational strategic

flexibility provides two key pieces to understanding the relationships between ERM, IT

10

compatibility, and strategic flexibility. First, Chenhall and Euske (2007) specifically note the

role of risk management processes in the successful adaptation of strategic direction. Second, the

literature points to the importance of diverse, readily available information. Abernethy and

Brownell (1999) show a relationship between the type of information needed and the strategic

orientation of the firm, with more strategically oriented firms requiring more dynamic

information. Further, strategically oriented firms demand broader scope information (Bouwens

and Abernethy 2000), and this broad scope information is highly important to organizational

flexibility (Abernethy and Lillis 1995). In combination, these two perspectives suggest that ERM

processes are important to supporting organizational strategic flexibility. As theorized by

Sambamurthy et al (2003), this relationship occurs through high levels of IT compatibility that

provide broad scope information readily retrievable to support strategic decision making. This

leads to the second and third hypotheses:

H2: As IT compatibility increases, organizational strategic flexibility will increase.

H3: The positive effect of ERM processes on organizational strategic flexibility is mediated by the level of IT compatibility.

As noted earlier, Ernst and Young (2008b) highlights the importance of establishing the

proper tone at the top of the organization to assure that the control culture of the organization is

brought in alignment with a risk management perspective. The control environment of the firm

must evolve to a form compatible with the ERM strategies and processes. The control

environment is the foundation for all other components of internal control, providing discipline

and structure. In terms of the theory, the control environment embodies a type of competitive

action that a firm must execute to facilitate reaction to identified risks and opportunities

(Sambamurthy et al. 2003).

11

Similarly, Volberda (1996) notes that an organization can only continue to act flexibly if

conditions are developed to maintain the organizations controllability and responsiveness. If

management tries to increase the flexibility mix beyond the limits of organizational conditions,

the controllability of the organization will diminish. (Volberda 1996, 363). The managerial

control literature similarly points to the importance of effective managerial control as necessary

to support strategic flexibility (Simons 1990; Davila 2000; Chenhall 2003; Ditillo 2004; Naranjo-

Gil and Hartmann 2006; 2007). Thus, an organization that maintains a consistent state of strong

organizational strategic flexibility will only do so if it uses that strategic flexibility to develop

and maintain an effective control environment that promotes discipline and structure. This leads

to the fourth and fifth hypotheses:

H4: As ERM effectiveness increases, the strength of the control environment will also increase.

H5: Higher levels of organizational strategic flexibility will promote stronger control environments.

Faced with new regulatory compliance requirements, an organization must react quickly

in order to put the processes in place to achieve compliance effectively and efficiently. By

definition, organizational strategic flexibility is the ability to respond appropriately and timely to

changes in the competitive environment (Volberda 1996). The introduction of new regulation is

reflective of such a change in the competitive environment. Thus, more flexible organizations

would be expected to react to regulatory changes by implementing appropriate and timely

processes to achieve compliance.

Amburgey and Miner (1992) view this ability to react to change by implementing

appropriate and timely processes as strategic momentum. In terms of organizational change,

strategic momentum is the tendency to maintain or expand the emphasis and direction of prior

strategic actions in reacting to current strategic challenges (Amburgey and Miner 1992). The

12

experience with change that comes with organizations having high levels of strategic flexibility

provides the ability to incorporate core routines for facilitating change into the structural inertia

(i.e. culture) of the firm (Amburgey et al. 1993). High levels of strategic flexibility coupled with

a culture prepared to address change are perceived to be even more critical when the forces

driving the change are intensified (Grewal and Tansuhaj 2001). Arnold et al. (2007) observe this

facilitating link between a change culture and the ability to adapt to control requirements under

SOX 404 mandates in two of the four firms they studied.

The inertia that allows firms to adapt and repetitively apply change routines (Amburgey

et al. 1993) is consistent with the organizational culture required within regulatory environments

that mandate on-going processes that facilitate compliance. This compliance culture, which must

become engrained in the organizational culture, accordingly influences the control consciousness

of the organizations peoplei.e. the control environment (COSO 1992). This creation of a

strong control environment should have a direct effect on the viability of compliance

implementation processes. Arnold et al. (2007) note the importance of a strong tone at the top

for facilitating the change in culture required for implementing SOX 404 compliance mandates.

Hence, while organizational strategic flexibility should facilitate the development of effective

implementation processes, the impact is likely increased (decreased) in the presence (absence) of

a strong control environment. The control environment is a critical catalyst for successfully

implementing strategic compliance processes. This leads to the sixth and seventh hypotheses:

H6: A stronger control environment will lead to more effective SOX compliance implementation processes.

H7: Higher levels of organizational strategic flexibility will promote stronger SOX compliance implementation processes, but this relationship will be mediated by the strength of the control environment.

13

Finally, more effective SOX compliance implementation processes should reduce the

difficulty in achieving compliance. This is the eighth and final hypothesis:

H8: A stronger SOX compliance implementation process will result in less difficulty achieving compliance.

This final hypothesis serves primarily as a control to assure that higher perceived levels of

activity actually result in tangible benefits.

Figure 2 graphically presents the hypothesized relationships and visually captures the

interrelationships among the various constructs. In terms of the theory on capability building and

entrepreneurial alertness, the research model expands upon the competitive actions portion of the

conceptual model to consider in greater detail the activities necessary for an effective response to

the given regulatory change.

[Insert Figure 2 about here]

III. RESEARCH METHOD

A field survey method was adopted for this study in order to identify and understand the

relationships as they exist within a set of organizations. Partial least square (PLS) analysis

(SmartPLS 2.0 Beta 2005) was used to validate the study constructs and to test the relationships

hypothesized in the conceptual model presented in Figure 2. The following sub-sections

elaborate on the participants, instrument development and validation, and the method of analysis.

