The US Securities and Exchange Commission (SEC) is planning what could be among the largest changes in the history of American accounting—a conversion from Generally Accepted Accounting Principles (GAAP) to International Financial Reporting Standards (IFRS). This article integrates lessons learned from previous implementations of year 2000 (Y2K) enterprise resource planning (ERP) systems and the US Sarbanes-Oxley Act of 2002, and lessons learned from countries that have already adopted IFRS to provide an assessment that audit committees (ACs), chief financial officers (CFOs) and IT auditors can use to identify critical questions for a successful IFRS implementation.
Conversion to IFRS
Approximately 29 million private businesses and 44,000 certified public accountant (CPA) firms in the US will be required to switch to IFRS-based standards.1 The most likely effective date for an IFRS implementation will not come until 2016. A recent 2010 survey by Financial Executives International (FEI) and KPMG found that responders could attain an implementation deadline of 2016, if the IFRS decision is made in 2011.2
Canadian public companies must be IFRS-compliant starting in 2011. Of 146 senior executives responding to a 2010 Financial Executives Research Foundation (FERF) survey, most respondents from Canadian companies indicated that they were converting because their companies were publicly accountable—meaning, therefore, that conversion was mandatory. The survey also reported that the majority of companies were planning on running IFRS and Canadian GAAP in parallel.3 Canadian IFRS implementation in small enterprises, which is similar to what is expected in the US, is often the responsibility of CFOs, who are also charged with most other financial management issues in their firms. Conversely, CFOs of large companies are more likely to be supported with adequate resources and staff devoted to the conversion. Dedicated IFRS teams for public companies in the Canadian IFRS implementation include accounting, IT, internal audit, treasury, risk management, human resources (HR) and investor relations.
For companies in the UK, Ireland and Italy that have already converted to IFRS, the biggest problem was the unexpected time commitment in understanding IFRS, in training, in assimilating requirements, and, for some, in major changes in IT.4 The most difficult IFRS standards are those that require fair values, external data or key assumptions to be made to implement the standards. While most companies relied heavily on their auditors to advise them, complications arose when the Big Four audit firms did not agree on the treatment of certain items. The feedback from these countries suggests that the IFRS conversion should be viewed as a significant project.
While the timeline for the US adoption/ convergence to IFRS is still unclear, there are several critical questions that corporate officers should be addressing now to achieve a successful IFRS implementation. These questions include:
- What are the requirements for IFRS?
- What has been learned from ERP and Sarbanes-Oxley implementation projects?
- What are the roles of COBIT and the Committee of Sponsoring Organizations of the Treadway Commission (COSO)?
- Do accounting and IT have the necessary project management (PM) skills?
Planning and appropriate resource allocations are necessary IFRS implementation requirements. Moreover, the implementation should be integrated with IT and internal controls in order to meet or exceed regulatory requirements.
IFRS Requirements
The impact of IFRS on IT and financial systems can vary depending on the firm’s IT and financial systems’ capability/integration, industry complexity, size, relevance of business process/transaction, internal control structure, mergers and acquisitions process, and other attributes.5 Integrating both accounting and IT requirements for a multinational company exposes an array of variables that, in combination, can escalate the overall risk of an IFRS implementation.6 Variables include:
- The intricacies of IFRS technical accounting standards
- An overlap of local and international regulatory considerations
- Conversion across business units and countries
- Separate IT systems within many organizations
- A limited number of IT professionals with IFRS technical knowledge who have the abilities to interpret and translate IFRS into IT changes
The effect of IFRS on IT varies from company to company, as evidenced by the results of a survey of Canadian public companies in which 61 percent said that the IFRS conversion would have a medium or high impact on IT systems, whereas only 27 percent of private companies expected a medium or high impact.7 Some of the differences in perceived IFRS impact are attributable to the data collection and maintenance requirements.
Many authors describe the implementation of IFRS as a major system conversion.8 Moreover, conversion to IFRS can be more pervasive to the enterprise than many perceive, will impact business operations and IT, and will require substantive system changes, modifications to business processes and new accounting policies.9 The scope of the IT changes includes the entire food chain from data generation and business processes to final reporting (see figure 1).
