I identify and test the empirical implications of complexity theory to investigate the effectiveness of the firm’s risk management program in monitoring compliance program activity. I provide a direct link between the quality of the Business Regulatory Compliance Unit (which executes and oversees the compliance program implementation) and the overall risk management quality of the firm. I use a multi-method design, incorporating survey questionnaires and econometric multivariate analysis of a sample of European firms. I find a relationship between the risk management exposure of European firms and the quality of their internal control department. I also find a strong relationship between earnings at risk for UK firms and asset-liability at risk for financial firms, but only a weak relationship between cash flow at risk and internal audit quality for European firms. The quality of internal compliance business units is strongly positively related to corporate performance over time.
## I. INTRODUCTION
The Enron and WorldCom scandals proved a watershed in the area of compliance and governance (Benston, 2006). The scandals provided an additional impetus for increased scrutiny and oversight of the management of these organizations, to improve investors' confidence in the sustainability of regulatory compliance programs and broader corporate risk management policies. Consequently, regulatory authorities and governments in both Europe and the US formulated various regulations to enhance governance (via increased transparency in financial reporting and disclosure). This issue is particularly pertinent to European firms that choose to list their securities in US markets, as they are subject to the enhanced reporting and risk management monitoring requirements of the Sarbanes-Oxley Act, 2002 (hereinafter, 'SOX').
A number of consultancy firms (e.g. McKinsey, 2017; NetIQ, 2019; MicroFocus, 2019) have alerted firms to the challenges that complex organizations face in developing a compliance program to meet the increasing complexity and scope of the post-SOX regulatory environment. These issues are particularly relevant for multinational firms that are subject to a complex array of regulations, as they seek to develop a 'Sustainable Compliance Program'. Such issues seem to be particularly relevant to financial firms, and to those adopting big data technologies in both sales and service provision. Moreover, institutional environments such as the UK have further explicated standards for enhanced corporate risk governance (e.g. the UK Revised Corporate Code, 2015).
While the post-Enron SOX regulations that firms have to comply with, and their implementation costs, have been heavily criticised (e.g., Benston, 2006), the implications for the quality and integrity of the internal control departments that are presumably responsible for monitoring their effectiveness have received relatively little attention. The impact of SOX on cross-listed firms is also well researched, as evidenced by Litvak (2007), Bianconi et al. (2013), and Arping and Sautner (2013). However, none of these studies considered the broader inter-connections between corporate effectiveness in implementing these regulations, and their broader connections with corporate risk management and information governance policies. For example, Damania et al. (2004) find that firms are able to evade compliance with regulations in countries with relatively higher levels of corruption, while Jiang et al. (2015) propose a consistency and compliance checker framework to ensure regulatory compliance, which is validated by a case study of customs declaration.
Moreover, such issues have largely been ignored by the currently dominant "agency paradigm" of corporate governance theory that is primarily concerned with the importance of the "top down" primacy role of shareholders and stock markets in solving corporate governance problems (e.g. Jensen and Meckling, 1976; Jensen, 1983, 1998), as presumed by prior literature reviews of the relationship between internal control departments and governance (e.g. Gramling et al. 2004, Carcello et al. 2011). By contrast, the "bottom up" implications associated with the effectiveness of individuals and business units charged with implementing regulatory compliance programs, upon which complex organisations increasingly rely, have been largely ignored. Goergen (2012) draws on insights from complexity theory to examine the inter-relationships between the entire corporate governance 'eco-system' and various other stakeholders and gatekeepers, such as auditors, regulators and internal compliance units.
The purpose of this paper is to examine both demand and supply side 'influencers' that affect the operational effectiveness of compliance program management (SOX in particular) within organizations.
Specifically, we focus on the extent of interrelationship among three main areas - the internal 'supply side' influence of organizational design (people, process, structure) and information systems strategy, and the external 'demand side' influence of corporate governance on the overall culture of compliance management within organizations.
This paper draws on the insights of complexity theory to extend relationships with stakeholders within the broader "corporate governance social ecosystem" to study the sustainability of activities to monitor firms' operational risk management exposures (Goergen et al., 2012). Mixed methods research is used to examine how regulatory changes have multiplied the operational risks faced by both UK and EU organisations. The survey provided insights into the quality of internal control departments responsible for monitoring the firm's compliance program management. Empirical tests were then conducted to examine the cross-sectional relationships between firm risk and compliance unit quality.
The rest of this paper is organised as follows. Section 2 overviews the institutional background to the study. Section 3 identifies various influences related to management, internal control and organisational design. Section 4 develops predictions. Section 5 discusses the results of empirical tests. Section 6 concludes.
## II. INSTITUTIONAL BACKGROUND
This section briefly describes the standards/framework (COSO) that currently exists and is used by companies worldwide for complying with and implementing SOX, as well as other compliance programs that are proposed as having contextual similarities with SOX.
By emphasizing the need for having 'effective' and 'efficient' operations as one of its key objectives in the definition of internal controls, the COSO Internal Control - Integrated Framework effectively puts the management of internal business operations in the critical path for SOX 404 compliance management (Heier et al., 2004). But while SOX 404 essentially adopted the COSO framework as the benchmark for internal controls for financial reporting, it does not provide any guidance as to how these can be implemented to influence executive management's decisions (Datar and Alles, 2003).
Given the importance of information systems integrity to effective SOX implementation, one might expect information systems to be managed to create business value and sustainable compliance programs. However, there is very little knowledge about this important issue. While the general management principles for information systems have been discussed extensively, the economic impact of these practices is not fully understood even in heavily regulated industries such as insurance (Hitt, 1999). Most of the previous literature has instead focused on the general benefits and costs of SOX implementation.
Ribstein (2005) argues that internal controls costs and compliance management are the most prominent of the costs related to SOX implementation, and finds a negative impact (cost-wise) on smaller firms. Ge and McVay (2004) confirm Ribstein's study on the increased impact of SOX on smaller firms. They suggest that smaller firms tended to show more cases of material weakness in their filings, vis-à-vis larger ones. This directly reflects the inability of smaller firms to detect and provide effective internal controls for identified risks, presumably because of a lack of resources. This suggests that the increased time spent by the firms to document their internal processes and controls for their 2004 certification is a clear indication of the 'time' (of resources) constraints imposed by the process.
Engel et al. (2005) suggest that the SOX benefits are far outweighed by the costs. This finding is corroborated by actions taken by some European companies that have preferred to pull out their US listings, apparently to avoid the cost implications related to SOX compliance. Berger (2005) finds that non-US firms based in countries with medium to strong "shareholder-protection" are more likely to claim that the benefits of SOX compliance are outweighed by the costs than firms based in countries with weak "shareholder-protection" business compliance programs.
Another contributing factor to the overall costs relates to the increased monitoring needs, which we discuss in greater depth when looking at the role of the board. Linck et al. (2005) provide empirical evidence of executive and board pay increases directly because of the SOX enactment. They also provide further evidence of the disproportionate impact of SOX implementation on smaller firms.
Other empirical studies have examined whether SOX has affected firms' market value, but their results are equivocal. On the one hand, Chhaochharia and Grinstein (2005) find that SOX compliance has a positive influence on "firm value". However, they cannot determine whether the increased returns of firms post-SOX are attributable to the governance introduced by SOX, or just to the reduced information asymmetry associated with the promulgation of the Act. By contrast, Rezaee and Jain (2005) find that only those firms with better governance models (prior to the SOX enactment) ended up increasing their market value, subsequent to the enactment.
The other contention of the negative impact of SOX relates to 'work inefficiencies'. Organizations contend that with increased need for documentation of processes and controls, the workload on the individual performing a task has disproportionately increased, resulting in less output and loss in productivity. Cohen et al. (2005) find a significant drop in the research and development expenses and capital expenditures subsequent to the implementation of SOX. Ribstein (2005) contends that executives are concerned about potential increased litigation risk due to weak internal controls.
There are also cultural differences in corporate governance quality that can affect the propensity of European firms to adopt SOX compliance programs. For example, the UK Corporate Governance Code (2015) requires companies to take the responsibility for internal monitoring to identify and create an effective risk-control matrix for the organization. However, the UK voluntary code is based on 'comply or explain'.
## III. INFLUENCES ON REGULATORY COMPLIANCE CULTURE
This section explores the demand for, and supply of, sustainable compliance programs by identifying various influences arising from recent regulatory demands for greater accountability in regulatory compliance programs, relating to (a) regulatory compliance and complexity, (b) internal control culture and (c) corporate governance effectiveness. Figure 1 summarizes the complexity theory framework that underlies the various external and internal influences on regulatory compliance culture.