Participants

The Institute of Internal Auditors Research Foundation (IIARF) hosted the survey

employed in this study. An invitation to participate was sent by the IIARF to 1,383 members

identified as Chief Audit Executives or the equivalent. A total of two hundred fifty-one

members completed the survey for a total response rate of 18.1%; 139 (55.6%) were employed at

organizations that have completed the SOX 404 compliance process, 111 (44.4%) were

14

employed at organizations that either are not subject to SOX 404 compliance or have not

completed the compliance process, and 1 participant did not respond to this question. While all

invitees were identified by the IIA as the chief audit executives in their organizations, responses

were screened based on the demographics in order to identify anyone that did not appear to fit

the sample profile. Of the 139 respondents at organizations that had completed the SOX

compliance process, two indicated they were staff auditors with less than five years experience

and one individual, also with less than five years experience, did not respond to the question

related to position. The data from these three respondents were excluded from further analyses.

Data from the remaining 136 respondents were examined for completeness. In one case,

the participant responded to less than 30% of the survey and in another case the participant

omitted all items related to one variable of interest; these cases were also dropped from further

analyses. A test of overall randomness found that remaining missing data was missing

completely at random (MCAR) (chi-square = 314.933 df = 386 p-value = 0.997) and the

expectation maximization algorithm (EM) (SPSS 15.0 2006) was used to calculate replacement

values as necessary (Hair et al. 2006).

Respondents were afforded the option of selecting N/A Dont Know for each of the

survey measures. The N/A Dont Know responses were examined to assess the magnitude and

pattern (if any) to these data. Twenty-one of the participants selected N/A Dont Know for

more than 10% of the survey items and these respondents data were all excluded from further

analyses3. The remaining not applicable responses were evaluated and found to be completely

at random (MCAR chi-square = 336.007 df = 312 p-value = 0.168) and EM (SPSS 15.0 2006)

was used to calculate replacement values (Hair et al. 2006). All remaining analyses for the

3 The demographic data for these twenty-one respondents were examined to see if there was a concentration in a particular industry or some other participant demographic characteristic; however, these frequencies were similar to that of participants retained in the sample.

15

current study are based on the remaining 113 respondents employed at organizations that

reported having completed at least 1 filing consistent with the requirements of SOX 404.

Of the 113 respondents used in this study, 106 (93.81%) were employed at publicly

traded companies and 92 (81.42%) had over ten years internal audit, accounting, finance and/or

IT experience. Twenty-six (23.01%) were employed in manufacturing, 19 (16.81%) in financial

services/real estate, 12 (10.62%) in technology, 11 (9.73%) in insurance, and 10 (8.85%) in

utilities. Seventy-eight (69.03%) of the survey respondents were male and 33 (29.20%) were

female (2 did not respond to this item). Demographic data is shown in Table 1.

[Insert Table 1 here]

Survey Instrument

The online survey was divided into two sections; the first section captured measures of

the latent variables employed in this study. The second section of the survey instrument collected

respondents demographic information. The structural model, which is shown in Figure 3,

includes five latent variables with reflective item measures (i.e. effectiveness of ERM, IT

compatibility, organizational strategic flexibility, control environment, and SOX implementation

difficulty) and one latent variable with formative item measures (i.e., the SOX compliance

implementation process). Descriptive statistics as well as the individual items for the construct

measures are presented in Table 2.

[Insert Figure 3 and Table 2 here]

ERM is an organizational process that enables firms to holistically identify, assess and

measure the potential impact of risks that can affect firm value. The five ERM item measures

used in the current study were developed to reflect participants assessment of the effectiveness

of their firms enterprise risk management procedures at a strategic level. Specifically, these

16

measures were developed to reflect top managements role in risk management, as top

management must develop consistency of operational objectives and goals throughout the

organization by implementing risk management processes that provide consistent and reliable

information about both organizational risks and opportunities. Additionally, ERM ensures that

control processes identify risks that may affect the achievement of objectives, and that the

identified risks are complimented with appropriate responses. The item measures for the ERM

Process construct shown in Table 2 reflect a clear picture of an organizations internal strategic

environment with a focus on achieving the strategic benefits that should be derived from

effective ERM strategies and processes (Treasury Board 2001; E&Y 2008b; COSO 2004).

IT compatibility is a sub-component of Byrd and Turners (2000) technical IT

infrastructure flexibility construct and measures the organizations ability to share information

across various technology components. The item measures for IT compatibility were adapted

from Byrd and Turner (2000). However over 10% of the respondents indicated that two of the

Byrd and Turner (2000) item measures were not applicable for their organization. As a result,

these items were dropped from further analysis. While all item measures are included in Table 2,

descriptive statistics are only shown for the four item measures retained.

Organizational strategic flexibility reflects the organizations ability to respond to the

opportunities and challenges of a competitive environment (Sanchez 1995). Four item measures

of organizational strategic flexibility are employed in the current study. These measures are

adapted from those validated by Cannon and St. John (2004) and focus on organizations

strategic accommodation of market/product changes.

The control environment construct reflects the organizations corporate environment as it

relates to internal controls. The five item measures in the current study for the control

17

environment were derived from COSOs original Internal Control Integrated Framework

(1992). COSO (1992) specifically mentions integrity and ethical values in the form of tone at

the top and an enforceable code of conduct, commitment to competence, active board of

directors, and appropriate organizational structure. Overall a strong control environment consists

of strong tone at the top supported by an organizational structure that encourages ethical

behavior. This organizational structure includes active communication between internal audit

and the board of directors/audit committee, enforceability of the code of conduct (item3) and

anonymous reporting mechanisms. The item measures for control environment shown in table 2

are reflective of a strong control environment.

