William C. Brown, CISA, CPA, and Byron J. Pike, CPA
The US Securities and Exchange Commission (SEC) is planning what could be among the largest changes in the history of American accounting—a conversion from Generally Accepted Accounting Principles (GAAP) to International Financial Reporting Standards (IFRS). This article integrates lessons learned from previous implementations of year 2000 (Y2K) enterprise resource planning (ERP) systems and the US Sarbanes-Oxley Act of 2002, and lessons learned from countries that have already adopted IFRS to provide an assessment that audit committees (ACs), chief financial officers (CFOs) and IT auditors can use to identify critical questions for a successful IFRS implementation.
Approximately 29 million private businesses and 44,000 certified public accountant (CPA) firms in the US will be required to switch to IFRS-based standards.1 The most likely effective date for an IFRS implementation will not come until 2016. A recent 2010 survey by Financial Executives International (FEI) and KPMG found that responders could attain an implementation deadline of 2016, if the IFRS decision is made in 2011.2
Canadian public companies must be IFRS-compliant starting in 2011. Of 146 senior executives responding to a 2010 Financial Executives Research Foundation (FERF) survey, most respondents from Canadian companies indicated that they were converting because their companies were publicly accountable—meaning, therefore, that conversion was mandatory. The survey also reported that the majority of companies were planning on running IFRS and Canadian GAAP in parallel.3 Canadian IFRS implementation in small enterprises, which is similar to what is expected in the US, is often the responsibility of CFOs, who are also charged with most other financial management issues in their firms. Conversely, CFOs of large companies are more likely to be supported with adequate resources and staff devoted to the conversion. Dedicated IFRS teams for public companies in the Canadian IFRS implementation include accounting, IT, internal audit, treasury, risk management, human resources (HR) and investor relations.
For companies in the UK, Ireland and Italy that have already converted to IFRS, the biggest problem was the unexpected time commitment in understanding IFRS, in training, in assimilating requirements, and, for some, in major changes in IT.4 The most difficult IFRS standards are those that require fair values, external data or key assumptions to be made to implement the standards. While most companies relied heavily on their auditors to advise them, complications arose when the Big Four audit firms did not agree on the treatment of certain items. The feedback from these countries suggests that the IFRS conversion should be viewed as a significant project.
While the timeline for the US adoption/ convergence to IFRS is still unclear, there are several critical questions that corporate officers should be addressing now to achieve a successful IFRS implementation. These questions include:
Planning and appropriate resource allocations are necessary IFRS implementation requirements. Moreover, the implementation should be integrated with IT and internal controls in order to meet or exceed regulatory requirements.
The impact of IFRS on IT and financial systems can vary depending on the firm’s IT and financial systems’ capability/integration, industry complexity, size, relevance of business process/transaction, internal control structure, mergers and acquisitions process, and other attributes.5 Integrating both accounting and IT requirements for a multinational company exposes an array of variables that, in combination, can escalate the overall risk of an IFRS implementation.6 Variables include:
The effect of IFRS on IT varies from company to company, as evidenced by the results of a survey of Canadian public companies in which 61 percent said that the IFRS conversion would have a medium or high impact on IT systems, whereas only 27 percent of private companies expected a medium or high impact.7 Some of the differences in perceived IFRS impact are attributable to the data collection and maintenance requirements.
Many authors describe the implementation of IFRS as a major system conversion.8 Moreover, conversion to IFRS can be more pervasive to the enterprise than many perceive, will impact business operations and IT, and will require substantive system changes, modifications to business processes and new accounting policies.9 The scope of the IT changes includes the entire food chain from data generation and business processes to final reporting (see figure 1).
While figure 1 seems straightforward, United Technologies Corporation (UTC), an early adopter of IFRS, noted that a move to IFRS affects every aspect of business, with ramifications for everything from compensation to bonuses and budgeting.10 The business model, including pricing, product costs and gross margins, is also affected. While figure 1 identifies the data and applications affected by an IFRS implementation, the consequences must be understood in a business context, which involves a broad training effort inside the organization and corresponding lead times.
Three international experts from companies in the midst of adopting IFRS warn against underestimating the IT challenges ahead, including the potential for millions of lines of new data for a large multinational organization.11 One expert warned against using Excel spreadsheets as a solution to handle the expanded IFRS data requirements. Assuming the IFRS requirements are met, traditional GAAP reporting must be maintained during the dual reporting period, which, ultimately, requires a complete reconciliation of GAAP and IFRS for each reporting period. For SEC registrants, US companies must report US GAAP and IFRS in parallel for three years from the initiation of IFRS. In creating a parallel accounting environment, the company’s internal control and operational audit staff should evaluate prolonged modifications of IT support for dual reporting.12 Internal control and operational audit staff can provide in-depth knowledge for conversion planning and ensure that overall conversion costs are comprehensive and accurate.