### a) Regulatory Compliance and Complexity
As the organization expands geographically, the complexities of managing compliance increase disproportionately. For example, a public limited UK firm with an American subsidiary would need to satisfy, at the minimum, financial regulatory obligations (IAS reporting, Sarbanes-Oxley (SOX)) as well as new information privacy rules (the EU's newly updated General Data Protection rules related to customer communication, California data privacy rules).
Swingly (2005) provides real-life examples from the banking industry of firms trying to cope with the new Basel II regulations. He refers to "oversight committees" and "steering groups" (e.g. "KAS Bank"), comprising the operational heads of the business units, along with the auditors, treasury and the risk management leads, that jointly plan and manage the project "from analysis of the consultation papers, to the assessment of what processing will be affected and ultimately to who needs to be involved". He also provides examples of "wholesale restructuring of the organization in creating a 'centralised' compliance group, which would then have the responsibility for overseeing the compliance program, including targeting the processes and departments to ensure compliance".
Swingly (2005) provides a glimpse into the ongoing debate on the actual running of the compliance programs within the organization. The models range from a completely 'centralised' enterprise-wide compliance group to completely 'autonomous' business-unit/functional level compliance management groups. While the former provides 'enterprise wide' oversight and, theoretically, can ensure that the best resources are used in the most appropriate task once (i.e. a better possibility of using resources efficiently), the latter provides the flexibility of the 'business' experts extending their operational expertise into the area of managing their unit's compliance needs. The business-unit heads generally favour the latter model, as it still leaves the compliance program under their control, whilst the former turns compliance into a 'corporate' function.
Requirements from regulatory compliance programs like SOX (which holds the management responsible for ensuring that an appropriately qualified person performs the role) have also increased the need for organizations to train their employees. For SOX, organizations have two different training needs that need fulfilling: generic end-user training on SOX requirements and compliance, and more function-specific training that relates to SOX implications for the specific job role (for process owners). While the process management (standardized vs. non-standardized) has a bearing on the scope of training, the execution of the training itself is dependent on the structure of the organization (CEB, 2004). However, the process literature generally fails to explain the potential for agency conflict that gave rise to SOX.
The placement of the internal controls unit within the organization also has a direct impact on all aspects of internal controls setup for SOX - control testing, coordination, and control design. CEB (2004) suggests a positive relationship between process standardisation and the centralisation of the compliance unit function. Another key element in the organization structure is the presence of the risk management function and its proximity to the compliance unit. The emphasis on risk management by the existing frameworks (COSO) expanding the monitoring to beyond financial controls has resulted in firms looking to integrate their existing risk management practices with the new compliance units to achieve economies-of-scale with their internal controls testing (CEB, 2004).
### b) Compliance Culture in Organizations
To create a sustainable compliance program, the ethical behaviour of management and employees is a critical factor. There is a strong need to build a culture that would accept 'change' in work practices. This acceptance of change is crucial, as this would enable the employees of the organization to assimilate the newer (compliance-oriented culture) requirements into their daily work practices, enabling the organization to achieve efficiencies faster.
Allman (2005) argues that organizations have always propounded different codes of conduct by which their employees are governed and expected to act, in an informal setting. However, US Federal Sentencing Guidelines require organizations to promote "ethical behaviour" and "commitment to compliance" by their employees. He suggests the management should provide 'thought-leadership' emphasizing the values and commitment which need to be espoused by the employees, and recommends that the aspects of information handling - including retention, be incorporated in the 'core' values of the firm, encompassing the information systems training programs and corporate policies and procedures.
Allman (2005) recommends "The Sedona Guidelines" whilst trying to influence the cultural aspects of the firm, for accommodating the practices related to information handling and retention. These guidelines include recommendations on assessing the real drivers for information retention (e.g. legal considerations and not just day-to-day business drivers), and using technology efficiently to provide an effective archival mechanism, facilitating easy retrieval and access. Allman (2005) concludes that organisations should adopt a "functional" view of their information retention needs, as opposed to looking from a "departmental" perspective. This holistic approach to documentation management, combined with effective co-ordination between different groups in the organization, led by the legal team, holds the key for formulating a sustainable policy on information retention.
With the growing regulatory needs, employees often find themselves suffocated or overloaded with regulatory requirements. One of the unintended consequences, for the majority of 'well-governed' organizations, relates to employee morale. The employees in such organizations, deluged with paperwork, constantly seek to 'robotize' their work output, using less and less of their own ingenuity due to the fear of non-compliance. Ultimately, this drudgery at work is reflected in lower employee morale. In addition, employees, when put under a compliance regime with clearly defined personal liabilities (like in SOX), tend to work in a climate of fear, not wanting to make any mistakes. This "fear of failure" is costing organizations heavily, especially in the area of SOX internal control testing (wherein testing objectivity is lost as a direct consequence). Compounding this issue, employees feel less inclined to query or question decisions, taking away an effective 'sounding board' for the management.
Prior literature is equivocal as to the relative merits of decentralized versus centralized modes of organization that are most conducive to an effective compliance culture. On the one hand, Levine (1997) proposes "a system based on conditional deregulation, where companies with good records of compliance can choose to work with their employees to improve compliance and face fewer regulations, inspections and penalties". This is based on a mixture of "oversight" and "self-regulation", facilitated by a 'workers body' (similar to the dual corporate governance board or joint supervisory and 'workers council' model which exists in Germany and France), to negotiate with the organization on the level of "self-regulation" and the "spheres" within the organization which would be managed by this program.
By contrast, Bryan and Lilien (2005) relate complexity in the organization's processes (e.g. operating under multiple tax requirements) to the firm finding material weaknesses in its processes. They also imply that such cases show a positive relationship with the testing resources used for control process testing. They identify the "siloed functional structure" in organization design as an additional factor that contributed to the increased prevalence of controls weaknesses. They also claim that greater efficiency in the design of the underlying process would reduce the level of compliance activity needed to validate the process. Davenport (2005) identifies the processes that affect the given compliance program (in the instance of SOX, those processes that affect the financial accounts in the firm's statement of accounts). By standardising processes (for their business activities, like order management and revenue recognition), the organization removes one of the primary causes for controls failure within the internal controls structure.
However, there are also broader societal demands for accountability which can affect the compliance-oriented effectiveness of organisational culture. While business compliance programs (e.g. SOX) have started to hold individuals liable with legal penalties for any misdemeanours in corporations, any reoccurrence of the misbehaviour (crime) has a substantial cost (Anderson, 1999) and impact on society (Emmitt, 1993). Murphy (2002) calls for compliance programs to be amalgamated into the overall organizational ethics and integrity program, in order to improve the effectiveness and efficiency of compliance programs. Hartman (2000) suggests 'rules' should be part and parcel of a 'value/integrity-based' culture. Hartman emphasizes the criticality of a visible, strong and committed organization leadership for this transition. Once the leaders have bought into the philosophy, to generate the same level of enthusiasm across the organization, the program must reach out to and involve all levels of the organization, creating an infrastructure that facilitates a feedback mechanism from different parts of the organization. Establishing "effective training programs" would help in reinforcing the 'values' and "values/integrity-based" ideals propounded by the organization. Finally, developing an "incentive structure" which promotes ethical behaviour and actively discourages unethical conduct would provide the necessary incentives for the employees to make the transition.
One of the key areas not addressed in this literature relates to the organizational environment and its conduciveness to facilitate an 'inquisitive' and 'problem-seeking' culture. This involves facilitating bottom-up feedback and communication, especially in the area of internal control testing (CEB, 2004). Senior management's commitment to facilitate such openness within the organization could act as the biggest influencer for inducing this cultural shift, discussed briefly in the next section.
### c) Corporate Governance Influencers
A related issue in a changing regulated environment is the effectiveness of the overall organizational governance. Prior literature on this issue tends to focus on the degree of centralization of information systems and business compliance unit resources, or the question of outsourcing. However, there is little evidence on the broader linkages between a compliance culture and the overall corporate governance system. This section briefly reviews the role of the board and the management in shaping the organization's direction, which is proposed as being critical for the creation of a sustainable structure for managing compliance programs.
The term "corporate governance" has had different connotations over time. Berle and Means (1932) initially suggested that professional managers who were unaccountable to dispersed shareholders ran the modern corporation. This point of view subsequently reflected the narrow question of how to align managers' work to better the interests of the shareholders, related to the principal-agent paradigm.
A recent, more European-oriented definition of corporate governance views a firm as having many stakeholders other than its shareholders (Kay 1996). Given the different views on the definition of what corporate governance meant, it is not surprising that there has been an ongoing debate on the subject of these alternative models of corporate governance, and the effectiveness of internal and external mechanisms of governance. Vives (2000) and Goergen (2012) both make a distinction between two major models adopted worldwide for corporate governance, contrasting a market-oriented model (US, UK) with a more bank-oriented or stakeholder model (Germany). In the latter, firms and banks enter into long-term relationships as opposed to the purely financial transaction basis associated with a market-oriented model.
