‘The creation of the SOx Acceptance Framework’


Academic year: 2021


Barbara Hammink

University of Groningen

Faculty Management and Organization

Sara Lee International

December 2006


University of Groningen

Faculty of Management and Organization

Financial Value Management

Utrecht, December 2006

Author: B. Hammink

Student Nr.: S1271814

Supervisors:

Rug: Prof. Drs. J.A. Emanuels, Drs. S. Bruinsma

Sara Lee International: K. Hulzebos

The author is responsible for the content of the thesis and the copyright of this thesis is held by the author.


Preface


This thesis is the result of a comprehensive research which is performed within Sara Lee International and is considered to be the last step toward my final graduation at the faculty of Management and Organization.

In May 2006 I started my internship, which offered me the opportunity to have a closer look at the SOx internal control activities within Sara Lee International. The first month was used to acquire as much information as possible regarding SOx by reading a lot of related literature and by helping with the SOx Management testing activities. By not only reading about SOx but really experiencing SOx in practice, the acceptance of SOx got my attention. Based on this it was decided to measure the acceptance of SOx within Sara Lee Netherlands. However, after exploring the existing literature base I could not find any literature that was related to measuring the acceptance of SOx. Subsequently, I decided to develop a new measurement tool that would provide a better view on the acceptance of SOx. This all resulted in the creation of the SOx Acceptance Framework, which was an extremely pleasant challenge.

Nevertheless, I would never have had such a satisfying experience during my internship without the help, support and enthusiasm of my two supervisors. Therefore I would like to thank Klaas Hulzebos, who is my supervisor from Sara Lee International, for everything he taught me about SOx and for the confidence he showed in me by giving me a lot of freedom. I would also like to thank Jim Emanuels, my first supervisor from the faculty of Groningen, for monitoring the progress of my research, for making the time to visit Sara Lee International and for providing me with the necessary and critical feedback. This all definitely contributed to the quality of my research. Besides Klaas Hulzebos and Jim Emanuels, I would like to thank my second supervisor from the faculty of Management and Organization, Sikko Bruinsma, who supported me during the final stage of my research and helped with the evaluation of my thesis. Last, I would like to thank the 18 respondents who filled in all the 81 questions of the self assessment and consequently have been of great use by supporting the results of my research.

In short, my internship was a very positive experience during which I learned a lot about conducting scientific research. Sara Lee International is a great company that really made me feel part of the organization. My internship even resulted in my first ‘real’ job. Two months ago I started as Junior Management Accountant at the DE department.

Finally, I hope you will all enjoy reading it and I hope that this research is considered to be the first step toward creating a SOx Acceptance Framework!

Kind Regards,


Management Summary


As a consequence of corporate misstatements like the Enron, WorldCom and Xerox affairs, investors lost their trust in U.S. public companies. Due to these fraudulent affairs the Sarbanes-Oxley Act 2002 (SOx) was signed into law. SOx is a corporate governance code that is applicable to all U.S. organizations that are registered on one of the U.S. stock exchanges. It is about combating fraud and improving the reliability of financial statements. SOx addresses many issues behind accounting misstatements and enforces higher penalties to prevent corporate fraud. By raising the bar for the design of the internal control process the act intends to protect investors and regain their confidence by improving the accuracy and reliability of corporate disclosures. For applicable organizations it has become essential to become compliant with these legal requirements.

After a few years of coping with SOx, organizations want to gain more insight into how to improve the quality of their SOx control activities and so the quality of their internal control process. One of the areas of interest is the acceptance of SOx, because a low acceptance will have a negative influence on the effectiveness of the SOx control activities. Many employees see SOx as a burden that costs them a lot of extra work and do not take their responsibilities seriously enough. Based on this the following problem statement has been formulated:

Research Objective:

‘Providing a better view on the acceptance of the changes within the internal control process resulting from the implementation of the Sarbanes-Oxley Act 2002’

Key Question

‘What is the acceptance of the changes within the internal control process resulting from the Sarbanes-Oxley Act 2002 and how can this be measured?’

During this research the key question is answered and subsequently the research objective will be realized. In the first part of the research a theoretical foundation is created which forms the basis for the creation of the SOx Acceptance framework. At the end of the research the framework is tested in reality by conducting a single case study. The theoretical foundation starts with a detailed definition of internal control based on the generally accepted COSO framework. Internal control processes are designed to ensure the reliability of financial reporting and ultimately the preparation of the financial statements. According to the COSO-framework internal control consists of the following five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. To become effective it is important for organizations that these five components are built into the corporate infrastructure.

The implementation of SOx, and especially Sections 302 and 404 that are in the scope of this research, changed the internal control process of many organizations. Section 302 concerns the accuracy and completeness of the information that must be consistent with the anti-fraud provisions of the Act. Section 404 is related to Section 302 and requires an annual evaluation of the internal SOx controls and procedures for financial reporting that must be confirmed by both management and the independent auditors. These two Sections influence employees at all organizational levels and must assure that incomplete or incorrect financial information could no longer exist. The mandatory and comprehensive SOx control activities start at entity level by identifying and evaluating entity level controls that may have a pervasive effect on the risk of error and fraud. At a lower level organizations must create an understanding of the processes that influence the financial statement at process, application and transaction level. Types of errors that could occur should be identified and new control policies must be designed to prevent or detect these types of errors.

