How Effective are Organizations’ Internal Controls? Insights into Specific Internal Control Elements

Current Issues in Auditing, Volume 6, Issue 1, 2012, Pages A31–A50. American Accounting Association. DOI: 10.2308/ciia-50146
Author: Felicia Booth

Dana R. Hermanson, Jason L. Smith, and Nathaniel M. Stephens

SUMMARY: Based on survey responses from approximately 500 Chief Audit Executives (CAEs) and other internal auditors, this article provides an insider’s view of the perceived strength of organizations’ internal controls (i.e., internal control over financial reporting) in the Control Environment, Risk Assessment, and Monitoring components of the Committee of Sponsoring Organizations’ (COSO 1992a) Internal Control—Integrated Framework. Although the respondents largely rate control strength as relatively high, we identify several areas for potential improvement of internal controls, especially related to assessing the “tone at the top,” as well as following up on deviations from policy and management override of controls. In analyzing individual control elements, we find that public companies’ controls are consistently rated as more effective than those of other organizations. We also find a number of interesting differences across key industries, especially in the Monitoring component, where banks and other financial services firms appear to have more robust Monitoring controls than do healthcare and other services firms. The component-level analysis reveals that internal control component strength is positively related to the CAE reporting primarily to the audit committee, public company status, and the average tenure of the internal audit function staff, among other findings. Based on the survey findings, we describe key implications relevant to internal and external auditors, accounting researchers and educators, and management.

Keywords: internal control; control environment; risk assessment; monitoring.

Dana R. Hermanson is a Professor at Kennesaw State University, Jason L. Smith is an Assistant Professor at the University of Nevada, Las Vegas, and Nathaniel M. Stephens is an Assistant Professor at Utah State University.

We appreciate helpful comments from Dorsey Baskin (co-editor), Rich Houston (co-editor), and two anonymous reviewers. We thank the PricewaterhouseCoopers (PwC) INQuires program, the Institute of Internal Auditors Research Foundation, and Nicki Creatore for their generous support of this project.

Submitted: August 2011
Accepted: February 2012
Published Online: February 2012


INTRODUCTION

We recently developed a survey that was administered by the Institute of Internal Auditors Research Foundation (IIARF) to Chief Audit Executives (CAEs) and Internal Audit Managers. The purpose of the survey was to ask CAEs and Internal Audit Managers to assess the strengths and weaknesses of their organizations’ internal controls. Such specific information about individual control elements typically is not publicly available, and we believe that auditors and management would benefit from current, detailed assessments of internal control strength across a broad range of organizations. These assessments by internal audit insiders could be quite beneficial for identifying internal control areas that may require additional attention.

In this article, we report and provide insights into approximately 500 internal auditors’ perceptions of the strength of their organizations’ controls, with particular focus on internal control over financial reporting.[1] First, we examine control elements perceived to be relatively weak or relatively strong.[2] Although the respondents largely rate control strength as relatively high, we identify some common areas for potential improvement, especially in assessing the “tone at the top,” as well as following up on deviations from policy and management override of controls.

Second, we explore variations in perceived control strength at the individual control element level by comparing public companies with other organizations and providing information about four key industries. We find that public companies’ controls are consistently rated as more effective than those of other organizations. We also find a number of interesting differences across key industries, especially in the Monitoring component, where banks and other financial services firms appear to have more robust Monitoring controls than do healthcare and other services firms (likely because of the regulated nature of the industry and the significant compliance risks these firms face).

Finally, we examine variations in control strength at the component level, exploring how Control Environment, Risk Assessment, and Monitoring strength vary with key characteristics of the internal audit function and organization. The component-level analysis reveals that internal control component strength is positively related to the CAE reporting primarily to the audit committee, public company status, and the average tenure of the internal audit function staff, among other findings.

We believe that the results of this study will be useful to internal and external auditors, accounting researchers and educators, and management. We offer implications of each of the major findings. In particular, we encourage increased appreciation of the tone at the top, management override, industry differences in Monitoring strength, and the potential value of the CAE reporting primarily to the audit committee, as well as having experienced internal audit staff.

BACKGROUND

Since the passage of the Sarbanes-Oxley Act of 2002 (SOX, U.S. House of Representatives 2002), the literature on internal control weaknesses and their disclosure by public companies has grown rapidly. Schneider et al. (2009) review this literature, which is primarily based on internal control reports under Sections 404 and 302 of SOX. Such reports disclose details of companies’ material weaknesses (and sometimes significant deficiencies) in internal control. Thus, the focus of research on adverse Section 404 reports is on the minority of companies with public disclosures citing materially deficient internal controls. As described by Schneider et al. (2009), this literature provides insights into the types of companies with internal control deficiencies, the nature of specific internal control deficiencies cited, the consequences of internal control deficiencies, and auditing issues related to internal control deficiencies.

Much less common are studies that provide more specific insights into internal control strength across a broad range of companies, including the majority of public companies without reported materially deficient controls under SOX. For example, Hansen et al. (2009) survey internal auditors to explore assessments of the tone at the top. They report findings related to current practices and future plans for assessing the tone at the top (e.g., how often, who is involved, which positions are included in the assessment), as well as current assessments of the tone at the top. They find that 47 percent of respondents assess their tone at the top as “Very Good,” 33 percent report the tone as “Good,” and 15 percent report the tone at the top as “Adequate.” Only 2.5 percent of respondents report the tone as either “Poor” or “Very Poor.” Likewise, Hunton et al. (2011) survey financial managers regarding the tone at the top, subsequently relating these assessments to companies’ earnings quality. They find that perceived tone at the top is positively related to earnings quality as measured by the researchers.

We extend this line of research by examining a broad range of control elements—37 elements across the Control Environment, Risk Assessment, and Monitoring components—to provide a current view of internal control strength across a range of organizations.[3] We include both public companies and non-public entities in our analysis.