In contrast to the situation facing many large companies in Continental Europe, in both the UK and the US, large companies have their ownership dispersed amongst institutional and private investors. The threat of hostile takeover ensures a level of corporate control on the managers of such firms. Furthermore, there are limits on cross holdings so competition is not restricted. In theory, the concern of hostile take-overs acts as a necessary external control and complements the board of directors, who are held responsible for managing the firm's internal controls.
By contrast, in Continental Europe, the ownership of listed companies is usually highly concentrated, and there is a disproportionately high percentage of family ownership. In such a climate, hostile takeovers are rare, and pyramidal control schemes are common (LaPorta et al. 1999). The large commercial banks control companies through proxy votes in Germany. The hausbank of a firm plays a monitoring role and organizes proxy votes. Furthermore, there is a two-tiered system of company boards for public corporations over 500 employees, which is consistent with the stakeholder theory. There is a supervisory board (50% represented by workers, and the remaining by other major stakeholders like suppliers and customers) and a management board.
The board of directors is pivotal in providing the 'active' control over the managers within the firm. Linck et al. (2005), Fama and Jensen (1983), and Raheja (2005) consider boards to be responsible for both monitoring the management on behalf of the shareholders and owners, and advising the management on strategy formulation. Eisenberg (1997) contends that boards therefore should take greater ownership of the "internal controls" monitoring. Charan (2005) and Bertsch (2005) find that the board's ability to influence the management begins with the task of executive management officer (CEO) selection and planning. Hermalin and Weisbach (1998) and Raheja (2005) examine the departing CEO's influence in succession planning.
The effectiveness of the board is also influenced by the degree of independence wielded by the board in its interactions with the management and the quality of relationship that exists between them (Jensen, 1986). In this respect, the composition of the board is a critical factor (Hermalin and Weisbach, 2003). Clieaf and Kelly (2005) recommend boards take increased direct responsibility for performing accountability audit monitoring and assessing the alignment of the organization structure with its existing capabilities. Charan (2005) calls such boards "progressive", in their thinking and actions. These boards come with the necessary skill set and the knowledge in the areas of governance and do not hesitate to act as 'counterbalance' to management. Linck et al. (2005) provide evidence which suggests a potential link of this behaviour to the size of the firm. However, it is unclear if this behaviour is a consequence of increased costs of monitoring (in large firms) or it just represents the synchronization of interests between the CEO and the shareholders (Linck et al., 2005).
Boards in Anglo-American countries typically use committees to provide oversight, and advice over different areas of an organization, including ethical behaviour, compensation, and audit. Audit committees provide the backbone for the compliance management by reviewing the working practices, at least the financial reporting practices within the organization. To this end, the committee acts as a control on the 'internal' audit team, which has a reporting structure to the executive (CFO) within the organization.
Historically, audit committees have taken an 'avuncular' role in the management of the organizations' governance practices. With the changed landscape, the committee's role has been dramatically redefined, with increased responsibility (Linck et al., 2005) placed on this committee and its chairman to oversee the management's governance program and practices. SOX regulations require audit committees to have increased independence in hiring and overseeing the organization's auditors. Likewise, the UK Combined Code on Corporate Governance (2015) states that "Audit Committees should bear more responsibility for internal controls and financial reporting, including monitoring the integrity of financial statements and recommending and reviewing outside auditors". While prior empirical research generally finds that the 'independent' audit committees do increase the monitoring capabilities of the board (Ribstein, 2005), there seem to be conflicting results on the resultant financial impact for the firm. While Bryan and Lilien (2005) and DeFond et al. (2004) attribute the improved earnings quality to the existence of independent audit committees, Ribstein (2005) finds that the degree of corporate director independence has had no influence on the firm's performance.
As a direct consequence of these regulations, the relationship with the management has altered, with the latter constantly looking at the committee with suspicion (suggesting 'holes' in the management's plan for governance). Corporate directors also individually face an increased personal legal exposure as a result of SOX and a more rigorous workload, especially in areas of audit committees and governance. They need to have a more in-depth understanding of the business operations of the organization, with a clear view of the risk profile and risk management practice of the organization. Clieaf and Kelly (2005) recommend boards take increased direct responsibility for performing "accountability audit" and assessing the alignment of the organization structure with its existing capabilities. Charan (2005) calls such boards "progressive", in their thinking and actions. These boards come with the necessary skill set and the knowledge in the areas of governance and thus act as a 'counter balance' to the management.
The UK Combined Code on Corporate Governance (FRC, 2015) requires boards to regularly monitor not only the management's performance, but their own performance too. However, similar Codes do not apply to many other European firms, due to the existence of dual supervisory and management boards.
While promoting internal or supply side influence of people and organisation, they do not facilitate response to external or demand side influences in responding to regulatory change.
The importance of the audit committees in evaluating the internal controls and compliance programs of organizations and the increasing oversight provided by the board in the areas of strategy formulation and development emerge as key findings from this section. The prior analysis suggests that a range of issues related to organisational design, compliance culture and corporate governance effectiveness can influence the effectiveness of compliance management.
## IV. DEVELOPMENT OF HYPOTHESES
The prior analysis suggests that high-level IT management issues, organisational design, people management and corporate governance and internal control effectiveness can influence IT expenditure as well as compliance management. We first discuss how IT audit compliance strategy can be adopted by firms to establish an effective IT governance model. We then develop predictions concerning whether management's engagement in defining the compliance management system, be it earnings, or value, or cash flow, has a bearing on the quality of internal controls. The predictions imply that management/board's role in organisational strategy and compliance management strategy has a direct bearing on the compliance unit's performance (that holds the key to creating & managing a sustainable compliance program), and ultimately the effectiveness of the compliance management program itself.
### a) IT Strategy
Given the underlying need of these compliance IT audit programs (Section 3.2), there is an implicit requirement for an effective underlying IT infrastructure, including adequate controls in the infrastructure to prevent any misuse. Further, due to the increased usage of IT in a firm's operations, the impact of risks related to IT infrastructure failure has become a key component of the organization's overall risk and compliance IT audit programs. To manage the risk introduced by the IT component, organizations have been looking to reduce the complexity surrounding their IT systems, thereby creating the need for an effective IT Governance platform[^2].
While there are a multitude of solutions proposed by different IT vendors for managing compliance IT audit programs (or parts of compliance activity), there seems to be a common theme on how organizations should structure their IT investments to move to a sustainable compliance program. The key theme repeated in these industry journals is the need for IT infrastructure re-usability in supporting various regulatory requirements, the starting point for which would be for organizations to evaluate the common requirements amongst these IT audit programs. In this context, the compliance IT audit programs looked at by this paper have the following key IT considerations: (a) Identity Management & Access Control; (b) Content & Records Management; (c) Risk & Reporting Management; and (d) Data & Process Management. In addition, having an IT infrastructure that provides for a 'consolidated' ERP system with 'business continuity' provisions is considered crucial for sustainability.
Boards in most firms have historically not considered IT as a key enabler of growth and transformation (blaming the high failure rate of IT projects, and the lack of techniques to measure IT's value to the organization), pushing IT out of the strategic picture for the firm. This view seems to have changed recently, with the ITGI paper[^3] providing evidence of a growing shift away from that opinion. Its survey of Fortune 500 companies on the board's view of the importance of IT and the need to govern IT suggests a trend of boards taking a more active role in the IT Governance program of the organization. The move has also been quickened in banks that are subject to the Basel II requirements, which hold board members accountable for IT operational failures[^4].
The above predictions clearly point to the critical role played by IT within organizations in their drive to comply with different regulatory requirements. In addition, they identify the common IT considerations across the compliance IT audit programs as a key step in building the underlying IT infrastructure. In selecting and implementing these solutions, IT management plays a critical role. While there seems to be a growing trend in the board's involvement in providing increased oversight of IT strategy, the majority of firms still have their IT strategy driven by executive management. While there are multiple IT Governance frameworks available in the market, studies point to a trend that favours combining these frameworks when implementing them within organizations.
### b) Compliance Management Implications on Compliance IT Audit Programs
The prior analysis suggests that high-level information management issues, organisational design, people management, and corporate governance and internal control effectiveness can influence expenditure as well as compliance management. Given the underlying need of these compliance programs, there is an implicit requirement for an effective underlying information management infrastructure, including adequate controls in the infrastructure to prevent any misuse. Due to the increased usage of information systems in a firm's operations, the impact of risks related to infrastructure failure has become a key component of the organization's overall risk and compliance programs. To manage the risk introduced by the information systems component, organizations have been looking to reduce the complexity surrounding these systems, thereby creating the need for an effective information governance platform[^5].
