
Specific risk and control related disclosures for corporations have existed since the 1990s. Many jurisdictions require disclosures about derivatives, going concern, contingencies, and provisions. In the USA, the operating and financial review and other filing requirements contain risk disclosure provisions and many banks provide much more information as part of industry practice.24 In the UK, there has been considerable discussion about risk reporting (ICAEW, 1997b; 1999b) and an Operating and Financial Review (OFR) was proposed which requires organizations to disclose key risk indicators (ASB, 2005). Although the OFR was formally abolished in November 2005, it is likely that risk disclosure practices will emerge (ASB, 2005; Power, 2007). In Germany, the Control and Transparency Act (KonTrAG) strengthened the role of supervisory boards by requiring them to establish a monitoring system for risk identification (Pausenberger and Nassauer, 2000; Weber and Liekweg, 2000). The newly formed German Accounting Standards Board (GASB) also published German Accounting Standard (GAS) 5 in 2001 which takes its lead from COSO and defines risk management as a ‘comprehensive set of control procedures’. Like the ill-fated UK OFR, the standard requires a single report on risks ‘affecting future developments’ and a description of the system in the management report (Dobler, 2005).

The Rise of Internal Control / 53

All these various specific disclosures could be said to relate to specific risk ‘objects’; they contain no requirement to comment on the effectiveness of the risk management system as a whole, as the original principles of the Cadbury Code require (paragraph 4.4). When the Code was published, there followed much practitioner debate both about the meaning and ‘auditability’ of ‘internal control effectiveness’ from the point of view of an external auditor, and about the nature of any public opinion on such matters. In the UK, the Rutteman report in 1994 had proposed a form of limited reporting on internal control, but the proposal stalled (ICAEW, 1994; 1995).

In the United States, the Public Oversight Board (of the AICPA) published In the Public Interest in 1993 which recommended public reporting on internal control to the SEC; subsequently the POB Board published its Audit Effectiveness Report (The O’Malley Report) recommending that audit committees spend more time on internal control. The General Accounting Office Report on the Accounting Profession in 1996 also supported internal control reporting, and there were ongoing pressures for reporting on the effectiveness of internal control in Canada, led by the Toronto Stock Exchange. In 1998 the UK Audit Practices Board published a discussion document on the subject of providing assurance on internal control which builds on the COSO framework (APB, 1998) and the ICAEW (1999b) proposed the publication of a statement of business risk as some version of the organizational risk map (see Chapter 3). Caveats and caution can be read between the lines in all these documents, reflecting an institutionalized unwillingness by both directors and auditors to venture a public opinion on effectiveness as a ‘hostage to fortune’ (Spira and Page, 2003: 648). When the dust settled on the debate, UK Directors were required only to report on whether they had completed a review of effectiveness, rather than on its substance.

While private advisory services for internal control and risk management began to thrive in the 1990s, and were marketed in terms of opportunity, value and enterprise, public reporting on these matters was shrouded in caution and blame avoidance (Hermanson, 2000). Slowly, qualitative non-mandated public disclosures about internal control and risk management grew as part of governance reporting more generally. The fact of Directors’ responsibility for maintaining a sound system of internal control became a standard assertion, as did caveats about the necessary limitations of any system of control. Internal control systems slowly became a more prominent object of public disclosure despite the reluctance to make general statements on control effectiveness. Then the world changed. Enron and other companies collapsed and the rapid passing of Sarbanes–Oxley legislation created new public certification requirements.25 Corporate risk management had been seen to fail (Rosen, 2003b) and companies were now forced to do something they had previously avoided and had regarded as difficult, costly and boring (Chan et al., 2006).

54 / Organized Uncertainty

It is no exaggeration to suggest that Sarbox took the existing market for internal controls advice and created an industry, even to the point of stretching the internal resources of the large professional service firms to their limits. A great deal of commentary has been focused on the costs and benefits of section 404 which requires a public certification by senior officers of the effectiveness of internal control systems over financial reporting, meaning that they contain no ‘material weaknesses’ in their design or operation.26 Criticisms of the first two years of implementation drew attention to the bureaucracy and cost created by the need to document controls in minute and low-level detail to support 404 certifications, particularly where the spectacular governance lapses have involved much higher levels of control failure.27 Auditors have been blamed for failing to adopt a risk-based approach, thereby amplifying the requirements. Concern was expressed that some companies may delist and ‘go dark’ and that these requirements may prove to be an uncompetitive barrier to IPOs. In contrast, enthusiasts held fast to rhetorics of opportunity and argued for the advantages of being able to prove what had hitherto been assumed. They suggested that much of the early cost was fixed in nature and unlikely to recur on this scale.

The SEC conducted consultative reviews of experience in 2005 and 2006 and these discussions, which will stretch into the future, will be further animated as non-US resident SEC registrants report under the legislation for the first time.28 What cannot be disputed is the role of this legislation in placing internal controls reporting at the very heart of efforts to improve the financial statement aspects of corporate governance. A ‘section 404’ advisory industry was created at a stroke, hence the nickname for Sarbox as the ‘accountant’s friend’. The legislation positions internal control systems as part of an operating philosophy of getting things right first time. It remains to be seen whether this emphasis on reporting on the process of producing financial statements will become more significant for regulators than the financial statements themselves; internal control systems now have the potential to become the primary regulatory and managerial reporting object.


The rise in the regulatory and managerial significance of internal control systems since the publication of the Cadbury report in 1992 has been dramatic but the question of public reporting on internal control as a risk management system has always been problematic. Even if the problem of incentives might be overcome by drastic legislation, there are continuing issues in determining the meaning of terms like ‘effectiveness’ and ‘material weakness.’ Such difficulties in the opinion process apply equally to the internal reporting process as boards consider internal control statements for sign-off. Just as terms like ‘true and fair’ and ‘fairly present’ have dogged the interpretation of financial statements, so the concept of effectiveness will also affect the interpretation of internal controls statements. In such cases, it may matter less what such terms mean, as this is a potentially endless discussion. It is more a question of who is trusted in organizations and regulatory fields to determine their meaning. Who, in short, is an internal control and risk expert? An important candidate for this role is the internal auditor.