A review of ERP implementations for Y2K, subsequent IT development and Sarbanes-Oxley provides a rich variety of lessons learned in IT governance and organizational maturity.
ERPDeloitte Consulting13 conducted in-depth interviews with 164 individuals at 62 Fortune 500 companies that used ERP systems, such as SAP, Baan, Oracle and PeopleSoft. The purpose of the study was to evaluate ERP development issues. The study summarized performance problems and the leading causes of such problems into three categories (see figure 2):
Consistent with the reports from Deloitte Consulting, in the article “Managing Your ERP Project,” Marie Benesh14 described five areas of common management pitfalls that involve:
In a survey of critical success factors (CSFs) throughout all stages of ERP implementations in 86 companies, factors similar to those reported by Benesh and Deloitte Consulting were ranked high in importance.15 In-depth interviews with more than 50 chief information officers (CIOs) produced a similar theme: PM and process engineering skills were frequently mentioned as shortcomings in the course of enterprise development.16 In their study of 541 large IT projects following Y2K, Weidong Xia and Gwanhoo Lee17 demonstrated the influence of organization and personnel in large IT projects across several industries: Organizational aspects, including the use of qualified personnel, were the leading factors that contributed to project success.
Sarbanes-OxleyThe Public Company Accounting Oversight Board (PCAOB) assumed Sarbanes-Oxley regulatory oversight of approximately 15,000 companies and 1,423 accounting firms in the US.18, 19 Three research reports on enterprises that reported at least one material weakness (MW) from 2002 to 2005 found that these enterprises were more likely to be smaller, younger, riskier, more complex and financially weaker, with poorer accrual earnings quality.20, 21, 22
Bonnie Klamm and Marcia Weidenmier Watson23 examined 490 firms that reported MWs in the first year of Sarbanes-Oxley enforcement to evaluate the interrelatedness of weak COSO components and IT controls. Their research identified relationships between the reported MWs and the five components of COSO (control environment, risk assessment, control activities, information and communication, and monitoring), including:
Moreover, the conclusion from Klamm and Watson’s research is that the IT domain appears to affect overall control effectiveness.
Cumulative evidence from Y2K ERP and subsequent IT project and Sarbanes-Oxley implementations suggest several risk drivers for IFRS:
The authors believe that the CSF lies in the organization’s capability to execute an IFRS implementation while sustaining or improving internal controls as the accounting environment grows in complexity. A robust implementation of the COSO Internal Control—Integrated Framework,24 an implementation of the COBIT25 framework and a critical examination of the accounting organization for PM skills are effective responses to the risk drivers referenced earlier.
The COSO framework supports the establishment of an internal control framework for financial reporting, and COBIT supports the establishment of an IT framework for control and security. Together, they support the business process and information requirements, policies and standards necessary to support IFRS implementation and operation.
Accounting organizations that lack either adequate resources or the leadership to execute PM are among the most vulnerable in an IFRS implementation. Based on the previously mentioned research on Sarbanes-Oxley Act implementation experiences,26, 27, 28 small to medium-sized enterprises (SMEs) represent the highest risk group for potential IFRS implementation issues. Moreover, many SMEs were never required to become compliant with Sarbanes-Oxley, and therefore, they lack the experience necessary for a complex implementation/conversion.
An assessment of the accounting organization is particularly meaningful because most accountants and CPAs are not trained for PM or systems implementations. If accountants have experience in any of these disciplines, it was more than likely obtained outside the roles of financial statement auditor or tax preparer, two major career paths that accountants often follow.
