Internal control over financial reporting is defined as a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP). It involves maintenance of records, and true and fair reflections of the transactions and details of the assets of the company. The main objective of internal control is to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.
The issue of internal control reporting has been of considerable interest to the accounting profession, and has generated significant controversy (Mc Mullen, Raghunandan, & Rama, 1996). The standard states that management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a recognized control framework established by a body of experts that followed due-process procedures to develop the framework. In the United States, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission published Internal Control Integrated Framework, commonly called the COSO Report. In this report, they discussed the issues relating to internal control and included some model MRICs (management reports on internal control). The Public Oversight Board (POB) (1993) and the board of directors of the AICPA (1993) recommended the management to include a report on internal controls because they noted that increased auditor and top level management involvement in internal controls would improve the quality of financial reporting. However, the SEC never managed to mandate such a reporting system as there was a considerable opposition from many preparers (especially from small and medium-sized public companies) who debated that the cost of compliance for preparing those reports were relatively higher than the benefits expected. As a result of the strong differences of opinions, MRIC's relevance could not be absolutely determined.
THE ROLE OF CORPORATE GOVERNANCE
Corporate governance is the process of managing, directing, and monitoring a corporation with the goal of creating shareholder value while protecting the interests of other stakeholders. Shareholders elect board of directors so that they could indirectly oversee actions undertaken by managers. They are the agents of the shareholders whose main function is to assess and monitor the activities of the managers and make sure that they perform for the best interest of the shareholders and the corporation. The board of directors are responsible for appointing the mangers and also have the right to remove managers based on their poor performance. This enables the shareholders to monitor the performance, and control distribution of profits in the corporation. Quality financial reports and reliable financial statements which are free of material misstatements due to errors and frauds can be achieved when there is a well-balanced, functioning system of corporate governance.
The theories related to corporate governance has been evolving with time. The neo-classical view as expressed by Modigliani and Miller (1958) is that irrespective of any institution, investment and financing decisions of the firm would remain independent of each other. Furthermore, he mentioned that corporate governance structure of the firm would not contribute to creation of value for shareholders. The neo-classical view paid no or limited attention to corporate governance issues since it was believed that the value of the firm is independent of its mix of debt and equity employed in financing the assets of the corporation therefore, corporate governance does not matter. The modern view on corporate governance, as expressed by North (1994), depicts formal and informal contractual agreements among corporate stakeholders. These may include the payoff structure for suppliers of capital such as stockholders and lenders, the incentive structure for corporate managers, and the organizational structure for maintaining an effective balance in bargaining power of employees of the corporation. The post neoclassical views, however, show that stakeholders' incentives can play a significant role on the mix of debt and equity used in financing the firm's assets, and on its capital investment decisions. Thereby corporate executives can add value to the firm and affect distribution of wealth between common stockholders and bondholders.
For good corporate governance, companies should utilise and maximise the efficiency of the tools involved for circulating corporate governance. The tools comprise of Board of Directors, Audit Committee, Top Management Team, Internal Auditors, External Auditors, and Governing Bodies. Each plays a crucial role in fostering a better corporate governance system in the companies.
Board of Directors
A board of directors doesn't get involved in day-to-day management, yet it has the unique role of overseeing, monitoring, and controlling management activities. It should monitor management plans, decisions, and activities and act independently. Ineffective boards make financial statement fraud possible. A board can be rendered ineffective when management overrides the board's monitoring responsibility, influences the selection of outside directors, controls meetings and agendas, and delivers inside information to certain members.
The Audit Committee
The audit committee composes of non-executive and independent board members whose main function is to oversee corporate governance, financial reporting, internal control, and audit functions. The activeness of the audit committee is highly important as their vigilance determines the probability of financial statement frauds.
Top Management Team
The top management, specifically the CFO, is responsible for the fair presentation of financial statements. Management should produce high-quality, transparent financial reports and present objective, consistent, transparent, and comparable financial results and conditions. Top executives must now certify the accuracy and completeness of financial reports, and they're responsible for establishing and maintaining effective internal controls. They shouldn't influence, coerce, manipulate, or mislead auditors, and they should reconcile pro forma statements with financial statements. They should also prepare Management's Discussion and Analysis (MD&A) sections that discuss and fully disclose critical accounting estimates and accounting policies.