The next step in the research is the creation of the SOx Acceptance framework. SOx definitely changed the internal control process and has a major impact on the internal control activities. Applicable employees have to cope with three significant changes, which are the new SOx controls and the documentation and testing requirements. Because resistant employees will only use the system to a minimal extent it is essential that SOx


SOx it is very important that the acceptance of SOx is about intrinsic motivation and not just about performing SOx control activities. Based on this the following definition of acceptance is used:

‘Acceptance is the act of accepting with approval by following the required course of action, which is incorporated within the routine operating procedures of applicable employees within the entire organization.’

The SOx acceptance framework is illustrated at the end of the management summary and is based on the Technology Acceptance model (TAM). The TAM is a model of human behavior that assumes that reasoning flows from beliefs and evaluations of an attitude toward accepting the changed or new IT system. By using the TAM for the creation of the SOx Acceptance framework two different areas of research are brought together. Like the TAM the SOx Acceptance framework assumes that acceptance is directly or indirectly influenced by perceived usefulness, perceived ease of use and the attitude toward SOx. These relations are presented in the model at the end of the management summary. Perceived usefulness is the degree to which a person believes SOx enhances their job and performance. This variable can be measured by several criteria that are related to the relative advantage of the SOx control activities, the degree to which the sense of urgency is communicated and the commitment of top management toward SOx. Perceived ease of use is defined as the degree to which someone believes that SOx control activities are free of effort. The criteria that are used to measure this variable are related to the complexity, the required learning activities and the compatibility and quality of the design of the SOx control activities. Attitude toward a system is the evaluative response to the implementation of SOx. Measurement criteria used to measure the attitude toward SOx are the degree to which employees perceive SOx as a good idea, important, beneficial to the organization and the degree to which they feel a need for a change within the internal control process. Acceptance is already defined and is measured by the degree to which an individual wishes to comply with SOx requirements, the organizational enforcement of the change and the degree to which they believe that SOx is a part of their job.

All four variables are measured in reality with the use of these measurement criteria that are incorporated in a descriptive self assessment. This is realized during an empirical research by conducting a case study within two departments of Sara Lee International, namely DE and DECS. The self assessment is sent to a sample that consists of 18 respondents that can be divided into two homogeneous groups that contain 9 employees of DE and 9 employees of DECS from different organizational levels. Based on the trustworthy theoretical foundation of the TAM, the help of the SOx department of Sara Lee and the results of the case study the assessment is considered to be valid and reliable. After evaluating the validity and reliability of the assessment the following hypotheses will be tested:

H1: Perceived usefulness is positively related to the attitude toward the changes within the internal control process resulting from SOx.

H2: Perceived ease of use is positively related to the attitude toward the changes within the internal control process resulting from SOx implementation.

H3: Perceived usefulness and perceived ease of use are related to each other.

H4: Perceived usefulness is positively related to the acceptance of the changes in the internal control process resulting from SOx.

H5: Attitude toward the changes within the internal control process resulting from SOx implementation is positively related to the acceptance of the changes in the internal control process resulting from SOx.

These hypotheses are based on the relations presented in the SOx Acceptance framework. Important to note is that these hypotheses do not hypothesize causality. Relations are assumed to be causal when all the five hypotheses are accepted. This assumption is based on the positive and trustworthy foundation of the TAM which has already been tested many times in reality. The strength and the direction of these relations are measured with the use of the observations obtained by the assessment by performing several statistical tests that measure the correlation-coefficients. Results show strong and positive correlation-coefficients for all relations. This means that all hypotheses are accepted and subsequently causality is assumed.

The case study is conducted within Sara Lee International Netherlands, which would like to have a better view on the acceptance of their SOx control activities. This is also realised by taking a closer look at observations acquired by the assessment. However, this time results are not only analysed in total but for the three changes and two departments individually. Results show that applicable employees do not perceive SOx as easy to use. In other words, perceived ease of use is the variable with the lowest scores. The Acceptance variable on the other hand shows the most positive results. Based on this it can be concluded that, in general, the applicable employees of Sara Lee do accept the changes within the internal control process resulting from the implementation of SOx. When looking at the three changes it can be concluded that the enhanced documentation requirement has the lowest score and the SOx controls the highest scores. When comparing the two departments results show that the average score of DECS is lower than DE on almost all variables. Based on these results Sara Lee International would be able to improve the quality of their internal control process by improving the variables that show insufficient results.

At the end of this research useful knowledge related to the acceptance of SOx is generated and a contribution to the total knowledge base is made. In this way a better view on the acceptance of the changes within the internal control process resulting from SOx is created. Important to note is that results are based on the Sara Lee case study and must be interpreted carefully. This means that results may not be generalized to other situations without further research.

[Figure: SOx Acceptance framework. Boxes: Perceived Usefulness, Perceived ease of use, Attitude toward SOx and Acceptance of SOx (containing Control Environment, Control Activities, Risk Assessment, Information & Communication and Monitoring); relations labelled H1 +, H2 +, H3 +, H4 + and H5 +.]