[1] For ease of exposition, we use the term “internal controls” throughout the paper, but acknowledge our focus on internal control over financial reporting.

[2] Under COSO’s (1992a) internal control framework, there are numerous internal control “elements” that reflect specific individual controls. These control elements are grouped into internal control “components,” such as the Control Environment, Risk Assessment, etc.

METHOD

In 2010, the IIARF contacted over 3,000 North American CAEs at our request with an initial email invitation, and later sent a follow-up email invitation to participate in the survey, which was hosted on an online survey platform. To supplement the CAE sample, the IIARF subsequently contacted over 3,000 Internal Audit Managers with an email invitation to participate (no second request was sent to the Managers). After these three solicitations (two to CAEs and one to the Internal Audit Managers), we received 501 responses, for an overall response rate of approximately 8 percent. This rate is consistent with prior studies targeting internal auditors (e.g., Beasley et al. 2005; Hansen et al. 2009).

The survey requested that the respondents rate the strength of their organizations’ controls on a scale from 1 = “Not very descriptive of my company” to 7 = “Very descriptive of my company,” where each internal control element was described in positive terms (e.g., “Management is committed to high quality, accurate financial reporting.”) using language quoted or adapted from COSO’s internal control implementation guidance (COSO 1992a, 1992b). The survey included 19 Control Environment elements, seven Risk Assessment elements, and 11 Monitoring elements. The 37 individual internal control elements included in the survey are those that experienced external auditors (in a prior survey conducted by the authors) had rated as most important in promoting financial reporting quality.[4]

[3] We focus on these three components of internal control partly to keep the scope of the study manageable. In addition, the Control Activities component is very specific to an industry, and the Information and Communication component may rely on the effectiveness of the other COSO components (see Hermanson et al. 2011).

RESULTS

Respondent Profile

As shown in Table 1, the approximately 500 respondents are primarily CAEs or managers with significant experience in internal auditing. Organization size varies widely, with nearly half of the organizations reporting under $500 million in annual revenues, and over one-third having revenues over $1 billion. The industry distribution of the sample also is broad. The most represented industries include financial services, banking, healthcare, and other services, which collectively account for approximately half of the sample. The vast majority of the organizations are U.S.-based, and nearly half are U.S. public companies.[5]

In terms of the nature of the internal audit function, the vast majority of CAEs report to the audit committee (44 percent), or equally to the audit committee and management (37 percent). Approximately half of the organizations typically have career internal auditors (51 percent), as opposed to having short tours of duty in internal audit. Most of the organizations have either no internal audit outsourcing (41 percent) or very low levels of outsourcing. The average annual internal audit budget is $1.8 million (median of $719,000), and most (69 percent) of the internal audit functions spend less than half of their time on financial audits. Approximately one-third of the internal audit staff members possess the CIA (33.5 percent), and over one-third of members (38.2 percent) possess the CPA certification. Finally, 40 percent of the organizations have a formally designated Chief Risk Officer (CRO) or senior management equivalent.

[4] The prior survey results are reported in a contemporaneous academic paper that examines (only for the public company respondents who provided identifying information) the relation between internal control strength and accruals quality (Hermanson et al. 2011). The first survey asked 20 experienced external auditors (manager-level and higher) from national and Big 4 firms to rate 97 internal control elements, with each control element’s importance to the quality of financial reporting rated on a scale from 1 (Not very important to financial reporting quality) to 7 (Very important to financial reporting quality). The 34 highest rated of these 97 elements were included in the present study’s 37 elements, along with three additional Risk Assessment elements, to provide better balance across the three components. We reduced the number of elements from 97 to 37 to make the length of the survey more manageable, and to focus on those elements most likely to be related to the quality of financial reporting.

[5] To identify public companies, we first asked, “Is your company a U.S. publicly traded company?” Then, if yes, we asked, “Finally, we ask that you provide the following company identifiers. These company identifiers are needed to match survey responses with publicly available information (e.g., Securities and Exchange Commission [SEC] filings) to assess companies’ financial reporting quality and to complete the objectives of this study. We remind you that your responses will remain strictly confidential. Ticker symbol: CIK code: Company name:” Thus, our intent was to identify U.S. publicly traded companies, as opposed to, for example, governmental entities with publicly traded debt.

TABLE 1
Survey Respondents and Their Organizations

What position or title do you hold in your organization? (n = 458)
  Chief Audit Executive (or other equivalent title): 56%
  Manager of Internal Audit: 34%
  Other: 10%

How many years of experience do you have in internal auditing? (n = 457)
  20+ years: 27%
  15 to 19 years: 16%
  10 to 14 years: 22%
  5 to 9 years: 24%
  1 to 4 years: 11%

Organization revenues (n = 376)
  <$100 million: 23%
  $100–$499 million: 22%
  $500–$999 million: 18%
  $1–$5 billion: 26%
  >$5 billion: 11%

Industry (n = 396)
  Financial services: 18%
  Banking: 14%
  Healthcare: 9%
  Services: 7%
  Manufacturing: 6%
  Education: 6%
  Retail/wholesale: 5%
  Other (industries less than 5% of sample and those who selected “Other”): 35%

Country where headquarters is located (n = 499)
  United States: 84%
  Canada: 8%
  Mexico: <1%
  Other: 8%

U.S. public company? (n = 447)
  Yes (13 of these companies have HQ outside the U.S.): 47%
  No: 53%

How would you characterize your organization’s reporting channel for the Chief Audit Executive (or equivalent)? (n = 448)
  The Chief Audit Executive (CAE) reports primarily to the audit committee: 44%
  The CAE reports primarily to management: 15%
  The CAE reports equally to the audit committee and to management: 37%
  Other: 4%