Internal Auditors
The internal auditors' function is to continuously be on the lookout for red flags. They are the first line of defence against fraud. New SEC rules require CEOs and CFOs to establish and maintain a system of disclosure controls and procedures and to evaluate the system's adequacy and effectiveness. Internal auditors can help management establish, maintain, and monitor this.
External Auditors
The external auditors provide reasonable assurance that audited financial statements are free of material misstatements, reducing the risk that they are misleading, false, or fraudulent. External auditors must report all critical accounting policies and practices to the audit committee and report on management's assessment of the effectiveness of internal controls. They must also keep work papers and audit evidence for at least seven years.
Governing Bodies
The examples of governing bodies are Stock exchanges, the SEC, the Financial Accounting Standards Board (FASB), the AICPA, the Institute of Internal Auditors (IIA), and state regulators. All of these individually, play a vital role in influencing corporate governance, the financial reporting process, and audit functions.
EVOLUTION OF SARBANES OXLEY ACT
Financial reporting is an important element of the system of corporate governance. The natures of problems over corporate governance were highly debated particularly in relation to listed companies. Furthermore, debates rose on the role of internal control over financial reporting and the need to regulate financial reporting. It was often seen that managers undertook creative accounting methods to manipulate the financial reporting system. The accounting practice allowed choice of methods in determining the methods of measurement, criteria for recognition and definition of accounting entity, on which financial reports were based. This could have been prevented by internal auditors, but due to lack of auditors' independence and inexistence of a proper reporting standard it was not possible. However, management reports on internal controls (MRIC) did discuss about the issues related to audit committee and internal auditing, and they also discussed issues such as code of conduct, personnel training and written policies, the notion of reasonable assurance, cost-benefit considerations, etc. It was noted that MRIC reduced the chances of manipulation of financial accounting. Despite of that, companies did not opt for MRICs as it was time and money consuming. Hence, internal control over financial reporting was ineffective and unreliable. As a result, corporate scandals and failures emerged one after another and the weaknesses in the corporate governance mechanism and internal control standards were exposed.
In response to the high profile business failures like Enron, WorldCom, Xerox, Sunbeam, Waste Management, Adelphia, Tyco, HealthSouth, Global Crossing, and many others in 2001, the United States Congress passed the Sarbanes-Oxley Act (SOX) in July 2002. The objective of SOX was to introduce corporate governance reforms aimed at restoring investors' confidence in the capital markets. It implemented challenging internal control reporting requirements, which all the companies in the US had to comply to. They created the Public Company Accounting Oversight Board (PCAOB) whose main function was to establish auditing standards, maintain quality control and ethics and submit an annual report to the SEC. Sections 404 and 302 were two of the important aspects of the SOX which addressed issues relating to internal control.
Section 404
This section requires management to assess the effectiveness of its internal control over financial reporting and requires the independent auditor to report on management's assessment and on the effectiveness of the company's internal control over financial reporting. It also requires management to include in the company's annual report, a conclusion based on that assessment as to whether the company's internal control is effective. In addition, Section 404 of the SOA directs the Public Accounting Oversight Board (PCAOB) to establish professional standards governing the independent auditor's attestation and reporting on management's assessment of the effectiveness of internal control.
Section 302
This section requires the principal executive officer and the principal financial officer to certify and sign annual and quarterly reports submitted to the SEC including certifying that those officers are responsible for establishing and maintaining internal controls.
The Essence of SOX
Many companies, especially small and medium sized companies have complained that, in addition to the immense implementation costs of SOX, guidance for management to apply when discharging its responsibilities is lacking. They have stressed that the lack of guidance about identifying deficiencies relating to internal control is a major setback and there should be more clearer guidance to the significance of a deficiency and defining what comprises a material weakness in the internal control system. They have also had questions about how the existence of material weakness in the internal control system affects the auditor's response on ICOFR (internal control over financial reporting), the company's financial statements, and the capital markets' reaction to the existence of material weakness in ICOFR.