### c) Risk Management Implications on Compliance Programs
Recent corporate innovations in risk management and insurance products for capital raising by financial and non-financial firms have effectively bypassed those required in accounting rules by permitting firms to transfer capital at risk from retained to transferable sources. The risk management process of any firm will be targeted at those decision variables that affect at least one dimension of the firm's financial condition. However, these choices are also endogenous with the regulatory structure. Our analysis of the effectiveness of organisational compliance business unit programs indicates that a firm is likely to be subject to a range of differing corporate governance control and/or industry environments. Culp (2001, 188) proposes that despite the interconnections between a firm's value, earnings and cash flows, these three alternative measures of a firm's financial condition can be quite different when viewed as strategic variables.
Theories that explain why the value of the firm can be increased by risk management depend on whether the focus of compliance is on value, cash flows or earnings. Several of the theories of risk management presuppose that the risk management process of a firm is aimed at controlling the value of the firm, or more specifically, the market value of its assets and liabilities. Jensen and Meckling (1976) argue that a value risk manager is then concerned about the value of the firm, either at a specific point in time or over regular intervals. By contrast, a cash flow risk manager is concerned with the cash flows whenever they might occur. The Froot et al. (1994) underinvestment theory and the Jensen (1986) agency cost of free cash flow analysis can explain why some firms engage in cash flow risk management. Finally, the firm's risk management process could focus on earnings management. This may occur where there is a relationship between the firm manager's own expected utility of wealth, his or her pay, and the value of the firm. Smith and Stulz (1985) imply that the compensation for a manager may dictate his or her preference for hedging. Where firms tie the compensation packages of their managers to accounting earnings rather than to the value of the firm, a manager paid based on accounting earnings will respond accordingly and will choose to hedge accounting earnings. We posit that banks and financial institutions are primarily concerned with risk managing their financial position, defined in terms of the quality of their assets and liabilities. By contrast, we consider that UK firms are primarily concerned with managing their earnings. Finally, we assume that non-UK firms are more oriented towards debt capital and are therefore more concerned with cash flows than with their earnings volatility.
## V. METHODS, DATA AND RESULTS
This section gives an overview of the sample selection procedures used and reports the design of the industry survey, as the first step in identifying the various 'influencers' of the compliance program. We then report the empirical findings from the archival data survey analysis of the quality of internal control departments responsible for monitoring compliance.
### a) Sample Selection Procedures
We studied the internal control department quality of a sample of large UK and Continental European firms that either had SOX as one of their compliance requirements and/or were subject to intense industry-based regulation of their operational risk controls (i.e., financial service firms). The survey focused initially on the top 600 European firms identified by the Department of Trade and Industry in its annual value added scoreboard (www.dti.innovation.gov.uk/). Of these, only 320 firms were fully listed on the stock exchange and had been in continuous existence on the value added scorecard for each of the preceding five years (i.e. prior to the Enron bankruptcy, its consequent implications for corporate governance and earnings quality, and the subsequent enactment of SOX legislation). This procedure resulted in a final sample of 79 firms for which complete information was available.
### b) Survey Questionnaire
We conducted an industry-wide survey that targeted UK and Continental European firms that either had SOX as one of their compliance requirements and/or were subject to intense industry-based regulation of their operational risk controls (i.e., financial service versus industrial firms). Twenty-seven sample firms had a US stock cross-listing. These firms also had to have at least one other compliance program listed in Table 1 to provide a valid test case for sustainable compliance management. The paper originally proposed a mix of European and US firms' participation in this survey, to provide a broader representation of business compliance programs.
The survey comprised four sections. Section one relates to the firm's implementation experiences of SOX. Section two identifies which factors ('influencers') are the most important for effective and efficient compliance management. Section three deals with the surveyed firms' perspective on the importance of the IT infrastructure and the Process Management practice with regard to compliance management. Section four relates to the measurement of compliance program progress. The survey identified features of the internal control department that are affected by the new compliance environment, ranging from the size of the internal control department, the number of qualified staff, the extent of training and the corporate governance accountability links to the frequency of internal control checks. Additional SOX compliance questions based on the interview were also included for those firms cross-listed on US stock exchanges.
### c) Descriptive Statistics
Table 2 reports the descriptive statistics for the sample. There was a $25\%$ response rate. Analysis of the population of non-respondents relative to the respondent samples indicated no significant differences in profitability, gearing or sales turnover.
Table 1: Summary Statistics for Selected Firm Characteristics Survey of Internal Control systems
<table><tr><td></td><td colspan="2">Non-UK Companies</td><td colspan="2">UK Companies</td><td rowspan="2">Two-Sample t-Value</td></tr><tr><td></td><td>Mean</td><td>Std Dev</td><td>Mean</td><td>Std Dev</td></tr><tr><td>Long-term debt</td><td>30109.00</td><td>119084</td><td>7839</td><td>18835</td><td>1.307</td></tr><tr><td>Assets</td><td>150793</td><td>397596</td><td>79322</td><td>224096</td><td>1.028</td></tr><tr><td>Market-to-bk</td><td>2.140</td><td>2.211</td><td>8.052</td><td>15.258</td><td>-2.074**</td></tr><tr><td>ROA</td><td>0.338</td><td>1.602</td><td>0.115</td><td>0.129</td><td>0.987</td></tr><tr><td>ROE</td><td>0.180</td><td>0.111</td><td>0.324</td><td>0.580</td><td>-1.730*</td></tr><tr><td>Sales</td><td>27083</td><td>34859</td><td>10744</td><td>14554</td><td>2.927**</td></tr><tr><td>IASize</td><td>0.021</td><td>0.139</td><td>0.001</td><td>0.001</td><td>1.013</td></tr><tr><td>IAQualify</td><td>0.413</td><td>0.362</td><td>0.611</td><td>0.313</td><td>-2.459**</td></tr><tr><td>IAExp</td><td>0.616</td><td>0.367</td><td>0.624</td><td>0.325</td><td>-0.012</td></tr><tr><td>IAgrow</td><td>39.37</td><td>81.36</td><td>1.93</td><td>76.13</td><td>2.062**</td></tr><tr><td>IAtrainquality</td><td>3.43</td><td>1.700</td><td>3.97</td><td>1.59</td><td>-1.419</td></tr></table>
Table Notes: UK is a dummy variable set to 1 if UK, 0 otherwise; Asset is total assets of firm as at 2006 (compustat #89); MB is the ratio of market to book (compustat #135); ROA is ratio of income before taxes over total assets, averaged for three years ended 2006 (compustat #21/#89); ROE is ratio of income before taxes over total shareholders equity, averaged for three years ended 2004 (compustat #21/#135); VAS is value added scorecard per DTI, averaged for three years ended 2004; IA size is ratio of number of IA staff to total number of company staff (survey question 12/question 7); IAqual is ratio of number of IA staff with accounting qualifications over total size of IA (survey question 13i/12); IA exp is ratio of number of experienced IA staff to number of IA staff (survey question 13ii/12); IA growth is difference between number of IA staff in 2006 compared to 2003, divided by number of IA staff on average (survey question 15-question 12/ave); IA quality is self-assessed effectiveness on a likert scale of 1 to 6 (survey question 16); SOX is dummy variable set to 1 if NYSE cross listed and thus subject to SOX, 0 otherwise; financial is dummy variable set to 1 if financial firm, zero otherwise. a. $\%$ Equity is defined as the percentage of total invested fund assets invested in stocks and shares.
\* Significant at 0.10 level; \*\* Significant at 0.05 level; \*\*\* Significant at 0.01 level
Of the 79 firms that responded to the survey, 29 were UK companies and were separately analysed. There were also 27 firms which were subject to US listing and responded to the SOX questions. Finally, there were 20 financial firms. Various stock and flow financial characteristics were modelled to explain the cross-sectional relationship between internal audit control quality and firms' risk management policies. These included long-term debt, assets, sales, and return on assets, which are generally higher for non-UK firms than for UK firms. By contrast, UK firms exhibit higher market-to-book ratios and higher return on equity.
Table 2 also reports the key characteristics of internal control departments. UK internal control departments tend to be smaller, but to have more highly qualified and experienced staff, and are more likely to benefit from training programmes. However, they are growing more slowly than those of non-UK firms. These findings highlight the importance of institutional and cultural influences on the quality of the internal control departments that monitor the effectiveness and sustainability of regulatory compliance programs.
### d) Empirical Tests
This section reports the results of empirical tests of factors affecting investment in sustainable compliance programs by multinational firms, through investment in high quality internal control departments as developed in section 3 and 4, and based on the survey data outlined in section 5. If there were no association between the level and nature of compliance control department expenditures and either firm (demand-side) or regulatory (supply-side) characteristics, then we would not expect any meaningful relationship between overall corporate risk management policy (i.e. managing the volatility of cash flows and/or earnings) and the quality of the internal audit departments. On the other hand, if there was an established empirical relationship with only supply-side (demand-side) characteristics, our predictions would be supported.