In general, how would you characterize your organization’s IAF? (n = 447)
  Most IA staff are career internal auditors: 51%
  IA staff are sometimes promoted to management positions outside of the IAF: 30%
  IA staff members often do short tours of duty in the IAF and are then promoted to management positions outside of internal audit: 3%
  Other: 16%

In terms of overall work performed, what percentage of your internal audit function (IAF) is outsourced? (n = 444)
  30% or more Outsourced: 17%
  20%: 13%
  10%: 29%
  No outsourcing: 41%

What was your annual IAF budget (combined in-house and outsourced) for the most recently completed fiscal year? (n = 315)
  Mean = $1.81 million
  Median = $719,000

Please indicate below the percentage of time your IAF spends conducting financial audits (including assisting the external auditor and performing SOX 404 internal control audits): (n = 443)
  75% or more: 10%
  50% to 74%: 21%
  25% to 49%: 33%
  Less than 25%: 36%

Please indicate below the approximate percentage of IAF professional staff with:
  Certified Internal Auditor (CIA) certification (n = 392): Mean = 33.5%
  Certified Public Accountant (CPA) certification (n = 399): Mean = 38.2%

Does your organization have a formally designated Chief Risk Officer (CRO) or senior management equivalent? (n = 450)
  Yes: 40%
  No: 60%

Relatively Weak and Relatively Strong Control Elements Overall

First, it is important to recognize that, overall, the respondents rated control strength as relatively high (most means exceed 5.0 on the seven-point scale). The weakest overall controls (those rated under 5.0, on average) are found mainly in the Control Environment component (Panel A of Table 2, Column 1). By far, the lowest-rated item relates to companies performing regular assessments of the tone at the top (Panel A, Item 19, mean = 4.09; 36.6 percent of respondents had ratings of 1–3 for this item, indicating weak controls). Despite the emphasis placed on an organization’s tone at the top (e.g., from the Treadway Commission report to the present day), it appears that many companies do not regularly assess the tone at the top. Given that the recent COSO study, Fraudulent Financial Reporting: 1998–2007 (Beasley et al. 2010), found that nearly 90 percent of accounting fraud cases involved the CEO and/or CFO, we believe that it is vital to understand and regularly assess the company’s tone at the top.

Relatedly, the second lowest-rated control relates to limited board and audit committee involvement in assessing the tone at the top (Panel A, Item 18, mean = 4.61; 27.1 percent of respondents had ratings of 1–3 for this item). This result is consistent with a recent study by Beasley et al. (2009), who found that many public company audit committee members do not appear to accept very much responsibility for overseeing the risk of fraudulent financial reporting by top executives, with many indicating that it was difficult to assess management’s integrity.

Two other relatively weak controls suggest that policies are not consistently followed, on average. Some organizations do not appear to investigate and document all deviations from established policies (Panel A, Item 17, mean = 4.63; 22.5 percent of respondents had ratings of 1–3 for this item), and in other organizations, management override of controls is not always appropriately documented and explained (Panel A, Item 16, mean = 4.81; 19.1 percent of respondents had ratings of 1–3 for this item). Frequent deviations from policy and management


TABLE 2
Internal Auditors’ Assessments of Internal Control Elements

Panel A: Control Environment

| Element | (1) Overall Mean* | (2) Overall Median* | (3) Mean U.S. Public Cos.** | (4) Mean Other** | (5) Mean Banking | (6) Mean Financial Services | (7) Mean Healthcare | (8) Mean Services |
|---|---|---|---|---|---|---|---|---|
| 1. Management is committed to high-quality, accurate financial reporting. | 6.35a | 7 | 6.48 | 6.19 | 6.25 | 6.41 | 6.41 | 6.28 |
| 2. The executives in charge have the required knowledge, experience, and training to perform their duties. | 6.12a | 7 | 6.28 | 5.99 | 5.98 | 6.19 | 6.03 | 5.96 |
| 3. Necessary information is provided to the board and audit committee in a timely manner. | 5.92a | 6 | 6.16 | 5.72 | 6.11 | 5.69 | 5.33 | 5.83 |
| 4. Upper management is committed to ethics and integrity in business. | 5.89a | 6 | 6.04 | 5.80 | 5.86 | 5.90 | 5.85 | 6.04 |
| 5. The company’s dealings with third parties are always enacted on a high ethical plane. | 5.77 | 6 | 5.84 | 5.70 | 5.98 | 5.79 | 5.64 | 5.92 |
| 6. The audit committee meets privately with the internal audit department to discuss issues relating to internal control, the financial reporting process, and management’s performance. | 5.70b | 7 | 6.21 | 5.25 | 6.36 | 5.97 | 4.59 | 5.38 |
| 7. Members of the board of directors have sufficient knowledge, industry experience, and time to carry out their duties. | 5.68 | 6 | 5.93 | 5.46 | 5.42 | 5.32 | 5.48 | 6.00 |
| 8. The directors understand their role and actively carry out their responsibilities. | 5.59 | 6 | 5.88 | 5.35 | 5.48 | 5.46 | 5.31 | 5.70 |
| 9. The company’s commitment to ethics and integrity is effectively communicated throughout the organization in both word and action. | 5.56 | 6 | 5.78 | 5.38 | 5.63 | 5.58 | 5.97 | 5.52 |
| 10. Management appropriately responds to violations of behavioral standards. | 5.45 | 6 | 5.63 | 5.31 | 5.24 | 5.30 | 5.62 | 5.36 |
| 11. Employees understand the consequences of failure to comply with behavioral standards (i.e., written policies/code of conduct). | 5.42 | 6 | 5.51 | 5.37 | 5.65 | 5.41 | 5.21 | 5.46 |
| 12. Employees throughout the organization understand the expectations of upper management regarding ethics and integrity. | 5.42 | 6 | 5.57 | 5.31 | 5.55 | 5.39 | 5.41 | 5.63 |
| 13. Existing employees have adequate knowledge and skills to perform their jobs. | 5.34 | 6 | 5.39 | 5.32 | 5.34 | 5.40 | 5.35 | 5.24 |
| 14. The board takes adequate steps to ensure an appropriate tone at the top. | 5.08b | 5 | 5.43 | 4.78 | 4.98 | 4.93 | 4.50 | 5.30 |
| 15. Managers and supervisors have sufficient time to carry out their responsibilities effectively. | 4.93 | 5 | 5.04 | 4.84 | 4.98 | 5.00 | 4.44 | 4.88 |
| 16. Management override of controls is appropriately documented and explained. | 4.81b | 5 | 5.16 | 4.51 | 4.76 | 4.88 | 4.48 | 4.95 |
| 17. All deviations from established policies are investigated and documented. | 4.63b | 5 | 5.01 | 4.26 | 4.75 | 4.36 | 3.94 | 4.58 |
| 18. The board and audit committee are adequately involved in the tone at the top assessment. | 4.61b | 5 | 4.97 | 4.31 | 4.51 | 4.40 | 3.97 | 4.48 |
| 19. The company performs regular assessments of the tone at the top. | 4.09b | 4 | 4.58 | 3.65 | 4.02 | 3.73 | 3.56 | 4.08 |
| Mean of Control Environment Element Means | 5.39 | | 5.63 | 5.18 | 5.41 | 5.32 | 5.11 | 5.40 |

