The impact of new regulatory requirements for internal control reporting on an organization's ability to maintain strategic flexibility has been debated extensively. This paper uses a systems perspective to examine the relationship between an organization's pre-regulatory effectiveness of enterprise risk management (ERM) processes and its reactiveness to new regulatory mandates. This focus on ERM processes first examines the influence of ERM on the ex ante development of organization structures (i.e. information technology systems compatibility and organizational strategic flexibility). These structures are then examined for their influence on the use of appropriate actions (i.e. control environment and comprehensive compliance processes) to mitigate the difficulty of compliance. Data were collected on these main constructs and related influential constructs from chief audit executives representing a broad range of North American organizations. We specifically focus on Section 404 of the U.S. Sarbanes-Oxley Act of 2002 (hereafter, SOX 404). Structural modeling was used to test the relationships simultaneously and to understand the predictive behavior of the various attributes. First, the results reveal a strong positive relationship between the effectiveness of ERM and strategic flexibility, which is partially mediated by IT compatibility (the ability to capture and share data across an enterprise). Second, the results show a strong positive relationship between strategic flexibility and use of effective implementation processes for new compliance requirements over internal control reporting, but the relationship is fully mediated by the strength of an organization's control environment. Third, our structural model allows us to identify both direct effects of ERM effectiveness on the strength of the control environment and the indirect effects of ERM effectiveness on control environment via the interrelationships with IT compatibility and strategic flexibility.
Measurement of these indirect effects captures a more complete view of the influence of ERM effectiveness on the strength of the control environment; the combined direct and indirect effects increase the variance in strength of control environment explained by ERM by 16%. In brief, our research finds that organizations with effective ERM processes and flexible organizational structures already in place incurred little difficulty in implementing SOX 404 mandates, while organizations that lacked effective ERM processes prior to SOX 404 compliance had weaker implementation processes and had a more difficult experience in complying with the mandates. These findings provide key insights into the importance of ERM for creating an organizational form that can effectively deal with regulatory compliance issues in volatile environments.