The facets of organizational process change that are combined to form the construct for

SOX compliance implementation process include leadership, teamwork, change in

organizational culture and technology support functions. These item measures, which are shown

in Table 2, were derived from organizational and business process change best practices and

case study results (Kettinger and Grover 1995; Ungan 2005; Arnold et al. 2007).

Data Analysis

As shown in Figure 3, four of the constructs in the structural model are both exogenous

and endogenous. In addition, the SOX compliance implementation process construct is

formative rather than reflective, thus partial least squares (SmartPLS 2.0 beta 2005) is used for

data analysis and to assess construct convergent and discriminant validity.

Convergent Validity

The measures used to assess the convergent validity of the reflective constructs employed

in this study are factor loadings, variance extracted, and construct composite reliability. The

factor loadings and cross loadings are presented in Table 3; the factor loadings for the constructs

18

with reflective item measures all exceed 0.70 and are higher than related cross-loadings (Chin

1998; Hair et al. 2006). In addition, as shown in Table 4, the variance extracted for each

reflective construct exceeds 0.50 and the construct composite reliability exceeds 0.70 (Fornell

and Larcker 1981; Hair et al. 2006). Together these results support the convergent validity of the

reflective constructs in the structural model (Fornell and Larcker 1981; Chin 1998; Hair et al.

2006). Measures of internal consistency are not appropriate for validating formative constructs

(Hair et al. 2006).

[Insert Tables 3 and 4 here]

Discriminant Validity

The average variance extracted for each latent variable was compared with the related

squared inter-construct correlations to assess discriminant validity (Hair et al. 2006). All of the

average variance extracted estimates were greater than the associated squared inter-construct

correlations (Table 5), which suggests that discriminate validity is not a problem for the

reflective constructs in the model. Additionally, as shown in Table 6, each inter-construct

correlation is also less than 0.85, which is another indicator of discriminant validity (Kline

2005).

[Insert Tables 5 and 6 here]

Formative Construct Validity

Formative measures form a composite index, thus, ensuring that the indicators do not

overweight any particular aspect of the construct is important(Chin 1998; Diamantopoulos et al.

2008). Variance inflation factors were calculated for each of the six indicators of the construct

for SOX compliance implementation process, using a measure of SOX implementation

difficulty. The VIF for one of the measures of SOX implementation process, Our organization

19

developed a formal approach to implementing SOX, was 4.4 (not shown), which exceeded the

recommended threshold of 3.3 (Diamantopoulos and Siguaw 2006; Petter et al. 2007). All six

item measures for this construct were reviewed; removing this item did not affect the construct

content validity (Hair et al. 2006; Petter et al. 2007). As shown in Table 3, the variance inflation

factors for the remaining measures of this construct were all less than 2.0, and they were retained

in the model (Hair et al. 2006).

IV. RESULTS

The purpose of this study was to examine the influence of ERM effectiveness on the

effective leveraging of IT systems, development of organizational strategic flexibility, and the

resulting reactiveness to new regulatory mandates over internal control reporting. The research

model theorized in the current study posits that factors impacting compliance implementation

processes include effectiveness of ERM, the level of IT compatibility, the organizations

strategic flexibility, and the strength of the organizations control environment. Because this

model includes a formative construct, parametric testing is not appropriate; bootstrapping (1000

samples with replacement) was used to calculate model t-statistics and standard errors

(Diamantopoulos and Winklhofer 2001). The construct R2, standardized path coefficients, and

p-values are presented in Figure 3 (SmartPLS 2.0 beta 2005).

H1 posits that ERM is an antecedent of IT compatibility. The results indicate that the

standardized path coefficient (+0.6014) is significant (p-value=0.001) and in the hypothesized

direction, providing support for H1. R2 for IT compatibility is 0.362 suggesting that ERM

explains 36.2% of the variation in IT compatibility. Consistent with prescribed ERM strategies,

these results support the view that the ability to share information across the organization is a

critical and necessary outcome of implementing effective ERM processes.

20

H2 posits that IT compatibility facilitates organizational strategic flexibility. The

standardized path coefficient of H2 (+0.3406) is also significant (p-value=0.001) in the

hypothesized direction. As shown in Figure 3, R2 for organizational strategic flexibility is 0.273.

This finding supports both the underlying theory on the relationship between ERM and strategic

flexibility as well as being consistent with prior managerial control research that suggests that

maintenance of flexible organizational structures requires easy access to organizational wide

information that facilitates monitoring (Abernathy and Lillis 1995; Abernathy and Brownell

1999; and Bouwens and Abernathy 2000.)