Panel A: For each of the elements pertaining to the Control Environment, please indicate your assessment of your company’s adoption or implementation of the element in the most recently completed fiscal year. Scale: 1 = “Not very descriptive of my company” to 7 = “Very descriptive of my company”


TABLE 2 (continued)

Panel B: Risk Assessment

| Element | (1) Overall Mean* | (2) Overall Median* | (3) Mean U.S. Public Cos.** | (4) Mean Other** | (5) Mean Banking | (6) Mean Financial Services | (7) Mean Healthcare | (8) Mean Services |
|---|---|---|---|---|---|---|---|---|
| 1. Responsibility and accountability for fraud policies and procedures reside with management. | 5.39 | 6 | 5.62 | 5.17 | 5.42 | 5.30 | 4.82 | 5.40 |
| 2. Management adequately considers risks relating to information systems (i.e., adequacy of backup systems, etc.). | 5.30 | 6 | 5.40 | 5.24 | 5.73 | 5.55 | 4.91 | 4.92 |
| 3. Appropriate levels of management are involved with analyzing identified risks. | 5.23 | 6 | 5.41 | 5.09 | 5.62 | 5.45 | 5.06 | 4.52 |
| 4. Mechanisms exist in the entity to identify and react to changes that can have a more dramatic and pervasive effect on the entity, and may demand the attention of top management. | 5.21 | 5 | 5.28 | 5.15 | 5.43 | 5.39 | 4.85 | 5.00 |
| 5. The company’s assessment considers fraud risk factors that influence the likelihood of someone committing a fraud, and the impact of a fraud on financial reporting. | 5.18 | 5 | 5.61 | 4.77 | 5.33 | 5.06 | 4.62 | 5.08 |
| 6. Adequate resources exist to achieve activity-level objectives. | 4.97 | 5 | 5.13 | 4.83 | 5.16 | 5.06 | 4.62 | 5.12 |
| 7. The company’s assessment of fraud risks considers incentives and pressures, attitudes and rationalizations, as well as opportunity to commit fraud. | 4.87b | 5 | 5.24 | 4.56 | 5.00 | 4.89 | 4.62 | 4.52 |
| Mean of Risk Assessment Element Means | 5.16 | | 5.38 | 4.97 | 5.38 | 5.24 | 4.79 | 4.94 |

Panel B: For each of the elements pertaining to Risk Assessment, please indicate your assessment of your company’s adoption or implementation of the element in the most recently completed fiscal year. Scale: 1 = “Not very descriptive of my company” to 7 = “Very descriptive of my company.”

Panel C: Monitoring

| Element | (1) Overall Mean* | (2) Overall Median* | (3) Mean U.S. Public Cos.** | (4) Mean Other** | (5) Mean Banking | (6) Mean Financial Services | (7) Mean Healthcare | (8) Mean Services |
|---|---|---|---|---|---|---|---|---|
| 1. Deficiencies in internal control are reported to the person directly responsible for the activity and to a person at least one level higher. | 6.43a | 7 | 6.53 | 6.33 | 6.52 | 6.47 | 6.41 | 5.72 |
| 2. The internal auditors have access to the board of directors or audit committee. | 6.41a | 7 | 6.51 | 6.28 | 6.66 | 6.76 | 5.91 | 5.96 |
| 3. Specified types of internal control deficiencies are reported to more senior management and to the board. | 6.29a | 7 | 6.58 | 6.01 | 6.46 | 6.51 | 5.64 | 5.80 |
| 4. There exists a mechanism for capturing and reporting identified internal control deficiencies. | 6.15a | 7 | 6.50 | 5.83 | 6.18 | 6.28 | 5.82 | 5.96 |
| 5. External auditor recommendations that have been selected for implementation are followed up to verify implementation. | 6.08a | 7 | 6.26 | 5.94 | 6.53 | 6.32 | 5.35 | 5.75 |
| 6. Follow-up on internal control deficiencies occurs to ensure that corrective action is taken. | 5.99a | 6 | 6.25 | 5.73 | 6.44 | 6.11 | 5.82 | 5.68 |
| 7. The internal audit function’s scope, responsibilities, and audit plans are appropriate to the organization’s needs. | 5.90a | 6 | 6.00 | 5.78 | 6.18 | 6.14 | 5.59 | 5.60 |
| 8. Controls that should have prevented or detected discovered problems are reassessed. | 5.78 | 6 | 6.05 | 5.50 | 6.00 | 5.86 | 5.42 | 5.24 |
| 9. The company has appropriate levels of competent and experienced internal audit staff. | 5.60 | 6 | 5.81 | 5.39 | 5.80 | 5.85 | 5.09 | 5.48 |
| 10. Periodic comparisons of amounts recorded by the accounting system with physical assets are performed. | 5.34 | 6 | 5.43 | 5.24 | 5.38 | 5.03 | 5.03 | 5.04 |
| 11. Operating personnel are required to sign off on the accuracy of their unit’s financial statements, and are held responsible if errors are discovered. | 5.09b | 6 | 5.77 | 4.42 | 5.41 | 4.87 | 4.84 | 5.13 |
| Mean of Monitoring Element Means | 5.91 | | 6.15 | 5.68 | 6.14 | 6.02 | 5.54 | 5.58 |

