Section 404 of the Sarbanes-Oxley (SOX) Act addresses the effectiveness of internal controls,
which in most organizations are either fully or partially automated due to the pervasiveness
and ubiquity of information technologies. Significant or material control deficiencies have to be
reported publicly. The adverse impact on organizations declaring deficiencies can be severe, for
example, damage to reputation and/or market value. While there are many practitioner-led manuals
and methods for dealing with Section 404, there has been little published in the academic research
literature investigating the role of Information Systems organizations in implementing Section
404. The paper addresses this gap in knowledge. We used institutional theory as the lens through
which to examine the experiences of Section 404 implementation in three global organizations.
We used the case study method to gather data and an abductive strategy to analyze it.
Our findings are summarized in six recommendations. We found that institutional pressures play
a critical role in the implementation of Section 404. In particular, organizations face coercive
pressure to achieve Section 404 compliance, without which punitive sanctions can be imposed by
regulators. Organizations tend to imitate one another in the methods they use so that each is perceived
to be in line with its competitive environment. Organizations face normative pressures to
act in ways that are socially acceptable, which is to achieve compliance. Failure to do so would
be a signal to the market that the organization does not take controls seriously. We expand these
findings in terms of power and influence tactics that IS organizations can use when implementing
Section 404. Our findings provide directions for practice and lines of enquiry for further research.