Beruflich Dokumente
Kultur Dokumente
1 · 2008
This study examines the impact of the scope These components are derived from the
of risk management and ethical way management runs a business, and are
environment on internal audit activities and seen to be integrated with the management
the quality of accounting control process and the internal control. More
procedures (ACPQ). The conceptual recently, COSO’s (2004) Enterprise Risk
framework for the study is guided by Management – Integrated Framework
COSO’s frameworks on internal controls (hereon referred to as the ERM framework)
and enterprise risk management and data expanded on the previous internal control
from a questionnaire survey of 64 framework by integrating the entirety of an
Australian firms are analysed using a enterprise’s risk management processes
structural equation model. The results of with the organisational objectives classified
the study support that (1) internal audit under four categories: strategic, operational,
activities have a significant intervening reporting and compliance (which may be
effect on the relationship between the scope analysed from differing organisational
of risk management and ACPQ, and (2) a levels i.e. divisional to sub-entity levels).
direct and positive relationship exists
between ethical environment and ACPQ. The responsibility of implementing an
Our findings suggest that widening the effective ERM framework lies with
scope of risk management activities do not managers, of which the design of the
directly improve ACPQ, but that it leads to internal control system and adherence to set
more extensive internal audit activities and policies and procedures are vital aspects.
in turn such activities promote better
ACPQ. Further, the results indicate that The current study, guided by COSO’s
fostering a more ethical environment Internal Control – Integrated Framework,
directly leads to higher ACPQ. These and the ERM Framework, focuses
results have implications for the design of specifically on four key components of an
internal controls, namely with respect to the internal control system.
role of internal audit activities and ethical
environment in enhancing ACPQ.
1
COSO was originally formed in 1985 as a private
Keywords sector initiative by five major professional
Internal Audit associations in the United States, the American
Accounting Association, the American Institute of
Internal control Certified Public Accountants, Financial Executives
Risk Management International, The Institute of Internal Auditors, and
Ethical Environment the National Association of Accountants (now the
Institute of Management Accountants). Its key
Accounting Control Procedures objective was to sponsor the National Commission on
Fraudulent Financial Reporting, which studied the
causal factors related to fraudulent financial
* Sunshine Coast University reporting.
** Deakin University
11
JAMAR Vol. 6 · No. 1 · 2008
We further contend that both risk In summary, the objectives of this study are
management and ethical environment can to examine (1) the direct effects of the
be viewed as internal control components scope of risk management, ethical
that operate at a broader strategic level environment and extent of internal audit
within the organisation. In other words, activities, on ACPQ, (2) the direct effects of
senior management tend to set the risk ethical environment and the scope of risk
appetite for the organisation and invest in management on the extent of internal audit
related strategies for the management of the activities, and (3) the intervening role of the
entity’s risks. Likewise, ethical values may extent of internal audit activities in the
be communicated by example through relationship between the scope of risk
leadership and management’s strict management and ACPQ.
adherence to admonishing those who
violate the ethical standards or code Motivation for Study
(Schwepker and Hartline, 2005; Weaver, In general, the motivation for the present
Trevino and Cochran, 1999b). These study is largely derived from the lack of
broader strategic components, in turn are empirical evidence on the relationships
between related internal control features.
2
We did not assess the information and Such evidence is vital for several reasons.
communication component for reasons relating to
project manageability including keeping the survey Firstly, in the wake of the recent corporate
instrument at a reasonable length. We believe that
future studies may take the opportunity to extend collapses, regulators have intensified their
research by including this component. attention on internal controls. High profile
12
JAMAR Vol. 6 · No. 1 · 2008
cases such as WorldCom and Enron clearly Although, traditionally, the review of the
highlight how accounting and related internal control system has always been a
internal controls had failed as a result of key part of an external audit, the formal
poor design and inappropriate behaviour of reports by both management and the auditor
staff (Cunningham, 2004; Hwang and are new requirements. By having a better
Staley, 2005). At the same time, understanding of the inter-connections of
organisations are increasingly faced with a the various components within a system of
growing number of options for managing an internal controls, management will be better
internal control system including the able to review and report on the quality of
adoption of ERM, self-assessment controls, the overall system.
ethical and board evaluation processes and
a plethora of accounting-based controls Thirdly, in addition to such regulatory
(Cohen, Krishnamoorthy and Wright, 2002; requirements, various corporate governance
Fadzil, Haron and Jantan, 2005). Yet, there guidelines (e.g. the United Kingdom’s
is little understanding on how these various Turnbull Report (1999) and the Australian
control strategies and mechanisms may Stock Exchange’s (ASX) corporate
affect each other. Furthermore, the need for governance guidelines (2007)), and
a better understanding of such relationships professional practice documents (e.g. IIA,
becomes even more imperative as the costs 2001a) have been issued with
of designing and implementing internal recommendations on a variety of strategies
controls have grown significantly in recent for internal control enhancement. For
years. For example, it is reported that the instance, management leadership i.e. ‘tone
costs associated with meeting the at the top’ has been much emphasised in
requirements of the Sarbanes-Oxley (SOX) such recommendations (ASX, 2007).
