
FERF@65: does internal control improve operations and prevent fraud?


During the 1920s, a need arose--that was not well-defined at first--for a carefully created control function in business organizations. With it came a hunger for the objective judgment that only controllers were in a position to contribute to the decision-making process.

The Controllers Institute of America (predecessor to Financial Executives International) was the response to the demand for this control mechanism and objective quality of thought in management, wrote James L. Peirce in 1971, in the introduction to FEI's history, The First Forty Years, by Paul Haase.

The Controllership Foundation (now Financial Executives Research Foundation, known as FERF) was chartered in New York, on Nov. 29, 1944. It was expected to help achieve two of the institute's original objectives: "Assembling facts and information of value to controllers" and "publishing pamphlets, books and reports," Haase wrote.

The search for a better understanding of control and more effective control systems in business, nonprofit and government enterprises has been a constant endeavor over the past century. It's not surprising then, to look over the long history of FERF research and find countless research publications and substantial dollars invested in issues related to control.

Centralization vs. Decentralization

Some of the earliest research studies published by FERF examined how the controller's department should be organized. In his 1954 research study, Centralization vs. Decentralization in Organizing the Controller's Department, Herbert A. Simon wrote: "if that role is restricted largely to accounting and the preparation of figures to be analyzed by others, a relatively centralized organization may operate in a satisfactory manner."

In 1978, Simon was awarded the Nobel Memorial Prize in Economics, for his pioneering research into the decision-making process within economic organizations.

Roland Laing, retired FERF president and chief staff officer from 1983-93, notes that "During the sixties and seventies, companies were expanding and merging, running much more decentralized and diverse structures (some firms became known as conglomerates). Controllers were asking questions on how to get the right information for analysis and reporting and how to maintain good operational controls in these complex organizations."

FERF published what have become two management classics: Divisional Performance and Control (1965), by David Solomons, and Decentralization: Managerial Ambiguity by Design (1979), by Richard Vancil, as well as a study, Financial Control of Multinational Operations (1971), by Bursk, Dearden, Hawkins and Longstreet.

The Foreign Corrupt Practices Act of 1977

The controller's department was also to take on additional responsibilities. During the 1970s, the U.S. Securities and Exchange Commission had uncovered extensive evidence of bribery and related crime. Lay Person's Guide to FCPA, on the U.S. Department of Justice Web site, states:

"Congress enacted the FCPA [Foreign Corrupt Practices Act of 1977] to bring a halt to the bribery of foreign officials and to restore public confidence in the integrity of the American business system."

Besides its anti-bribery provisions, FCPA also requires SEC-listed companies to meet its accounting provisions.

In 1979, following enactment of FCPA, the SEC proposed rules that would have required a company to annually disclose certain information about its internal accounting controls. Because this proposal was criticized for many reasons--including its close correlation with FCPA requirements--the SEC decided to allow the private sector to develop its own initiative.

FERF responded with Internal Control in U.S. Corporations: The State of the Art (1980), by a team of researchers from the University of Michigan, led by Professor of Accounting Robert K. Mautz. The research methodology for this project included interviews of executives from 50 randomly selected companies and a survey that garnered 673 responses.

The research team arrived at several major findings, including: "Control is seen by most executives as an integral part of the management process and a key management responsibility which they accept."

Mautz and several members of his research team completed two additional reports: Criteria for Management Control Systems and Senior Management Control of Computer-Based Information Systems.

The '80s and '90s: The Treadway Commission and COSO

In the early 1980s, deceptive financial reporting attracted the public's attention and the U.S. Congress formed a subcommittee to consider and propose legislation to address the problem. The Financial Fraud and Detection Act of 1986 was introduced by then-Rep. Ron Wyden (D-Ore.), who is now a U.S. senator.

In 1987, FERF published Fraudulent and Questionable Financial Reporting: A Corporate Perspective, in which author Kenneth A. Merchant--then a professor at the Harvard Business School--wrote: This research study "takes a corporate perspective, describing how and why deceptive reporting takes place at both top- and middle-management levels in corporations and suggests ways of preventing or discouraging deceptive practices or at least detecting them more quickly."

One recommendation was to institute a corporate code of conduct, with guidelines for financial reporting. "In companies that have implemented such guidelines, FCPA requirements--which obligate the company to maintain books and records that accurately and fairly reflect the substance and details of transactions--are taken as a starting point, and then the guidelines typically expand on those requirements."

In 1985, the Committee of Sponsoring Organizations of the Treadway Commission, known as COSO, was formed to sponsor the National Commission on Fraudulent Financial Reporting. The Treadway Commission was jointly sponsored and funded by five professional accounting associations and institutes: American Institute of Certified Public Accountants; American Accounting Association; FEI; The Institute of Internal Auditors; and the Institute of Management Accountants (IMA).

The commission's first chairman was namesake James C. Treadway Jr., executive vice president and general counsel for Paine Webber Inc. and a former SEC commissioner.

The Treadway Commission recommended that its sponsoring organizations work together to develop integrated guidance on internal control and shortly after--in 1988--the SEC proposed rules that would have required companies to include in their annual reports a report of management's responsibility for the company's internal control system and an assessment of its effectiveness. Again, following criticism, the SEC decided to allow the private sector to develop its own recommendations.