### e) Correlation among Variables
Multivariate tests of the propositions first require tests of the correlations among the independent variables, and these are reported in Table 2. Assets and long-term debt are highly correlated, as are ROE and market-to-book. Further tests (not reported) reveal that, for UK firms, there is an association between these financial characteristics and the level of investment in internal control departments. However, the internal control department control variables are not highly correlated with each other or with the financial characteristics of the sub-sample of continental European firms.
Table 2: Correlations Among Independent Variables
<table><tr><td></td><td>UK</td><td>LTD</td><td>Assets</td><td>MB</td><td>ROA</td><td>ROE</td><td>Audit</td><td>IAsize</td><td>IAqual</td><td>IAexp</td><td>IAGrow</td><td>IATrain</td><td>SOX</td><td>Financial</td></tr><tr><td>UK</td><td>1</td><td>-0.112</td><td>-0.100</td><td>0.295**</td><td>-0.084</td><td>0.192</td><td>-0.086</td><td>-0.086</td><td>0.268*</td><td>0.011</td><td>0.223*</td><td>0.155</td><td>0.122</td><td>0.045</td></tr><tr><td>LTD</td><td>-0.112</td><td>1</td><td>0.799***</td><td>-0.047</td><td>-0.043</td><td>-0.040</td><td>-0.020</td><td>-0.015</td><td>0.018</td><td>-0.009</td><td>-0.062</td><td>0.027</td><td>-0.080</td><td>0.335**</td></tr><tr><td>Asset</td><td>-0.100</td><td>0.799**</td><td>1</td><td>-0.086</td><td>-0.070</td><td>-0.072</td><td>-0.036</td><td>-0.031</td><td>0.001</td><td>0.030</td><td>-0.031</td><td>0.026</td><td>0.053</td><td>0.572**</td></tr><tr><td>MB</td><td>0.295*</td><td>-0.047</td><td>-0.086</td><td>1</td><td>-0.040</td><td>0.228**</td><td>-0.033</td><td>-0.035</td><td>0.050</td><td>0.018</td><td>-0.068</td><td>0.005</td><td>-0.074</td><td>0.169</td></tr><tr><td>ROA</td><td>-0.084</td><td>-0.043</td><td>-0.070</td><td>-0.040</td><td>1</td><td>-0.018</td><td>-0.012</td><td>-0.006</td><td>-0.156</td><td>-0.172</td><td>0.201</td><td>-0.112</td><td>-0.084</td><td>0.149</td></tr><tr><td>ROE</td><td>0.192</td><td>0.040</td><td>-0.072</td><td>0.228*</td><td>-0.018</td><td>1</td><td>-0.007</td><td>-0.036</td><td>-0.101</td><td>-0.162</td><td>-0.325**</td><td>0.104</td><td>-0.088</td><td>-0.174</td></tr><tr><td>Audit</td><td>-0.086</td><td>-0.020</td><td>-0.036</td><td>-0.033</td><td>-0.012</td><td>-0.007</td><td>1</td><td>-0.012</td><td>0.004</td><td>0.122</td><td>-0.032</td><td>0.093</td><td>-0.080</td><td>-0.065</td></tr><tr><td>IAsize</td><td>-0.086</td><td>-0.015</td><td>-0.031</td><td>-0.035</td><td>-0.006</td><td>-0.036</td><td>-0.012</td><td>1</td><td>-0.155</td><td>-0.039</td><td>0.059</td><td>0.097</td><td>-0.080</td><td>0.056</td></tr><tr><td>IAqual</td><td>0.268</td><td>0.018</td><td>0.001</td><td>0.050</td><td>-0.156</td><td>-0.101</td><td>0.004</td><td>-0.155</td><td>1</td><td>0.557**</td><td>0.264*</td><td>0.069</td><td>0.044</td><td>0.071</td></tr><tr><td>IAexp</td><td>0.011</td><td>-0.009</td><td>0.030</td><td>0.018</td><td>-0.172</td><td>-0.162</td><td>0.122</td><td>-0.039</td><td>0.557**</td><td>1</td><td>0.307**</td><td>0.093</td><td>0.082</td><td>0.032</td></tr><tr><td>IAgrow</td><td>-0.223*</td><td>-0.062</td><td>-0.031</td><td>-0.068</td><td>0.201</td><td>-0.325**</td><td>-0.032</td><td>0.059</td><td>0.264*</td><td>0.307**</td><td>1</td><td>-0.012</td><td>-0.014</td><td>0.027</td></tr><tr><td>IAtrain</td><td>0.155</td><td>0.027</td><td>0.026</td><td>0.005</td><td>-0.112</td><td>0.104</td><td>0.093</td><td>0.097</td><td>0.069</td><td>0.093</td><td>-0.012</td><td>1</td><td>0.210</td><td>0.131</td></tr><tr><td>SOX</td><td>0.122</td><td>-0.080</td><td>0.053</td><td>-0.074</td><td>-0.084</td><td>-0.088</td><td>-0.080</td><td>-0.080</td><td>0.044</td><td>0.082</td><td>-0.014</td><td>0.210</td><td>1</td><td>0.015</td></tr><tr><td>Financial</td><td>0.045</td><td>0.335**</td><td>0.572**</td><td>0.169</td><td>0.149</td><td>-0.174</td><td>-0.065</td><td>-0.056</td><td>0.071</td><td>0.032</td><td>0.027</td><td>0.131</td><td>0.015</td><td>1</td></tr></table>
the ratio of market to book (compustat #135); ROA is ratio of income before taxes over total assets, averaged for four years ended 2005 (compustat #21/#89); ROE is ratio of income before taxes over total shareholders equity, averaged for three years ended 2004 (compustat #21/#135); Audit is audit fees, averaged for the four years ended 2005; IA size is ratio of number of IA staff to total number of company staff (survey question 12/question 7); IAqual is ratio of number of IA staff with accounting qualifications over total size of IA (survey question 13i/12); IA exp is ratio of number of experienced IA staff to number of IA staff (survey question 13ii/12); IA growth is difference between number of IA staff in 2005 compared to 2002, divided by number of IA staff on average (survey question 15-question 12/ave); IA quality is self-assessed effectiveness on a likert scale of 1 to 6 (survey question 16); SOX is dummy variable set to 1 if NYSE cross listed and thus subject to SOX, 0 otherwise; financial is dummy variable set to 1 if financial firm, zero otherwise
Relation to Firm Performance: The propositions developed in section 3 also assume that there is an association between firm reported performance, and the extent of compliance costs incurred. Table 3 reports an OLS regression that establishes the inter-relationship between demand and supply characteristics of the European firms, where performance is determined either by reference to return on assets, return on equity or by reference to the Tobin's Q measure. This establishes whether a prima facie empirical justification can be made for relating firm performance with the extent of compliance cost expenditure (based on various qualitative characteristics). The evidence reported in table 3 suggests that there is an association between return on assets and the size of the European firms. There is also a positive association between return on assets and the growth of internal control department expenditures over time. Finally there is a positive association between return on assets and whether the firm is financial. Thus it is important to control for the impact on firm performance of industry characteristics. Results of the other performance regressions are less equivocal. For the Return on Equity regression however, there is no significant statistical association between ROE and these variables, except again for internal control department control growth rate. For the Tobin's Q measure, there is only a marginal relationship between Tobin's Q and whether the firm is financial and based in the UK. These tests imply that there is only a limited relationship between a firm's reported performance and various demand and supply characteristics used to infer their relationships between compliance cost expenditures.