While figure 1 seems straightforward, United Technologies Corporation (UTC), an early adopter of IFRS, noted that a move to IFRS affects every aspect of business, with ramifications for everything from compensation to bonuses and budgeting.10 The business model, including pricing, product costs and gross margins, is also affected. While figure 1 identifies the data and applications affected by an IFRS implementation, the consequences must be understood in a business context, which involves a broad training effort inside the organization and corresponding lead times.
Three international experts from companies in the midst of adopting IFRS warn against underestimating the IT challenges ahead, including the potential for millions of lines of new data for a large multinational organization.11 One expert warned against using Excel spreadsheets as a solution to handle the expanded IFRS data requirements. Assuming the IFRS requirements are met, traditional GAAP reporting must be maintained during the dual reporting period, which, ultimately, requires a complete reconciliation of GAAP and IFRS for each reporting period. For SEC registrants, US companies must report US GAAP and IFRS in parallel for three years from the initiation of IFRS. In creating a parallel accounting environment, the company’s internal control and operational audit staff should evaluate prolonged modifications of IT support for dual reporting.12 Internal control and operational audit staff can provide in-depth knowledge for conversion planning and ensure that overall conversion costs are comprehensive and accurate.
ERP Implementations and Sarbanes-Oxley
A review of ERP implementations for Y2K, subsequent IT development and Sarbanes-Oxley provides a rich variety of lessons learned in IT governance and organizational maturity.
ERP
Deloitte Consulting13 conducted in-depth interviews with 164 individuals at 62 Fortune 500 companies that used ERP systems, such as SAP, Baan, Oracle and PeopleSoft. The purpose of the study was to evaluate ERP development issues. The study summarized performance problems and the leading causes of such problems into three categories (see figure 2):
- People—62 percent
- Process—16 percent
- Technical—12 percent
Consistent with the reports from Deloitte Consulting, in the article “Managing Your ERP Project,” Marie Benesh14 described five areas of common management pitfalls that involve:
- Shortcomings in or a lack of integrated project team planning
- Managed communications across many people
- Formal decision-making processes
- Integrated test plans and managed test processes
- Failure to integrate lessons learned into current practices
In a survey of critical success factors (CSFs) throughout all stages of ERP implementations in 86 companies, factors similar to those reported by Benesh and Deloitte Consulting were ranked high in importance.15 In-depth interviews with more than 50 chief information officers (CIOs) produced a similar theme: PM and process engineering skills were frequently mentioned as shortcomings in the course of enterprise development.16 In their study of 541 large IT projects following Y2K, Weidong Xia and Gwanhoo Lee17 demonstrated the influence of organization and personnel in large IT projects across several industries: Organizational aspects, including the use of qualified personnel, were the leading factors that contributed to project success.
Sarbanes-Oxley
The Public Company Accounting Oversight Board (PCAOB) assumed Sarbanes-Oxley regulatory oversight of approximately 15,000 companies and 1,423 accounting firms in the US.18, 19 Three research reports on enterprises that reported at least one material weakness (MW) from 2002 to 2005 found that these enterprises were more likely to be smaller, younger, riskier, more complex and financially weaker, with poorer accrual earnings quality.20, 21, 22
Bonnie Klamm and Marcia Weidenmier Watson23 examined 490 firms that reported MWs in the first year of Sarbanes-Oxley enforcement to evaluate the interrelatedness of weak COSO components and IT controls. Their research identified relationships between the reported MWs and the five components of COSO (control environment, risk assessment, control activities, information and communication, and monitoring), including:
- A weak control environment has a positive association with the remaining four weak COSO components, i.e., COSO components are likely to affect each other.
- Firms with weak COSO components related to IT frequently spill over to create more MWs and misstatements not related to IT.
- Weak COSO components related to IT negatively affect reporting reliability and add to the number of non-IT MWs reported.