COSO urged FERF to undertake a new study of integrated guidance on internal control, and FERF's Board of Trustees agreed. For this study, the project's research committee selected the proposal of Coopers & Lybrand (now PricewaterhouseCoopers).

The research report was finished within two years and the research committee approved its release to COSO, which released the research to constituent groups and government regulatory agencies, including the SEC. After deliberation, the report was amended and published by COSO in 1992 as Internal Control--Integrated Framework.

The objective of this report was to define and describe internal control to:

* Establish a common definition serving the needs of different parties; and

* Provide a standard against which business and other entities--large or small, in the public or private sector, for profit or not--can assess their control systems and determine how to improve them.

The integrated framework defined internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations."

The scope of this definition moved internal control from a focus on internal accounting controls to the role of internal controls for all business purposes, which, in turn, moved the financial executive prospectively to a much broader business role regarding internal controls.

The framework included measures to detect and prevent fraud. At the same time, the report made an important point about the practicality of internal control: there was a relationship between costs and benefits.

Among the most important benefits of this study was its "call to senior management to set a strong tone in support of an effective internal control system for the entity and its emphasis that that system required a robust risk management component," suggests Laing.

"However, if the anecdotal evidence from the 2000-02 and 2007-09 recessions is any indication, it appears that too many senior executives failed to provide the needed leadership and too many enterprises had short-circuits in their risk management processes."

In an academic paper published in the June 2002 issue of Critical Perspectives in Accounting, "Defrauding the Public Interest: A Critical Examination of Reengineered Audit Processes and the Likelihood of Detecting Fraud," Charles P. Cullinan and Steve G. Sutton wrote that CEOs were involved in 70 percent of the 276 frauds that took place between 1987 and 1999, based on analyzing SEC enforcement actions; and another 20 percent of the frauds involved other members of senior management.

The Sarbanes-Oxley Act of 2002

Until 2002, external auditors were not supposed to specifically design their audit procedures to detect all frauds, just those that could materially impact the firm's financial statements. If they detected fraud, they were expected to report it.

However, they did have to evaluate a company's system of internal controls to determine how much reliance they would place on the existing internal controls and thereby limit the amount of additional testing that would be required in the audit examination.

Then came the Enron Corp. and WorldCom Inc. debacles. The U.S. legislative response was The Sarbanes-Oxley Act of 2002, which was enacted on July 30 of that year. Section 404 of the Sarbanes-Oxley Act directed the SEC to prescribe rules requiring annual reports to contain an internal control report. The SEC responded with proposed rule 33-8138, "Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002."

The act requires that a complying organization use a framework for internal control, and that it identify the framework used. The SEC proposal identified the COSO integrated framework as appropriate. This, the third time the SEC proposed an internal control report requirement, was backed up with legislation.

Another important feature of the act was the delineation of a mandatory whistleblowing process. This fit well with FERF's earlier findings about the source of most fraud and with the COSO internal control framework.

Section 404 of the act requires management of public companies to include in their annual reports an assessment of the effectiveness of their financial controls.

To help senior financial executives comply with Section 404, FERF published a series of research reports. Two of the reports were based on roundtable discussions by the Section 404 implementation team leaders from companies represented on FEI's Committee on Corporate Reporting. The first report, Sarbanes-Oxley Section 404 Implementation: Practices of Leading Companies (May 2005), described the compliance practices for a number of aspects of Section 404 as they transitioned from a "project" orientation to a sustainable "process."

Most of the participating executives agreed that compliance with Section 404 had resulted in specific benefits to their businesses, such as encouraging a thorough review of existing processes in their business units. However, most also agreed that compliance had resulted in significant unintended consequences, including excessive costs, diversion of management attention from running the business and a changed relationship with their external auditors. In sum, U.S. companies may have been placed at a competitive disadvantage.

The second FERF report, Sarbanes-Oxley Section 404 Compliance: From Project to Sustainability (November 2005), described how these same companies were improving their processes during the second year of compliance, as they aimed for long-term sustainability. Some of the process improvements described included using a top-down approach to risk and planning, requiring self-assessment from process owners and using software to automate documentation, controls and testing.

Top-Down Approach to Internal Control

Recognizing the importance of a top-down approach to internal control, FERF asked R. Malcolm Schwartz (one of the principal Coopers & Lybrand contributors to COSO's internal control framework) to describe how it should work. He authored a four-part series of reports on A Top-Down Approach to Risk Management and Internal Control.

Having led a number of projects dealing with internal control and the associated management of risk since COSO's publication, Schwartz said: "The original evaluation tools needed to be improved, to deal more effectively with integrated business processes from a business perspective, with aggregated and differentiated risk, with business-process analysis as the core technique, and with integrated, continual monitoring.

"As we incorporated these features during the 1990s and as Sarbanes-Oxley came into being, and as we refined these features, the cost of internal control dropped substantially, so the benefits could be expanded. This was very helpful for dealing with fraud."

Can Internal Control Prevent Fraud?

