
It has been suggested above that the ‘regulatory state’ should be understood as more than a network of sectoral oversight agencies for regulation. Of equal significance in governing economic life has been the growth of audit and evaluation practices. This audit explosion (Power, 1994; 2005b) has been a conspicuous feature of the transformation of public services in the UK in the 1980s and 1990s, and has also been driven by the emergence of the corporate governance principles described above. In the UK public sector, audit came to signify not simply a new technical and operational basis for control in public services, but was part of a critique of closed, ‘club government’ (Moran, 2003). New forms and intensities of auditing were mobilized in the name of ideals of transparency, efficiency, and accountability, and the scope of auditing and inspection was extended in many regulated sectors. At the heart of these changes, internal control and related performance measurement systems grew in significance as the focus of audit and inspection processes, and this reflected the general shift in regulatory strategy indicated above. Such systems came to be part of a broadly based organizational reform process to make accountable organizations auditable and inspectable. These changes have been registered in the heartland of the audit, the financial auditing process, and have catalyzed practitioner interest in markets for internal controls and risk assurance.

42 / Organized Uncertainty

The financial audit is simple in concept. Many organizations publish representations of their financial performance and strength known as financial statements. Such statements are checked by auditors whose work adds a level of additional assurance to these statements, thus enabling critical capital allocation decisions to be made by investors and providing signals about the integrity and legitimacy of management (Power, 2003a). Yet, beneath this apparent unity of purpose, financial auditing has been in an almost constant process of reform and critique—with the collapse of Enron in 2001 and other corporate scandals providing the backdrop to global debate in the new century. Even before this event and the eclipsing effect of the Sarbanes-Oxley legislation in the United States, concerns with the future of financial auditing had been conspicuous in the 1980s. Committees were formed, reports were published, professional structures were criticized, research was commissioned and education systems were re-designed—all with a view to meeting the perceived challenges of a symbolic millennial landmark. Auditing became a site for professional reinvention (Robson et al., 2007),12 and two closely related but distinguishable change programmes are visible in discourses of reform.

There were demands to reinvent the technical basis of the financial audit on the one hand, and there were focused efforts by the large professional service firms to develop markets for possible assurance and advisory practices on the other hand.13 The emergence of rival proprietorial audit products in the 1990s, for example CLASS at Coopers and Lybrand, AuditSystem/2 at Deloitte and Touche, the strategic-lens approach at KPMG, represented professional change programmes to construct a new alignment between a need for greater cost efficiency in the audit process and a need for a new marketing concept of audit as a ‘value adding’ advisory service. To this end, explicitly risk-based approaches to financial audit came to replace a more traditional regulatory framing of auditing and drew on more generalized discourses of risk, enterprise, and strategy (O’Malley, 2000). A universalistic logic of opportunity rationalized the reduction of costly transactions testing and a more selective focus on high-risk areas of greater ‘value’ to the client.

The Rise of Internal Control / 43

The idea of a risk-based approach was hardly new to auditing in the 1990s (Adams, 1991; Humphrey and Moizer, 1990) and was a natural development from the systems-based audit (Lemon et al., 2000).14 As internal control systems became more complex, auditors set themselves the task of focusing on where key risks exist and on how they are controlled and mitigated in these systems. Indeed, such an approach to the audit could be easily sold as an incremental change to business as usual—as a new formalization of the need to understand the auditee. For example, in 1997 the Audit Faculty of the ICAEW ran a series of educational roadshows aimed at small practitioners with the title ‘The Audit of Tomorrow’. These events sought to communicate a new potential for the audit process if a business risk assessment is performed at the outset. Subject to agreed scoping with the client, it was argued that such an assessment could perform a dual function simultaneously as both a planning tool for the audit and as a client directed service. In this way, a risk-based approach was articulated both as best practice and as a business opportunity—for auditors themselves. The aspiration was to reconstruct auditors as ‘added-value’ business advisors (ICAEW, 1997a; 1998b; Robson et al., 2007).

Although the audit risk model developed in the 1980s approached inherent risk and compensating controls as a sub-unit of the statutory financial audit process, the ICAEW programme anticipated the development of internal control as an advisory focus in its own right. The traditional management letter identifying control weaknesses was normally considered to be a by-product of the statutory financial audit process. Now it would become a primary focus for advice. To some commentators in the 1990s it appeared as if financial audit was being reinvented as a by-product of business services and that independence was being designed out of the financial auditing process (Jeppesen, 1998).15 The audit opinion was to become a part of a larger risk assessment process as developments in the KPMG audit approach demonstrate. Bell et al. (1997) outline the structure of a new audit approach—a ‘business measurement process’ intended to access audit risk through a ‘strategic systems lens’.16 At the heart of this approach is the need to understand the auditee organization ‘holistically’. The KPMG authors intended that the BRA process described above should focus explicitly on key interrelationships between the internal and external environment of the organization, which both generate risk and are sources of risk-taking. At the centre of this analytical process is a focus on understanding the client’s business strategy and on understanding the risks that threaten, and the key processes to realize, these objectives.17

While the KPMG approach was constructed on the site of existing internal control practices, it also took the concept of the audit process into areas in which it had not hitherto been formally involved, not least the conceptual space of business strategy. This led to considerable issues in implementation because nothing less was at stake than the creation of a new kind of auditor with new skills (Eilifsen et al., 2001; Knechel, 2007; Curtis and Turley, 2007; Peecher et al., 2007). Indeed, while the focus on risks to business strategy objectives gave a new accent to the audit process, allowing auditors to focus on control in the widest sense, it also weakened the operational links to financial statement assertions. The business risk approach required that the auditor focus primarily on the risks that the organization will not meet its strategic objectives; the financial statements were to be understood as a derived regulatory product of this focus, that is, a specific information system for representing wider economic events.

