Chief Information Officers (CIOs) around the globe are being drawn into the implementation of Sarbanes Oxley (SOX) compliance. According to the Public Company Accounting Oversight Board (PCAOB),1 15,000 U.S. companies, 1,200 non-US based companies and 1,423 accounting firms spread across 76 countries are affected by SOX. In particular, Section 404, which deals with management's assessment of internal controls, affects CIOs and information technology (IT) departments [1].
With the widespread use of technology, internal controls are either fully automated by being embedded within information systems, or combine automated and manual controls. Section 404 therefore corrals a wide range of applications such as product accounting, general ledger, asset and inventory management, billing and accounts, receivables and payables, payroll, budgeting and other operational, tracking and reporting systems. These include not only the organization's main systems, such as ERP systems, but also local databases and personal spreadsheets developed and used on an ad hoc basis. Consequently, compliance and regulatory issues are something that CIOs must understand, address, and certainly not neglect (as noted in the accompanying box).
Section 404 requires CIOs to work closely with CFOs, CEOs, and auditors. Auditors must attest and report on management's assessment of internal controls. This evaluation is required to be in accordance with standards for attestation engagements issued by the PCAOB. At the very least, financial reporting processes must be mapped and tested, and must be done at a level that ensures consistent and accurate financial reports are provided to shareholders and potential investors. This process requires some of the business analysis skills that already exists in many IS departments. However, it also requires audit and control skills typically found in finance departments. Thus, achieving 404 compliance requires CIOs understand the nature of the relationships they have with the CFO, CEO, and auditors and the tactics they can use when working with these players to implement 404.
Working relationships between the senior-most officers in an organization are not neutral [5]. Such relationships are characterized by a number of dimensions: authority, centralization, decision rights, participation in decision making, and politics. Jasperson et al. [7] refer to these dimensions as "power." Power refers to relationships between two or more actors in which the behavior of one is affected by the behavior of the other [6]. We use power relationships as the basis for our analysis because previous empirical research shows that CIOs have relatively little power in organizations [9].
We adapted the power relationships taxonomy in [7] to differentiate between power and influence. Individuals exercising power impose their will or interests by use of force; whereas, influence occurs when an individual (A), in a relationship, frames others' choices in terms of outcomes or interests they (A) expect to achieve. However, the individual (in this instance, A) cannot impose these outcomes and interests by force [2]. Power and influence can be used by individuals to "push" their outcomes and interests or to encourage and convince others to "pull" their outcomes and interests. To gain deeper insights into relationships, we created the FRIN framework (see Figure 1) which has two power relationshipsFormal and Radicaland two influence relationshipsInterpretive and Negotiated.
Formal power relationships are based on the structural positions that individuals have in the organization hierarchy. Typically, individuals in these power relationships assume there is a single, most appropriate set of goals to be achieved and that people strive toward these goals. Individuals that take actions to reach other goals or objectives are considered irrational. Such actions are assumed to be taken because people have incomplete information, and consequently, the focus turns to giving people more information and education. These power relationships are used to stimulate demand for the interests and outcomes of those exercising power.
Radical power relationships are based on achieving objectives and goals that impact the wider institutional context. Power is assumed to exist separately to the organizational context and yet affects the actions of individuals within the organization. Radical power relationships are aimed at contributing to the overthrow of wider societal and organizational structures. This power relationship is characterized by individuals using sheer force to impose their will. These power relationships are used to "push" the outcomes and interests of those individuals who use this power.
Negotiated influence relationships are based on individuals' abilities to affect the behaviors of others who have different or potentially conflicting interests or who seek different outcomes. Individuals use dialogue and political processes, such as negotiation and compromise, to reconcile divergent interests and to convince others to pursue their direction. This relationship assumes power to be an objective reality, which often takes the form of resources or control over resources. Individuals using this influence relationship use resources to "push" their interests and the outcomes they want to see happen.
Interpretive influence relationships are based on individuals' controlling and constructing the shared assumptions and interpretations that prevail across the organization. Individuals influence others by controlling meaning and shaping perceptions through the use of symbolic activities, stories and metaphors, the introduction and use of language and rituals and new procedures. Outcomes and interests, in this type of relationship are achieved by manipulating the organization's subjective reality instead of formal, hierarchical authority or control over resources. Individuals use Interpretive relationships to create demand for the outcomes and interests they hold.
The FRIN framework combines the ideas of power and influence with pull and push, thereby providing four lenses through which to understand relationships between key players involved in 404 implementation: the CEO, CFO, CIO, and auditors. We conducted case study research of these relationships in six organizations. We used a survey instrument as the means of collecting data, so we could compare data across the organizations. As relationships are bi-directional we asked respondents to describe the relationship from both directions. Given the sensitive nature of both SOX compliance and ability to identify specific individuals from each organization, we use names of states/provinces, based on each organization's home country of incorporation, as pseudonyms for the organization name.