H3 posits that IT compatibility mediates the impact of ERM on organizational strategic

flexibility. Consistent with Baron and Kenney (1986) the three conditions that must be met to

support a mediation effect are evaluated. The first condition requires a significant relationship

between ERM and IT compatibility; tests of H1 provide support for this condition. The next

condition requires a significant relationship between IT compatibility and organizational

strategic flexibility; tests of H2 provide support for this condition. The third condition requires

that a significant relationship between ERM and organizational strategic flexibility become less

significant when a relationship between ERM and IT compatibility is included in the model. In

other words, for IT compatibility to mediate the impact of ERM on organizational strategic

flexibility, H1 and H2 should have significant path coefficients while the coefficient for H3

diminishes. Figure 4 indicates a significant relationship (p-value=.001) between ERM and

organizational strategic flexibility when the direct relationship between those two variables is

tested. When IT compatibility is included in the model the relationship between ERM and

organizational strategic flexibility, although still significant (p-value=.01) diminishes by almost

50% indicating that IT compatibility partially mediates the effect of ERM on organizational

21

strategic flexibility. Results of the Goodman I version of the Sobel test (z-value = 3.356, p-value

=0.0008) confirm the partial mediation effect. The identification and support of this mediating

effect is a major finding as it explains the interrelationship between three disparate literatures: (1)

conceptualizations on ERM (Treasury Board 2001, COSO 2004; E&Y 2008b), (2) findings in

the managerial control literature on the importance of broad based information to support

flexible organizations, and (3) findings in the strategic management literature on the critical role

of managerial control and IT capability on organizational strategic flexibility.

[Insert Figure 4 here]

H4 posits that improvements in ERM will lead to control environment improvements. The

standardized path coefficient (+0.6347) is significant (p-value = .001), providing support for H4.

ERM also impacts control environment through organizational strategic flexibility, thus the total

effect of ERM on control environment is 0.73822 (i.e. 0.6347 + (0.2408*0.2323) +

(0.6014*0.3406*0.2323)). By including organizational components impacted by ERM in the

research model (i.e. IT compatibility and organizational flexibility), our model reveals that the

total effect of ERM on control environment is substantially higher than the simple direct effect of

0.6347.

H5 posits that improved organizational flexibility is associated with an improved control

environment. Figure 3 indicates that the standardized path coefficient between organizational

strategic flexibility and control environment (+0.2323) is significant (p-value=0.001) in the

hypothesized direction, providing support for H5.This finding is consistent with theorizations

from a strategy perspective (Volberda 1996); findings in prior managerial control studies

(Simons 1990; Davila 2000; Chenhall 2003; Ditillo 2004; Naranjo-Gil and Hartmann 2006), and

the underlying theory on ERM facilitation of competitive actions. All have postulated that

22

flexible organizations are only sustainable if they develop strong controls, and our research

results show that a strong control environment represents one such control mechanism for

facilitating and supporting organizations ability to respond in an effective and timely manner.

H6 posits that the quality of the control environment influences the SOX compliance

implementation process. The standardized path coefficient between control environment and

SOX 404 compliance implementation process (+0.4979) is significant (p-value=0.001) and in the

hypothesized direction, providing support for H6. This finding provides additional support for the

finding that a strong tone at the top that facilitates a change in culture has a substantial

influence over the organizations proficiency in implementing SOX 404 compliance processes

(Arnold et al. 2007).

H7 posits that control environment mediates the impact of organizational strategic

flexibility on SOX compliance implementation process. As noted previously, three conditions

must be met to support a mediation effect (Baron and Kenney 1986). The first condition requires

a significant relationship between organizational strategic flexibility and control environment;

tests for H5 provide support for this condition. The next condition requires a significant

relationship between control environment and SOX compliance implementation process; tests of

H6 provide support for this condition. The third condition, which requires that a significant

relationship between organizational strategic flexibility and SOX compliance implementation

process become less significant when a relationship between organizational strategic flexibility

and control environment is included in the model, also exists. As shown in Figure 5, the

coefficient between organizational strategic flexibility and SOX 404 compliance implementation

process is significant (p-value=.001) but diminishes when control environment is included (p-

value=0.10). The results of the Goodman I version of the Sobel test (z-value = 3.0096 p-value

23

=0.003) confirm the full mediation effect. Thus, control environment fully mediates the effect of

organizational strategic flexibility on SOX compliance implementation process. Consistent with

Volberda (1996) this additional major finding demonstrates that the usefulness of organizations

strategic flexibility in facilitating responsiveness to new regulatory mandates is heavily

dependent on the strength of the control environment.

The last hypothesis, H8, posits an inverse relationship between the SOX compliance

implementation process and the amount of difficulty experienced by the organization during the

implementation process. To obtain a measure of SOX implementation difficulty, participants

were asked to respond to the following statement The change that was required for our

organization to comply with SOX was difficult to implement.

A formative construct is by definition unidentified (Hair et al. 2006), thus the SOX

difficulty construct provides model identification and supports the nomological validity of the

formative SOX compliance implementation process construct. The results indicate that the

standardized path coefficient -0.3065) is significant (p-value=0.01) and in the hypothesized

direction, providing support for H8.

[Insert Figure 5 here]

V. DISCUSSION

This research study was motivated in part by the discourse over the potential negative

impacts of new global internal control reporting mandates and, in part, by the need for a better

understanding of the relationship between ERM, IT capatibility, and organizational strategic

flexibility on both the development of a strong control environment and compliance difficulty.

Critics of SOX 404 requirements in particular have often pointed to a loss in strategic flexibility

as a cost of regulatory compliance and advocated rescinding this key aspect of the corporate

24

governance initiatives put in place by the Act. While our model specifically focuses on SOX 404

compliance requirements, the conceptual foundations of the model are more generalized and the

models applicability theoretically should also extend to organizational responses to other new

regulatory compliance requirements.

In formulating the conceptual model, consideration was given to the findings of Arnold et

al. (2007) in their case analysis of four small and medium-sized organizations experiences in

implementing SOX 404 compliance processes. Two of the four organizations had difficult

implementation experiences and two exhibited relatively minor difficulty in implementation. On

the surface, these case studies would seem to highlight conflicting evidence regarding the actual

existence of the concerns that have been raisedi.e. reduced strategic flexibility and hindered

competitiveness. A deeper examination of the documented cases, however, provides evidence

that the differences in experiences among the companies could be driven by organizational

culture and/or existing ERM strategies.