Table 3: Ordinary Least Squares Regressions of Performance Determinants
<table><tr><td></td><td>Predicted sign</td><td>ROA</td><td>ROE</td><td>TobinsQ</td></tr><tr><td>Intercept</td><td>?</td><td>3.116***</td><td>0.451**</td><td>4.547</td></tr><tr><td>Long-term debt</td><td>+</td><td>0.000</td><td>0.000</td><td>0.000</td></tr><tr><td>LNAssets</td><td>+</td><td>-0.315***</td><td>-0.031</td><td>-0.269</td></tr><tr><td>IASize</td><td>+</td><td>-0.146</td><td>-0.139</td><td>-0.743</td></tr><tr><td>IAQuality</td><td>+</td><td>-0.526</td><td>-0.034</td><td>-1.964</td></tr><tr><td>IAExp</td><td>+</td><td>-0.543</td><td>-0.057</td><td>1.858</td></tr><tr><td>IAgrow</td><td>+</td><td>0.005***</td><td>-0.001**</td><td>-0.001</td></tr><tr><td>IAtrainquality</td><td>+</td><td>0.020</td><td>0.041</td><td>-0.167</td></tr><tr><td>SOX</td><td>+</td><td>0.149</td><td>-0.073</td><td>-2.112</td></tr><tr><td>Financial</td><td>+</td><td>1.455***</td><td>-0.075</td><td>5.028*</td></tr><tr><td>UK</td><td>+</td><td>-0.047</td><td>0.098</td><td>6.184**</td></tr><tr><td>F-statistic</td><td></td><td>3.506**</td><td>1.805</td><td>1.108</td></tr><tr><td>Adj R-squared</td><td></td><td>0.241</td><td>0.092</td><td>0.014</td></tr></table>
Table Notes: UK is a dummy variable set to 1 if UK, 0 otherwise; Asset is total assets of firm as at 2004 (compustat #89); MB is the ratio of market to book (compustat #135); ROA is ratio of income before taxes over total assets, averaged for three years ended 2004 (compustat #21/#89); ROE is ratio of income before taxes over total shareholders equity, averaged for three years ended 2004 (compustat #21/#135); IA size is ratio of number of IA staff to total number of company staff (survey question 12/question 7); IAqual is ratio of number of IA staff with accounting qualifications over total size of IA (survey question 13i/12); IA exp is ratio of number of experienced IA staff to number of IA staff (survey question 13ii/12); IA growth is difference between number of IA staff in 2005 compared to 2002, divided by number of IA staff on average (survey question 15-question 12/ave); IA quality is self-assessed effectiveness on a likert scale of 1 to 6 (survey question 16); SOX is dummy variable set to 1 if NYSE cross listed and thus subject to SOX, 0 otherwise; financial is dummy variable set to 1 if financial firm, zero otherwise.
\* Significant at 0.10 level; \*\* Significant at 0.05 level; \*\*\* Significant at 0.01 level
### f) Multivariate Tests
We conduct both logistic and OLS regressions of the strength of the relationship between internal control expenditures and various demand and supply characteristics of European firms. We first make the crude assumption that there is likely to be some form of relationship between the European firm's overall strategic decision about the extent to which its property rights over the international credibility of its compliance costs are 'sacrificed' to political economy considerations (i.e. whether the firm is based in the UK, complies with SOX or is a more regulated financial firm) and the relevant supply and demand characteristics. Table 4 reports the results of a logistic regression that regresses the supply-side drivers of compliance cost expenditures, which take the form of various internal control compliance quality proxies, against various regulatory or cultural variables associated with UK versus non-UK firms; interaction variables are also developed for political economy influencers, such as SOX versus non-SOX compliant and financial versus non-financial. For the UK model, there is a significant association between the propensity to be based in the UK (and hence investor-oriented, which is analogous to that implied by proposition 2), and both the size and qualifications of the internal control department. There is also a positive relationship with leverage. By contrast, the results of the other logistic regressions concerning the relationship between the overall strategic decision concerning property rights and SOX compliance are more equivocal. For the SOX compliance regression, the propensity of European firms to be SOX compliant is related only to firm size, leverage and the quality of training undertaken by internal control staff. Hence there is only limited support for the predicted association for this regression. There is no association between being a financial firm and either supply or demand characteristics. Thus the hypothesized relationships require some further sensitivity checks.
Table 4: Logistic Regression of Effect of Internal Control on Corporate Governance Status (where 1 = Corporate Governance Status; 0 Otherwise)
<table><tr><td></td><td>Predicted sign</td><td>UK (n = 29)</td><td>SOX (n = 27)</td><td>Financial (n = 20)</td></tr><tr><td>Intercept</td><td>?</td><td>-1.939*</td><td>-1.344</td><td>-291.75</td></tr><tr><td>Long-term debt</td><td>+</td><td>0.001*</td><td>0.001**</td><td>0.003</td></tr><tr><td>LNAssets</td><td>+</td><td>0.001</td><td>0.001**</td><td>0.001</td></tr><tr><td>TobinsQ</td><td></td><td>0.272*</td><td>-0.006</td><td>5.672</td></tr><tr><td>ROA</td><td></td><td>-21.590**</td><td>-0.008</td><td>21.84</td></tr><tr><td>ROE</td><td></td><td>13.338*</td><td>-1.322</td><td>-578.53</td></tr><tr><td>Audit</td><td></td><td>0.000</td><td>0.000</td><td>0.001</td></tr><tr><td>IASize</td><td>+</td><td>-272.17</td><td>-261.17</td><td>111.05</td></tr><tr><td>IAQuality</td><td>+</td><td>3.212**</td><td>-0.230</td><td>81.57</td></tr><tr><td>IAExp</td><td>+</td><td>-2.017</td><td>-0.009</td><td>220.13</td></tr><tr><td>IAgrow</td><td>+</td><td>-0.008</td><td>-0.003</td><td>0.036</td></tr><tr><td>IAtrainquality</td><td>+</td><td>0.216</td><td>0.421**</td><td>17.918</td></tr><tr><td>Chisq-statistic</td><td></td><td>38.945</td><td>18.078</td><td>89.974</td></tr><tr><td>Adj R-squared</td><td></td><td>0.385</td><td>0.202</td><td>0.675</td></tr><tr><td>Cox and Snell</td><td></td><td></td><td></td><td></td></tr></table>
Table Notes: UK is a dummy variable set to 1 if UK, 0 otherwise; Asset is total assets of firm as at 2005 (compustat #89); MB is the ratio of market to book (compustat #135); ROA is ratio of income before taxes over total assets, averaged for three years ended 2004 (compustat #21/#89); ROE is ratio of income before taxes over total shareholders equity, averaged for three years ended 2004 (compustat #21/#135); VAS is audit fee, averaged for four years ended 2005; IA size is ratio of number of IA staff to total number of company staff (survey question 12/question 7); IAqual is ratio of number of IA staff with accounting qualifications over total size of IA (survey question 13i/12); IA exp is ratio of number of experienced IA staff to number of IA staff (survey question 13ii/12); IA growth is difference between number of IA staff in 2005 compared to 2002, divided by number of IA staff on average (survey question 15-question 12/ave); IA quality is self-assessed effectiveness on a likert scale of 1 to 6 (survey question 16); SOX is dummy variable set to 1 if NYSE cross listed and thus subject to SOX, 0 otherwise; financial is dummy variable set to 1 if financial firm, zero otherwise
\* Significant at 0.10 level; \*\* Significant at 0.05 level; \*\*\* Significant at 0.01 level
Table 5: Ordinary Least Squares Regressions of Value at Risk Determinants
<table><tr><td></td><td>Predicted Sign</td><td>Earnings at Risk (UK=1)</td><td>Cash Flow at Risk (Europe=1)</td><td>Asset-liability at Risk (Financial =1)</td></tr><tr><td>Intercept</td><td>?</td><td>0.019</td><td>-45.11</td><td>0.034</td></tr><tr><td>IASize</td><td>-</td><td>-167.62*</td><td>66.80</td><td>-984.0***</td></tr><tr><td>IAQuality</td><td>+</td><td>0.273</td><td>2527.7*</td><td>2.685</td></tr><tr><td>IAExp</td><td>+</td><td>0.299</td><td>-149.0</td><td>8.671***</td></tr><tr><td>IAgrow</td><td>+</td><td>0.001</td><td>-1.455</td><td>0.025*</td></tr><tr><td>IAtrainquality</td><td>+</td><td>0.119**</td><td>-140.08</td><td>-0.366</td></tr><tr><td>Sales</td><td>+</td><td>0.000**</td><td>-0.002</td><td>0.001</td></tr><tr><td>LTD</td><td>+</td><td>0.000***</td><td>-0.002</td><td>0.001</td></tr><tr><td>StafSal</td><td>+</td><td>0.000</td><td>0.394*</td><td>-0.001</td></tr><tr><td>Penx</td><td>-</td><td>-0.006*</td><td>-1.302</td><td>0.016***</td></tr><tr><td>RD</td><td>+</td><td>0.001***</td><td>-0.539</td><td>na</td></tr><tr><td>Audit</td><td>-</td><td>-0.078**</td><td>-0.050</td><td>-0.105</td></tr><tr><td>Operating inc</td><td></td><td>Na</td><td>Na</td><td>-0.002*</td></tr><tr><td>F-statistic</td><td></td><td>9.600**</td><td>1.295</td><td>4.070***</td></tr><tr><td>Adj R-squared</td><td></td><td>0.545</td><td>0.040</td><td>0.300</td></tr></table>
Table Notes: UK is a dummy variable set to 1 if UK, 0 otherwise; Europe is a dummy variable set to 1 if Europe, 0 otherwise; financial is a dummy variable set to 1 if financial firm, zero otherwise; Earnings at risk is standard deviation of reported EPS for four years; Cash flow at risk is standard deviation of net cash for four years; Asset-liability at risk is the standard deviation of capital position ratio for last four years; IA size is ratio of number of IA staff to total number of company staff (survey question 12/question 7); IAqual is ratio of number of IA staff with accounting qualifications over total size of IA (survey question 13i/12); IA exp is ratio of number of experienced IA staff to number of IA staff (survey question 13ii/12); IA growth is difference between number of IA staff in 2005 compared to 2002, divided by number of IA staff on average (survey question 15-question 12/ave); IA quality is self-assessed effectiveness on a likert scale of 1 to 6 (survey question 16); SOX is dummy variable set to 1 if NYSE cross listed and thus subject to SOX, 0 otherwise; financial is dummy variable set to 1 if financial firm, zero otherwise
\* Significant at 0.10 level; \*\* Significant at 0.05 level; \*\*\* Significant at 0.01 level
### g) Sensitivity Tests
To test the robustness of the results concerning tentative support for proposition 2 based on the crude proxies for international credibility using logistic regression reported in table 8, we alternatively make the assumption that the propensity to expend compliance costs is primarily associated with the desire to smooth earnings. However, the results of table 4 imply that there is only a limited relationship between these variables, and thus it is likely to be mitigated by the jurisdiction and/or industry in which the firm is based. We therefore decompose the sample into three sub-samples: (a) UK industrial firms $(n = 29)$, (b) European industrial firms $(n = 27)$ and (c) financial firms $(n = 20)$. We then conduct tests to infer whether the level of compliance cost expenditure, as proxied by various qualitative characteristics associated with their investment in internal control departments, is associated with the desire by these sub-samples of firms to smooth income, cash flow or asset/liability, respectively. Table 5 regresses various supply-side shifters against earnings, cash flow and asset-liability at risk measures (proxied as the standard deviation of return of each of these values for the sample European firms).