Table of Contents

Chapter 1 Research Framework
1.1 Introduction
1.2 Research Background
1.3 Research Design
1.4 Conceptual Design
1.4.1 Research Objective
1.4.2 Research Problem
1.4.3 Definitions
1.4.4 Research Model
1.5 Research-Technical Design
1.5.1 Research Type
1.5.2 Data Collection Methods
1.5.3 Research Planning

Chapter 2 The Internal Control Process
2.1 Introduction
2.2 Internal Control
2.2.1 Process
2.2.2 People
2.2.3 Reasonable Assurance
2.2.4 Objectives
2.3 COSO Framework
2.3.1 Control Environment
2.3.2 Risk Assessment
3.3.3 Control Activities
3.3.4 Information and Communication
3.3.5 Monitoring

Chapter 3 The Sarbanes-Oxley Act 2002
3.1 Introduction
3.2 Corporate Governance
3.3 Overview Sarbanes-Oxley Act 2002
3.3.1 Objective Sarbanes-Oxley Act
3.3.2 Structural changes
3.3.3 Deadlines Sarbanes-Oxley Act
3.4 Section 302: Certification Requirements
3.5 Section 404: Management Assessment of Internal Controls

Chapter 4 The Impact of SOx on the Internal Control Process
4.2 Internal Control at Entity Level
4.3 Internal Control at Process, Transaction and Application Level
4.3.1 Materiality
4.3.2 Significant Accounts
4.3.3 Management Assertions
4.3.4 Significant Processes
4.3.5 What Can Go Wrong?
4.3.6 Controls & Documentation
4.4 Evaluation of the Overall Effectiveness
4.4.1 Identification key controls

Chapter 5 Theoretical Concepts of Acceptance
5.1 Introduction
5.2 Organizational Change
5.3 SOx Acceptance Framework
5.3.1 Technology Acceptance Model
5.3.2 Assumptions
5.4 Perceived Usefulness (PU)
5.4.1 Definition
5.4.2 Description Measurement Criteria
5.4.3 Overview Measurement Criteria
5.5 Perceived Ease of Use (PEOU)
5.5.1 Definition
5.5.2 Description Measurement Criteria
5.5.3 Overview Measurement Criteria
5.6 Attitude toward SOx
5.6.1 Definition
5.6.2 Measurement criteria
5.6.3 Overview Measurement Criteria
5.7 Acceptance of SOx
5.7.1 Definition
5.7.2 Measurement Criteria
5.7.3 Overview Measurement Criteria
5.8 Hypotheses

Chapter 6 Empirical Research
6.1 Introduction
6.2 Case Study
6.2.1 Sara Lee International
6.3.1 Methodology
6.3.2 Parametric & Non-Parametric Methods
6.3.3 Self Assessment Design
6.4 Validity & Reliability
6.4.1 Validity
6.4.2 Reliability
6.4.3 New Variables
6.5 Quantitative Research
6.5.1 Linearity
6.5.2 Normal Distribution
6.5.3 Outliers
6.5.4 Correlations
6.5.5 Hypotheses
6.6 Practical Research
6.6.1 Sara Lee and SOx
6.6.2 SOx Total Change
6.6.4 SOx Documentation Requirements
6.6.5 SOx Test Requirements
6.6.6 Sara Lee & SOx General Results

Chapter 7 Conclusion
7.1 Introduction
7.2 The SOx Acceptance Framework
7.3 Empirical Results

Chapter 1

Research Framework

1.1 Introduction

This chapter provides an overview of the research and describes the different steps that must be taken into consideration during the research. According to De Leeuw (1996) research is a systematic method used to compare or create knowledge by answering the research question. A systematic design is necessary to make sure that the desired information is gained in the right way at the right time. The research framework provides an answer to questions such as ‘what’, ‘where’, ‘why’, ‘when’ and ‘how’ the research is conducted (Verschuren, 1986). This chapter (1.2) starts with some general background information by briefly introducing the main subject and the reason for conducting this research. Paragraph 1.3 contains the research design, which is based on the model of Verschuren and Doorewaard (1998). This model consists of a conceptual design and a research-technical design, which are described in paragraphs 1.4 and 1.5 respectively.

1.2 Research Background


After scandals at Enron, WorldCom, Global Crossing and others, investors lost their trust in U.S. public companies. To regain this trust the Sarbanes-Oxley Act was established and new standards for corporate accountability for U.S. public companies were created. With the implementation of the Sarbanes-Oxley Act 2002 organisations must make sure that their internal control processes are compliant with these new legal requirements. The Act intends to provide better protection to investors by improving accuracy and reliability of corporate reporting and financial disclosures.

Since Sarbanes-Oxley (SOx) regulations were implemented a few years ago, organizations want to gain more insight into how to improve the quality of their internal control process and thereby their SOx practices. One important subject of interest is the acceptance of the Act. Most employees see SOx as a burden that costs them a lot of extra work. However, a low acceptance will have a negative impact on the effectiveness of the internal control process. Therefore it is important that the applicable employees are well informed and the obligations resulting from the implementation of SOx are taken seriously. This research intends to gain more insight into the acceptance of the Sarbanes-Oxley Act 2002. This is realized by creating a measurement tool, the SOx acceptance framework, which will be tested in reality during a case study. Results of this research may be important for future progress and consequently may contribute to the quality of SOx processes.