Panel C: For each of the elements pertaining to Monitoring, please indicate your assessment of your company’s adoption or implementation of the element in the most recently completed fiscal year. Scale: 1 = “Not very descriptive of my company” to 7 = “Very descriptive of my company.”

* Across the panels of Table 2, the overall sample size for a given question ranges from a high of 501 to a low of 419.

** Of the respondents, 210 indicated that the company was a U.S. public company (13 of these are headquartered outside the U.S.), and 237 indicated that it was not a U.S. public company. Responses from the respondents who did not answer the U.S. public company question are excluded from Column 4.

a Indicates an element with more than 85.0 percent of the responses in the range of 5–7 (strong controls).

b Indicates an element with more than 15.0 percent of the responses in the range of 1–3 (weak controls).

For a very small number of public companies for which we have the company name, we include a response from the Chief Audit Executive and from an Internal Audit Manager(s), as different individuals may have different perceptions of internal control strength. For other respondents, we do not know the name of the responding organizations, and it is possible that there could be more than one respondent for some of these organizations. We would expect such cases to be rare.

Items in Columns 3 and 4 are bold when the mean for U.S. public companies is significantly different (p  0.05) than the mean for other organizations. Items in Columns 5–8 are italicized when there are significant differences by industry (p  0.05, one-way ANOVA).

Respondents could select a response of “Not sure/not applicable.” Such responses have been excluded from Table 2.


override of controls are each troubling weaknesses because they are indicative of ‘‘loose’’ adherence to rules, and may create an atmosphere conducive to abuse and fraud. Adequate time and resources are needed to perform required tasks effectively, and two relatively weak controls suggest that management’s time (Panel A, Item 15, mean ¼ 4.93; 12.7 percent of respondents had ratings of 1–3 for this item) and organizational resources (Panel B, Item 6, mean ¼ 4.97; 11.7 percent of respondents had ratings of 1–3 for this item) may be constrained in some organizations. Finally, in some organizations, the assessment of fraud risk does not appear to encompass all three elements of the fraud triangle (Panel B, Item 7, Mean ¼ 4.87; 19.2 percent of respondents had ratings of 1–3 for this item).6 The strongest controls (i.e., those with overall mean ratings over 6.0) are found primarily in the Monitoring component (Panel C of Table 2), including the two highest-rated controls overall. The strongest control overall relates to reporting control deficiencies to the person responsible for the activity and to a person at least one level higher (Panel C, Item 1, mean ¼ 6.43; 92.9 percent of respondents had ratings of 5–7 for this item, indicating strong controls). Across the broad sample of respondents, internal auditors are very confident that such reporting occurs. The secondstrongest control overall relates to internal auditor access to the board or audit committee (Panel C, Item 2, mean ¼ 6.41; 89.7 percent of respondents had ratings of 5–7); it appears that most organizations surveyed provide the internal audit function with direct access to the board or audit committee. Such access is critical to both the internal audit function and to the directors. Three other controls in the Monitoring area are rated over 6.0. 
These controls relate to (1) reporting certain types of control deficiencies to more senior management and the board (Panel C, Item 3, mean ¼ 6.29; 90.5 percent of respondents had ratings of 5–7), (2) having a mechanism to capture and report internal control deficiencies (Panel C, Item 4, mean ¼ 6.15; 87.9 percent of respondents had ratings of 5–7), and (3) following up on external auditor recommendations to ensure that they have been implemented (Panel C, Item 5, mean ¼ 6.08; 85.9 percent of respondents had ratings of 5–7). Each of these results suggests that many organizations have very solid procedures in place to identify, communicate, and remediate internal control problems. In the Control Environment component, two control elements received particularly high ratings. First, the respondents are quite optimistic about management’s commitment to accurate financial reporting (Panel A, Item 1, mean ¼ 6.35; 92.6 percent of respondents had ratings of 5–7). Second, respondents rate management’s knowledge, experience, and training favorably (Panel A, Item 2, mean ¼ 6.12; 89.2 percent of respondents had ratings of 5–7). Both of these results are consistent with organizations employing committed and talented management teams. Interestingly, none of the controls in the Risk Assessment area has a rating near 6.0, suggesting that organizations may want to consider whether their Risk Assessment controls are as strong as those in the Control Environment and Monitoring areas. The overall means for Risk Assessment (Panel B, 5.16) and for Control Environment (Panel A, 5.39) each are significantly lower than the overall mean for Monitoring (Panel C, 5.91; p , 0.01). Thus, the overall strength of 6

6 To gain further insight into the control elements rated weakest overall, we used a statistical method called “factor analysis” to explore how these relatively weak controls group together. We find that many of the lowest-rated elements load on the same factor, which reflects management accountability and fraud risk. Most elements in this factor relate to the Control Environment (e.g., tone at the top, management override), but this factor also includes the lowest-rated Risk Assessment element (fraud risk factors) and lowest-rated Monitoring element (signing off on results).