In this study, we develop a conceptual model that investigates the effects of

organizational culture and ERM processes on compliance. The model relies heavily on the theory

of capability building and entrepreneurial alertness while integrating that theory with the

managerial control systems literature in order to better understand the facilitation of competitive

actions required to respond to the new regulatory mandates. The theoretical relationships

between the four main constructs are better understood as a result of identifying the mediating

constructs that influence the nature of the relationships among the constructs. Testing of the

model, based on the reported organizational structures and experiences provided by 113 chief

audit executives from organizations having completed and reported upon SOX 404 compliance

requirements for internal controls, yields strong explanatory power and significant relationships

25

that are in line with the hypothesized relationships. Thus, the conceptual model appears to

provide a sound basis for understanding how various organizational structures and processes

affect the level of compliance difficulty experienced across a range of organizations.

First, we find that the effectiveness of ERM processes is very predictive of organizations

strategic flexibility, but that this relationship is partially mediated by IT compatibilitythe

ability to access and utilize enterprise wide data from across all organizational systems. Second,

we find that an organizations strategic flexibility is positively related to their ability to

implement effective processes for addressing compliance with new regulations, but that this

relationship is fully mediatedin this case by the strength of the control environment. Third, our

findings significantly enhance the theoretical understanding of the relationship between ERM

and the strength of the control environment by identifying not only a strong direct effect, but also

finding a strong indirect effect via the organizational structures and processes supported by

ERM. This indirect effect increases the explanatory power of ERM by 16% in terms of

explaining the variance in the strength of organizations control environment. In summary, the

results provide evidence that organizations with strong ERM processes prior to SOX 404

mandates faced fewer obstacles in implementing the processes necessary to meet internal control

requirements. On the other hand, the organizations that did not have effective ERM processes in

place incurred the greatest difficulty in implementing effective compliance processesthe very

organizations for which the Act was deemed so important.

There are limitations of the current study that should be considered when reflecting upon

the results. Many of these limitations are related to scope and also provide guidance on future

research needs. First, our responses were taken entirely from chief audit executives. Their views

on the SOX compliance experience may not be reflective of other chief executives in the

26

organization. Future studies may wish to consider multiple respondents for each organization in

order to get a more diverse perspective on the experiences. Second, our study considers a limited

set of organizational structures and processes, and additional organizational characteristics may

likely aid in further explaining the attributes and relationships that were observed in this study.

Organizations are complex entities and substantial research is required to uncover the myriad of

complex interrelationships that drive organizational behavior and performance. Third, our study

relies on the responses of chief audit executives which necessarily narrows our representation to

organizations that have at least one in-house internal auditor. Given the large market for

consulting services to assist with compliance efforts, there will be a relatively small subset of

organizations that still do not have an internal audit function in-house. While this has become

much rarer in the post-SOX era, future research should consider expanding the scope to these

organizations as well.

Overall, the research reported here provides an initial view into the effect of

organizational structures and processes on the ability to meet regulatory compliance mandates.

The relationships are strong and significant, the interrelationships complex, and the findings

highly insightful in terms of understanding the importance of ERM in effectively dealing with

volatile environments.

27

FIGURE 1 Strategic ERM Processes and the Impact on Organizational Structures and Competitive Action

Strategic ERM Processes

Leveraging of IT Systems

Strategic Flexibility

Competitive Action

28

FIGURE 2 Drivers of Sarbanes-Oxley 404 Compliance Difficulty

Enterprise Risk Management

Information Technology

Compatibility

Organizational StrategicFlexibility

Control Environment

Sarbanes-Oxley 404 Compliance Implementation

Process

Sarbanes-Oxley 404 Compliance

difficulty

H1

H2

H3

H4

H5

H6

H7

H8

29

FIGURE 3 Structural Model

30

FIGURE 4 Structural Model Test of Mediating Effects of Information Technology Compatibility

31

FIGURE 5 Structural Model Test of Mediating Effects of the Control Environment

Organizational StrategicFlexibility

ControlEnvironment

Sarbanes-Oxley404 Compliance Implementation

Process

H5+0.467***

H6+0.410***

H7+0.167

Organizational StrategicFlexibility

Sarbanes-Oxley404 Compliance Implementation

Process

H7+0.382***

* P-value < 0.05 (one-tailed t-statistic > 1.645)** P-value 2.236)

*** P-value < 0.001 (one-tailed t-statistic > 3.090)

32

Table 1 - Participant Demographics Category Frequency

N = 113 Percentage

Gender Male 78 69.03% Female 33 29.20% Not answered 2 1.77% Age 25 to 40 years 28 24.78% 40+ years 84 74.34%

Not answered 1 0.88% Experience 3 to 10 years 21 18.58% 10+ years 92 81.42% Industry Manufacturing 26 23.01% Financial services / real estate 19 16.81% Technology 12 10.62% Insurance carriers / agents 11 9.73% Utilities 10 8.85% Wholesale/retail 6 5.31% Transportation 6 5.31% Communication 4 3.54% Health 3 2.64% All other 16 14.16% Organizational Structure Publicly traded 106 93.81% Not publicly traded 6 5.31% Not answered 1 0.88%

33

Table 2 - Descriptive Statistics Construct Measures

Minimum Mean Median Maximum Std dev.