Alabama. This organization is the U.K. subsidiary of a Fortune 250 U.S.-based home-building company whose shares are traded on the New York Stock Exchange (NYSE).
Alabama's CIO has an Interpretive relationship in the direction of the CFO whereas the relationships are Negotiated in the opposite direction. They both use influence to change and adapt each others' behaviors to achieve 404 outcomes. The CFO's influence is directed at pushing 404 requirements on to the IT department; whereas the CIO seeks to create the environment for the finance department to understand IT. There is a pull-push dynamic that indicates this pair has different outcomes in mind and they are using different influence mechanisms to pursue their respective outcomes.
Alabama's CIO has no direct relationship with the CEO, which can be of concern especially where the CIO has a significant role to play in the implementation of 404. Moreover, it implies the CIO has access to the CEO via the CFO, which gives the CFO a political edge over the CIO. The relationship between the CIO and the auditor is based on a Negotiated relationship, which suggests the CIO is getting the Auditor to accept the controls and activities they have in place. The auditor, on the other hand, is using force to push specific 404 requirements in the direction of Alabama's CIO. She/he is in a weaker position in terms of the CFO and auditors, both of whom are likely to have direct and strong relationships with the CEO (see Figure 2).
Tuscany. As a wholly owned U.K. subsidiary of one of the world's largest manufacturers and distributors of premium eyewear, this business is incorporated in Italy with a 21% stock listing on the NYSE.
The CIO has a Negotiated relationship with the CFO, which suggests that influence is being used to push the IT aspects of 404 toward the finance department. This is a symmetrical relationship as the CFO has a Negotiated relationship in the direction of the CIO. This has the potential for conflict as both the CIO and the CFO will tend to push their own interests and outcomes; neither seems to want to create conditions for encouraging demand for their 404 outcomesthis would require one or the other to adopt an Interpretive relationship. Instead, the CIO appears to have an Interpretive relationship with the CEO. This suggests the CIO is providing the CEO with information that affects the underpinning assumptions in the organization. The auditors have a Radical relationship with the CIO suggesting they are able to regulate the functions and activities of the IT department. Section 404 gives auditors significant powers in terms of checking the adequacy of internal systems controls (see Figure 2).
Surrey. A leading supply chain management company for the home entertainment industry, this company is wholly owned by a U.K. gaming and entertainment company whose stocks are quoted on the London Stock Exchange and NASDAQ.
The CIO has different relationships with the CFO and CEO but is faced with the same relationship from both these players. The CIO has a Negotiated relationship with the CFO, suggesting which suggests that Surrey's CIO uses resources such as knowledge of systems, IT personnel, and budgets to ensure IT's outcomes are achieved. The CFO has a Formal relationship with the CIO, indicating the CFO uses pressure where necessary to create demand for the outcomes sought by the finance department. The CEO has a Formal relationship with the CIO suggesting that power is used push the outcomes wanted by the CEO. This suggests that Surrey's CIO is in a vulnerable position as power can be exercised in their direction but they can only use influence to achieve their outcomes. This position is exacerbated by auditors using influence to push the outcomes they want from the CIO (see Figure 2).
Alsace is a waste management division of a global environmental services company, incorporated in France with stock listings in Paris and New York.
We see the same pattern of relationship between the CIO and CFO in Alsace and in Tuscanyboth have Negotiated relationships. The CEO also has a Negotiated relationship with the CIO and vice versa; suggesting these players are engaged in influencing one another to take on their outcomes. This can lead to potential conflict between the players where the outcomes are significantly different. Where these differences persist the CEO might well have to use Formal or even Radial power to bring about a unified direction. The CIO has a symmetrical Interpretive relationship with the auditors. This illustrates that both are trying to influence each other into wanting to adopt their outcomes, which can be positive where these are the aligned (see Figure 2).
Texas is a U.K. subsidiary of a global leader in secure electronic payment technologies, with a parent company incorporated in the U.S. and listed on the NYSE. The CIO has an Interpretive relationship with the CFO; whereas the CFO has a Negotiated relationship with the CIO. This pattern is the same as Alabama. Both use influence to achieve their outcomes. The CFO has a symmetrical Formal relationship with the CEO; while the CIO has no direct relationship with the CEO. This suggests the CIO relies on the CFO to influence the CEO. The Auditors have no direct relationship with the CIO. Instead they have a direct relationship with the CFO, which again suggests the CIO must go through the CFO in order to achieve IT-related outcomes (see Figure 2).
Ontario is the U.K. division of a Canadian financial services company listed on the Toronto Stock Exchange and NYSE. Ontario provides insurance and wealth management products and services.
In this case we find relationships based only on the use of power. The relationship between the CIO and CFO is symmetrical and based on Formal power. This is the same for the relationship between the CEO and CFO. The CIO has no direct relationship with the CEO. Thus, it appears that each player is pushing for the outcomes that he/she wants to achieve using force to get their way. The use of influence to persuade colleagues is not apparent. The CIO appears to be fairly isolated as the CFO is key to exercising any power or influence over the CEO. The CFOauditor relationship is Radical which suggests that both sides are using force to push their outcomes on to the other. This would lay the groundwork for an antagonistic relationship (see Figure 2).