1.3 Research Design


According to De Leeuw (1996) the quality of a research relies on the validity and the reliability of the research. To realize this the research design will be based on the Research Design Model of Verschuren and Doorewaard (1998) that will answer the ‘why’, ‘what’, ‘where’, ‘when’ and ‘how’ questions. In other words, the research design can be classified as ‘an action plan for getting from here to there, where ‘here’ may be defined as the initial set of questions to be answered, and ‘there’ as some set of conclusions (answers) about the questions’, (Yin, 1989). Between ‘here’ and ‘there’ several major steps can be identified. These steps are presented in figure 1.1 that forms the general guideline for the rest of this chapter.


Figure 1.1 Research Design Model

1.4 Conceptual Design


1.4.1 Research Objective


The Problem Statement can be divided into a research objective, a research problem, several sub-questions and a scope definition (De Leeuw, 1996). The research objective defines the intention of the research and thereby answers the ‘why’ question. According to Verschuren (1986) a properly formulated research objective is essential for the success of the research. It is the driver of the research and forms the basis of the research problem. Based on this the following research objective is formulated:

Research Objective

‘Providing a better view on the acceptance of the changes within the internal control process resulting from the implementation of the Sarbanes-Oxley Act 2002’

Table 1.1 Research Objective

1.4.2 Research Problem

After defining the research objective the research problem that consists of a key question and related sub-questions comes into place. These sub-questions give an indication of the knowledge that will be necessary for the realization of the research objective (Verschuren & Doorewaard, 1998). Within the following chapters the sub-questions, which eventually lead to the answer of the key question, will be answered.

[Figure 1.1 boxes: Research Design (1.3); Conceptual Design (1.4) with Research Objective (1.4.1), Research Problem (1.4.2), Scope Definition (1.4.3) and Research Model (1.4.4); Research-Technical Design (1.5) with Research Type (1.5.1), Data Collection (1.5.2) and Research Planning (1.5.3).]

Key question

‘What is the acceptance of the changes within the internal control process resulting from the Sarbanes-Oxley Act 2002 and how can the acceptance of the Sarbanes-Oxley Act 2002 be measured?’

Table 1.2 Key Question

Sub-Questions:

Chapter 2 1. What is internal control?

Chapter 3 2. What is the Sarbanes-Oxley Act 2002?

Chapter 3 3. What is the Sarbanes-Oxley Act Section 302?

Chapter 3 4. What is the Sarbanes-Oxley Act Section 404?

Chapter 4 5. What is the influence of the implementation of the Sarbanes-Oxley Act 2002 on the internal control process?

Chapter 5 6. What theoretical insights on acceptance are relevant to describe and measure the acceptance of the changes resulting from the Sarbanes-Oxley Act 2002?

Chapter 6 7. How can the acceptance of the changes resulting from the Sarbanes-Oxley Act 2002 be measured in reality?

Chapter 6 8. What are the results of measuring the acceptance of the changes resulting from the Sarbanes-Oxley Act 2002 in a real life case?

1.4.3 Definitions


To get a clear understanding of the problem statement the following variables must be defined:

• Internal control

‘Internal control is a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of related objectives:

- Effectiveness and efficiency of operations

- Reliability of financial reporting

- Compliance with applicable laws and regulations’ (COSO Report, 1994)

• Sarbanes-Oxley Act 2002

The Sarbanes-Oxley Act 2002 is a law that intends to protect investors by improving the accuracy and reliability of corporate disclosures. From the Sarbanes-Oxley Act only Sections 302 and 404 are in the scope of this research. Both Sections are indicated during the research with the term ‘SOx’.

• Acceptance

Acceptance is the act of accepting with approval by taking and following the required course of action which is formally incorporated into the routine operating procedures. In other words, it is about intrinsic motivation.


Besides defining the key aspects of the research it is important to point out the limitations. These limitations are the result of the requirements of the University of Groningen, the preferences of the researcher and the restrictions related to the case study. The most important limitation regards the interpretation of the results. This research intends to create a SOx Acceptance framework that might be used for measuring the acceptance of SOx and subsequently improving the quality of the internal control process. This framework is based on a theoretical foundation and will be tested at the end of the research during a single case study. Due to this single case study it is very important that conclusions are interpreted carefully. Results of this research are restricted to the case study and consequently will only provide an indication of the applicability of the SOx Acceptance framework. In other words, results are related to a specific situation and may not be generalized to other situations without further research.

1.4.4 Research Model

This paragraph starts with a brief introduction of the theoretical concepts that are applied during the research. These theories are primarily used as global guidelines for answering the sub-questions. The next step is the creation of the research model that gives a graphical overview of relations between the applied theories.

• Applied Theories

De Leeuw (2000) states that most theories are based on and related to general situations and are therefore not completely applicable to every specific situation. This is due to context specific aspects that are not incorporated within the theory. Within this research three theoretical concepts are primarily used. These three theories are briefly introduced in the tables (1.3, 1.4 and 1.5) that are presented below.