Fulfilling the mandates of SOX need not be an obstacle to implement a better control on financial reporting. Instead, the compliance process can enable companies to focus on enterprise-wide risks through a distributed evaluation-that is, a self assessment of risk and control. Such an approach can help companies achieve a better-balanced risk and control status. The SOX's internal control regulations can help companies to achieve a company-wide transformation of business processes. It helps the companies to make greater use of automated or system-based controls, and provides an opportunity of better evaluation of process risks and mitigation of risk. Furthermore, it helps in cutting the risk of error by using a more technology-based method of control rather than manual processes. It was noted that earnings management, measured in a variety of ways, fell after Sarbanes-Oxley, as did frauds that form the basis for significant class action securities lawsuits (Coates, 2007). Ideally, reports on internal control not only result in improvements, they also provide financial statement users with an early warning about potential future problems that could result from weak controls, as well as the possibility that past financial results may have to be restated.
Investor confidence also increased after the passage of Sarbanes-Oxley. By April 2006, even a majority of financial officers-who have generally been critical of Sarbanes-Oxley believed that the law (and Section 404 in particular) had increased investor confidence in financial reports. In that survey, a third reported that Sarbanes-Oxley had already helped to prevent or deter fraud (Financial Executives Research Foundation, Inc., 2006). At firms with more than $25 billion revenues, 83 percent of financial officers agreed that investors were more confident as a result of Sarbanes-Oxley (Coates, 2007). The SOX guidelines also gave relative freedom to the auditors committees. Furthermore, the rules prohibited external auditors to perform internal audit which previously was not possible. This led to the identification of the emphasis of internal auditors and their crucial role in the reliability of financial statements.
LITERATURE REVIEW
The criteria for the literature review was based on issues relating to internal control before and after the implementation of the Sarbanes-Oxley Act in 2002. Since internal control over financial reporting has come into prominence after corporate failures in the 2001, I was not able to find many articles before that period which directly addressed the issues. However, I have particularly focussed on academic journals which addresses the current concerns of internal control.
Pre-SOX
Corporate Governance and the Regulation of Financial Reporting - Geoffrey Whittington, 1993. This paper examines the inter-dependent role of corporate governance and financial reporting within the institutional context of listed companies in the UK. Four related issues were addressed: the nature of the current problems of corporate governance, the role of financial reporting as a palliative for these problems, the need to regulate financial reporting if it is to fill this role, and the form which such regulation is likely to take.
Internal Control Reports and Financial Reporting Problems - Dorothy A. McMullen, K. Raghunandan and D. V. Rama, 1996. This paper provided empirical evidence relevant to the debate about internal control reporting by examining the proportions of companies with two types of financial reporting problems which had prior internal control reports, and compares such proportions to the population proportions.
The Effects of Corporate Governance Experience and Financial-Reporting and Audit Knowledge on Audit Committee Members' Judgments - F. Todd DeZoort and Steven E. Salterio, 2001. This paper reports the results of a study investigating whether audit committee members' corporate governance experience and financial-reporting and audit knowledge affect their judgments in auditor-corporate management conflict situations.
Post-SOX
Was the Sarbanes-Oxley Act of 2002 really this costly? A discussion of evidence from event returns and going-private decisions - Christian Leuz, 2007. This paper discusses evidence on the costs of the Sarbanes-Oxley Act (SOX) from stock returns and going-private decisions.
Likely Effects of Stock Exchange Governance Proposals and Sarbanes-Oxley on Corporate Boards and Financial Reporting - April Klein, 2003. This paper describes many of the exchange proposals and puts them in their historical context and also presents the likely effects of the new corporate governance proposals on future boards of directors and assess their impact on the financial reporting system.
Internal Control Quality and Audit Pricing under the Sarbanes-Oxley Act - Rani Hoitash, Udi Hoitash, and Jean C. Bedard, 2008. This paper extends prior research on audit risk adjustment by examining the association of audit pricing with problems in internal control over financial reporting, disclosed under Sections 404 and 302 of the Sarbanes-Oxley Act [SOX].
Corporate Governance and Internal Control over Financial Reporting : A Comparison of Regulatory Regimes - Udi Hoitash, Rani Hoitash, and Jean C. Bedard, 2009. This study examines the association between corporate governance and disclosures of material weaknesses (MW) in internal control over financial reporting.