Enterprise Risk Management (ERM) Process

1. Our organization performs a thorough enterprise-wide risk assessment at least once a year 1 3.65 4.00 5 1.314

2. The strength of our internal control system enhances our organizations ability to identity events that may affect the achievement of our objectives

1 3.04 3.00 5 1.109

3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks 1 3.02 3.00 5 1.257

4. Management has effective processes to respond to identified risks 1 3.02 3.00 5 1.134

5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organizations well-being.

1 3.13 3.00 5 1.128

IT Compatibility

1. Remote, branch, and mobile offices have easy access to data from the home or central office 1 2.48 2.00 5 1.188

2. Our organization's ability to make rapid IT change is high 1 3.39 3.00 5 1.145

3. Information is shared seamlessly across our organization, regardless of the location 1 3.01 3.00 5 1.214

4. Our user interfaces provide transparent access to all applications. 1 2.96 3.00 5 1.105

34

5. Our organization offers a wide variety of types of information to end users (e.g. multimedia) (D)

6. Data received by our organization from electronic links with supply-chain partners are reliable (D)

Organizational Strategic Flexibility

1. Our organization has difficulty maximizing new market opportunities (RC) 1 2.50 2.00 5 1.127

2. Our organization is able to introduce new products/services 1 2.18 2.00 5 0.967

3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC) 1 2.29 2.00 5 1.027

4. Our organization is able to manage the impact of serving new classes of customers 1 2.42 2.00 5 0.975

Control Environment

1. Top management exhibits shared attitudes regarding acceptable levels of enterprise risk 1 2.65 3.00 5 1.034

2. The board of directors actively interacts with internal auditors 1 2.53 2.00 5 1.391

3. Our organization has an enforceable formal code of conduct 1 2.21 2.00 5 1.285

4. Our organization has an effective mechanism for employees to anonymously report dishonest, illegal or unethical behavior 1 2.50 2.00 5 1.409

5. The actions of management support a strong internal control environment 1 2.29 2.00 5 1.080

35

SOX Compliance Implementation Process

1. Top management provided committed leadership in the implementation of SOX requirements 1 1.58 1.00 5 0.822

2. Our organization developed a formal approach to implementing SOX requirements 1 1.33 1.00 5 0.558

3. Our organization assembled an effective team to lead the SOX implementation process 1 1.44 1.00 5 0.704

4. Our organization experienced a change in organizational culture as a result of implementing SOX requirements 1 2.36 2.00 5 1.240

5. Our organization had a champion leading the SOX implementation process 1 1.52 1.00 5 0.790

6. The IT function in our organization effectively supported the necessary changes for SOX compliance 1 1.99 2.00 5 1.007

SOX Implementation Difficulty

1. The change that was required for our organization to comply with SOX was difficult to implement. 1 2.96 3.0 5 1.117

(RC) reverse coded (D) Items dropped due to volume of not applicable/dont know responses; items not included in data analyses Scale: 1 = Strongly Agree to 5 = Strongly Disagree

36

Table 3 - Item Loadings and Cross Loadings

Latent Variables with Reflective Indicators

Latent Variable

With Formative Indicators

VarianceInflationFactor

Control Environment

Enterprise Risk

Management IT

Compatibility

OrganizationalStrategic

Flexibility SOX

Difficulty

SOX Compliance

ImplementationProcess

CE1 0.799948 0.587382 0.520346 0.443651 -0.30446 0.433958 CE2 0.817297 0.645214 0.430881 0.418776 -0.35895 0.408118 CE3 0.779757 0.526933 0.491482 0.384745 -0.3615 0.435451 CE4 0.741822 0.487143 0.374668 0.299003 -0.20409 0.337813 CE5 0.770664 0.618163 0.504355 0.444200 -0.34635 0.489083

ERM1 0.480316 0.735474 0.376448 0.227031 -0.05027 0.119125 ERM2 0.681789 0.872316 0.538702 0.433014 -0.37431 0.421941 ERM3 0.685408 0.888451 0.559818 0.361941 -0.3129 0.333831 ERM4 0.671748 0.939087 0.575135 0.494995 -0.30959 0.451344 ERM5 0.659149 0.897131 0.53242 0.372234 -0.29524 0.363645 IFC1 0.48294 0.512423 0.835917 0.413831 -0.26963 0.238095 IFC3 0.522344 0.483832 0.881748 0.341684 -0.30837 0.308309 IFC5 0.518378 0.498639 0.816921 0.460071 -0.27521 0.384329 IFC6 0.510228 0.545117 0.868262 0.424306 -0.28279 0.278661 OF1rc 0.377564 0.241598 0.385518 0.732945 -0.22762 0.265035 OF2 0.383514 0.285678 0.337121 0.788538 -0.12844 0.317927

37

OF3rc 0.314371 0.342347 0.331338 0.773228 -0.03544 0.113477 OF4 0.45194 0.447844 0.398181 0.729167 -0.19754 0.306636

PERF3 -0.40847 -0.32467 -0.33331 -0.20395 1 -0.30648 SOXD1 0.430316 0.213079 0.25 0.130866 -0.18184 0.622641 1.5281 SOXD3 0.327479 0.214426 0.22585 0.291656 -0.0642 0.572628 1.7013 SOXD4 -0.24126 -0.22535 -0.11766 -0.21609 0.2156 -0.56392 1.0298 SOXD5 0.158904 0.034334 0.104942 0.153982 -0.02945 0.286873 1.4648 SOXD6 0.205493 0.239005 0.294668 0.164783 -0.15986 0.444248 1.3613

38

Table 4 - Tests of Convergent Validity

Variable Measures Factor

Loading

Construct Composite Reliability

Average Variance Extracted

Enterprise Risk Management (ERM) Process 0.9389 0.7556

1. Our organization performs a thorough enterprise-wide risk assessment at least once a year (D) 0.7355

2. The strength of our internal control system enhances our organizations ability to identity events that may affect the achievement of our objectives 0.8723