CIOs must understand how to use power-based implementation levers directed at affecting behaviors through the use of sanctions and force.
There are specific tactics CIOs can use in each power relationship [8]. We studied the tactics CIOs use when implementing 404 using Institutional theory as the conceptual lens [4, 8, 10]. There are six broad categories of tactics:
The tactics used vary depending on the type of relationship. We found that CIOs in:
Where the same tactic is adopted in different relationships, the ways in which the tactic is deployed varies considerably. Figure 3 condenses our findings of the differences in the ways in which the tactics were used. It shows that in Negotiated relationships knowledge deployment can be enacted by creating a central repository of knowledge, making SOX documents available electronically, holding seminars and workshops and establishing internal SOX forums.
Knowledge deployment in Interpretive relationships involves moving individuals between subsidiaries on secondment. The secondments can span a few weeks to up to six months. In another example, Radical relationships use innovation directive tactics to "name and shame" subsidiaries and individuals who are not achieving SOX compliance or who fail to follow prescribed procedures and methods. The overall tone of communications is that of telling people what needs to be done. The same tactic in Formal relationships is used to encourage bottom-up implementation, involving people from different levels in the organization. The tone of communications is selling the importance of complying with prescribed procedures and methods. Innovation directive tactics in Negotiated relationships take the form of guidelines and templates that people use and follow to ensure compliance.
CIOs play an increasingly vital role in achieving 404 and other forms of compliance. CIOs must have an insight into the type of relationships they have with each key player involved with compliance implementation. They have a range of tactics they can use to achieve the outcomes they seek. However, the relationships CIOs have with the other players means they will be using a range of tactics to achieve the outcomes they seek. These may or may not be in the best interests of the CIO and the IT department. Where the outcomes are aligned, we anticipate that a compliance implementation will go smoothly. However, where the outcomes are not aligned each player will use power and influence tactics based on the perceived type of relationships.
CIOs must understand how to use power-based implementation levers directed at affecting behaviors through the use of sanctions and force. Influence levers are based on tactics that change behavior through education and social processes. Our findings show that CIOs are often isolated from the CEO and auditors, relying on the CFO for direction. We suggest CIOs widen their base of relationships and develop new internal power and influence relationships when implementing 404 compliance. In fact, we argue these relationships will become essential capabilities for CIOs as they are likely to be brought into the executive management team and made accountable for the quality of the financial data processed by the information systems they manage; no CEO or CFO is going to take the fall alone because of bad data from the CIO.
Finally, one consequence of the globalization of technology and processes, exemplified by offshoring, is that compliance and governance are becoming a global phenomenon. The FRIN framework has been developed in relation to implementation of SOX in organizations with parent companies in different countries. Arguably, the framework can be applied to other types of compliance initiatives that involve the use of power and influence for implementation.
1. Berghel, H. The two sides of ROI: Return on investment vs. risk of incarceration. Commun. ACM. 48, 4 (Apr. 2005), 1520.
2. Castells, M.A. Rejoinder: On power, identities and culture in the network society. New Political Economy 3, 3 (1998), 473483.
3. CRA International. Sarbanes-Oxley Section 404 Costs and Implementation Issues: Spring 2006 Survey Update. Washington, DC.
4. DiMaggio, P.J. and Powell, W.W. The iron cage revisited: Institutional isomorphism and collective rationality in organizational fields. American Sociological Rev. 48, 2 (1983), 147160.
5. Donovan, J.J. Beyond chief information officer to network manager. Harvard Business Review, 66, 5 (1988), 134140.
6. Hall, R.H. Organizations: Structures, Processes, and Outcomes, 7th Ed. Prentice Hall, Upper Saddle River, NJ, 1999.
7. Jasperson, J.S., Carte, T.A., Saunders, C.S., Butler, B.S., Croes, H.J.P., and Zheng, W. Review: Power and information technology research: A metatriangulation review. MIS Quarterly 26, 4, 397459, 2002.
8. King, J.L., Gurbaxani, V., Kraemer, K.L., McFarlan, F.W., Raman, K.S., and Yap, C.S. Institutional factors in information technology innovation. Information Systems Research 5, 2, (1994), 139169.
9. Lucas, H.C.J. Organizational power and the Information Services Department. Commun. ACM 27, 1, (Jan. 1984), 5865.
10. Robey, D. and Boudreau, M.C. Accounting for the contradictory organizational consequences of information technology: Theoretical directions and methodological implications. Information Systems Research 10, 2 (1999), 167185.
1The PCAOB's mission is to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports; (www.pcaob-us.org).
Figure 2. CIO relationship networks.
Figure 3. Tactics CIOs can use when implementing 404 of the Sarbanes-Oxley Act.
©2007 ACM 0001-0782/07/0900 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2007 ACM, Inc.
No entries found