COSO-Framework

The COSO-Framework is a theoretical framework used for the definition and evaluation of internal control. An effective internal control system consists of five interrelated components. These are the Control Environment, Risk Assessment, Control Activities, Information & Communication and monitoring. The COSO-Framework is one of the most accepted internal control frameworks and will be explained in chapter 3.

Table 1.3 Theoretical concept: COSO-Framework

Sarbanes-Oxley Act 2002

The Sarbanes-Oxley Act 2002 is a U.S. corporate governance code that created a new standard regarding the reporting of internal control effectiveness and raised the bar for the design, documentation and evaluation of internal controls. The Act is applicable to all U.S. organizations that are registered on one of the U.S. stock exchanges. This research focuses on Sections 302 and 404, which are considered to be most important for organizations. A more detailed explanation of the Sarbanes-Oxley Act 2002 is given in chapters 3 and 4.

Table 1.4 Theoretical concept: SOx

Technology Acceptance Model

The Technology Acceptance Model of Davis (1989) is also a generally accepted model and is designed for measuring the user acceptance of Information Systems. During the research this model will be used to measure the acceptance of the changes within the internal control process as a consequence of the stringent SOx regulation. The Technology Acceptance Model claims that the acceptance of a new/changed system depends on three related variables that influence the user’s attitude towards the system. The three variables are attitude towards system, perceived usefulness (U) and perceived ease of use (EOU). This theory and related theories are described in chapter 5.

• Research & Conceptual model

A research model portrays a schematic overview of the research and must provide a better understanding of the problem statement (De Leeuw, 1996).

Figure 1.2 Research Model

[Figure: the thesis chapters (Research Framework; The Internal Control Process; The Sarbanes-Oxley Act 2002; The Impact of SOx on the Internal Control Process; Theoretical Concept of Acceptance (Conceptual Model); Empirical Research (Case Study); Conclusion) and the conceptual model, in which Perceived Usefulness, Perceived ease of use and Attitude toward SOx lead to Acceptance of SOx (Control Environment, Control Activities, Risk Assessment, Information & Communication, Monitoring).]

The research model contains a conceptual model (see figure 1.2) that provides a graphical illustration of the assumed relations between the variables that influence the acceptance of the changes within the internal control process resulting from SOx. This conceptual model is the SOx Acceptance framework and is based on the Technology Acceptance Model, which is briefly introduced at the beginning of this paragraph. According to the model, acceptance is directly or indirectly influenced by perceived usefulness, perceived ease of use and attitude toward SOx. The rectangle on the right of the conceptual model, the acceptance rectangle, portrays the COSO framework, which consists of five interrelated components that form the foundation for an effective internal control system. Based on the assumed relations within the conceptual model, several hypotheses will be formulated and tested during an empirical research. By testing the hypotheses in a real-life case, an indication of the applicability of the model can be given and a SOx Acceptance framework will be created. It is important to note that the SOx Acceptance framework is based on two different areas of research, namely Information System Technology and Corporate Governance.

1.5 Research-Technical Design

The technical design (or methodological design) is based on the conceptual design and provides an overview of the technical aspects (Verschuren and Doorewaard, 1998). This part of the research relates to the practical aspects of the research and thereby answers the ‘where’, ‘when’ and ‘how’ questions.

1.5.1 Research Type


De Leeuw (1996) distinguishes three types of research, namely scientific, practical and policy supporting research. Scientific research contributes to the creation of general organizational knowledge by testing or refining existing theories. Practical research, on the other hand, is bound to a specific situation and helps solve an organizational problem. Policy supporting research can be seen as a combination of the other two types of research. This type intends to create useful knowledge related to solving a specific problem situation that satisfies the total need for knowledge and thereby contributes to the general knowledge base.

Baarda and De Goede (2001) make a distinction between descriptive and explorative research. Descriptive research is an accurate description of the units of measurement based on a systematic approach that is defined at the beginning of the research. Explorative research intends to improve insight and understanding of the unit of measurement. It starts with vague assumptions about reality, is focussed on the development of a theory or on the refinement of a hypothesis, and intends to answer correlation or comparison questions.

Based on these definitions the research can be classified as policy supporting and explorative research. The next four chapters are used to build a strong theoretical foundation for the creation of the SOx Acceptance framework. Eventually the framework is tested in reality during a single case study. This is realized by, as mentioned, formulating several hypotheses that are derived from the framework. Based on the results of the case study an indication of the applicability of the framework is given.

1.5.2 Data Collection Methods

During this research two different data collection methods are used (Hertog and Van Sluijs, 1995). Desk research is a literature study that consists of reading, analysing and investigating documents like scientific journals and articles, newspapers, external reports, books etcetera. This data collection method is used to answer sub-questions one through seven. Field research is a data collection method that gathers data in reality and can also be classified as empirical research. This data collection method is applied to answer the last two sub-questions, namely eight and nine. During this part of the research a case study takes place. The case study will be conducted within two business units of Sara Lee International (SLI). These business units, DE and DECS, will be briefly introduced at the beginning of chapter 6. For a more detailed overview of the specific data collection methods that are used during the research, appendix 1 contains a table that shows the methods used within each chapter.