Sarbanes Oxley Section 404 Costs of Compliance: a case study - Lineke Sneller and Henk Langendijk, 2007. This paper investigates the cost of compliance of companies to assess their internal controls and acquire an attestation of this assessment from their external auditor.
Reducing Management's Influence on Auditors' Judgments: An Experimental Investigation of SOX 404 Assessments - Christine E. Ear¡ey, Vicky B. Hoffman, and Jennifer R. Joe, 2008. This study examines the general issue of auditors being "second movers" by investigating how their awareness of management's severity classifications of internal control problems influences auditors' initial assessments of internal control over financial reporting (ICFR) under Auditing Standard No. 2.
Economic consequences of the Sarbanes-Oxley Act of 2002 - Ivy Xiying Zhang, 2007. This paper investigates the economic consequences of the Sarbanes-Oxley Act (SOX) by examining market reactions to related legislative events.
RESEARCH AREAS AND METHODS
The articles before the SOX period primarily focussed on issues relating to corporate governance failures in regulating proper internal control over financial reporting. The papers arise from the controversy surrounding the issue of internal control reporting, as evidenced by recent actions and comments of various private sector commissions, regulators and legislators (DeZoort & Salterio, 2001). The paper on internal control reports and financial reporting problems (Mc Mullen, et al., 1996) provides empirical evidence relevant to the debate about internal control reporting by examining the proportions of companies with two types of financial reporting problems which had prior internal control reports, and compares such proportions to the population proportions. Specifically, they examine companies which either were subject to an SEC enforcement action or corrected previously reported earnings. The method used in this paper is to compare a sample of companies with financial reporting problems with a sample of companies without such problems and examine whether the problem companies were less likely to have had an MRIC in prior financial statements. Results indicated that smaller companies with a financial reporting problem were much less likely to have had a management report on internal control than the population of small companies in the NAARS database.
The articles published after the implementation of SOX in 2002, were generally discussing about the impact of SOX on the internal control, its cost of compliance and auditors' role in internal control over financial reporting. Three articles were based on the cost of compliances (X. Zhang, 2007) (Leuz, 2007) (Sneller & Langendijk, 2007), two on auditor's judgements (Klein, 2003) (Earley, Hoffman, & Joe, 2008) and two on the impact on internal control (Hoitash, Hoitash, & Bedard, 2008) (2009). Of the two articles on auditors' role, one examines the association of audit fees and the quality of internal control over financial reporting (ICFR) following the passage of the Sarbanes-Oxley Act of 2002 (SOX)(Klein, 2003). This issue is important because recent revelations of high-profile frauds have highlighted the key role of corporate controls in preventing catastrophic investment loss. While corporate controls are the first line of defence against misstatements in financial reporting, auditors provide another layer of investor protection by reducing the risk of misstatement. The sample consists of accelerated filers required to comply with SOX Section 404 for annual reports dated after November 15, 2004.
The other paper examined the influence of management on the auditor's decision making (Earley, et al., 2008). Auditors often receive summary information or conclusions from management about account balances or internal controls. They must then gather evidence to assess whether this information is fairly stated. In such situations, management can be considered the "first mover" and the auditor the "second mover." When auditors are the second mover, they are vulnerable to the curse of knowledge bias-the inability to ignore previously processed information. This study examines the general issue of auditors being "second movers" by investigating how their awareness of management's severity classifications of internal control problems influences auditors' initial assessments of internal control over financial reporting. SOX Section 404 requires a company's management and its auditors to document, test, and evaluate the effectiveness of ICFR, and each to reach independent conclusions regarding the severity of any control problems found. Management is typically the first mover in this process because completing its ICFR testing and evaluation before the audit often allows the company to remedy any material weaknesses before the end of the fiscal year under audit to avoid the negative public disclosure of the adverse opinion. Management could also conduct its ICFR testing and evaluation earlier in the fiscal year to comply with the quarterly certification process required under SOX Section 302. The auditor's knowledge of management's initial classification of an ICFR problem as a control deficiency, significant deficiency, or material weakness could have an impact on the auditor's subsequent testing and evaluations. Ultimately, being influenced by management's classification could result in the auditor's final assessment being biased in the direction of management's classifications.