The earnings at risk regression results imply that the desire for UK firms to gain international credibility through smoothing earnings appears to be negatively associated with the size of the audit department, but positively associated with the training quality. Additionally, after controlling for other factors, there is also a negative association between earnings at risk and supply drivers' compliance costs. Finally, there is a positive association between earnings at risk and the level of R&D expenditures. The overall model is also significant and explains $54\%$ of the total variation. The results for the cash flow at risk OLS regression model are more equivocal for non-UK European firms. Except for the qualifications of the internal control department, there is no statistically significant association between cash flow at risk and internal control department quality. The overall model is also not statistically significant. Finally, the asset-liability at risk proposition is supported by the model shown for financial European firms. There is a positive, statistically significant association between internal audit experience and asset-liability at risk, and a negative association with the size of the internal control department. The overall model is also statistically significant.
### h) Robustness Tests
In order to corroborate the above findings and also validate our predictions, further tests were undertaken of the resilience of the above results for the sub-sample of 59 firms that continued operations a decade after the initial tests reported in tables 3-5 were conducted. The purpose of the robustness tests was to establish a connection between long-term value added per employee and the quality of the business compliance unit as measured above. The empirical tests examined the strength of the association between value added per employee and business compliance unit quality (as measured above) after controlling for a range of other factors (e.g. environmental, social and governance scores; risk management disclosure scores; SOX compliance and financial industry dummy variables). Table 6 shows the results.
Table 6: Robustness Checks: Ordinary Least Squares Regressions of Value Added per Employee for Surviving Firms (n=59)
<table><tr><td></td><td>Predicted Sign</td><td></td></tr><tr><td>Intercept</td><td>?</td><td>-0.335</td></tr><tr><td>Financial firm dummy</td><td>+</td><td>0.373</td></tr><tr><td>Risk disclosure quality score</td><td>+</td><td>0.004</td></tr><tr><td>ESG score</td><td>+</td><td>0.002</td></tr><tr><td>Business Compliance unit quality</td><td>+</td><td>+0.557**</td></tr><tr><td>Earnings at risk</td><td>-</td><td>-0.002</td></tr><tr><td>SOX dummy variable</td><td>-</td><td>-0.303</td></tr><tr><td>Operating inc</td><td></td><td>Na</td></tr><tr><td>F-statistic</td><td></td><td>3.02**</td></tr><tr><td>Adj R-squared</td><td></td><td>0.109</td></tr></table>
Table Notes: This table reports the results of regressing value added per employee for the 59 firms that survived for 10 years after the initial tests reported in Table 9 (i.e. as at financial reporting year ended 30 June 2015). Financial is a dummy variable set to 1 if financial firm, zero otherwise; Earnings at risk is standard deviation of reported EPS for four years; SOX is dummy variable set to 1 if NYSE cross listed and thus subject to SOX, 0 otherwise; Business compliance unit quality is a dummy variable indicating whether the internal control department is regulatory compliant or otherwise; ESG Score is the RepRisk (RRI) score as reported by ORBIS for the latest reporting year; Risk disclosure quality score is the FOG index score for the firm related to the risk management reporting in the latest annual accounts.
\* Significant at 0.10 level; \*\* Significant at 0.05 level; \*\*\* Significant at 0.01 level
Value added per employee is positively and statistically significantly related to overall business compliance unit quality, even after controlling for the other governance, compliance level and disclosure quality measures outlined above. These results affirm that the ability of sample firms to generate value added per employee is associated with their investment in sustainable compliance of organisations with various information and governance requirements, as proxied by the quality of the business compliance control unit.
## VI. CONCLUSION
Prior literature on the organisational challenges and information systems strategy implications of regulatory compliance issues post-Enron has focused on the corporate governance and business compliance implications of these changes as if they were independently determined. This study is the first to explicitly recognise the inter-disciplinary inter-relationships by investigating the contributing factors that potentially influence the quality of information management strategy and of the internal audit functions of management that are responsible for monitoring compliance programs within organizations, within a multi-disciplinary framework that draws on information systems, regulation, management and auditing disciplines. Specifically, we examine the sustainability of regulatory compliance programs by exploring the strength of relationship between corporate risk management policies, as proxied by the desire to smooth income and/or cash flows, and the quality of the internal control departments responsible for monitoring their effectiveness. Our study focuses on multinational European firms that are subject to both national and international factors, as well as country specific influencers on these policies.
Our investigation of these supply and demand side influencers is based on a survey of best practices across a broad cross-section of sample European firms, and broadly centres on three main areas: Board/Management influence, information management strategy and organization design (including people, process, structure). The qualitative comparison of the 'influencers' from the industry survey against the literature reviews found culture and training to be the most crucial elements for organizations looking to build sustainable compliance IT programs. While organization culture was rated as crucial for compliance management in the case studies, there were no suggestions in the broader survey on the usage of incentives to affect employee behaviour towards compliance, which is contrary to proposals from Hartman (2000) and industry findings [CEB (2004)]. Firms instead try to leverage the standard processes in achieving compliance, supported by regular training provided to the process owners and employees via the e-learning platform within these firms. While all the surveyed firms had an infrastructure to train employees on ethical behaviour, there were no indications of an overarching umbrella programme that linked compliance and ethics in any of these organizations, running contrary to proposals discussed in the literature [Hartman (2000), Anstead (1999)].
By examining the association between alternative forms of risk management strategy and regulatory compliance business unit quality, the survey of European firms corroborated the inter-relationship between the supply side and demand-side influencers which firms consider to be critical for managing their compliance programs. The results support the hypothesis that UK firms' internal audit control department quality is associated with earnings at risk strategy. Financial firms' regulatory compliance business unit quality is also associated with asset-liability at risk. However, no statistically significant relationship is found with cash flow at risk faced by Continental European firms. We further find that surviving firms subsequently exhibited a positive and statistically significant relationship between the quality of their internal control department and value added per employee.
The board and management's influence on compliance program sustainability is an area that needs further research. Our results were limited to examining indirectly the cultural/institutional setting which effectively drives board composition. Future research could focus greater attention on the 'supply side' explanatory variables that influence the sustainable compliance program. While this paper tries to capture elements of the non-information systems management factors that influence the sustainability of compliance programs, there might be an opportunity to research additional variables, especially within the organization context, including 'middle' management's influence, globalisation of the business and the consequent social implications for compliance program management.
The results of our analysis should be treated with extreme caution for a number of reasons. First, the literature seeking to identify and explore various factors affecting the sustainability of regulatory compliance programs and their connection with broader information management strategy and operational risk management is not well developed. Second, the survey evidence used to garner evidence on the implementation of these policies is subject to the limitations of sample selection and statistical inference. Third, our analysis and inferences from our results were restricted to European multinational firms that were faced with an uncertain and changing multinational regulatory environment. Finally, our empirical evidence on the relationship between the quality of internal control departments and corporate risk cash flow and income smoothing policies is based on the implied assumption that these proxy for the broader relationship between the sustainability of regulatory compliance programs and overall risk management effectiveness.
Notwithstanding these caveats, our research on regulatory compliance programs can be extended in a number of directions. Extending the coverage of these compliance programs to include those from Japan and Asia Pacific countries will provide a 'global' perspective of those programs with common threads of requirement. This might result in increased explanatory variables being identified and analysed, making the scope much broader.