1.5.3 Research Planning


This research will be conducted during a period of seven months. The first month was used to identify subjects of interest related to the Sarbanes-Oxley Act 2002 and resulted in a focus on the acceptance of the changes within the internal control process resulting from the Sarbanes-Oxley Act. For a detailed time schedule (planning) see Appendix 2.


Chapter 2

The Internal Control Process


2.1 Introduction

As a result of the many bankruptcies and fraud disclosures the Committee of Sponsoring Organizations of the Treadway Commission (COSO) created the COSO framework. The framework is based on three years of extensive research and was created with the help of board members, legislators, members of sponsoring organizations, academicians, regulators, lawyers, auditors, chief executives and consultants. Nowadays the COSO framework is the most widely accepted internal control framework that organizations can use to assess or design their internal control systems (Ernst & Young, 2003). The COSO framework is praised for its comprehensiveness, effectiveness and universal principles of strong internal control (http://www.ci.com). It serves as a blueprint for establishing internal controls that promote efficiency, minimize risks and help to ensure the reliability of financial statements and compliance with laws and regulations.

This chapter intends to create a better and clearer understanding of the internal control process, which is one of the key subjects of this research. The basic principles of the internal control process described within this chapter are based on the COSO Framework, which was already briefly introduced in chapter 1. The following paragraph (2.2) starts with a comprehensive definition of internal control. After this definition the COSO framework and its five interrelated components are described in paragraph 3.3. These five components are, as mentioned, illustrated in the acceptance rectangle of the conceptual model.

2.2 Internal Control


‘Internal controls are put in place to keep organizations on course toward profitability goals and achievement of its mission, and minimize surprises along the way. Internal controls promote efficiency, reduce risk of asset loss, and help to ensure the reliability of financial statements and compliance with laws and regulations’ (COSO Executive Summary, 2006). Based on this, COSO created the following generally accepted definition that serves the needs of different parties:

‘Internal control is a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives within the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting (related to preparation and publication)
• Compliance with applicable laws and regulations’

This definition reflects certain fundamental aspects that will be described in the rest of this paragraph (COSO Report 1994).

2.2.1 Process


Internal control is a process and therefore can be defined as a series of actions. These actions permeate the organization and are inherent in the way management runs the business. The internal control system exists for fundamental business reasons and is most effective when it is ‘built into’ rather than ‘built on’ the organization’s infrastructure. Business processes within the entire organization are managed through planning, executing and monitoring. Internal control must be an integrated part of this process.

2.2.2 People


Internal control is influenced and accomplished by what people say and what they do. People establish organizational objectives and put control systems in place. On the other hand, people’s actions are influenced by internal control. Internal control recognizes that people do not always understand, communicate and perform consistently. It is important to note that the board of directors, management and other personnel must know their responsibilities and limitations of authority.


2.2.3 Reasonable Assurance


Internal control can only provide reasonable assurance of achieving objectives. This is due to limitations, like faulty human judgement in decision making or human failures, that are inherent in all internal control systems.

2.2.4 Objectives


Many objectives are specific to a particular organization. They can be set for the organization as a whole, or they are related to specific activities. However, the three objectives mentioned in the definition of internal control are considered as common and are shared by different organizations. The effectiveness and efficiency category deals with basic business objectives of an organization like profitability and performance targets, safeguarding of assets and effective and efficient use of resources. Reliability of financial reporting concerns the preparation and publication of financial statements. This objective is related to SOx and considers the accurate, complete and timely preparation of financial reports (Deloitte, 2005). Organizations need to realise these financial reporting objectives in order to meet external obligations. The third objective states that organizations must be in compliance with applicable laws and regulations that establish minimum standards of behaviour. The three objectives address different needs and allow a direct focus on different aspects of internal control. However, ‘an objective in one category may overlap or support an objective in another.’ (COSO Report, 1994). Objectives should also be complementary and linked. This means that organization-wide objectives must be divided into sub-objectives that are consistent with the organization’s strategy, and coupled with activities within the entire organization.

2.3 COSO Framework


The COSO framework provides broad criteria against which companies could evaluate the effectiveness of their internal control system. According to the COSO framework effective internal control consists of five interrelated components that are derived from the way management runs their business. In order to become effective it is important that the internal control system is built into the corporate infrastructure. It must be integrated within the management process and must become the very essence of the operating philosophy. This is because an internal control system links an organization’s operating activities, helps an organization to get where it wants to go and helps avoid pitfalls and surprises along the way.

The control environment forms the foundation and presents the atmosphere in which people conduct business and perform their control responsibilities. Within this environment, management assesses risks to attain the organization’s objectives that are set earlier. Control activities are implemented and support the establishment of management commands to address risks. During this process high quality and timely information must be captured and communicated throughout the organization. In the meantime the whole process is monitored and changes are managed.

Effectiveness and efficiency of operations, reliability of financial reporting (related to preparation and publication) and compliance with applicable laws and regulations are the three general objectives related to internal control. These objectives are directly related to the five components of the COSO framework. Objectives indicate what an organization wants to achieve and the COSO components indicate what is needed to achieve these objectives. This relationship is illustrated by a three-dimensional matrix that is shown in figure 2.1. Besides the relationship between the objectives and the components the model also shows the linkage with the units or activities of an organization that are related to internal control.