Moreover, the conclusion from Klamm and Watson’s research is that the IT domain appears to affect overall control effectiveness.
Cumulative evidence from Y2K ERP and subsequent IT project and Sarbanes-Oxley implementations suggest several risk drivers for IFRS:
- The scope of IT changes required to support IFRS
- The complexity of the enterprise, including the number of subsidiaries and the nature of assets and liabilities
- Smaller, younger, riskier, more complex and financially weaker organizations that lack either adequate resources or the leadership to execute change management
COSO/COBIT
The authors believe that the CSF lies in the organization’s capability to execute an IFRS implementation while sustaining or improving internal controls as the accounting environment grows in complexity. A robust implementation of the COSO Internal Control—Integrated Framework,24 an implementation of the COBIT25 framework and a critical examination of the accounting organization for PM skills are effective responses to the risk drivers referenced earlier.
The COSO framework supports the establishment of an internal control framework for financial reporting, and COBIT supports the establishment of an IT framework for control and security. Together, they support the business process and information requirements, policies and standards necessary to support IFRS implementation and operation.
Accounting and IT PM Skills and the Capability Maturity Model
Accounting organizations that lack either adequate resources or the leadership to execute PM are among the most vulnerable in an IFRS implementation. Based on the previously mentioned research on Sarbanes-Oxley Act implementation experiences,26, 27, 28 small to medium-sized enterprises (SMEs) represent the highest risk group for potential IFRS implementation issues. Moreover, many SMEs were never required to become compliant with Sarbanes-Oxley, and therefore, they lack the experience necessary for a complex implementation/conversion.
An assessment of the accounting organization is particularly meaningful because most accountants and CPAs are not trained for PM or systems implementations. If accountants have experience in any of these disciplines, it was more than likely obtained outside the roles of financial statement auditor or tax preparer, two major career paths that accountants often follow.
Young Hoon Kwak and C. William Ibbs29 presented a PM model that progresses from an unsophisticated level to a sophisticated maturity level. Each maturity level consists of enhancements to major PM characteristics, factors and processes (see figure 3). Kwak30 demonstrated that the average organization across several industries spends 6 percent of project value on total PM costs, which suggests an overall low cost given the potential range of adverse consequences for ineffective PM. In a study of 38 large international companies in four industries, overall PM maturity ranged from a low of 3.1 for information systems companies to a high of 3.4 for engineering construction companies, with an average for all companies of 3.3.31
In a scale with level 1 at the low end of maturity and level 5 at the high end of maturity, how should chief executive officers (CEOs) or CFOs evaluate their organizational capability to initiate, plan, control and close out one-of-a-kind endeavors? At a minimum, any IFRS PM effort should not fall below the average benchmarks of 3.3 identified by Kwak and Ibbs.33 At level 3, defined control systems are in place and adequately documented. The Capability Maturity Model (CMM) levels of 1 or 2 for a planned IFRS implementation should not be acceptable by an AC, the CEO or the CFO. With an emphasis on value and risk drivers, detailed analyses, tools and workshops, full support from business process owners, and accountability, a CMM level 3 for an IFRS implementation may be acceptable. COBIT integrates a CMM for internal controls, which is particularly important for a COSO/Sarbanes-Oxley-compliant organization (see figure 4).
The authors believe that ACs and corporate officers should evaluate their internal organization skills as the project is fully defined and proposed. The evaluation should be based on the premise that:
- Accountants and CPAs do not acquire PM skills in most available career paths.
- Successful IT implementations are inextricably linked to qualified staff and effective PM.
- SMEs are more at risk due to a lack of resources or effective leadership.
- A minimum of CMM level 3 for internal controls should be attained for an IFRS implementation.
A priority for the AC, corporate officers and the IT auditor is to understand the IFRS impact on IT requirements because IT domain weaknesses spill over to other IT and non-IT internal control effectiveness areas in other COSO domains.
