In a sense, I began developing this presentation in 1993 when I first taught auditing and internal control for M.B.A.s at INSEAD (European Institute of Administration). In designing the course, I envisioned myself as the CEO of a multinational corporation (as many M.B.A.s view themselves), and asked how would I know whether I was getting the right information for decision making, that my assets were being protected, and that my people were complying with laws, regulations, and company policy--all on a worldwide basis?
As I pondered these questions, it came to me that an answer to all of them is internal control. This revelation changed my thinking about internal control, changed the tone of the M.B.A. course, and also changed my teaching for accounting majors,(1) I now believe that knowledge about internal control is an essential element that affects the welfare of management, corporate directors, shareholders, trading partners of an entity, auditors, and society at large--yet it is relatively unexplored by researchers. All major research methods are applicable, we have conceptual documents to guide our inquiries, and internal control quality is regulated directly or indirectly in many countries. In short, there is an outstanding opportunity for research in internal control for accounting and auditing professors, and for Ph.D. students. There are substantial barriers, of course, and we must all work to overcome them.
The rest of this paper explores research opportunities in internal control quality assurance beginning with a definition of internal control and the demand for internal control quality and quality assurance. This is followed by a discussion of barriers to research, and concludes with research questions and trends for the future.
DEMAND FOR INTERNAL CONTROL QUALITY AND QUALITY ASSURANCE
Because I am most familiar with them and because other groups around the world have conceptually similar definitions, I will use the Committee of Sponsoring Organizations of the Treadway Commission definition of internal control (COSO 1992) supplemented by that of Criteria of Control (CoCo, CICA 1995).(2) COSO defines internal control as:
a process, effected by an entity's board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
* effectiveness and efficiency of operations
* reliability of financial information
* compliance with the applicable laws and regulations (COSO 1992) (emphasis added)
The COSO definition implicitly assumes a constant external environment. The Canadians' CoCo adds the risk of failure to maintain the organization's capacity to identify and exploit opportunities, and resilience or capacity to respond or adapt to unexpected risks and opportunities. Thus, CoCo assumes the external environment may change, and defines "good" internal control to include adaptability of the process to a changing external environment.
The COSO/CoCo definitions have three distinguishing features. First, they are broad, much broader than traditional definitions of internal "accounting" control that are limited to reliability of accounting data and protection of tangible assets. By including the efficiency and effectiveness of operations, compliance with laws and regulations, and responsiveness to external changes, the COSO/CoCo definitions can be interpreted to cover all of management's functions except choosing objectives, strategies to achieve objectives, and follow up of surprises identified. Second, the COSO/ CoCo definitions are about process, rather than about a static state. This means that internal control cannot be directly observed or verified. Third, internal control is about risk, or threats that an entity will not achieve its objectives. All decision makers want to optimize their risk/expected reward trade-off, thus leading to demand for internal control quality and quality assurance. …