Another study investigated the association of audit committee and board characteristics with effectiveness of internal controls over financial reporting (ICFR) focusing especially on studies of audit committee financial expertise and internal control effectiveness (Hoitash, et al., 2009). It raises the issue whether internal control quality, measured as material weaknesses (MW) disclosure, is associated with governance characteristics; i.e., audit committee financial expertise, and board and audit committee structure and activity. The paper also investigates whether the link between corporate governance characteristics and internal control quality holds in both Sections 302 and 404 of the SOX. The research method involved a unique method of collecting data. Use an automated data extraction that builds a database of audit committee qualifications from background information available from Audit Analytics.
The other three papers focussed on the cost of compliance of the SOX. Since the cost has been a major source of controversy, I thought it would be a good idea to see the different perspectives of authors on this issue. The article on the economic consequences of SOX examined the economic outcome by examining market reactions to related legislative events (X. Zhang, 2007). The author finds that the cumulative abnormal returns of US firms and foreign firms complying with SOX around key SOX events are negative and statistically significant. The evidence is consistent with SOX imposing net costs on complying firms. The cumulative abnormal returns of U.S. firms around all SOX events are negative but not statistically significant. However, this finding does not support SOX being costly. Another study builds on the former study (Leuz, 2007) and focuses on the interpretation of the evidence and, in particular, the issues of whether there is evidence that SOX imposes net costs on firms and whether their findings can in fact be attributed to SOX, rather than general market trends and concurrent events, which was the case in the other study. The author concluded that do not have much SOX-related evidence to support the conclusion that SOX has been excessively costly. In fact, there is evidence that SOX has increased the scrutiny public firms face, as intended by Congress, and that this effect has produced certain benefits. But the net effects on firms or the U.S. economy remain unclear.
Another study researched the costs of compliance with Section 404, for both the assessment and the attestation (Sneller & Langendijk, 2007). They concluded that the assessment costs are much higher than expected at the effectuation of SOX. In a case study, they find that the assessment costs are approximately 12 times higher than the initial estimate made by the SEC in 2002, and that the realised other expenses are approximately 1.4 times higher than this estimate. With respect to attestation costs, we conclude that Section 404 compliance
has a substantial effect on total audit fees.
THEORY
Agency theory contends that internal auditing, in common with other intervention mechanisms like financial reporting and external audit, helps to maintain cost-efficient contracting between owners and managers. Agency theory may not only help to explain the existence of internal control in terms of audit in organizations but can also help explain some of the characteristics of the internal audit department, for example, its size, and the scope of its activities, such as financial versus operational auditing. Agency theory can be employed to test empirically whether cross-sectional variations between internal auditing practices reflect the different contracting relationships emanating from differences in organizational form.
CONCLUSION
In the wake of the business failures and corporate scandals that began with Enron in 2001. the U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX). The objective of SOX was to introduce corporate governance reforms aimed at restoring investors' confidence in the capital markets. SOX created the Public Company Accounting Oversight Board (PCAOB) and gave it the power to establish auditing, quality-control, ethics, and independence standards; enforce compliance with these standards; inspect the extent to which each registered public accounting firm adheres to SOX; and submit an annual report to the SEC as to SOX compliance. At its core, the Sarbanes-Oxley legislation was designed to fix auditing of U.S. public companies, which is consistent with the official name of the law: the Public Company Accounting Reform and Investor Protection Act of 2002. By consensus of investors and Wall Street professionals alike, auditing had been working poorly.
While SOX has resulted in the public disclosure of numerous internal control deficiencies, the cost of compliance has also been widely questioned. In exchange for these higher costs, Sarbanes-Oxley promises a variety of long-term benefits. Investors will face a lower risk of losses from fraud and theft, and benefit from more reliable financial reporting, greater transparency, and accountability. Public companies will pay a lower cost of capital, and the economy will benefit because of a better allocation of resources and faster growth. However, the law's full costs are hard to quantify, and the benefits even harder, so any honest assessment of Sarbanes-Oxley must be tentative and qualitative.
