Jensen's (1993) assertion (1) that <> is, perhaps more than ever, at the heart of the evolution of management science in the 2010's. Internal control can be defined by all the means of control available to managers to enable them to master their organization. But the overall level of control has often proved insufficient, especially in the case of frauds, some of them highly publicized and which have shaken global capitalism. Undoubtedly new shocks will occur. McKesson and Robins (1940), Enron (2001), then the Societe Generate in 2008: So many different factors and circumstances that led these companies and their directors to bear the full brunt of the consequences of the frauds developed therein.
Mastering the organization, having it under 'control' and being accountable to investors is not only a clear will of the management, but is also an identified request of internal control frameworks as well as a legal expectation (Sarbanes-Oxley Act, Financial Security Act, EU Directives 2006/43/EC and 2006/46/EC). For nearly a century, legislators have systematically been trying to impose numerous regulations in order to respond to the scandals originating from the discovery of frauds and to reassure investors (Heier et al., 2005). From the Foreign Corrupt Practices Act to the Treadway Commission, from the Sarbanes-Oxley Act (issued in reaction to Enron) to the implementation of the European Directives and the recommendations of the EU Commission (Green Paper on Auditing, 2010), all the regulations imposed to regulate the life of corporations in a general manner, as well as the financial and accounting professions, especially in the aftermath of crisis moments, prove that legislators are working on successive levels of coercion to achieve an ideal of universal control. These various laws and regulations, which led to the implementation of new formal controls, invariably resulted from the history of the 'affairs', reflecting a willingness to improve company management (Heier et al., 2005). They are necessary. No company can expect to ensure its continuity without sufficient investment in its internal controls. The fact that these internal controls are essential does not mean that they are effective enough, hence the feeling that a formal control firewall is powerless against the excesses that everyone has been able to witness. And it is clear that nothing, at least for the moment, has enabled corporations to completely curb the 'affairs' or financial scandals. The illusion of control is given both by the requirements of the various laws and by the current control disclosure, and also by the professional standards (especially those of auditors), which have followed the escalation towards the 'total control' obsession. In this respect, working techniques and standards for statutory auditors (SAS 99, ISA 240) have been continuously attempting to adapt to the new forms of fraud and have evolved in accordance with the ingenuity of the fraudsters. But this is not sufficient to limit the scandals.
Is the potential control of the corporations in this case illusory? How could we ensure a good level of internal control? Understanding the various aspects of internal control and assessing control systems and their malfunctioning enables one to partially understand the nature of frauds that may be developing in organizations. Our goal here is therefore to show that controlling an organization cannot be limited to the formal aspects of control (hard controls) and that informal aspects (soft controls) are both tricky to define and complementary in order to cover the risks in the most suitable way.
The first part of the present paper focuses on the definition and on the sometimes inflationary implementation of the layers of formal controls, as well as on the issues related to the successive addition of these regulations. …