It's obvious Sarbanes-Oxley has not prevented fraud--and the recent subprime mortgage and credit crises, the failures of large financial firms and banks and the Ponzi scandals of Bernard Madoff and Allen Stanford are prime examples.

Dennis R. Beresford was interviewed for an article in the March 2004 issue of Financial Executive ("Detecting Fraud; Who's Responsible?"). Beresford joined the faculty of the University of Georgia after serving as the chairman of Financial Accounting Standards Board from 1987 to 1997. At the time of the interview, he was chairman of the audit committee of MCI, the successor to WorldCom.

"As a member of the Special Investigative Committee of the Board of Directors of WorldCom, I saw [after the fact, because Beresford joined WorldCom's audit committee on July 21, 2002, almost a month after WorldCom first reported a financial statement fraud on June 25, 2002] the terrible financial reporting fraud, and I helped the company try to determine what happened and how to prevent reoccurrences," he said.

"Without going into great detail, it is fair to state that Andersen had evaluated WorldCom's internal controls as being very strong, although this review was done before Sarbanes-Oxley was enacted, and rather than reporting on the system of internal controls, they simply reviewed them.

"I fully recognize that an accounting firm's evaluation of internal control for purposes of planning the audit is nowhere near the same as an audit of internal control. However, I submit that if Andersen could have been so off base with respect to the general quality of internal control under the old rules, there is no assurance that they would have caught the problems under the new rules."

When asked about his 1987 work for FERF and what he might do differently today, Merchant--who authored the FERF 1987 study, and is now the Deloitte & Touche LLP chair in Accountancy and professor of Accounting at the Marshall School of Business at the University of Southern California--said: "To a large extent, nothing has changed. If anything, the topic is now even more important, and if I were writing this publication again, I'd say most of the same things. I still teach the cases included, or updated versions of them, in my courses. Sadly, the issues appear to be timeless!

"[C]learly some discussion of Sarbanes-Oxley would be necessary, but this law has certainly not solved the fraudulent and questionable financial reporting problem once and for all. I wonder if it has even minimized it. My basic reaction is general surprise that while so much has changed, so much has stayed the same."

William M. Sinnett (bsinett@financialexecutives.org) is director of Research for Financial Executives Research Foundation.

The third in a series of articles highlighting Financial Executives Research Foundation's published research over the past 65 years, this article looks at the role of the finance function in ensuring internal control--a topic that is now more important than ever.

The goal of FERF research is advancement through knowledge that is relevant and practical for organizations.

FERF Research Reports on Internal Control

1954  Centralization vs. Decentralization in Organizing the Controller's
      Department
      By Herbert A. Simon, George Kozmetsky and Gordon Tyndall

1965  Divisional Performance Measurement and Control
      By David Solomons

1971  Financial Control of Multinational Operations
      By Edward C. Bursk, John Dearden, David F. Hawkins and
      Victor M. Longstreet

1979  Decentralization: Managerial Ambiguity by Design
      By Richard F. Vancil

1980  Internal Control in U.S. Corporations: The State of the Art
      By Robert K. Mautz, Walter G. Knell, Michael W. Maher,
      Alan G. Merten, Raymond R. Reilly, Dennis G. Severance and
      Bernard J. White

1981  Criteria for Management Control Systems
      By Robert K. Mautz and James Wingum

1983  Senior Management Control of Computer-Based Information Systems
      By Robert K. Mautz, Alan G. Merten and Dennis G. Severance

1987  Fraudulent and Questionable Financial Reporting: A Corporate
      Perspective
      By Kenneth A. Merchant

1991  Integrated Framework of Internal Controls: Its Significance
      to Executives
      By Howard L. Siers

1995  Internal Audit and Innovation
      By James A.F. Stoner and Frank M. Werner

2003  What is COSO? Defining the Alliance That Defined Internal Control
      By Tiffany McCann

2004  Sarbanes-Oxley Section 404 Implementation: Status on Structure,
      Process and Sustainability
      By Cheryl de Mesa Graziano

2005  Sarbanes-Oxley Section 404 Implementation: Practices of
      Leading Companies
      By Cheryl de Mesa Graziano, Robert A. Howell and William M. Sinnett

      Sarbanes-Oxley Section 404 Compliance: From Project to Sustainability
      By William M. Sinnett and Robert A. Howell

2006  A Top-Down Approach to Risk Management and Internal Control Series
      By R. Malcolm Schwartz
      Issue #1: Having a Business-Process Focus Tied to Business Planning
      Issue #2: Using an Aggregated Risk Assessment to Reduce Costs

2007  Issue #3: Using a Process Point of View to Reduce Costs
      Issue #4: Relying on Ongoing Monitoring to Test Controls Performance

2008  Fraud Risk Checklist: A Guide for Assessing the Risk of Internal Fraud
      By Gary A. Rubin

COPYRIGHT 2009 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2009 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:Financial Executives Research Foundation; Foreign Corrupt Practices Act of 1977
Author:Sinnett, William M.
Publication:Financial Executive
Geographic Code:1USA
Date:Sep 1, 2009
Words:2849