On a larger scale, for an IFRS conversion, the leadership of the SEC, the Financial Accounting Standards Board (FASB), the International Accounting Standards Board (IASB) and the American Institute of Certified Public Accountants (AICPA) should:
- Emphasize the organizational capability to implement and sustain an IFRS-compliant environment based on COSO/COBIT vs. a message that suggests a few courses in IFRS
- Develop well-defined requirements to drive a successful implementation and ongoing application of IFRS
- Create a conversion schedule that accommodates 29 million companies and the audit/consulting resources to support those conversions
Conclusion
For IT auditors and IT professionals, IFRS should be a priority because the demand will be high for those with technical knowledge to interpret and translate IFRS into IT requirements, COSO/COBIT-supporting references and audit programs. The capability to execute an IFRS implementation while sustaining or improving internal controls is a CSF. Lessons from Sarbanes-Oxley implementations indicate that IT and internal controls can be materially affected. The conversion to IFRS in the US will be a difficult and tenuous process for many companies. However, for those who learned from failed implementations in the past, IFRS will present an opportunity to move the organization to a higher CMM level of maturity while simultaneously adding capacity and flexibility for future endeavors.
Endnotes
1 AICPA, “Looking to the Future: An Interview With AICPA President & CEO Barry Melancon, CPA,” CPA Letter Daily, 15 December 2010, www.smartbrief.com/servlet/wireless?issueid=FD77B3FB-FD54-4206-A7C6-C9E7E32E9BEE&sid=9a375f81-708d-44e5-a5f7-ca5c11478ab7
2 Goldschmid, Harvey; “IFRS at a Critical Crossroad,” speech at the Financial Executives International (FEI) Current Financial Reporting Issues Conference 2010, held in New York, USA, 15–17 November 2010, www.ifrs.org/News/Announcements+and+Speeches/IFRS+Critical+Crossroad.htm
3 Canadian Financial Executives Research Foundation (CFERF), “IFRS Readiness in Canada: 2010,” Canada, 2010, www.feicanada.org/pdfs/CFERF%20IFRS%20Readiness%20in%20Canada%202010.pdf
4 Institute of Chartered Accountants of Scotland, “The GAAP Gap,” CA Magazine, 20 March 2008, www.camagonline.co.uk/Magazine/2008-3/64.aspx
5 American Institute of Certified Public Accountants (AICPA), “Financial System Considerations in IFRS Conversion Projects,” USA, 2010, www.ifrs.com/pdf/10414-378_IFRS_IT_White_Paper_WEB_FINAL.pdf
6 KPMG LLC, “Information Technology Advisory Services: The Effects of IFRS on Information Systems,” USA, 2008, http://www.in.kpmg.com/securedata/ifrs_Institute/Files/Effects_of_IFRS_on_IS.pdf
7 Op cit, CFERF
8 Difazio, Nick; D.J. Gannon; “IFRS Roadmap: Planning a Safe, Economical Trip,” Deloitte Review, 20 January 2010, www.deloitte.com/view/en_US/us/Insights/Browse-by-Content-Type/deloitte-review/article/3391e6545eea2210VgnVCM200000bb42f00aRCRD.htm
9 Arnold, Steve; “IFRS Risk Planning and Controls Execution: Strategic Considerations for Financial Managers,” Journal of Accountancy, September 2009, www.journalofaccountancy.com/Issues/2009/Sep/20091594