### APPENDIX A
#### Survey Questionnaire
#### Section 1: SOX Implementation
1. What best describes your company's SOX compliance status?
- Completed year 1, working on year 2
- In the midst of Year 1 now
- Still to start year 1
- Not required to comply with SOX
- Other (Pls. Specify)
2. Which group/role leads the effort for SOX compliance today?
- CFO
- Chief Compliance Officer
- Controller
- Internal Audit
- IT
- Business Unit Management
- Other (Pls. Specify)
3. What were the significant cost elements that you incurred in fulfilling the SOX compliance obligations? (Rate 1-6, 1 being the most expensive).
- Auditor fees
- External consultant fees
- IT System purchase fees
- IT System implementation fees
- Consulting (internal/external) Resources fees
- Internal Process change/alignment costs
- Other (Pls. Specify)
4. Is the SOX compliance effort managed by the same team running the Risk Management program in your company?
- Yes
- No
5. Do you consider the SOX requirements while managing the overall Risk Program in your organization?
- Yes
- No
6. Do you re-use the resources between the risk management program and SOX program? (Select multiple options as applicable)
- Audit Personnel
- Process design
- Internal Controls design
- IT Systems (Pls. Specify)
- Others (Pls. Specify)
#### Section 2: Compliance Programs – Influencers
7. Please state the 'Mandatory' compliance programs your company needs to fulfil
- Financial Regulatory programs (e.g.) Sarbanes-Oxley, FASB/IAS
- Privacy regulations (e.g.) EU directive, industry specific regulations
- Health and Safety regulations
- Other (Pls. Specify)
8. What areas do you consider critical when looking to improve the cost effectiveness in fulfilling the compliance obligations? (Pls. Rate 1-6, 1 being the most critical)
- IT/Technology improvements/investments
- Organization Culture
- Employee Training and Development
- Process Standardization and Consistency
- Strategy Formulation process
- Management structure (e.g.) CIO, Chief Compliance Officer etc
- Other (Pls. Specify)
9. Do you have 'Mandatory' training program for your employees on compliance regulations?
- Yes
- No
10. What areas of compliance do these training programs cover?
- Business Ethics
- HR
- Sales practices
- Financials & Reporting
- Other (Pls. Specify)
11. What type of training programs does your organization run?
- Online, Self-service managed by employees themselves
- Class-room, Instructor-led (including, 'train-the-trainer')
- Combination (Pls. Specify)
- Other (Pls. Specify)
#### Section 3: IT Systems & Processes
2. What type of IT structure exists in your company?
- Centralized
- De-Centralized (i.e.) business unit, regional
- Mixed
12. What type of business systems do you run in your company?
- Packaged software (ERP, CRM)
- In-house developed systems
- Manual spreadsheet-based system
- Other (Pls. Specify)
13. What is your biggest concern with your IT systems with respect to Compliance regulations?
- Access control to systems
- Consolidated information availability
- Risk of system failure and backup availability
- Other (Pls. Specify)
14. Would you consider access to 'consolidated' information a key factor to managing compliance needs?
- Yes
- No
15. What is the minimum 'lead' time you need to get access to consolidated financial information?
- Day
- Week
- Fortnight
- Month
- On-Demand
- Other (Pls. Specify)
16. What IT systems/tools do you use to manage your compliance requirements? (Select multiple options as applicable.)
- Identity Management
- Access Management
- Financial reporting
- Sales Management
- Business Intelligence
- Others (Pls. Specify)
17. How are your business processes aligned within your company?
- Global processes standardized across the whole company
- Business unit specific processes
- Department specific processes
- Other (Pls. Specify)
18. Which Business functions in your company are 'Global' processes? (Select multiple options as applicable)
- Finance & Operations
- Sales
- Marketing
- HR & Payroll
- IT Systems
- Other (Pls. Specify)
#### Section 4: Measuring Compliance Performance and Metrics
19. What criteria do you use for measuring your group's effectiveness? (Select multiple options as applicable)
- Financials - revenue based
- Budgets - cost based
- Customer performance/satisfaction
- Employee satisfaction
- Other (Pls. Specify)
20. Would you consider measuring compliance fulfillment as one of the criteria used in measuring organizational effectiveness?
- Yes, Currently use this criterion
- Yes, Will use it in the future
- No, Don't intend to add this criterion
- Undecided at the moment
21. What tools do you use to measure your group's effectiveness in fulfilling compliance obligations?
- Balanced Scorecard
- Metrics dashboard
- Spreadsheets (manual)
- Don't use any tools.
[^2]: Information Systems Audit and Control Association (ISACA), "IS AUDITING GUIDELINE: IT GOVERNANCE (Document g18)", 2002, http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=18562 _(p.6)_
[^3]: IT Governance Institute (ITGI), "IT Governance Executive Summary" ("seven of eight boards are at least regularly informed about IT issues, while six of 10 boards approve IT strategy, half of them having an IT strategy Committee"). _(p.7)_
[^4]: Kennan, Paddy, (2003), Computer Weekly 9/16/2003, p40-40 _(p.7)_
[^5]: Information Systems Audit and Control Association (ISACA), "IS Auditing Guideline (Document g18)", 2002, http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=18562 _(p.7)_
[^1]: Firms can opt-out, as long as they meet the minimal guidelines set by the regulatory bodies and can provide a satisfactory explanation of their work practices, when required. _(p.3)_
References
T Allman (2005). Fostering a Compliance Culture: The role of Sedona Guidelines.
David Anderson (1999). The Aggregate Burden of Crime.
Stefan Arping, Zacharias Sautner (2013). Did SOX Section 404 Make Firms Less Opaque? Evidence from Cross‐Listed Firms.
G Benston (2006). Regulatory failure at Enron.
A Berger (2005). The Impact of Sarbanes-Oxley on Cross-listed Companies.
K Bertsch (2005). How Moody's Assesses Corporate Governance.
Marcelo Bianconi, Richard Chen, Joe Yoshino (2013). Firm value, the Sarbanes-Oxley Act and cross-listing in the U.S., Germany and Hong Kong destinations.
S Bryan, S Lilien (2005). Characteristics of Firms with Material Weaknesses in Internal Control: An Assessment of Section 404 of Sarbanes Oxley.
Joseph Carcello, Dana Hermanson, Zhongxia Ye (2011). Corporate Governance Research in Accounting and Auditing: Insights, Practice Implications, and Future Research Directions.
Ceb Inc (2004). Institutionalizing Vigilance.
R Charan (2005). Boards That Deliver: Advancing Corporate Governance From Compliance to Competitive Advantage.
Vidhi Chhaochharia, Yaniv Grinstein (2005). Corporate Governance and Firm Value: the Impact of the 2002 Governance Rules.
Clieaf Van, M Kelly, L (2005). The New DNA of Corporate Governance: Strategic Pay for Future Value.
Daniel Cohen, Aiyesha Dey, Thomas Lys (2005). The Sarbanes Oxley Act of 2002: Implications for Compensation Structure and Risk-Taking Incentives of CEOs.
C Culp (2001). The Risk Management Process - Business Strategy and Tactics.
R Damania, P Fredriksson, M Muthukamara (2004). The Persistence of Corruption and Regulatory Compliance Failures: Theory and Evidence.
T Davenport (2005). The Coming Commoditization of Processes.
S Datar, M Alles (2003). How Do you Stop the Books from Being Cooked? A Management Control Perspective on Financial Accounting Standard Setting and the Section 404 Requirement of the Sarbanes/Oxley Act.
Mark Defond, Rebecca Hann, Xuesong Hu (2004). Does the Market Value Financial Expertise on Audit Committees of Boards of Directors?.
M Eisenberg (1997). The Board of Directors and Internal Controls.
M Emmitt (1993). Federal Sentencing Guidelines for Organizational Defendants.
Eugene Fama, Michael Jensen (1983). Separation of Ownership and Control.
(2015). Corporate Governance Codes Revisions: Guidance on Risk Management.
A Gramling, M Maletta, A Schneider, B Church (2004). The role of the internal audit function in corporate governance: A synthesis of extant internal auditing literature and directions for future research.
L Hartman (2000). Compliance Versus. Integrity: The process of Ethics integration.
Dr. Heier, Michael Dugan, David Sayers (2004). Sarbanes-Oxley and the Culmination of Internal Control Development: A Study of Reactive Evolution.
No ethics committee approval was required for this article type.
Data Availability
Not applicable for this article.
How to Cite This Article
Paul Klumpes. 2026. "Sustainable Compliance Programs In Complex Organizations". Global Journal of Management and Business Research - A: Administration & Management GJMBR-A Volume 23 (GJMBR Volume 23 Issue A10).