These transformations within the external audit process in the 1990s created a focus on business risk control systems in their widest sense. The re-conceptualization of the financial audit paralleled efforts to expand advisory and consulting services. The category of ‘audit’ went out of fashion in the self-representations of the large firms (Robson et al., 2007), creating a new action space for accountants. The risk-based reinvention of the statutory audit came to be seen as one element of a broad advisory field. The work of Robert Elliott, a leading reformer in the US accountancy profession in the 1990s, exhorted practitioners to recognize the potential markets for new assurance services, locating the statutory audit as one part of this emerging field, a field in which this audit would need to compete for talent and prestige. As in the UK, the AICPA emphasized the need for CPAs to understand the changes facing financial auditing both as risk and as opportunity (AICPA, 1996).

During the same period, the large firms began to develop internal audit practices to provide outsourced internal assurance services, a move which will be discussed further in the next section below.


Another important challenge to the traditional financial audit as a form of periodic regulatory inspection was the effect of technological development in information systems and the emerging need for real time continuous assurance services: ‘Users will need data assurance at points in time other than just at the end of a year or a quarter. Some users may require “continuous audits” of a broad data set, others “just-in-time-audits” of key transactions or data, and still others mixes of the two. When users’ real-time access to databases becomes routine, they will need continuous data assurance’ (AICPA, quoted in Miller and Young, 1997, note 11). These ideas of timely assurance posed a further radical challenge to the external audit. They pointed in the direction of an explicit shift from periodic, retrospective audit to contemporaneous, proximate auditing (Vasarhelyi and Halper, 1991) in which the audit process becomes more closely aligned with organizational operations. A new potential was constructed for practices of real-time assurance of internal control systems, an idea which matched regulatory preferences for the substitution of internal for external assurance where possible. This was also a fundamental challenge to the traditional disclosure-based certification of periodic financial statements, a challenge which codes of governance in the UK and regulatory developments elsewhere amplified.

Developments within professional discourses of external auditing during the late 1980s aligned auditing with increasingly popular ideas of risk and opened the door to a new practice focus on controls assurance (Robson et al., 2007). Pressures for change within the audit process were not simply technical; they were simultaneously pressures for expansion of advisory markets as a response to an emerging corporate governance agenda.

Criticisms of the untimely nature of financial statements and, by implication, of the external audit process, found a new platform in marketing claims for new assurance services. Organizational and regulatory demands to manage uncertain futures grew hand in hand with a supply of ideas about internal control as the self-observation of organizational risks. While the audit of control systems (rather than transactions) had been important to external audit practice throughout the twentieth century, now such control systems were transformed into a stand-alone focus for professional assurance services. As a regulatory window on the integrity of management and as a signpost for the future these management systems became significant objects at the centre of a world of governance in which accountants could claim to have expertise.

The rise of internal control as an autonomous field of expertise and norm production has been described as an audit implosion (Power, 1999) and as an internal control explosion (Maijoor, 2000). In the United States the Sarbanes–Oxley legislation (‘Sarbox’) radicalized and continued this focus on internal control, creating new statutorily backed markets for internal control assurance. Financial auditors have been returned to their more traditional role as independent verifiers of financial statements, although standards for risk-based auditing have done much to formalize and rationalize the firm-specific innovations of the 1990s (Robson et al., 2007). Under Sarbox rules, for any particular client, firms must now choose between doing an audit or providing advice on controls and risk management. It may be ironic that the principles of corporate governance developed during the 1990s, which explicitly sought to strengthen the authority and process of the external financial audit, in fact helped to support a new market focus on internal controls design and assurance which has created a new platform for internal auditors.

However, the risk-based re-design of auditing in the 1990s promised a consulting platform which is now constrained by rules and regulations. The claimed knowledge-spillover effects from other services have had to confront a regulatory preference for a purer conception of the financial audit and for a clearer division of labour in markets for advice—at least, for the time being.

In summary, the recent history of the financial auditing field suggests that during the late 1980s and early 1990s accounting practitioners were looking to elaborate and extend their expertise in the area of internal controls design and assurance as a stand-alone ‘governance’ advisory service. In part this was to do with the re-engineering of the audit process and its broader positioning as business risk analysis. Internal control as an emerging regulatory and managerial object was re-imagined within the audit process as a window on the client organization, on its risk management and on its strategy. The corporate governance explosion in the 1990s has transformed internal control into a generic regulatory and public policy object and created opportunities to develop new consulting markets in a self-reinforcing process. By the mid-1990s internal control had a regulatory, managerial, and conceptual life of its own as a benchmark of good governance.