10 AICPA, “Getting to IFRS: Those Who Have Been There Have Plenty of Advice,” USA, 2009, www.ifrs.com/advice.html
11 Ibid.
12 Op cit, Arnold
13 Deloitte Consulting, ERP’s Second Wave: Maximizing the Value of ERP Enables Processes, 1999, www.ctiforum.com/technology/CRM/wp01/download/erp2w.pdf
14 Benesh, Marie; “Managing Your ERP Project,” Software Testing and Quality Engineering, July/August 1999, p. 38–43
15 Somers, Toni M.; Klara Nelson; “The Impact of Critical Success Factors Across the Stages of Enterprise Resource Planning Implementations,” Proceedings of the 34th Hawaii International Conference on System Sciences, IEEE, USA, 2001
16 Reich, Blaize Horner; Kay M. Nelson; “In Their Own Words: CIO Visions About the Future of In-house IT Organizations,” Database for Advances in Information Systems, 1 October 2003, www.allbusiness.com/technology/3502741-1.html
17 Xia, Weidong; Gwanhoo Lee; “Grasping the Complexity of IS Development,” Communications of the ACM, 1 May 2004, http://cacm.acm.org/magazines/2004/5/6513-grasping-the-complexity-of-is-development-projects/abstract
18 McDonough, William J.; “The PCAOB and Its Oversight Role,” Public Company Accounting Oversight Board (PCAOB), speech at the Joint Financial Management Improvement Program in Washington, DC, USA, 9 March 2004, http://pcaobus.org/News/Speech/Pages/03092004_McDonoughJointFinancialManagement.aspx
19 PCAOB, “Board Approves Revised 2005 Budget,” USA, 30 December 2004, http://pcaobus.org/News/Releases/Pages/12302004_Revised2005Budget.aspx
20 Doyle, Jeffrey; Weili Ge; Sarah McVay; “Determinants of Weaknesses in Internal Control Over Financial Reporting,” Journal of Accounting and Economics, September 2007,
21 Doyle, Jeffrey; Weili Ge; Sarah McVay; “Accruals Quality and Internal Control Over Financial Reporting,” The Accounting Review, vol. 82, issue 5, 2007
22 Ge, Weili; Sarah McVay; “The Disclosure of Material Weaknesses in Internal Control After the Sarbanes-Oxley Act,” Accounting Horizons, September 2005,www.uic.edu/classes/actg/actg593/Readings/Stock-Options/Sarbanes-Oxley/The-Disclosure-of-Material-Weaknessesin-Internal-Control-after-the-Sarbanes-Oxley.pdf
23 Klamm, Bonnie; Marcia Weidenmier Watson; “SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information Technology,” Journal of Information Systems, Fall 2009
24 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework, USA, 2004
25 IT Governance Institute (ITGI), COBIT 4.1, USA, 2007
26 Op cit, Doyle, Jeffrey; Weili Ge; Sarah McVay; “Determinants of Weaknesses in Internal Control Over Financial Reporting”
27 Op cit, Doyle, Jeffrey; Weili Ge; Sarah McVay; “Accruals Quality and Internal Control Over Financial Reporting”
28 Op cit, Ge, Weili; Sarah McVay; “The Disclosure of Material Weaknesses in Internal Control After the Sarbanes-Oxley Act”
29 Kwak, Young Hoon; C. William Ibbs; “Project Management Process Maturity (PM)2 Model,” Journal of Management Engineering, July 2002, http://home.gwu.edu/~kwak/PMPM_Model.pdf
30 Kwak, Young Hoon; “A Systematic Approach to Evaluate Quantitative Impacts of Project Management (PM),” doctoral dissertation, Department of Civil Engineering, University of California, Berkeley, USA, 1997
31 Kwak, Young Hoon; C. William Ibbs; “Calculating Project Management’s Return on Investment,” Project Management Journal, June 2000, www.lamarheller.com/projectmgmt/calculatingpmroi.pdf
32 Op cit, Kwak, Young Hoon; C. William Ibbs; “Project Management Process Maturity (PM)2 Model”
33 Op cit, Kwak, Young Hoon; C. William Ibbs; “Calculating Project Management’s Return on Investment”
William C. Brown, CISA, CPA
is an assistant professor at Minnesota State University, Mankato, College of Business (USA). He has taught both accounting and management of information systems. His more than 25 years of experience include various levels of responsibility in positions including chief financial officer (CFO) in three US Securities and Exchange Commission (SEC) registrants. During his career, Brown has led several project teams to implement enterprise accounting and related systems.
Byron J. Pike, CPA
is an assistant professor at Minnesota State University, Mankato, College of Business. He has taught auditing and financial accounting at the undergraduate level. Pike has also worked as an auditor for a Big Four accounting firm.