Monitoring controls appears to exceed the overall strength of Control Environment and Risk Assessment controls.7

Control Elements—Public Companies versus Other Organizations (Columns 3 and 4 of Table 2)

Columns 3 and 4 of Table 2 present the means for public companies versus other organizations (i.e., private companies or non-profits), and the bold items in these columns represent control elements with “significant” differences (p < 0.05) between the two groups.8 Given the intense focus on internal control effectiveness in public companies (i.e., SOX Sections 302 and 404), as well as their generally larger size and greater access to resources, we would expect public companies, on average, to have more effective internal controls. For example, for companies with available data, the average internal audit budget for the public companies is $2.7 million, versus $942,000 for the other organizations. Also, only 42 percent of the public companies have revenues under $500 million, versus 48 percent of the other organizations. Consistent with our expectation, across the 37 internal control elements, the mean rating for public companies is significantly higher than the mean for other organizations in 27 cases (73 percent of the elements). There are no cases where the mean for other organizations exceeds that of the public companies. While the existence and direction of the public/other differences are not surprising, this analysis does allow for quantification of the differences and identification of areas where the differences are the greatest. Specifically, across the 37 elements, the public company mean is, on average, nearly 0.5 points higher than the mean for other organizations, using the 1–7 scale. In four areas, there are differences of 0.8 points or more.
The largest difference between the groups relates to having operating personnel sign off on their unit’s financial results, which is much more common in public companies (Panel C, Item 11, mean = 5.77; 11 percent of respondents had ratings of 1–3 for this item, indicating weak controls) than in other organizations (mean = 4.42; 33.3 percent of respondents had ratings of 1–3). Public company internal auditors also are more likely to meet privately with the audit committee (Panel A, Item 6, mean = 6.21; 8.4 percent of respondents had ratings of 1–3) than are internal auditors in other organizations (mean = 5.25; 23.5 percent of respondents had ratings of 1–3). While the mean for both groups is relatively low, public companies are more likely to assess the tone at the top (Panel A, Item 19, mean = 4.58; 27.2 percent of respondents had ratings of 1–3) than are other organizations (mean = 3.65; 45.2 percent of respondents had ratings of 1–3). Finally, public companies appear

7 Another way to assess the 37 control elements is by their standard deviations, which reflect the degree of variation in responses (higher standard deviations indicate lower consensus across respondents). Three elements have standard deviations greater than 2.0—Control Environment element #6, Control Environment element #19 (which also has the lowest mean in the component, thus allowing greater opportunity for variation in this specific setting, as the item is less subject to a ceiling effect), and Monitoring element #11 (which also has the lowest mean in the component and is less subject to a ceiling effect). Control Environment element #6 deals with the audit committee meeting privately with the internal audit department to discuss issues relating to internal control, the financial reporting process, and management’s performance. While the mean rating for this element is relatively high (5.70), there is considerable variability across companies.

8 Throughout our discussion of the results, we refer to “significant” differences only when p < 0.05 (Table 2) or p < 0.10 (Table 3). For brevity, we do not include each p-value in the text.

to have more robust fraud risk assessments (Panel B, Item 5, mean = 5.61; 6.7 percent of respondents had ratings of 1–3) than do other organizations (mean = 4.77; 18.6 percent of respondents had ratings of 1–3).

Control Elements—Industry Figures (Columns 5–8 of Table 2)

As noted above, four industries (banking, financial services, healthcare, and other services) account for approximately half of the sample. Columns 5–8 present the mean ratings for each of these key industries. The figures presented in italics reflect internal control elements where there is significant variation across the four industries. Many of these inter-industry differences relate to the Monitoring component (Panel C, Items 1–3 and 5–9), where banks and other financial services firms report having particularly strong controls. This result likely is due to the regulated nature of the financial industry and the significant risks of non-compliance, especially in the immediate post-Financial Crisis period during which we administered our survey. Items 2 and 3 relate to board and audit committee issues. It appears that there is especially open access and effective reporting to boards and audit committees of banks and financial services firms. Other items in Panel C (Items 1, 3, 5, 6, and 8) relate to handling internal control problems, and it again appears that banks and financial services firms often are quite vigilant in this area. On an overall basis, the mean for Monitoring controls is over 6.0 for banks and other financial services firms, versus 5.5 and 5.6 for healthcare and other services companies, respectively. In terms of the Control Environment (Panel A), one notable finding is the strong emphasis in the banking industry on having internal audit representatives meet privately with the audit committee (Item 6). This is the only control element where one industry has a mean greater than 6.0 (banking), while another industry’s mean is less than 5.0 (healthcare). Finally, in the Risk Assessment area (Panel B), banks and financial services firms appear to be relatively strong on evaluating information systems risk (Item 2) and involving management in risk assessment (Item 3).
Overall, there is much less variation across industries in the Control Environment and Risk Assessment components than in the Monitoring component.