3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks 0.8885

4. Management has effective processes to respond to identified risks 0.9391

5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organizations well-being. 0.8971

IT Compatibility 0.9131 0.7244

1. Remote, branch, and mobile offices have easy access to data from the home or central office 0.8359

2. Our organization's ability to make rapid IT change is high 0.8817

3. Information is shared seamlessly across our organization, regardless of the location 0.8169

4. Our user interfaces provide transparent access to all applications. 0.8683

39

Organizational Strategic Flexibility 0.8423 0.5721

1. Our organization has difficulty maximizing new market opportunities (RC) 0.7329

2. Our organization is able to introduce new products/services 0.7885

3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC) 0.7732

4. Our organization is able to manage the impact of serving new classes of customers (D) 0.7292

Control Environment 0.8874 0.6120

1. Top management exhibits shared attitudes regarding acceptable levels of enterprise risk 0.7999

2. The board of directors actively interacts with internal auditors 0.8173

3. Our organization has an enforceable formal code of conduct 0.7798

4. Our organization has an effective mechanism for employees to anonymously report dishonest, illegal or unethical behavior (D) 0.7418

5. The actions of management support a strong internal control environment 0.7707 (D) dropped and not included in analyses of construct validity (RC) reverse coded

40

Table 5 - Test of Discriminant Validity

Organizational Strategic

Flexibility IT

Compatibility ERM Control

Environment Average Variance Extracted 0.5721 0.7244 0.7556 0.6120

SQUARED INTER-CONSTRUCT CORRELATIONS Organizational Strategic Flexibility 1.0000 IT Compatibility 0.2356 1.0000 ERM 0.1985 0.3617 1.0000 Control Environment 0.2654 0.3577 0.5449 1.0000

41

Table 6 - Latent Variable Correlations

Control Environment

Enterprise Risk

ManagementIT

Compatibility

Organizational Strategic

Flexibility SOX

Difficulty

SOX Compliance

ImplementationProcess

Control Environment 1.0000

Enterprise Risk Management

0.7382 1.0000

IT Compatibility 0.5980 0.6014 1.0000

Organizational Strategic Flexibility

0.5151 0.4456 0.4854 1.0000

SOX Difficulty -0.4085 -0.3247 -0.3333 -0.2040 1.0000

SOX Compliance Implementation Process

0.5429 0.4053 0.3561 0.3439 -0.3065 1.0000

42

REFERENCES

Abernethy, M.A. and P. Brownell. 1999. The role of budgets in organizations facing strategic change: an exploratory study. Accounting Organizations and Society 24: 189-204.

Abernethy, M.A. and A.M. Lillis. 1995. The impact of manufacturing flexibility on management control systems design. Accounting Organizations and Society 20(4): 241-258.

Ahrens, T. and C.S. Chapman. 2004. Accounting for flexibility and efficiency: a field study in management control systems in a restaurant chain. Contemporary Accounting Research 21(2): 271-301.

Amburgey, T.L and A.S. Miner. 1992. Strategic Momentum: The Effects of Repetitive,

Positional, and Contextual Momentum on Merger Activity. Strategic Management Journal (13): 335-348.

Amburgey, T.L., D. Kelly, and W.P. Barnett. 1993. Resetting the Clock: The Dynamics of Organizational Change and Failure. Administrative Science Quarterly (38): 51-73.

Arnold, V., T. S. Benford, J. Canada, J. R. Kuhn Jr., and S. G. Sutton. 2007. The Unintended Consequences of Sarbanes-Oxley on Technology Innovation and Supply Chain Integration. Journal of Emerging Technologies in Accounting. Vol. 4 No. 1 103-121.

Baron, R. M. and D. A Kenny. 1986. The Moderator-Mediator Variable Distinction in Social Psychological Research: Conceptual, Strategic, and Statistical Considerations. Journal of Personality and Social Psychology. Vol. 51, No. 6, 1173-1182.

Beasley, M.S., R. Clune, and D.R. Hermanson. 2005. Enterprise risk management: an empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy 24: 521-531.

Bloomsberg, M. R., C.E. Schumer, and McKinsey and Company. 2007. Sustaining New Yorks and the US Global Financial Services Leadership (New York: McKinsey and Company).

Bouwens, J. and M. A. Abernethy. 2000. The consequences of customization on management accounting system design. Accounting Organizations and Society 25: 221-241.

Byrd, T. A. and D. E. Turner. 2000. Measuring the flexibility of information technology infrastructure: Exploratory Analysis of a Construct. Journal of Management Information Systems; Summer Vol. 17, No. 1, 167-208.

Cannon, A. R. and St. John, C. H. (2004) Competitive Strategy and Plant Level Flexibility. International Journal of Production Research, 42(10): pp 1987-2007.

Chapman, C.S. and L-A. Kihn. (2009). Information system integration, enabling control and performance. Accounting Organizations and Society 34(2): 151-169.

43

Chenhall, R.H. 2003. Management control systems design within its organizational context: findings from contingency-based research and directions for the future. Accounting Organizations and Society 28: 127-168.

Chenhall, R. H. and K.J. Euske. 2007. The role of management control systems in planned organizational change: an analysis of two organizations. Accounting Organizations and Society 32: 601-637.