Figure 2.1 COSO framework and Objectives

2.3.1 Control Environment


The control environment is the first of the five components and can be seen as the foundation for all other components of the internal control framework. It sets the tone of the organization in which people conduct their activities and act on their responsibilities. People are at the core of a business because they are the engine that drives an organization. Their control consciousness is affected by the control environment that provides discipline and structure. Control is also affected by an organization’s history, structure and culture. The impact of an ineffective control environment can be enormous. It can lead to financial loss, damage to public image or a business failure. The COSO has divided the control environment into nine factors that are relevant for achieving an effective internal control system. A general overview of these nine factors is provided in appendix 3. It is important to note that the attitude and concern of top management is crucial and must pervade through the entire organization.

2.3.2 Risk Assessment


Risk affects an organization’s ability to survive and to compete successfully, as well as its financial strength, public image and the overall quality of its products, services and people. Therefore it is essential that risks are assessed and kept within acceptable limits within the entire organization at both organization level (high-level risk) and activity level. Risk assessment can be seen as the identification and analysis of relevant risks related to the achievement of the objectives that are set. Risk identification and analysis is an ongoing iterative process and critical for effective internal control systems.

An organization faces a variety of risks over financial reporting from external and internal sources. External factors are for example new legislation and economic changes. Examples of internal factors are disruption in information systems and quality of hired personnel. After the identification of risk factors management must define the significance of these risks and, if applicable, tackle these risks at a lower level within the organization. A good risk profile is created with the use of a risk map (figure 2.2). Risks with a high likelihood (frequency) and a high impact are of serious concern and demand extensive attention. These risks are called key risks and are plotted in the upper right of the risk map. Once key risks are identified management should consider which actions are necessary to manage them.

Example:

‘Financial and non-financial data generated from internal and external sources, which is part of the information and communication component, is needed to effectively manage business operations, develop reliable financial statements and determine that the entity is complying with applicable laws.’ (COSO report, 1992)

[Figure 2.1 labels: components Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring; objectives Operations, Financial reporting, Compliance; units and activities.]


Figure 2.2 Risk Map

3.3.3 Control Activities

During the risk assessment key risks are identified and analysed. Control activities should be in place to mitigate the key risks that are threatening the achievement of the objectives. The establishment of activities and procedures helps management to ensure that identified activities are carried out effectively. Control activities take place throughout the whole organization, at all levels and in all functions. They should not be regarded as separate processes, but must be ‘built in’ to contribute to the mission statement. A broader description of control activities is given in the next chapter.

3.3.4 Information and Communication


Relevant information must be identified, captured and communicated in such a manner that it supports the other four components. Information systems produce reports that include operational, financial and compliance-related information that enable people to carry out their responsibilities and provide assistance in controlling the business. Information must embrace both internal and external information. High quality and timely information is an extremely important prerequisite for management’s ability to make appropriate decisions to support effective control and reliable external financial reports. Effective communication must take place within the entire organization. It is important that management communicates clearly that control responsibilities must be taken seriously. Communication also must take place with external parties such as customers, suppliers and shareholders.

3.3.5 Monitoring


Internal control systems must be monitored by assessing the quality of the system’s performance over time. This can be realised by continuous monitoring, by separate evaluations or by a combination of these two monitoring activities. As a result all internal control components that are just presented will stay in place. During this monitoring process it is important that management takes changing conditions into consideration. Deficiencies are the result of ineffective internal controls and can be defined as ‘a perceived, potential or real shortcoming, or an opportunity to strengthen the internal control system to provide a greater likelihood that the entity’s objectives will be achieved’ (COSO Report, 1994).

[Figure 2.2 labels: axes Impact and Likelihood; region Key Risks.]


Chapter 3

The Sarbanes-Oxley Act 2002


3.1 Introduction


Over the last couple of years corporate governance has attracted a good deal of interest because of its importance for the economic health of organizations. Due to corporate misstatements, such as the Enron, WorldCom and Ahold affairs, debates on corporate governance have centered on practical issues, including corporate fraud, abuse of managerial power and social irresponsibility (Letza et al. 2004). The Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as the Sarbanes-Oxley Act, was signed into law on July 30, 2002 (Viton, 2003) as a result of these fraudulent affairs. This new corporate governance code was created by Senator Paul Sarbanes and Representative Michael Oxley and requires a new level of corporate governance and accountability for U.S. public companies. Due to the new stringent rules, highly significant legislative changes to financial practice and corporate regulation are introduced.

As can be derived from the research model and the introduction, a description of the corporate governance code SOx is provided in this chapter. Before the basic principles of SOx are introduced in paragraph 3.3 a description of Corporate Governance in general is given in paragraph 3.2. The two Sections of SOx that are in the scope of this research are respectively described in paragraphs 3.4 and 3.5.