Variations in Internal Control Component Strength

In addition to examining the 37 individual control elements above, we also explore how the strength of controls, at the COSO component level, varies with organizational characteristics. Specifically, we examine how Control Environment, Risk Assessment, and Monitoring strength vary with key characteristics of the internal audit function and organization. These results are presented in Table 3. While the statistical details are beyond the scope of this paper, the approach used in Table 3 is to explore, for example, how average Control Environment strength (the mean of all of the Control Environment questions) varies with key internal audit and other organizational characteristics. The dependent variable is average Control Environment strength, and the independent variables are those listed in Table 3—internal audit budget, etc. The analysis is designed to identify “statistically significant” relationships between control strength and the internal audit and other organizational characteristics. We perform

TABLE 3
Exploring Variations in Internal Control Component Strength

                         Control Environment    Risk Assessment        Monitoring
Variable                 Sign     Signif.       Sign     Signif.       Sign     Signif.
LN IA Budget                                                           +        *
CAE Report to AC         +        ***           +        ***           +        ***
IAF Tenure               +        **            +        **
Percent IA Outsourced
Percent CIAs
CRO                                             +        **
Public Co.               +        *             +        **            +        ***
Large Co.
Financial Industry
Sample Size              235                    235                    233

*, **, *** Reflect significance at the 0.10, 0.05, and 0.01 levels, respectively.
+ Indicates that the variable is positively associated with internal control strength.
The dependent variables are the means within the Control Environment, Risk Assessment, and Monitoring components.
Variable Definitions: LN IA Budget = natural log of the IA budget; CAE Report to AC = 1 if CAE reports primarily to the AC, else 0; IAF Tenure = 1 for average tenure of 1–3 years, 2 for 4–6 years, 3 for 7–9 years, and 4 for 10+ years; Percent IA Outsourced = 0 for no outsourcing, 1 for 10 percent, 2 for 20 percent, up to 10 for 100 percent; Percent CIAs = percentage of IAF staff with CIAs; CRO = 1 if there is a Chief Risk Officer (CRO), else 0; Public Co. = 1 if a public company, else 0; Large Co. = 1 if company revenues greater than sample median, else 0; and Financial Industry = 1 if banking or financial services, else 0.

this analysis three times—separately for the Control Environment, Risk Assessment, and Monitoring components.9

We find that the perceived strength of controls in the Control Environment, Risk Assessment, and Monitoring components is higher when the CAE reports primarily to the audit committee and when the organization is a public company. Thus, CAE reporting channel and public company status are consistently related to control strength. CAEs reporting primarily to the audit committee may signal the organization’s commitment to a strong assurance role for the internal audit function, and the audit committee’s oversight of controls may be enhanced by the information provided by internal audit. As noted earlier, public companies have higher ratings for many of the 37 individual control elements, and this finding also holds for the three internal control components overall.

9 All three models are significant at p < 0.01, with R² ranging from 10–13 percent. Given the exploratory nature of the analysis, we discuss coefficients with p < 0.10 (two-tailed). Also, while not addressed in our main model, it is possible that CAEs with previous public accounting experience have different perceptions of internal control strength. If we add a public accounting experience variable to the models in Table 3 (= 1 if CAE has public accounting experience, else 0), it is insignificant in the Control Environment and Monitoring models, but positive (p = 0.07) in the Risk Assessment model (CAEs with previous public accounting experience assess Risk Assessment controls as stronger). The other results in the Risk Assessment model are unaffected.

In addition, average internal audit tenure (average years of experience) is positively related to perceived control strength in the Control Environment and Risk Assessment components. It is possible that organizations with greater internal auditor tenure have more established, effective internal audit functions, which, in turn, promotes control effectiveness. Two other variables are related to perceived strength in one component. The size of the internal audit budget is positively related to strength in the Monitoring component, which may reflect the need for resources to support a robust control monitoring effort. Finally, the presence of a Chief Risk Officer (CRO) or equivalent is positively related to strength in the Risk Assessment component. The CRO may promote active risk assessment, or the presence of a CRO may signal the organization’s commitment to risk assessment.

IMPLICATIONS FOR PRACTICE AND ACADEMIA

We believe that these results have key implications for internal and external auditors, accounting researchers and educators, and management.

First, we encourage internal and external auditors and management to focus carefully on two areas of relative weakness in the survey results presented in Table 2: (1) assessing the organization’s tone at the top, and (2) pursuing deviations from policy and management override of controls. It is possible that the tone at the top often is not formally assessed and does not include adequate board or audit committee involvement, because assessing the tone at the top can be difficult. It certainly is much less objective than analyzing many other areas of the internal control system. In addition, as Cullinan and Sutton (2002) highlight, there are relatively few barriers between top management fraud and the financial statements, certainly far fewer barriers than there are between lower-level employee fraud and the financial statements. In such a setting, internal and external auditor and audit committee vigilance are critical to sound financial reporting, as is a well-established strong tone at the top.

Given the importance of this control element and the relative difficulty of evaluating the tone at the top, we encourage readers to consult Hansen et al. (2009), who provide detailed insights into how internal auditors assess the tone at the top. Consistent with our survey results (which address a much broader range of controls than examined in Hansen et al. [2009]), they find that nearly one-third of the companies surveyed report that they never perform such assessments. The authors conclude by offering ways that internal auditors can seek to improve the tone at the top. Beyond ensuring that such assessments actually take place, the authors suggest steps including the following (Hansen et al. 2009, A11–A12):

• Expanding the assessment of tone to include more of the upper management than just the CEO and CFO;
• Ensuring that internal auditors with sufficient experience and interaction with upper management are performing tone at the top assessments;
• Examining who receives results of tone assessments; and
• Considering whether tone would improve if the internal auditors evaluated and opined on the tone set by the Board of Directors.

We believe that each of these suggestions would serve to promote improvements in the tone at the top. In addition, Castellano and Lightle (2005) advocate the use of cultural audits to assess the tone at the top. Such audits would address the following issues:

• The degree to which preoccupation with meeting the analysts’ expectations permeates the organizational climate;
• The degree of fear and pressure associated with meeting numerical goals and targets; and
• The compensation and incentive plans that may encourage unacceptable, unethical, and illegal forms of earnings management.

Each of these elements can greatly undermine the tone at the top and is worthy of formal consideration.