Chin, W.W. 1998. The Partial Least Squares Approach to Structural Equation Modeling. Mosern Methods for Business Research. Marcoulides, G.A. Lawrence Erlbaum associates, New Jersey, USA: 295-336.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control Integrated Framework. American Institute of Certified Public Accountants.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management Integrated Framework. (Committee of Sponsoring Organizations of the Treadway Commission, AICPA: New York).

Davila, T. 2000. An empirical study on the drivers of management control systems design in new product development. Accounting Organizations and Society 25: 383-409.

DeFond, M.L. and J.R. Francis. 2005. Audit research after Sarbanes-Oxley. AUDITING: A Journal of Practice and Theory 24(supplement): 5-30.

Diamantopoulos, A., and J.A. Siguaw. 2006. Formative Versus Reflective Indicators in Organizational Measure Development: A Comparison and Empirical Illustration, British Journal of Management 17: pp. 263-282.

_________, P. Riefler and K.P. Roth. 2008. Advancing formative measurement models. Journal of Business Research. (In Press). __________and H.M. Winklhofer. 2001. Index Construction with Formative Indicators:An

Alternative to Scale Development. Journal of Marketing Research 38 (2): 269-277 Ditillo, A. 2004. Dealing with uncertainty in knowledge-intensive firms: the role of management

control systems as knowledge integration mechanisms. Accounting Organizations and Society 29: 401-421.

EACLN and NAACLN. 2008. Enterprise Risk: Recurring Challenges and New Considerations for the Audit Committee. ViewPoints for the Audit Committee Leadership Summit 8 (31 October 2008).

Ernst and Young. 2008a. Internal Controls: From Compliance to Competitive Edge (EYGM

Limited).

44

_____________. 2008b. The Future of Risk Management and Internal Control (EYGM Limited).

Fornell, C. and D. F. Larcker. 1981. Evaluating Structural Equation Models with Unobservable Variables and Measurement Error. Journal of Marketing Research, Vol. 18, No. 1 39-50.

Grewal, R. and P. Tansuhaj. 2001. Building organizational capabilities for managing economic crisis: the role of market orientation and strategic flexibility. Journal of Marketing 65 (April): 67-80.

Institute of Internal Auditors. 2004. The Role of Internal Audit in Enterprise-wide Risk Management. London: The Institute of Internal Auditors UK and Ireland.

Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., & Tathan, R. L. (2006). Multivariate Data Analysis. Upper Saddle River, NJ: Pearson Education Inc

Katz, D.M. 2006. Panels on 404 skirt small-company woes. CFO.com (May 02).

Kettinger, W. K. and V. Grover. 1995. Toward a Theory of Business Change Management. Journal of Management Information Systems. Vol. 12. No. 1 9-30.

Kleffner, A., R. Lee, and B. McGannon. 2003. The effect of corporate governance on the use of enterprise risk management: evidence from Canada. Risk Management and Insurance Review 6(1): 53-73.

Kline, R. B. 2005. Principles and Practice of Structural Equation Modeling, Second Edition. (The Guilford Press: New York)

KPMG. 2008. International Survey of Audit Committee Members (Audit Committee Institute, London).

Lam, J. 2003. Enterprise Risk Management. Hoboken, NJ: John Wiley & Sons, Inc.

Langfield-Smith, K. (1997). Manaement control systems and strategy: a critical review. Accounting Organizations and Society 22(2): 207-232.

Levine, R. 2004. Risk management systems: understanding the need. EDPACS 32(2): 1-13.

Liang, H., Saraf, N., Hu, Q., & Xue, Y. 2007. Assimilation of enterprise systems: The effect of institutional pressures and the mediating role of top management. MIS Quarterly 31(4): 59-88.

Liebenberg, A. and R. Hoyt. 2003. The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Management and Insurance Review 6(1): 37-52.

Naranjo-Gil, D. and F. Hartmann. 2006. How top management teams use management accounting systems to implement strategy. Journal of Management Accounting Research 18: 21-53.

45

Naranjo-Gil, D. and F. Hartmann. 2007. Management accounting systems, top management team heterogeneity and strategic change. Accounting Organizations and Society 32: 735-756.

Palanisamy, R. 2005. Strategic information systems planning model for building flexibility and success. Industrial Management and Data Systems 105(1): 63-81.

Petter, S., D. Straub., and A. Rai. 2007. Specifying Formative Constructs in Information Systems Research. MIS Quarterly. 31 (4): 623-656.

Ringle, C. M., S. Wende and A. Will. 2005. SmartPLS 2.0 (beta), www.smartpls.de.

Romano, R. 2005. The Sarbanes-Oxley Act and the making of quack corporate governance. The Yale Law Review 114: 1521-1611.

Sambamurthy, V., A. Bharadwaj, and V. Grover. 2003. Shaping agility through digital options: Reconceptualizing the role of information technology in contemporary firms. MIS Quarterly 27 (2): 237-263.

Sambamurthy, V. and R.W. Zmud. 1999. Arrangements for information technology governance: a theory of multiple contingencies. MIS Quarterly 23(2): pp.261-290.

Sanchez, R. 1995. Strategic Flexibility in Product Competition. Strategic Management Journal, 16: pp 135-159.

Simons, R. 1990. The role of management control systems in creating competitive advantage: a new perspective. Accounting Organizations and Society 15(1/2): 127-143.

Treasury Board. 2001. Integrated Risk Management Framework. (Treasury Board, Canadian Government, Ottawa).

Ungan, M. 2005. Management support for the adoption of manufacturing best practices: key factors. International Journal of Production Research. Vol. 43, No. 18, 38033820.

Volberda, H.W. 1996. Toward the flexible form: how to remain vital in hypercompetitive environments. Organization Science 7(4): 359-374.