Young Hoon Kwak and C. William Ibbs29 presented a PM model that progresses from an unsophisticated level to a sophisticated maturity level. Each maturity level consists of enhancements to major PM characteristics, factors and processes (see figure 3). Kwak30 demonstrated that the average organization across several industries spends 6 percent of project value on total PM costs, which suggests an overall low cost given the potential range of adverse consequences for ineffective PM. In a study of 38 large international companies in four industries, overall PM maturity ranged from a low of 3.1 for information systems companies to a high of 3.4 for engineering construction companies, with an average for all companies of 3.3.31
In a scale with level 1 at the low end of maturity and level 5 at the high end of maturity, how should chief executive officers (CEOs) or CFOs evaluate their organizational capability to initiate, plan, control and close out one-of-a-kind endeavors? At a minimum, any IFRS PM effort should not fall below the average benchmarks of 3.3 identified by Kwak and Ibbs.33 At level 3, defined control systems are in place and adequately documented. The Capability Maturity Model (CMM) levels of 1 or 2 for a planned IFRS implementation should not be acceptable by an AC, the CEO or the CFO. With an emphasis on value and risk drivers, detailed analyses, tools and workshops, full support from business process owners, and accountability, a CMM level 3 for an IFRS implementation may be acceptable. COBIT integrates a CMM for internal controls, which is particularly important for a COSO/Sarbanes-Oxley-compliant organization (see figure 4).
The authors believe that ACs and corporate officers should evaluate their internal organization skills as the project is fully defined and proposed. The evaluation should be based on the premise that:
A priority for the AC, corporate officers and the IT auditor is to understand the IFRS impact on IT requirements because IT domain weaknesses spill over to other IT and non-IT internal control effectiveness areas in other COSO domains.
On a larger scale, for an IFRS conversion, the leadership of the SEC, the Financial Accounting Standards Board (FASB), the International Accounting Standards Board (IASB) and the American Institute of Certified Public Accountants (AICPA) should:
For IT auditors and IT professionals, IFRS should be a priority because the demand will be high for those with technical knowledge to interpret and translate IFRS into IT requirements, COSO/COBIT-supporting references and audit programs. The capability to execute an IFRS implementation while sustaining or improving internal controls is a CSF. Lessons from Sarbanes-Oxley implementations indicate that IT and internal controls can be materially affected. The conversion to IFRS in the US will be a difficult and tenuous process for many companies. However, for those who learned from failed implementations in the past, IFRS will present an opportunity to move the organization to a higher CMM level of maturity while simultaneously adding capacity and flexibility for future endeavors.
1 AICPA, “Looking to the Future: An Interview With AICPA President & CEO Barry Melancon, CPA,” CPA Letter Daily, 15 December 2010, www.smartbrief.com/servlet/wireless?issueid=FD77B3FB-FD54-4206-A7C6-C9E7E32E9BEE&sid=9a375f81-708d-44e5-a5f7-ca5c11478ab72 Goldschmid, Harvey; “IFRS at a Critical Crossroad,” speech at the Financial Executives International (FEI) Current Financial Reporting Issues Conference 2010, held in New York, USA, 15–17 November 2010, www.ifrs.org/News/Announcements+and+Speeches/IFRS+Critical+Crossroad.htm3 Canadian Financial Executives Research Foundation (CFERF), “IFRS Readiness in Canada: 2010,” Canada, 2010, www.feicanada.org/pdfs/CFERF%20IFRS%20Readiness%20in%20Canada%202010.pdf4 Institute of Chartered Accountants of Scotland, “The GAAP Gap,” CA Magazine, 20 March 2008, www.camagonline.co.uk/Magazine/2008-3/64.aspx5 American Institute of Certified Public Accountants (AICPA), “Financial System Considerations in IFRS Conversion Projects,” USA, 2010, www.ifrs.com/pdf/10414-378_IFRS_IT_White_Paper_WEB_FINAL.pdf6 KPMG LLC, “Information Technology Advisory Services: The Effects of IFRS on Information Systems,” USA, 2008, https://www.in.kpmg.com/securedata/ifrs_Institute/Files/Effects_of_IFRS_on_IS.pdf7 Op cit, CFERF8 Difazio, Nick; D.J. Gannon; “IFRS Roadmap: Planning a Safe, Economical Trip,” Deloitte Review, 20 January 2010, www.deloitte.com/view/en_US/us/Insights/Browse-by-Content-Type/deloitte-review/article/3391e6545eea2210VgnVCM200000bb42f00aRCRD.htm9 Arnold, Steve; “IFRS