
Sarbanes-Oxley compliance, internal control and ERP systems: Automation and the case of mySAP ERP


Academic year: 2021


WORKING PAPER A-2006-02

Pall Rikhardsson, Peter Best & Claus Juhl-Christensen

Sarbanes-Oxley compliance, internal control and ERP systems: Automation and the case of mySAP ERP

Accounting Research Group


Pall Rikhardsson, PhD

Department of Business Studies, Aarhus School of Business, Denmark par@asb.dk

Peter Best, PhD

School of Accountancy, Queensland University of Technology, Australia p.best@qut.edu.au

Claus Juhl-Christensen, MSc Financial Accounting and Cost Management

Managing SAP Consultant, EDB Gruppen, Denmark csj@edbgruppen.dk

Abstract

The effort to comply with the Sarbanes-Oxley Act (SOX) has focused management attention on the importance of assessing, developing and maintaining an effective and efficient internal control system. ERP systems are a crucial factor in developing such a system. Despite the attention this has attracted in practice, little academic research has focused on this area. This chapter addresses the question: How are ERP systems implicated in Sarbanes-Oxley compliance? It aims to show how SOX requirements regarding assessment and improvement of internal controls are related to the functionalities of an ERP system both in local and global implementations. It examines a solution (mySAP ERP) offered by one specific vendor (SAP) and what functionalities are relevant to global SOX compliance. Based on this, the chapter discusses likely developments regarding compliance functionalities in future releases of ERP systems.

Keywords


Internal control, compliance, Sarbanes-Oxley, ERP systems, SAP, mySAP ERP

1. Introduction

Corporate governance can be defined as the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled in corporations (Owen Report 2003 as cited in du Plessis et al. 2005: 2). Thus the expression embraces not only the models or systems themselves but also the practices by which this exercise and control of authority are in fact effected (ibid.). It should be clear that corporate governance is a complex concept encompassing values and ethics, systems and organisations, behaviour and activities and results and performance.

One aspect of corporate governance is complying with the rules of society. The term compliance has emerged as something of a buzzword in the past five years. Looking through various journals, it seems that compliance is yet another term that has different implications for different areas. In accounting and auditing compliance has become almost synonymous with Sarbanes-Oxley and strengthening of internal controls and the quality of financial reporting. In production management compliance can mean conformance with product specifications and quality standards as well as respecting environmental regulations. In human resource management compliance means adhering to regulations and requirements related to employees including information privacy, health regulations and codes of safety. So compliance seems to be a generic concept as well as focused on specific functions and processes.

The catalyst for the current focus on compliance in accounting and control is a series of high-profile financial frauds and bankruptcies including companies such as ENRON, WorldCom, Tyco, Parmalat and Hollinger International Inc. These sent shock waves through the business world. How could well-renowned companies with assets worth billions of dollars disappear from the face of the earth in a matter of weeks, leaving thousands of employees without jobs and whole communities reeling from the aftershock? The answer was deemed to be lack of internal controls, management fraud and fraudulent financial reporting. The institutional reaction has been threefold (Baker et al. 2006). First, there was a government reaction where laws were enacted to strengthen internal control frameworks and increase the accountability of external auditors. This reaction mainly focused on re-establishing investor trust in financial reporting. Second, the monitoring of corporate accountability was strengthened with the emergence of new organisations such as the Public Company Accounting Oversight Board (PCAOB) in the US. This reaction focused on strengthening the government control regime and possibilities of stepping in should the need arise. Third, there was a professional reaction in accounting and auditing institutions focusing on changing accounting and auditing practices and taking measures to ensure the independence of accounting firms. This reaction focused on re-establishing public trust in the accounting and auditing profession.


The legal reaction was spearheaded by The Public Company Accounting Reform and Investor Protection Act of 2002, more popularly known as the Sarbanes-Oxley Act (SOX) after its main architects, Senator Paul Sarbanes and Representative Michael Oxley. The Sarbanes-Oxley Act has brought about the most extensive reform that the US financial markets have seen, with ripple effects spreading around the globe (PwC 2003) and into other areas of compliance (Atkinson & Leandri 2005). As such it has changed the landscape for internal controls, auditing and management accountability in thousands of companies all over the world – changes which will be visible for years to come.

One of the issues often mentioned regarding SOX compliance is the importance of information technology in the compliance effort (McNally & Wagaman 2005, Byington & Christensen 2005, ACL 2005, Cannon & Growe 2004). This includes IT controls as well as the role of IT in making the SOX compliance more effective and efficient. Some of this discussion focuses on ERP systems. Hailed as one of the most significant IT innovations to affect companies, ERP systems are crucial in developing and maintaining an internal control system that enables companies to effectively and efficiently comply with Sarbanes-Oxley (ITGI 2005, Fox 2004, Cannon & Growe 2004).

This paper examines the question: What are the requirements of SOX regarding internal control and how are ERP systems implicated in meeting these requirements? To do this it describes what SOX requires, shows the elements of a SOX compliance process and discusses internal control and ERP systems in that context. It then examines a specific ERP solution (mySAP ERP) offered by one vendor (SAP) and describes what functionalities are relevant to SOX compliance. Based on this, the paper discusses likely developments regarding ERP systems and compliance and presents several avenues for future research.

2. Sarbanes-Oxley compliance

2.1 What are the requirements of Sarbanes-Oxley?

The Sarbanes-Oxley Act is by no means the first of its kind. Historically it has been preceded by acts that were intended to improve corporate governance and increase accountability. These include, for example, the Securities Act of 1933 and the Foreign Corruption Act of 1977, both of which focused on internal controls, financial reporting and the role of external auditors (Baker et al. 2006, Byington & Christensen 2005).

In general terms, the Sarbanes-Oxley Act’s provisions apply to four types of companies (PwC 2003):

1. Domestic US registrants

2. Foreign private issuers, also referred to as ‘foreign registrants’

3. Subsidiaries of US registrants (only to the extent that some information applies to the consolidated financial statements) and

4. Potentially, companies planning a US registration in the future.

In addition, the Act appears to have set a benchmark for companies in Europe and Asia that have an interest in enhancing corporate governance, including risk management and internal controls (PwC 2003, ITGI 2004). Thus the Act has global implications for corporate governance and the development of internal control systems.

SOX is different from earlier legislation in that it makes the Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) legally responsible for (Kendal 2004, PwC 2003):

1. Establishing, evaluating and monitoring the effectiveness of internal control over financial reporting and disclosure

2. Designing, establishing and maintaining ‘disclosure controls and procedures’ and reporting on the effectiveness of ‘disclosure controls and procedures’

3. Disclosing to the audit committee and external auditor any significant deficiencies and material weaknesses in internal controls for financial reporting and any fraud (material or not) involving anyone having a significant role in those internal controls

4. Disclosing whether, after their most recent evaluation, significant changes occurred that affected internal controls for financial reporting and whether any corrective actions were taken with regard to significant deficiencies and material weaknesses.

Compliance with SOX is costly. Different sources estimate that companies around the world spend billions of dollars on SOX compliance projects (CRA 2005, IMJ 2004). Companies are thus increasingly looking for ways to improve the efficiency of the compliance process through optimisation of internal controls and IT integration (Waldman 2005).

2.2 Complying with Sarbanes-Oxley: Internal controls

SOX compliance involves various elements such as the role of managers, roles of external auditors, reporting to external stakeholders and data quality. A key issue in SOX is the internal control system of the company. The Sarbanes-Oxley Act does not define internal controls as such. However, the PCAOB Auditing Standard No. 2, which interprets the Act in the context of auditing, defines internal controls as (PCAOB 2002: p. 147):

‘A process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

1. Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;

2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements’.

Compliance with Sarbanes-Oxley thus requires establishing, improving and monitoring certain control activities to ensure data quality and system reliability (ITGI 2004). The primary control related requirements of SOX are shown in table 1 (PwC 2003).

Section of SOX: 301

Requirements: Establish a process for anonymous complaints of employees to audit committee (SOX 2002: p. 32).

Internal control system implications: An independent process for employees and managers for submitting communications to the audit committee.

Section of SOX: 302

Requirements: Establish the responsibility of the company signing officers (the CEO and the CFO) for setting up an internal control system, evaluating the effectiveness of this control system and making public the results of the evaluation (SOX 2002: p. 33).

Internal control system implications: Place unambiguous responsibility for the development, assessment and documentation of the internal control system.

Section of SOX: 401

Requirements: Require financial reports to reflect all adjustments identified by auditors. All off-balance sheet transactions have to be disclosed and pro forma figures have to be reconciled with Generally Accepted Accounting Principles (GAAP) figures.

Internal control system implications: Require the internal controls to contain checks on inclusion of off-balance sheet transactions and pro forma reconciliations and whether auditor adjustments have been included.

Section of SOX: 404

Requirements: Require that the annual report contains an internal control report which must:

- State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

- Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

The external auditing firm is to attest to and report on this report (SOX 2002: p. 45).

Internal control system implications: A process for establishing a baseline for internal control systems and assessing the internal control systems against this baseline has to be initiated. Also procedures for reporting on this assessment and the work of the external auditors must be established. Procedures to deal with weaknesses and deficiencies have to be in place as well as procedures for ‘controlling the controllers’.

Section of SOX: 409

Requirements: Obligation to report on rapidly changing financial conditions to the public (SOX 2002: p. 47).

Internal control system implications: The internal control system has to contain monitoring and evaluation mechanisms for changes in financial conditions.

Table 1: Primary SOX compliance requirements related to internal control systems

Regarding the baseline against which internal control systems have to be evaluated, the PCAOB requires companies to adopt an internal control framework by which its practices can be assessed. It mentions the Committee of Sponsoring Organizations (COSO) (see COSO, 1992) as one framework, but other frameworks can be used as well. Most companies adopt the COSO framework which seems to have become the de facto standard for the development of internal control systems in practice (Shue 2004, COSO 2004, COSO 1992).

In the COSO framework, control is achieved through various internal control activities such as:

1. Authorisation of transaction and activities

2. Segregation of duties (custodial, recording and authorisation functions)

3. Design and use of documents and records

4. Adequate safeguards of assets and records

5. Independent checks on performance.

COSO also stresses that internal control is conducted in a control environment, influencing the control consciousness of organisational actors. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the organisational actors; management's philosophy and operating style; the way management assigns authority and responsibility and organises and develops its people; and the attention and direction provided by the board of directors. This is similar to what Chenhall (2003) calls control culture. Another central element in the COSO guidelines is risk assessment and management. COSO recommends that companies initiate a risk assessment process with the aim of analysing what threats the company faces and what control activities are needed to manage these risks. Risks include, for example, the risk of fraud and misappropriation of assets.

2.3 Implementing SOX compliance

When SOX came into effect in 2002 companies scrambled to implement its requirements. In many cases companies approached SOX compliance in what has been called an ‘all hands on deck’ approach (McNally & Wagaman 2005) where companies threw employee hours, external consultants and investments into the compliance effort without a full vision of what it should contain. Accordingly companies reported that the costs of SOX compliance were significant (CRA 2005). However, SOX compliance is a continuous effort that requires it to be integrated into business processes, policies and information systems. Compliance projects have in later years focused on this, aiming to make the compliance process more effective and efficient through e.g. the use of automated controls and IT controls (ACL 2005).

The implementation process of SOX has not been explored much in the literature. Some of the case studies that have looked at how companies have structured the implementation process show that it includes the following steps (Kendal 2004, Matyjewicz & D’Arcangelo 2004).

Preparation

1. Ensuring management support. Given that SOX compliance in many cases is seen as a burden and non-value adding, ensuring management support and allocation of resources is crucial to the compliance effort. This includes top management as well as various involved functional managers

2. Project planning involves planning the engagement, such as use of employee time, external consultants, roll-out plans, deadlines, milestones, accountability and reporting obligations

Identification and documentation

3. Identifying key accounts and controls: Includes identifying the key financial statement G/L accounts that should be examined

4. Process identification and documentation focusing on those processes that affect the key G/L accounts. This could e.g. be revenue processes, payment of loans and cost write-offs

5. Control identification and documentation where the controls that are in place are described and linked to processes and key accounts. This includes e.g. reconciliations, reviews, segregation of duties and independent audits

Assessment

6. Process assessment: This focuses on evaluating the processes identified regarding how they are described – i.e. walkthroughs that compare the actual process flow to the description

7. Control assessment: Both primary and secondary controls are tested and/or third party documentation or tests of these controls are reviewed

8. Independent auditor assessment: SOX requires independent auditors to assess management reports regarding the reliability of internal controls

Reporting

9. Internal reporting: The results of the compliance effort have to be reported to management in internal management reports. The experiences obtained through the compliance effort are disseminated among relevant employees

10. External reporting: SOX required reports (404 reports and auditor assessments) that are to be included in annual reports.

2.4 Automation of internal controls

Control involves checking, comparing, monitoring and taking action when results do not match. Control systems also cost money. As this cost is a non-product related overhead, there is an incentive to minimise it by making control systems as effective and non-disruptive as possible. Today information technology plays an increasingly important role in automating controls and thus increasing their effectiveness and efficiency (CFO 2005).

A survey by CFO (2005) shows that after the first two years of SOX compliance, companies focus on making the Sarbanes-Oxley compliance process more effective and efficient. According to the respondents, remediation and optimisation efforts will primarily focus on:

1. Overall control structures and key controls

2. Underlying business processes

3. Monitoring

4. Manual controls such as reconciliations and reviews

5. Segregation of duties

6. Risk assessment

7. Application controls such as edit and validation checks

8. Internal audit effectiveness


In many companies first-year implementation focuses on better documentation. However, the biggest gains in effectiveness and efficiency of controls are achieved by focusing on what financial control is all about – i.e. testing, monitoring and following up on control results and integrating these activities into business processes and workflows (Waldman 2005). The CFO study documents that companies are focusing on automation and integration of controls in ERP systems as a way of minimising control costs while ensuring a reliable and standardised control performance. Areas where the responding companies are automating their controls are:

1. Security and access controls

2. Documentation of control activities

3. Controls monitoring

4. Information and retention

5. Compliance management/dashboard reporting of control activities

6. Testing of application controls

7. Testing of segregation of duties.

The management structure of control activities also seems to be changing. Control activities now have increased attention from top managers. Thus some companies focus on building high level reporting systems that enable managers to monitor the performance of the control system.

Automation of controls is about embedding the control in the business process and integrating and supporting the control activity in the ERP system workflow. This means that some controls are transformed from detective to preventive. For example, errors in data entry are caught in real time as data is entered, reconciliations are done online within the same system, and user rights are linked to criteria for segregation of duties, so that the system detects access authorities that conflict with those criteria.
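The segregation-of-duties check described above, sketched as an added Python example (not code from the paper or from SAP): it reports users whose combined roles hold conflicting permissions (detective) and refuses a new role assignment that would create a conflict (preventive). All role, permission and rule names are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over role assignments.

All role, permission and rule names are constructed for illustration;
they are not SAP authorisation objects or transaction codes.
"""
from collections import defaultdict

# Each rule names two permissions that one person must not hold together.
SOD_RULES = {
    "SOD-01": ("vendor.maintain", "payment.execute"),  # recording vs custody
    "SOD-02": ("po.create", "po.approve"),             # recording vs authorisation
    "SOD-03": ("invoice.post", "payment.approve"),     # recording vs authorisation
}

ROLES = {
    "AP_CLERK": {"invoice.post", "vendor.display"},
    "AP_MANAGER": {"payment.approve", "vendor.display"},
    "TREASURY": {"payment.execute"},
    "MASTER_DATA": {"vendor.maintain"},
    "BUYER": {"po.create"},
    "PROCUREMENT_LEAD": {"po.create", "po.approve"},  # conflict inside one role
}

USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],   # conflict across two roles
    "carol": ["MASTER_DATA", "TREASURY"],
    "dave": ["PROCUREMENT_LEAD"],
    "erin": ["BUYER", "AP_MANAGER"],     # two roles, no rule touched
}


def effective_permissions(role_names, roles=ROLES):
    """Map each permission to the sorted list of roles that grant it."""
    granted = defaultdict(set)
    for role in role_names:
        if role not in roles:
            raise KeyError(f"unknown role: {role}")
        for perm in roles[role]:
            granted[perm].add(role)
    return {perm: sorted(sources) for perm, sources in granted.items()}


def violations(role_names, rules=SOD_RULES, roles=ROLES):
    """Return {rule_id: (roles granting left side, roles granting right side)}."""
    granted = effective_permissions(role_names, roles)
    found = {}
    for rule_id, (left, right) in rules.items():
        if left in granted and right in granted:
            found[rule_id] = (granted[left], granted[right])
    return found


def detective_scan(user_roles=USER_ROLES):
    """Detective control: report every user whose current roles conflict."""
    report = {}
    for user, role_names in user_roles.items():
        hits = violations(role_names)
        if hits:
            report[user] = hits
    return report


def preventive_check(user, new_role, user_roles=USER_ROLES):
    """Preventive control: rule ids that a new assignment would newly violate.

    An empty list means the assignment may proceed.
    """
    current = user_roles.get(user, [])
    before = set(violations(current))
    after = set(violations(current + [new_role]))
    return sorted(after - before)


if __name__ == "__main__":
    for user, hits in detective_scan().items():
        for rule_id, (left, right) in hits.items():
            print(f"{user}: {rule_id} via {left} + {right}")
    print("alice + TREASURY   ->", preventive_check("alice", "TREASURY"))
    print("alice + AP_MANAGER ->", preventive_check("alice", "AP_MANAGER"))
```

Reporting which roles grant each side of a conflict lets a reviewer decide whether to remove an assignment or to redesign a role that is conflicted on its own.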

Not all SOX-relevant controls can be made automatic, of course. For example, reconciliations and authorisations will always have a human element. But information technology can support and facilitate the performance of these types of controls as well as provide a structure for their development and assessment. The next section focuses on ERP systems and how SOX compliance relates to these systems.

3. SOX compliance and enterprise resource planning systems

It could be argued that at its core the Sarbanes-Oxley Act is about data quality. The Act sets up mechanisms that aim to secure certain levels of financial data quality and minimise the risk of reported financial information being unintentionally or intentionally misleading. Most modern companies could not function without using information technology for capturing, processing and reporting data. Therefore, IT is of crucial importance in complying with SOX, both as a part of the initial compliance project and as an integral part of the ongoing compliance process. The PCAOB Auditing Standard includes numerous references to information systems and states that ‘the nature and characteristics of a company’s use of information technology in its information system affect the company’s internal control over financial reporting’ (PCAOB 2002: p. 12).

Few IT innovations have had as much impact on business organisations in recent years as ERP systems (Davenport et al. 2004). Such systems are comprehensive off-the-shelf application systems that offer integrated functionalities that support and integrate most business processes, such as accounting, sales, purchasing and production. It is estimated that organisations worldwide spend approximately US$18.3 billion every year on ERP systems (Shanks et al. 2003). These systems have significant implications for internal control in general (Elmes et al. 2004) and controls related to accounting and auditing in particular (Rikhardsson et al. (forthcoming) 2006, CFO 2005, Granlund & Mouritsen 2003, ITGI 2004, Bae & Ashcroft 2004, Little & Best 2003, Best 2000).

All ERP systems have integrated modules. To illustrate, modules in mySAP such as financial accounting (FI) and management accounting (CO) are fully integrated in that postings of expenses in financial accounting also result in postings to cost centres in management accounting. Other modules in areas such as sales (SD – Sales & Distribution) or procurement (MM – Materials Management) automatically generate appropriate accounting postings to financial accounting and to management accounting, for instance in the case of procurement transactions. Integrated modules also share data. For example, the procurement module registers purchase orders involving vendors who have been assigned master records within financial accounting. In addition, within financial accounting, accounts payable and the general ledger share data structures that record vendor transactions and their corresponding postings to the accounts payable reconciliation (control) account in the general ledger. ERP systems provide extensive reporting facilities within each module and support integrated views of operational data through data warehouses and advanced reporting tools.

Information systems, including ERP integrated and non-integrated accounting information systems, face threats which can be grouped into four categories (Gelinas et al. 2005, Romney & Steinbart 2004):

1. Natural and man-made disasters including storms, earthquakes, wars and acts of terrorism

2. Software errors and hardware malfunctions

3. Unintentional acts including errors caused by human carelessness, omissions, logic errors and misplaced data

4. Intentional acts including fraud and sabotage.

The Sarbanes-Oxley Act focuses on the last two categories. Internal controls in ERP systems are focused on mitigating these threats. Apart from the control activities mentioned above in the context of the COSO framework, certain system reliability control objectives become relevant for information systems including ERPs (ITGI 2005, 2004):

1. Availability of the system when needed

2. Security of the system against unauthorised physical and logical access

3. Maintainability of the system as required without affecting its availability, security and integrity

4. Integrity of the system to ensure that data entry and processing are complete, accurate, timely and authorised.

In general there are two main areas where ERP systems come into the SOX compliance process:

1. Basic internal control functionalities: Providing the basic internal control functionality framework built into ERP systems to secure data integrity, processing security and reporting quality

2. Framework for control system management: Establishing, maintaining and supporting a framework for the management of internal controls such as documentation of internal controls, automation and optimisation of controlling processes, risk and control assessment guidance and communication channels.

These are referred to as ‘internal control functionalities’ in this paper.

The next section examines how ERP internal control functionalities are linked to SOX compliance in the context of a specific ERP solution: mySAP ERP.

4. Sarbanes-Oxley compliance and mySAP ERP

4.1 mySAP ERP

SAP is one of the world’s leading ERP vendors with approximately a 20% global market share and US$ 365 billion revenue in 2004. SAP employs more than 35,000 people in more than 50 countries and services over 32,000 customers worldwide (SAP 2006).

The mySAP ERP solution combines complete and scalable software for enterprise resource planning with a flexible, open technology platform that can leverage and integrate SAP and non-SAP systems.

mySAP ERP builds on and extends functionalities in earlier SAP solutions, which have been on the market since the 1970s. SAP offers integrated modules for accounting, production planning, materials management, sales and distribution, quality management, project management and more (SAP 2005a).

mySAP ERP is a complex system enabling companies to integrate most financial, human, asset and data management tasks in one comprehensive IT infrastructure (SAP 2005a). The mySAP ERP solution framework includes four individual solutions. These are mySAP ERP Financials, mySAP ERP Human Capital Management, mySAP ERP Operations and mySAP ERP Corporate Services.

mySAP ERP Financials provides accounting-related functionalities, including legal financial reporting, segment reporting, international accounting standards compliance, parallel recording in multiple currencies, accounts receivable, accounts payable, fixed assets, cost centre and profit centre accounting, planning and control. mySAP ERP provides functionality supporting internal control assessment, such as reporting on changes in user profiles and segregation of duties.

A supplementary module to mySAP ERP Financials is the SAP Strategic Enterprise Management or SAP-SEM (SAP 2004). It includes consolidated financial reporting; planning, budgeting and forecasting; corporate performance management and scorecards; and finally risk management for identifying, quantifying and analysing business risks.

Together, mySAP ERP Financials and SAP-SEM offer comprehensive financial and management accounting functionalities, internal auditing functionalities and advanced planning and reporting functionalities.

4.2 Basic internal control functionalities

Data integrity controls are the basic internal controls aimed at securing data integrity (Gelinas et al. 2005). These controls have always been available in mySAP (and other ERP systems) but are receiving increasing attention because of corporate SOX compliance efforts (PwC 2003). Relevant and important to SOX compliance, these functionalities are not specific to the SOX compliance effort and are (or should be) a part of the overall internal control system. In mySAP ERP these are divided into three major groups which in mySAP terminology are called inherent controls, configurable controls, reporting controls and security controls:

1. Inherent controls are programmed controls that operate automatically, for example to check the validity of entered data. These controls refer to system configuration dynamically

2. Configurable controls are user-defined settings that tailor the way the system operates for the organisation, including its organisational structure, chart of accounts and tax rates

3. Reporting controls are present in mySAP ERP in the form of standard or ad hoc reports that show e.g. changes of account master data, customer master data etc.

4. Security controls allow the definition of authorisations for users in line with their organisational responsibilities and segregation of duties to reduce opportunities for fraud.

The inherent controls provided by mySAP ERP are extensive. Postings are restricted to general ledger accounts by the document type. Input fields are checked to verify that all required data is entered and validity checks are satisfied with reference to the data dictionary. Account numbers must exist in the chart of accounts used by the organisation. Postings of transactions to sub-ledgers (Accounts Receivable and Accounts Payable) result in automatic postings to the corresponding general ledger reconciliation (control) accounts. Direct postings to these reconciliation accounts are prohibited.

The balance of debit and credit postings can be reviewed at any time during data entry. A document will be posted only if total debits balance with total credits. Automatic postings are also performed by the system, taking care of the calculation and posting of taxes on inputs and outputs. Gains or losses on exchange rate differences involving monetary items are posted automatically to appropriate general ledger accounts. Changes to posted documents are permitted but are severely limited, thereby preserving the integrity of the transactions. Where documents containing incorrect data have been posted, a document reversal facility can be used to ‘back-out’ the transaction, avoiding the need to post adjustments.

mySAP ERP configurable controls are customising settings that prescribe how the system should operate to meet the organisation’s needs. For example, the organisation must define its ‘fiscal year’ for reporting, such as July to June, and posting periods, in a ‘fiscal year variant’. Every posting is assigned to a fiscal year and posting period with reference to this variant. This data is stored with each posting to permit reporting for ranges of posting periods, e.g. monthly or quarterly, and for the entire fiscal year. A ‘posting period variant’ controls into which fiscal years and posting periods transactions may be posted. Opening and closing posting periods are manual processes usually performed shortly after the beginning of a new month.

Other examples of configurable controls are tolerance limits in terms of maximum posting amounts assigned to user groups and setting payment difference limits for handling underpayment and overpayment of accounts. To permit the calculation and reporting of taxes on transactions, the organisation must configure tax codes, associate tax rates and the general ledger accounts (receivable and payable) to which tax amounts are to be posted. Where a general ledger account is not ‘tax-relevant’, the field Posting Without Tax Permitted must be set. The Tax Category field for revenue and expense accounts may be set as relevant to Output Tax and Input Tax respectively, to reduce the incorrect selection of tax codes during data entry. Field status definitions prescribe whether input fields are to be required, optional or suppressed. Tax codes need to be mandatory for postings to tax-relevant accounts.

Validations are another example of configurable controls. Rules can be set up in the system that will enforce process logic from a SOX point of view. For example, a rule can be set up that stipulates that posting can only take place on certain revenue accounts if the business process in SAP is a system generated invoice and the business area is in a predefined range. If a posting is made that violates this rule, the system will issue an error message telling the user that the posting is not allowed. Likewise workflows can be used in order to provide automated routing and escalation of key information with alert capabilities. This helps ensure that the ‘right work is brought in the right sequence at the right time to the right people’. Additionally, it allows process and control owners to monitor deadlines and provides statistics on the length of time to complete work processes, which can determine the workload with regard to individual employees.

Where transactions are entered involving foreign currencies, mySAP ERP refers to its table of exchange rates to convert amounts into local currency (the amounts are also stored in the foreign currency). Alternatively, the current exchange rate can be entered with the transaction. To detect data entry errors, a maximum exchange rate difference (tolerable percentage) can be set which will alert the user to intolerable differences between the rate entered and that stored in the exchange rate table. The system also accommodates the organisational requirement for recurring documents (‘standing journal entries’). Routine transactions (e.g. rent payments) which are the same in each posting period may be defined and scheduled for posting.
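A simplified model of the posting-time checks described in the preceding paragraphs, added here as an illustration; it is not SAP code or configuration and does not come from the paper. The account numbers, tolerance groups, rates, the BILLING/MANUAL origin flag and the convention of naming the fiscal year after its June are assumptions.

```python
from datetime import date
from decimal import Decimal

# Constructed settings standing in for customising; not real SAP table content.
CONFIG = {
    "accounts": {            # chart of accounts: number -> reconciliation account?
        "113100": False,     # bank
        "140000": True,      # receivables control account
        "800000": False,     # sales revenue
    },
    "open_periods": {(2006, 9), (2006, 10)},        # posting period variant
    "tolerance": {"CLERK": Decimal("10000"),        # maximum amount per document
                  "SUPERVISOR": Decimal("500000")},
    "rates": {"USD": Decimal("1.25")},              # stored exchange rate table
    "max_rate_diff_pct": Decimal("5"),              # tolerable rate difference
}

def fiscal_period(d):
    """July to June fiscal year variant; the year is named after its June (assumed)."""
    return (d.year + 1, d.month - 6) if d.month >= 7 else (d.year, d.month + 6)

def revenue_validation(doc, line):
    """Validation rule from the text: revenue lines need a system-generated invoice."""
    if not line["account"].startswith("8"):         # prerequisite not met
        return None
    if doc["origin"] == "BILLING" and "1000" <= doc["business_area"] <= "1999":
        return None                                 # check passed
    return f"posting to revenue account {line['account']} not allowed"

def check_document(doc, user_group, cfg=CONFIG):
    """Return the list of control violations; an empty list means the document posts."""
    errors = []
    for line in doc["lines"]:
        is_recon = cfg["accounts"].get(line["account"])
        if is_recon is None:                        # inherent: account must exist
            errors.append(f"account {line['account']} not in chart of accounts")
            continue
        if is_recon and not doc.get("from_subledger", False):
            errors.append(f"direct posting to reconciliation account {line['account']}")
        msg = revenue_validation(doc, line)         # configurable: validation rule
        if msg:
            errors.append(msg)
    debit = sum((l["amount"] for l in doc["lines"] if l["side"] == "D"), Decimal("0"))
    credit = sum((l["amount"] for l in doc["lines"] if l["side"] == "C"), Decimal("0"))
    if debit != credit:                             # inherent: document must balance
        errors.append(f"debits {debit} do not equal credits {credit}")
    if fiscal_period(doc["posting_date"]) not in cfg["open_periods"]:
        errors.append("posting period is closed")
    if max(debit, credit) > cfg["tolerance"][user_group]:
        errors.append(f"amount exceeds tolerance limit for {user_group}")
    if doc.get("entered_rate") is not None:         # rate keyed in with the document
        stored = cfg["rates"][doc["currency"]]
        diff_pct = abs(doc["entered_rate"] - stored) / stored * 100
        if diff_pct > cfg["max_rate_diff_pct"]:
            errors.append(f"exchange rate differs {diff_pct:.1f}% from table rate")
    return errors

# Constructed sample documents.
BILLING_DOC = {   # system-generated invoice arriving through the sub-ledger
    "origin": "BILLING", "business_area": "1200", "from_subledger": True,
    "posting_date": date(2006, 3, 15), "currency": "USD",
    "entered_rate": Decimal("1.26"),
    "lines": [{"account": "140000", "side": "D", "amount": Decimal("5000")},
              {"account": "800000", "side": "C", "amount": Decimal("5000")}],
}
MANUAL_DOC = {    # manual journal entered after the period was closed
    "origin": "MANUAL", "business_area": "1200",
    "posting_date": date(2006, 7, 3), "currency": "USD",
    "entered_rate": Decimal("1.40"),
    "lines": [{"account": "113100", "side": "D", "amount": Decimal("12000")},
              {"account": "800000", "side": "C", "amount": Decimal("11000")}],
}

if __name__ == "__main__":
    for name, doc in (("billing", BILLING_DOC), ("manual", MANUAL_DOC)):
        print(name, check_document(doc, "CLERK") or "posted")
```

The same manual document entered by a user in the SUPERVISOR group still fails four checks; only the tolerance limit depends on the user group.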

In order to control changes in the system, predefined reports can be executed to monitor changes to master data in the system. Reports can show which changes have been made to G/L accounts, customer accounts, vendor accounts etc. in order to display changes to critical information. New capabilities for monitoring closing activities allow for managers to control the closing process more easily and provide timely accounting information. Furthermore, the system provides auditing capabilities with audit trails for every transaction, document flows that allow for easy control of the business process and logging of changes to documents. A great number of reports delivered standard with the system allow for control of the above-mentioned issues and ad hoc reports can easily be created for controlling changes.

Proper implementation of authorisations is a critical ingredient for the maintenance of security in mySAP ERP. The system uses authorisation objects to assign authorisations to users. An authorisation object is a template for an authorisation. For example, authorisation object F_SKA1_BUK - G/L Account: Authorisation for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger Supervisor to create a general ledger master record, he/she must be assigned an authorisation to create accounts for a specific company code (e.g. Company Code 2000). Such an authorisation is created by assigning these field values. Authorisations may be classified as general authorisations, organisational authorisations or functional authorisations.

Profiles relating to an organisational role (e.g. General Ledger Supervisor) consist of a list of authorisations and links to other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (e.g. password).

1. Defining organisational roles

2. Identification of the R/3 functions (menu options) associated with each role

3. Identification of the authorisations required for each function

4. Designing authorisations and profiles

5. Creating authorisations and profiles in the development system

6. Testing authorisations and profiles in the quality assurance system

7. Transporting authorisations and profiles to the production system

8. Assigning profiles to user master records.

Steps 1 and 2 are best accomplished using a security model documented in the form of a table. The functions (menu options) associated with each role should also show the Transaction Code assigned to each function. For example, the Transaction Code for creating a general ledger master record is FS01. Transaction codes are ‘short cuts’ to menu options and are the link to the authorisations required for each function. The mySAP table USOBT contains a list of authorisation objects and field values required for each Transaction Code.

Steps 3 to 5 may be performed as summarised above. Alternatively, authorisations may be implemented using the Profile Generator. This software uses a graphical interface to identify and assign field values to authorisations. Roles are defined and the permitted menu options (transaction codes) are selected. The system generates the required profiles and authorisations. Field values for authorisations are proposed by the software or can be entered. Roles and their profiles are assigned to users.

A considerable investment in time and resources is required when implementing mySAP ERP. Configuring each module and establishing appropriate user roles and profiles must be performed in the development environment and then tested before transfer to the production system; only then can roles and profiles be assigned to the actual users. Correct configuration of the system is critical as it often proves extremely costly to change the setup at a later date (Bae & Ashcroft 2004).

4.3 Framework for internal control management

SOX compliance relevant functionalities are those functionalities that can play a role in either securing compliance with SOX, depending on whether the company has implemented these modules, or facilitating effective and efficient SOX compliance. Three functionalities stand out as relevant to SOX compliance, provided that the company uses these functionalities. These are audit trails analysis, the Strategic Enterprise Management (SEM) module and the Audit Information System.

With regard to audit trails analysis, extensive audit trails are provided by mySAP ERP, including the security audit log, changes to master records and accounting audit trails. These permit routine monitoring of controls and user activity.

The security audit log facility provides a high-level overview of user activity at the transaction code level. A profile is created and filters are defined specifying which events are recorded in the log. Selected events are stored in a daily audit file on each application server. These audit files are retained until deleted.

Filters specify which clients and users are to be monitored. Events may be selected for logging according to audit class, such as log-ons, transaction starts and user master changes, or according to event class – critical events, important events or all events. Alternatively, a set of individually selected events may be chosen as a detailed audit configuration. Once the filter(s) and profile are activated, the application server must be restarted and then logging commences.

Audit records contain the following fields for each logged event: Date, Time, Client, User-id, Transaction Code, Terminal Name (computer name from Windows), Message Identifier and Message Text. A reporting facility is provided for the security audit log. Reports may be produced for specified date ranges, users, transaction codes, audit classes, event classes and messages.


Changes in master records are stored in two tables: CDHDR Change Document Headers and CDPOS Change Document Items. Changes include creation and deletion of master records and changes in fields. Each change document header record specifies: Client, Object class of the master record (e.g. category of vendor, customer, general ledger account, cost centre etc.), Object value (i.e. vendor number, cost centre code), Change document number, User name that made the change, Date, Time and Transaction code (e.g. FK02 Change Vendor Master Record). For each change document number, there are corresponding change document items in the CDPOS table. Change document items have the following fields: Client, Object class of the master record (e.g. category of vendor, customer, general ledger account, cost centre etc.), Object value (i.e. vendor number, cost centre code) and Change document number.
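One way an auditor might work with exported change documents, added here as an example that is not from the paper or from SAP: items are joined to headers on the four key fields the two tables share, and changes to watched fields are listed. The rows are constructed, and the field/old/new columns of the item export, the object class labels and the watched field names are assumptions, since the text lists only the key fields.

```python
import csv
import io
from collections import defaultdict

# Constructed export of change document headers (CDHDR), one row per change.
HEADERS_CSV = """client,object_class,object_value,change_number,user,date,time,tcode
100,VENDOR,0000100234,0000501,BRUNO,2006-03-01,09:14:02,FK02
100,VENDOR,0000100234,0000502,CHLOE,2006-03-01,17:40:11,FK02
100,GL_ACCOUNT,0000400000,0000503,ALICE,2006-03-02,10:05:30,FS02
100,VENDOR,0000100777,0000504,BRUNO,2006-03-03,11:20:45,FK01
"""

# Constructed export of change document items (CDPOS), one row per changed field.
# The last three columns are assumed to be part of the export.
ITEMS_CSV = """client,object_class,object_value,change_number,field,old,new
100,VENDOR,0000100234,0000501,payment_terms,0001,0002
100,VENDOR,0000100234,0000502,bank_account,11112222,33334444
100,VENDOR,0000100234,0000502,payment_block,X,
100,GL_ACCOUNT,0000400000,0000503,description,Sales,Sales domestic
100,VENDOR,0000100999,0000509,bank_account,55556666,77778888
"""

# Fields per object class whose changes the reviewer wants to see (assumed names).
WATCHED = {"VENDOR": {"bank_account", "payment_block"}}

# The four fields that headers and items have in common form the join key.
KEY = ("client", "object_class", "object_value", "change_number")

def load(text):
    """Parse an embedded CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def join_changes(headers, items):
    """Attach items to their header; also return item keys that have no header."""
    by_key = defaultdict(list)
    for item in items:
        by_key[tuple(item[f] for f in KEY)].append(item)
    joined, seen = [], set()
    for header in headers:
        key = tuple(header[f] for f in KEY)
        seen.add(key)
        joined.append({**header, "items": by_key.get(key, [])})
    orphans = sorted(key for key in by_key if key not in seen)
    return joined, orphans

def review(joined, watched):
    """List changes to watched fields and headers that carry no item detail."""
    sensitive, incomplete = [], []
    for change in joined:
        if not change["items"]:
            incomplete.append(change["change_number"])
        for item in change["items"]:
            if item["field"] in watched.get(change["object_class"], ()):
                sensitive.append((change["date"], change["user"], change["tcode"],
                                  change["object_value"], item["field"],
                                  item["old"], item["new"]))
    return sorted(sensitive), incomplete

if __name__ == "__main__":
    joined, orphans = join_changes(load(HEADERS_CSV), load(ITEMS_CSV))
    sensitive, incomplete = review(joined, WATCHED)
    for row in sensitive:
        print("watched field changed:", row)
    print("headers without items:", incomplete)
    print("items without header:", orphans)
```

Headers without items and items without a header both indicate an incomplete export or a gap in the trail, so they are reported separately from the field changes.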

Determining whether authorisations have been properly assigned to users may be quite a challenge to auditors. There are over 120,000 transaction codes in mySAP ERP, each requiring its own set of authorisations. Management may evaluate and compliance test the organisation’s security model (Institute of Internal Auditors 1997, Ernst & Young 1995). This approach is appropriate when authorisations have been implemented in a structured, well-documented manner. The security model is ‘desk-checked’ for completeness and proper segregation of duties and then tested for proper implementation on a ‘sample’ basis by interrogating authorisations, profiles (or roles) and user master records. All users with the same responsibilities should be assigned the same authorisations and profiles (roles). Proper segregation of organisational responsibilities is a critical concern in this process.

mySAP ERP comes with an Authorizations Information System which includes several standard reports that may also prove useful for reviewing authorisations. Examples of standard reports include

1. Users with ‘critical’ basis authorisations

2. Users with ‘critical’ combinations of authorisations (transaction codes)

3. Transaction codes that may be executed by a specified user, profile, authorisation or authorisation object

4. Comparisons of two user master records, profiles or authorisations.

Changes to users, profiles and authorisations may also be reviewed using standard reports. The functions that may be performed by a user with a specified role may be listed and investigated. This user master record may then be compared with those of other users with the same role to highlight differences.
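The review described above (transaction codes per user, critical combinations, comparison of users with the same role), shown as an added example; it is not SAP's Authorizations Information System and not code from the paper. Users, roles and rules are constructed, and transaction codes other than FS01 and FK02 do not appear in the paper.

```python
# Constructed security model: role -> transaction codes it grants.
ROLE_TCODES = {
    "GL_SUPERVISOR": {"FS01", "FS02", "FS03"},
    "AP_MASTER_DATA": {"FK01", "FK02", "FK03"},
    "AP_PAYMENTS": {"F-53", "F110"},
    "AP_DISPLAY": {"FK03"},
}

# Constructed user master data: organisational role plus assigned roles.
USERS = {
    "ALICE": {"org_role": "General Ledger Supervisor", "roles": ["GL_SUPERVISOR"]},
    "BRUNO": {"org_role": "Accounts Payable Clerk", "roles": ["AP_MASTER_DATA"]},
    "CHLOE": {"org_role": "Accounts Payable Clerk",
              "roles": ["AP_MASTER_DATA", "AP_PAYMENTS"]},
    "DEVI": {"org_role": "Payments Officer", "roles": ["AP_PAYMENTS", "AP_DISPLAY"]},
}

# Constructed segregation-of-duties rules, grouped by business process.
# A rule is breached when one user holds a code from each side.
SOD_RULES = [
    {"id": "P2P-01", "process": "Procure to pay",
     "risk": "maintain vendor master records and release payments",
     "left": {"FK01", "FK02"}, "right": {"F-53", "F110"}},
    {"id": "R2R-01", "process": "Record to report",
     "risk": "maintain G/L master records and post G/L documents",
     "left": {"FS01", "FS02"}, "right": {"FB50", "F-02"}},
]

def effective_tcodes(roles, role_tcodes=ROLE_TCODES):
    """Union of the transaction codes granted by every role in the list."""
    codes = set()
    for role in roles:
        codes |= role_tcodes[role]
    return codes

def sod_violations(users=USERS, rules=SOD_RULES):
    """Return (user, rule id, left codes held, right codes held) per breach."""
    findings = []
    for user in sorted(users):
        codes = effective_tcodes(users[user]["roles"])
        for rule in rules:
            left, right = codes & rule["left"], codes & rule["right"]
            if left and right:
                findings.append((user, rule["id"], sorted(left), sorted(right)))
    return findings

def role_drift(users=USERS):
    """Compare users who share an organisational role.

    Returns {organisational role: {user: codes beyond the common set}} for
    every organisational role whose members do not have identical access.
    """
    members = {}
    for user, record in users.items():
        members.setdefault(record["org_role"], []).append(user)
    drift = {}
    for org_role, names in members.items():
        access = {u: effective_tcodes(users[u]["roles"]) for u in names}
        common = set.intersection(*access.values())
        extras = {u: sorted(c - common) for u, c in access.items() if c - common}
        if extras:
            drift[org_role] = extras
    return drift

if __name__ == "__main__":
    for user, rule_id, left, right in sod_violations():
        print(f"{user} breaches {rule_id}: holds {left} together with {right}")
    for org_role, extras in role_drift().items():
        print(f"{org_role}: access differs between members: {extras}")
```

In the sample data the same user surfaces in both checks: the extra payment role produces the conflict and also makes that user's access differ from a colleague with the same responsibilities.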

Other important sets of functionalities in mySAP that could become relevant to SOX compliance are found in the Strategic Enterprise Management or SEM. One set of functionalities is consolidation and another is risk management. Consolidating data from different subunits is subject to the basic controls mentioned above, but in addition SEM consolidation includes controlled consolidation from other systems, which becomes important for securing data quality when not all subunits use SAP. SEM consolidation also offers complete drill down audit trails to levels of both business units in the consolidation chains and individual documents.

The SEM consolidation module also enables identification of auditors’ material adjustments as a separate document type and posting period, which is important in complying with SOX section 401. Likewise the SEM consolidation module enables the usage of alternative versions in order to support the calculation of effects of off-balance sheet transactions on the group financial statement. Comparison reporting and analysis of final financial statements and key figures can be performed. The SEM risk management functionality focuses on risk identification, quantification and monitoring. It also offers early warning indicators, e-mail notification, supports reporting and warnings of significant changes for periods subsequent to evaluation. As such, the procedures for managing the risks of SOX non-compliance, including risks of fraud, risks of material misstatements in annual reports and risks of errors in important G/L accounts, are no different from any other risk management process (Matyjewicz & D’Arcangelo 2004).

The Auditing Information System (AIS), usually used by internal auditors, can play a role in the SOX compliance process. The AIS provides management or auditors with a structured menu containing standard control reports for performing system and business audits. The system audit monitors the more technical aspects of the system, e.g. tables, authorisations, access statistics, critical combinations of transactions, system configurations etc. The business audit concentrates on the business transactions and can be either account oriented or process oriented.

The structure is role based, providing only the relevant reports and transactions to each individual user based on the assigned role. A menu structure can therefore be generated for monitoring different business processes and a different structure for monitoring the inherent and configurable controls. For example, users with incomplete address data or users who are dormant may be identified. System-wide security settings, e.g. password length or expiry, and passwords for ‘super-users’ may be reviewed. Likewise data can be exported to external analysis software directly from the transaction data tables in mySAP ERP, thus enhancing the auditing capabilities. This applies to document line items, account balances, customer open items, vendor open items etc.

SOX compliance specific functionalities are those where development has been initiated by the passing of the Sarbanes-Oxley Act and are specifically aimed at managing SOX compliance. In the mySAP ERP solution framework this includes the Management of Internal Controls (MIC) module released in 2003, the Whistleblower functionality released in 2003 and the Compliance Calibrator released in 2004 by Virsa Compliance Systems, which has now been acquired by SAP.

The MIC is specifically developed in the wake of Sarbanes-Oxley and is specifically modelled to help managers manage the compliance process with sections 302 and 404 (SAP 2005). It includes functionalities for documenting internal controls as well as control processes, control objectives and the link between risks and controls. It helps manage the assessment of the design and effectiveness of controls through identification of issues and development and tracking of remediation plans. Regarding preparing and publishing the SOX management report on internal controls, the MIC supports sign-off and roll-up of control assessments and associated findings and offers access for auditors to the final assessment. The MIC also includes executive dashboards for managing sign-offs, which gives senior managers better global visibility of the status of Sarbanes-Oxley projects throughout the organisation. It includes centralised storage and online access to internal-control processes – which can improve the ability to catalogue, distribute and review internal controls.

Another specific functionality that has been developed in the wake of Sarbanes-Oxley is the whistleblower functionality released in 2003 (SAP 2004, SAP 2005). It enables employees to send anonymous complaints and messages to the audit committee of the company. The whistleblower functionality also offers limited possibilities for analysing complaints by sorting and marking them.

The Virsa compliance calibrator is an add-on to the mySAP developed by Virsa Systems for SAP (SAP 2005, Virsa Systems 2005). This company was acquired by SAP in 2006. The product enables users to define and monitor in real time all critical transactions and accounts. The system can scan mySAP where it matches user rights with user activities in the system. This includes a database of segregation of duties rules which are grouped by business process with the possibility of customising rules according to company needs. This involves a risk assessment and matching risks to transactions. Once rules are created, Virsa automatically assigns the appropriate SAP authorisation objects with suggested values. Finally, Virsa allows users to carry out custom code scanning, analysis of custom tables and reference user violations alerts.

Although SAP has chosen to acquire Virsa and maybe in time integrate it into its mySAP ERP solutions, other products with similar functionalities are available from other vendors including ACL¹ and SAS².

5. Conclusion

Sarbanes-Oxley is here to stay. Not only in the US but also in other parts of the world, it seems to be having effects. For example, Germany and Australia have enacted similar changes in accounting regulations (CA 2002, PwC 2003, Breandle & Noll 2005). The 8th EU directive shows influences from the Sarbanes-Oxley legislation regarding auditor roles and independence. Developing and maintaining internal control systems are thus becoming something companies will focus on for some years to come, even though they are not required to comply with SOX.

¹ www.acl.com/Default.aspx?bhcp=1. Accessed 20-04-2006

²

It goes without saying that internal controls are not the primary activity of business. The challenge is to reach a level of control that achieves the control objectives of the company without disrupting the primary objective of the company which is to create value for its stakeholders. In creating and delivering value, modern companies are to a large extent dependent on information technology. Developing an effective and efficient internal control system is dependent on an intelligent integration of control activities and information technology.

ERP systems provide the company with basic internal control functionalities and a framework for control system management. Seeing how SOX compliance is reflected in the solutions offered by SAP, it is likely that future ERP development will include a broader compliance focus than just SOX compliance. As companies have to comply with an increasing number of regulations, it seems logical that a general compliance functionality is developed within the ERP solution framework, merging the variety of system functionalities used for compliance with e.g. environment, health and safety regulations, quality management, labour laws, food safety etc. Currently there are a number of non-ERP vendors on the market who offer compliance systems for specific legislations or other compliance areas such as quality management or environmental management³. In the last two years numerous products have also been marketed for SOX compliance (Markham & Hamerman 2005).

It is also likely that the focus on risk management and risk management processes in ERP systems will increase. Assessing and developing compliance and internal controls include risk assessment and risk management, that is to say, assessing the risk of non-compliance, errors or fraud and finding ways to mitigate or avoid this risk through internal controls. However, from a compliance perspective, risk will have to be linked to business processes and business process modelling. For example, complying with the Food and Drug Agency’s regulations regarding the marketing of a new drug involves other risks and requires different controls than complying with Sarbanes-Oxley. However, the overall risk assessment and compliance process could be linked to the business processes in question.

Furthermore, compliance as such seems to be changing. The emergence of wide-reaching legislations such as SOX has spurred an interest in compliance management as a corporate function. Companies are hiring compliance managers and looking into how compliance management and processes can be standardised and harmonised across organisational and geographical boundaries. Compliance is seen as something that can even create competitive advantage if it is done more effectively and more efficiently than the competitor.

Building on this, some interesting research questions arise:

1. How are organisational accountability structures for global, regional and local compliance evolving and how are they managed?

2. Who are the various constituencies that have an interest in the performance of compliance and risk management and how do companies address these concerns?

3. What is the cost of compliance?

4. How much do automation and integration in ERP systems affect the effectiveness and efficiency of internal control systems?

³ See e.g. www.ess-home.com; www.etq.com; www.openpages.com; www.businessplans.org. All accessed 20-04-2006

References

Atkinson, J. & S. Leandri (2005). ‘Organizational Structure that Supports Compliance’. Financial Executive, December, pp. 36-40.

ACL Services Ltd. (2005). Sarbanes-Oxley Section 404 Compliance Survey Release. Available from http://www.acl.com/solutions/sarbanes-oxley.aspx?bhcp=1. Accessed 5/11 2006.

Bae, B. & P. Ashcroft (2004). ‘Implementation of ERP Systems: Accounting and Auditing Implications’. Information System Control Journal, Vol. 5, pp. 43-48.

Baker, R., W. E. Bealing Jr., D. A. Nelson & A. Blair Staley (2006). ‘An Institutional Perspective of the Sarbanes-Oxley Act’. Managerial Auditing Journal, 21(1), pp. 23-33.

Best, P. (2000). ‘Auditing SAP R/3 – Control Risk Assessment’. Australian Accounting Review, Vol. 10, No. 3, November, pp. 31-42.

Breandle, U. & J. Noll (2005). ‘A Fig Leaf for the Naked Corporation’. Journal of Management and Governance, Vol. 9, pp. 79-99.

Byington, J. R. & J. A. Christensen (2005). ‘SOX 404: How do you control your internal controls?’ Journal of Corporate Accounting and Finance, May/June, pp. 35-40.

CA - Commonwealth of Australia (2002). Corporate Disclosures: Strengthening the Financial Reporting Framework. Available from www.treasury.gov.au/contentitem.asp?NavId=&ContentID=403. Accessed 20-03-2006.

Cannon, D. M. & G. A. Growe (2004). ‘SOA Compliance: Will IT Sabotage your Efforts?’ Journal of Corporate Accounting & Finance, July/August, pp. 31-37.

CFO (2005). ‘Compliance and Technology: A Special Report on Process Improvement and Automation in the Age of Sarbanes-Oxley’. Available from www.pwc.com. Accessed 20-03-2006.

Chenhall, R. (2003). ‘Management Control Systems Design Within its Organizational Context: Findings from Contingency-Based Research and Directions for the Future’, Accounting, Organizations and Society, Volume 28, Issue 2-3, pp. 127-168.

COSO - Committee of Sponsoring Organizations (1992). ‘Internal Control - Integrated Framework’. Available from www.coso.org. Accessed 26-02-2006.

COSO - Committee of Sponsoring Organizations (2004). ‘Enterprise Risk Management’. Available from www.coso.org. Accessed 26-02-2006.

CRA - Charles River & Associates (2005). ‘Sarbanes-Oxley Section 404: Costs and Remediation of Deficiencies: Estimates from a Sample of Fortune 1000 Companies’. Available from www.crai.com. Accessed 01-03-2006.

du Plessis, J., J. McConvill, M. Bagaric (2005). Principles of Contemporary Corporate Governance. Cambridge: Cambridge University Press.

Davenport, T. H., J. G. Harris & S. Cantrell (2004). ‘Enterprise systems and ongoing process change’. Business Process Management Journal, Volume 10, Issue 1, pp. 16-26.

Elmes, M., D. Strong & O. Volkoff (2005). ‘Panoptic empowerment and reflective conformity in enterprise systems-enabled organizations’. Information and Organization, Volume 15, Issue 1, pp. 1-37.

Ernst & Young (1995). Audit, Control, and Security Features of SAP R/3.

Fox, C. (2004). ‘Sarbanes-Oxley—Considerations for a Framework for IT Financial Reporting Controls’. Information Systems controls Journal, Vol. 1, pp. 1-3.

Gelinas, U. J., S. G. Sutton & J. E. Hunton (2005). ‘Accounting Information Systems’, 6th edition, Ohio: South-Western, Thomson.

Granlund, M. & J. Mouritsen (2003). ‘Introduction: Problematizing the Relationship Between Management Control and Information Technology’. European Accounting Review, Vol. 12 (1), pp. 77-83.

IMJ - Information Management Journal (2004). ‘AMR Research 2004: Compliance Costs Are Rising’. November/December, p. 6.

Institute of Internal Auditors (1997). ‘SAP R/3: Its Use, Control, and Audit’, Institute of Internal Auditors Research Foundation, Altamonte Springs, Florida.

ITGI – IT Governance Institute (2004). ‘IT Control Objectives for Sarbanes-Oxley’, Rolling Meadows (IL): IT Governance Institute. Available from www.isaca.org. Accessed 01-03-2006.

ITGI – IT Governance Institute (2005). ‘COBIT 4.0: Control Objectives for Information and Related Technology’, Rolling Meadows (IL): IT Governance Institute. Available from www.isaca.org. Accessed 01-03-2006.

Kendal, K. (2004). ‘A 10 Step Sarbanes-Oxley Solution’. Internal Auditor, December, pp. 51-55.

Little, A. & P. Best (2003). ‘A Framework for Separation of Duties in SAP R/3’. Managerial Auditing Journal, Vol. 18 (5), pp. 419-430.

McNally, S., & D. Wagaman (2005). Hard Climb is Done, But Trek Continues: Sarbanes-Oxley Compliance in Year Two and Beyond. Available from http://www.ascpa.com/public/pressroom/azcpa.aspx?a=view&id=249. Accessed 5/11 2006.

Markham, R. & P. Hamerman (2005). ‘The Forrester Wave™: Sarbanes-Oxley Compliance Software. Evaluation Of Top SOX Software Vendors Across 58 Criteria’. Available from www.forrester.com. Accessed 01-03-2006.

Matyjewicz, G. & J. D’Arcangelo (2004). ‘Beyond Sarbanes Oxley’. Internal Auditor, October, pp. 67-72.

PCAOB – Public Company Accounting Oversight Board (2004). Auditing Standard No. 2 - An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Available from http://www.pcaobus.org/Rules/Docket_008/index.aspx. Accessed 23/3 2006.

PwC – PricewaterhouseCoopers (2003). Sarbanes Oxley – Internal Control Solutions Framework. Available from www.pwc.com. Accessed 03-03-2006.

Rikhardsson, P., C. Rohde & A. Rom (2006: forthcoming). ‘Management Control in Enterprise System Enabled Organizations: A Literature Review’. Forthcoming in Corporate Ownership and Control, September.

Romney, M. & P. Steinbart (2003). Accounting Information Systems. Upper Saddle River (NJ): Prentice Hall.

SAP (2004a). SAP Service Select Web Seminar. SAP Sarbanes-Oxley. Available from www.sap.com. Accessed 20-03-2006.

SAP (2004b). Strategic Enterprise Management – An overview. Available from www.sap.com. Accessed 20-03-2006.

SAP (2005a). MySAP ERP functionalities – Overview. Available from www.sap.com. Accessed 20-03-2006.

SAP (2005b). Enterprise Governance and Sarbanes-Oxley Compliance with mySAP ERP Financials. Available from www.sap.com. Accessed 20-03-2006.

SAP (2006). Company information. Available from www.sap.com. Accessed 04-03-2006.

Shanks, G., P. B. Seddon & L. P. Willcocks (Eds.) (2003). Second-wave enterprise resource planning systems: Implementing for effectiveness. Cambridge: Cambridge University Press.

Shue, L. (2004). ‘Sarbanes Oxley and IT outsourcing’. Information System Audit and Control Association, Volume 5, pp. 43-49.

Virsa Systems (2005). SAP Compliance Calibrator – White Paper. Available from www.virsasystems.com. Accessed 20-03-2006.

Waldman, M. (2005). ‘Operationalizing Sarbanes-Oxley: How to Leverage Sarbanes-Oxley to Add Value to Business Operations’. Percipio Consulting Group. Available from

(18)

Working Papers from Accounting Research Group

A-2006-02

Pall Rikhardsson, Peter Best & Claus Juhl-Christensen: Sarbanes-Oxley

compliance, internal control and ERP systems: Automation and the case of

mySAP ERP.

A-2006-01

Claus Holm & Niels Steenholdt: Explaining Differences in Learning

Out-comes in Auditing Education – The Importance of Background Factors,

Prior Knowledge and Intellectual Skills.

Before November 2006

FINANCIAL REPORTING

R-2006-04

Finn Schøler: Is there something rotten in Denmark? A true story about

earnings management to avoid small losses.

R-2006-03

Finn Schøler: The accrual anomaly – focus on changes in specific

unexpected accruals results in new evidence.

R-2006-02

Claus Holm & Pall Rikhardsson: Experienced and Novice Investors: Does

Environmental Information Influence on Investment Allocation Decisions?

R-2006-01

Peder Fredslund Møller: Settlement-date Accounting for Equity Share

Op-tions – Conceptual Validity and Numerical Effects.

R-2005-04

Morten Balling, Claus Holm & Thomas Poulsen: Corporate governance

rat-ings as a means to reduce asymmetric information.

R-2005-03

Finn Schøler: Earnings management to avoid earnings decreases and losses.

R-2005-02

Frank Thinggaard & Lars Kiertzner: The effects of two auditors and

non-audit services on non-audit fees: evidence from a small capital market.

R-2005-01

Lars Kiertzner: Tendenser i en ny international revisionsstandardisering

- relevante forskningsspørgsmål i en dansk kontekst.

R-2004-02

Claus Holm & Bent Warming-Rasmussen: Outline of the transition from

national to international audit regulation in Denmark.

R-2004-01

Finn Schøler: The quality of accruals and earnings – and the market pricing

of earnings quality.

MANAGEMENT ACCOUNTING

M-2006-05

Pall Rikhardsson, Peter Best, Peter Green & Michael Rosemann: Business

Process Risk Management, Compliance and Internal Control: A Research

Agenda.

(19)

M-2006-04

Steen Nielsen & Erland Hejn Nielsen: System Dynamic Modelling for a

Balanced Scorecard: With a Special Emphasis on Skills, Customer Base,

and WIP.

M-2006-03

Iens Christian Pontoppidan: Økonomistyring af værdi – set i et værdibaseret

ledelsesperspektiv.

M-2006-02

Iens Christian Pontoppidan: Risiko og værdibaseret ledelse – set i et

øko-nomistyringsperspektiv.

M-2006-01

Morten Jakobsen: A survey of trust, control and information in networks.

M-2005-07

Pall Rikhardsson & Pernille Kræmmergaard: Identifying the effects of

En-terprise System implementation and use: Examples from Denmark.

M-2005-06

Pall Rikhardsson: Accounting for Health and Safety costs: Review and

comparison of selected methods.

M-2005-05

Pall Rikhardsson, Carsten Rohde & Anders Rom: Exploring Enterprise

Systems and Management Control in the Information Society: Developing a

Conceptual Framework.

M-2005-04

Jesper Thyssen, Poul Israelsen & Brian Jørgensen: Activity Based Costing

as a method for assessing the economics of modularization - a case study

and beyond.

M-2005-03

Christian Nielsen: Modelling transparency: A research note on accepting a

new paradigm in business reporting.

M-2005-02

Pall Rikhardsson & Claus Holm: Do as you say – Say as you do: Measuring

the actual use of environmental information in investment decisions.

M-2005-01

Christian Nielsen: Rapporteringskløften: En empirisk undersøgelse af

forskellen imellem virksomheders og kapitalmarkedets prioritering af

supplerende informationer.

M-2004-03

Christian Nielsen: Through the eyes of analysts: a content analysis of

analyst report narratives.

M-2004-02

Christian Nielsen: The supply of new reporting – plethora or pertinent.

M-2004-01

Christian Nielsen: Business reporting: how transparency becomes a

ISBN 87-7882-184-3

Department of Business Studies

Aarhus School of Business Fuglesangs Allé 4

DK-8210 Aarhus V - Denmark

Tel. +45 89 48 66 88 Fax +45 86 15 01 88