3.2 Corporate Governance


The seeds of corporate governance were probably sown by the Watergate scandal. As a result of several investigations U.S. regulatory and legislative bodies were able to highlight the control failures of major public corporations. This led to the development of the Foreign and Corrupt Practices Act of 1977 in the US that contained specific provisions regarding the establishment, maintenance and review of internal control systems.

Reviewing corporate governance literature shows some diverging definitions of corporate governance. Perspectives can be categorized into two contrasting paradigms: the Anglo-Saxon shareholder perspective and the European stakeholder perspective (Friedman & Miles, 2001). In the traditional shareholder perspective organizations are viewed as legal instruments for shareholders to assure and maximize their own return on investment (Goodijk, RuG 2006). Company laws attempt to secure this interest of the shareholders. The stakeholder perspective focuses on a broader group of external stakeholders instead of just shareholder wealth. This perspective was first introduced in the late 20th century and started to acquire widespread acceptance in 1984. Major stakeholders are employees, customers, suppliers, shareholders, investors and public stakeholders such as governments and communities who provide infrastructures and legal frameworks (Preble, 2005).

Recent interpretations of corporate governance are about the way organizations are managed and controlled. It is about the internal control process and the faith shareholders hold in the decisions made by management. The Corporate Governance Commission is striving for honesty, integrity, accountability and transparency (www.ci.nl). Investors do not want to invest their money into some kind of ‘black box’. Organizations need to have a clear vision about their strategy and risks and need to conduct their business according to legal restrictions, laws and rules. Based on this new trend the following definitions, which are respectively created by the OECD (Organization for Economic Co-operation and Development, April 1999) and J. Wolfensohn (President of the World Bank in Financial Times, June 21 1999), are used during this research:

‘Corporate governance is the system by which companies are directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing this, it also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance’.

‘Corporate governance is about promoting corporate fairness, transparency and accountability’.

These definitions are stakeholder perspectives and can be seen in the light of SOx. Key aspects of SOx are integrity, improved financial disclosure and increased accountability through the distribution of rights and responsibilities among participants. SOx primarily aims to improve shareholder value by regaining investor trust. In this way SOx can be seen as a shareholder perspective. However, SOx also involves major consequences for an organization’s stakeholders. Governance Guidelines show that corporate governance codes such as SOx are important for organizations in order to gain and retain not only investor trust, but also the trust of employees, customers and suppliers. In other words, SOx adopts new tough provisions that intend to deter corporate and accounting fraud by taking the interest of major shareholders and stakeholders into consideration. Based on this SOx can be viewed as a stakeholder perspective, with an emphasis on shareholder wealth.

3.3 Overview Sarbanes-Oxley Act 2002

3.3.1 Objective Sarbanes-Oxley Act

The Act was passed by the U.S. Congress in response to the corporate and accounting scandals of Enron, WorldCom and others and has the following objective:

‘To protect investors by improving accuracy and reliability of corporate disclosures made pursuant to the securities laws’, (Sarbanes-Oxley Act 2002).

SOx is about combating fraud, improving reliability of financial reporting and restoring investor confidence (Wagner and Dittmar, 2006). New and improved internal controls and procedures need to make sure that incomplete or incorrect information can no longer exist. SOx addresses many issues behind accounting misstatements and enforces higher penalties that intend to prevent corporate misstatements in the future. As Bush states: ‘The Act intends to deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect workers and shareholders’. Violation of the Act is subject to criminal penalties with fines up to $5 million and up to 20 years in prison (Kleckner and Jackson, 2006). The Act enhances responsibilities of the Securities Exchange Commission and is probably one of the most significant changes for corporations, executives and auditors since the Securities Exchange Act of 1937 (Raiborn and Schorg, 2004).

3.3.2 Structural changes


The implementation of SOx is a costly and time-consuming process. Structural changes need to be made in the auditing of financial statements and corporate disclosure management. Corporate accounting and reporting must be more transparent, and top executives and board members are personally responsible for the accuracy of financial statements and company releases. A greater emphasis is also placed on the prevention, detection, investigation and remediation of fraud and misconduct by requiring organizations to document the controls that have a bearing on financial reporting. After the documentation they need to test the controls and report any gaps and/or deficiencies (SLC 2004, Policy Number 101).

3.3.3 Deadlines Sarbanes-Oxley Act

Planned deadlines regarding the implementation of SOx vary between the different provisions of the Act. Most U.S. public companies, called ‘accelerated filers’, must meet financial reporting and certification requirements according to SOx legislation for any end-of-year financial statements filed after November 15th 2004 (Waxman, 2004). Accelerated filers are U.S. public companies that are located in the U.S. and own a shareholder capital above $75 million (Exchange Act Rule 12b-2). Smaller companies and foreign companies must meet these mandates for any statements filed after 15th July 2005 (PCAOB AS par. 215, 2003).

3.4 Section 302: Certification Requirements

On August 30, 2002, the U.S. Security Exchange Commission (SEC) implemented the final provisions of Section 302. This Section concerns controls related to the distribution of information (disclosures) and includes a set of internal procedures designed to ensure accurate financial disclosure. Section 302 requires that:

 SOx registrants’ CEO and CFO must personally certify financial statements and disclosure controls and procedures enclosed in the periodic report. This certification is accompanied by each annual or quarterly