Risk Planning and Controls Execution: Strategic Considerations for Financial Managers,” Journal of Accountancy, September 2009, www.journalofaccountancy.com/Issues/2009/Sep/2009159410 AICPA, “Getting to IFRS: Those Who Have Been There Have Plenty of Advice,” USA, 2009, www.ifrs.com/advice.html11 Ibid.12 Op cit, Arnold13 Deloitte Consulting, ERP’s Second Wave: Maximizing the Value of ERP Enables Processes, 1999, www.ctiforum.com/technology/CRM/wp01/download/erp2w.pdf14 Benesh, Marie; “Managing Your ERP Project,” Software Testing and Quality Engineering, July/August 1999, p. 38–4315 Somers, Toni M.; Klara Nelson; “The Impact of Critical Success Factors Across the Stages of Enterprise Resource Planning Implementations,” Proceedings of the 34th Hawaii International Conference on System Sciences, IEEE, USA, 200116 Reich, Blaize Horner; Kay M. Nelson; “In Their Own Words: CIO Visions About the Future of In-house IT Organizations,” Database for Advances in Information Systems, 1 October 2003, www.allbusiness.com/technology/3502741-1.html17 Xia, Weidong; Gwanhoo Lee; “Grasping the Complexity of IS Development,” Communications of the ACM, 1 May 2004, http://cacm.acm.org/magazines/2004/5/6513-grasping-the-complexity-of-is-development-projects/abstract18 McDonough, William J.; “The PCAOB and Its Oversight Role,” Public Company Accounting Oversight Board (PCAOB), speech at the Joint Financial Management Improvement Program in Washington, DC, USA, 9 March 2004, http://pcaobus.org/News/Speech/Pages/03092004_McDonoughJointFinancialManagement.aspx19 PCAOB, “Board Approves Revised 2005 Budget,” USA, 30 December 2004, http://pcaobus.org/News/Releases/Pages/12302004_Revised2005Budget.aspx20 Doyle, Jeffrey; Weili Ge; Sarah McVay; “Determinants of Weaknesses in Internal Control Over Financial Reporting,” Journal of Accounting and Economics, September 2007, http://home.business.utah.edu/sarah.mcvay/DGM_2007_JAE.pdf21 Doyle, Jeffrey; Weili Ge; Sarah McVay; “Accruals Quality and Internal Control Over Financial Reporting,” The Accounting Review, vol. 82, issue 5, 200722 Ge, Weili; Sarah McVay; “The Disclosure of Material Weaknesses in Internal Control After the Sarbanes-Oxley Act,” Accounting Horizons, September 2005,www.uic.edu/classes/actg/actg593/Readings/Stock-Options/Sarbanes-Oxley/The-Disclosure-of-Material-Weaknessesin-Internal-Control-after-the-Sarbanes-Oxley.pdf23 Klamm, Bonnie; Marcia Weidenmier Watson; “SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information Technology,” Journal of Information Systems, Fall 200924 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework, USA, 200425 IT Governance Institute (ITGI), COBIT 4.1, USA, 2007, www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx26 Op cit, Doyle, Jeffrey; Weili Ge; Sarah McVay; “Determinants of Weaknesses in Internal Control Over Financial Reporting”27 Op cit, Doyle, Jeffrey; Weili Ge; Sarah McVay; “Accruals Quality and Internal Control Over Financial Reporting”28 Op cit, Ge, Weili; Sarah McVay; “The Disclosure of Material Weaknesses in Internal Control After the Sarbanes-Oxley Act”29 Kwak, Young Hoon; C. William Ibbs; “Project Management Process Maturity (PM)2 Model,” Journal of Management Engineering, July 2002, http://home.gwu.edu/~kwak/PMPM_Model.pdf30 Kwak, Young Hoon; “A Systematic Approach to Evaluate Quantitative Impacts of Project Management (PM),” doctoral dissertation, Department of Civil Engineering, University of California, Berkeley, USA, 199731 Kwak, Young Hoon; C. William Ibbs; “Calculating Project Management’s Return on Investment,” Project Management Journal, June 2000, www.lamarheller.com/projectmgmt/calculatingpmroi.pdf32 Op cit, Kwak, Young Hoon; C. William Ibbs; “Project Management Process Maturity (PM)2 Model” 33 Op cit, Kwak, Young Hoon; C. William Ibbs; “Calculating Project Management’s Return on Investment”
William C. Brown, CISA, CPAis an assistant professor at Minnesota State University, Mankato, College of Business (USA). He has taught both accounting and management of information systems. His more than 25 years of experience include various levels of responsibility in positions including chief financial officer (CFO) in three US Securities and Exchange Commission (SEC) registrants. During his career, Brown has led several project teams to implement enterprise accounting and related systems.
Byron J. Pike, CPAis an assistant professor at Minnesota State University, Mankato, College of Business. He has taught auditing and financial accounting at the undergraduate level. Pike has also worked as an auditor for a Big Four accounting firm.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.