In terms of deviations from policy and management override, in addition to working with management to ensure that such deviations are always pursued, we encourage internal and external auditors to work to sharpen the audit committee’s focus on management override of controls. A very helpful publication in this regard is Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention (American Institute of Certified Public Accountants [AICPA] 2005), which discusses steps that audit committee members can take to become more attuned to management override and the risk of fraudulent financial reporting. The steps outlined include “maintaining an appropriate level of skepticism, strengthening committee understanding of the business, brainstorming about fraud risks, using the code of conduct to assess financial reporting culture, ensuring that the entity cultivates a vigorous whistleblower program, and developing a broad information and feedback network” (AICPA 2005). We encourage internal and external auditors to educate and communicate with audit committees about these issues to ensure that audit committee members are attuned to the risks of management override and, as a result, are fully supportive of both internal and external auditors’ efforts to assess and bolster this area.

Second, the survey indicates (Table 2) that elements in the Control Environment and Risk Assessment components are, on average, not as strong as those in the Monitoring component. We encourage internal and external auditors to work with audit committees and management to understand whether this finding holds in their setting.
If so, it may be important to explore ways to cost-effectively enhance controls in the Control Environment and Risk Assessment areas. This is especially critical for the Control Environment, which is viewed as the foundation for all of the other components of the COSO internal control framework. If the Control Environment is not as strong as it should be, the other components of internal control can be undermined. Third, the analysis of individual control elements (Table 2) reveals numerous differences in perceived control strength based on organization type—public companies versus others, and banks and financial services firms versus healthcare and other services firms. In light of these variations, it is important for internal and external auditors to consider the context and risk profile when assessing organizations’ controls. For example, given the results of this survey, a smaller, privately traded services firm may develop different controls than would a large, publicly traded financial services firm. The two organizations have different risk profiles and available resources to invest in controls. Accordingly, we encourage internal and external auditors to be active in industry-specific organizations, where they may have access to the very latest and most detailed insights into industry approaches to internal controls, governance, and risk management. In addition, various IIA resources, such as the GAIN and Common Body of Knowledge (CBOK) surveys, also may provide very important insights into current practice. Finally, the component-level results in Table 3 highlight the importance of having the CAE report primarily to the audit committee. Such a reporting role can allow the internal audit function to focus mainly on assurance work, as opposed to internal consulting work, and it can enhance the information set available to the audit committee (see Raghunandan et al. [2001] for a discussion of internal audit/audit committee interaction). 
The results also demonstrate the advantages of a more experienced internal audit staff, as well as of a larger internal audit budget and the presence of a CRO, as each of these variables is associated with greater perceived control strength.

CONCLUSION

This study extends previous internal control research by examining the perceived strength of 37 individual internal control elements across a large sample of organizations. We hope that the results of this survey will be useful to internal and external auditors, accounting researchers and educators, and management. Based on the results, we encourage increased appreciation of the tone at the top, management override, industry differences in Monitoring strength, and the potential value of the CAE reporting primarily to the audit committee, as well as having experienced internal audit staff. From an educational perspective, the results may be useful in highlighting to students the factors associated with variations in internal control strength, especially the apparent importance of the CAE’s reporting channel. From a research perspective, the results provide deeper insights into perceived control strength and its determinants than may be provided by archival studies that can only capture the extremes of effective versus ineffective control over financial reporting. We encourage additional research using survey or qualitative methods to further explore variations in internal control strength.

REFERENCES

American Institute of Certified Public Accountants (AICPA). 2005. Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention. New York, NY: AICPA.

Beasley, M. S., J. V. Carcello, D. R. Hermanson, and T. L. Neal. 2009. The audit committee oversight process. Contemporary Accounting Research 26 (1): 65–122.

Beasley, M. S., J. V. Carcello, D. R. Hermanson, and T. L. Neal. 2010. Fraudulent Financial Reporting 1998-2007: An Analysis of U.S. Public Companies. Durham, NC: Committee of Sponsoring Organizations of the Treadway Commission (COSO). Available at: http://www.coso.org/documents/COSOFRAUDSTUDY2010.pdf

Beasley, M. S., R. Clune, and D. R. Hermanson. 2005. Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy 24 (6): 521–531.

Castellano, J. F., and S. S. Lightle. 2005. Using cultural audits to assess tone at the top. The CPA Journal. Available at: www.nysscpa.org/cpajournal/2005/205/perspectives/p6.htm

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992a. Internal Control—Integrated Framework. New York, NY: COSO.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992b. Internal Control—Integrated Framework Evaluation Tools. New York, NY: COSO.

Cullinan, C., and S. Sutton. 2002. Defrauding the public interest: A critical examination of reengineered audit processes and the likelihood of detecting fraud. Critical Perspectives on Accounting 13 (3): 297–310.

Hansen, J., N. M. Stephens, and D. A. Wood. 2009. Entity-level controls: The internal auditor’s assessment of management tone at the top. Current Issues in Auditing 3 (1): A1–A13.

Hermanson, D. R., J. L. Smith, and N. M. Stephens. 2011. Internal Control Strength and Accruals Quality. Working paper, Kennesaw State University, University of Nevada, Las Vegas, and Utah State University.

Hunton, J. E., R. Hoitash, and J. C. Thibodeau. 2011. The relationship between perceived tone at the top and earnings quality. Contemporary Accounting Research 28 (4): 1190–1224.

Raghunandan, K., W. J. Read, and D. V. Rama. 2001. Audit committee characteristics, “gray directors,” and interaction with internal auditing. Accounting Horizons 15 (2): 105–118.

Schneider, A., A. Gramling, D. R. Hermanson, and Z. Ye. 2009. A review of academic literature on internal control reporting under SOX. Journal of Accounting Literature 28: 1–46.

U.S. House of Representatives. 2002. The Sarbanes-Oxley Act of 2002. Public Law 107-204 [H.R. 3763]. Washington, D.C.: Government Printing Office.