Act passed by the U.S. Congress in 2002
averaged about US $35 million for large Further, these various guidelines have also
firms in the first year (Verschoor, 2005). placed significant emphasis on an entity’s
Interestingly, a large part of these costs approach to risk management as a key
relate to the application of transaction mechanism that overarches the design of
control processes. Therefore, a better internal controls through-out the
understanding of the inter-relationships organisation.
between key internal control features is
increasingly critical for identifying the Organisations have been encouraged to
overall effectiveness and efficiency of a undertake an ERM approach, which
control system. A poor selection of controls involves a process “designed to identify
not only increases the probability of errors potential events that may affect the entity,
and mis-statements but also increases the manage risks within its risk appetite, and to
potential for fraud occurrence, which provide reasonable assurance regarding the
subsequently affects organisational achievement of entity objectives” (COSO,
performance. 2003, p.3). Likewise, it is advocated that
proper assurance processes, particularly that
Secondly, recent regulatory focus on the undertaken by the internal audit function is
reporting of internal control quality another vital internal control component.
necessitates more empirical evidence on the Yet, the literature suggests that there can be
inter-relationships between different trade-offs in the selection of control
internal control components. For example, mechanisms within an organisation. Such
the SOX Act mandates that management an approach is akin to a ‘substitution of
assess and report on the effectiveness of the controls’ strategy where senior
firm’s internal controls over financial management may elect to forgo or
reporting (Agami, 2006). The Act also substitute one type of control for another
stipulates that the independent auditor (Noreen, 1988; Stansbury and Barry, 2007).
should report on management's assessment Unfortunately, there is still little
of the effectiveness of the company's understanding on how these various control
internal controls over financial reporting. strategies and mechanisms affect and
13
JAMAR Vol. 6 · No. 1 · 2008
14
JAMAR Vol. 6 · No. 1 · 2008
Risk Management
H1: +
H4: +
H5: –
H3 +
Ethical Environment
Hypothesis Development
Risk Management - ACPQ
Accounting Control Procedures Quality Management has the responsibility to
(ACPQ) identify business risks, assess the
Accounting control procedures aim to significance and likelihood of risk
prevent and detect transaction errors and occurrence, and decide how to manage such
omissions, and to correct such errors and risks. The IIA’s (2001b) Practice advisory
omissions, where possible. A recent CPA statement on Assessing the Adequacy of
Australia’s survey indicated that about two- Risk Management Processes denotes that
thirds of small businesses claim to have management need to install sound risk
internal accounting controls in place in management processes and periodically
most transaction areas e.g. sales, purchases, communicate such risk strategies to all
accounts receivable, etc. (Hartcher, 2003). stakeholders in the organisation. Nielson,
Accounting control procedures include Kleffner and Lee’s (2005) study found that
authorisation of transactions, record sophisticated shareholders are increasingly
keeping custody, and segregation of duties. demanding that management become more
The quality of the various accounting involved in risk management planning and
control procedures (ACPQ) determines the development of effective principles so as to
timeliness and the accuracy of the detection strengthen the firm’s overall corporate
of errors and omissions. In general, there governance structure. It is also argued that
are two dimensions to ACPQ. The first the risks managed ought to extend beyond
refers to the quality of the design of the the purely financial to embrace the broad
internal accounting controls e.g. the format range of risks experienced by companies
of authorisation procedures relating to a such as environmental, social and other
given transaction. The second relates to the business risks (Lindow & Race, 2002).
extent to which various employees within
the organisation adhere to internal control The process of risk management includes
policies and procedures (Marshall, 1995). the identification, assessment, monitoring
Thus, both the internal control design and and treatment of risks. As the scope of risk
employee adherence to the set procedures management expands, firms are likely to
are critical for enhancing ACPQ. Therefore, cover a larger number of areas of an
the higher the ACPQ, the more likely that organisation’s activities as well as the
errors and misappropriations will be variety of risks including financial,
detected. environmental, industry and operational
15
JAMAR Vol. 6 · No. 1 · 2008
type risks (Fatemi and Glaum, 2000). value and improve an organization's
Beasley, Frigo and Litman (2007) highlight operations. It helps an organization
the importance of having an enterprise wide accomplish its objectives by bringing a
approach to risk management and argue that systematic, disciplined approach to
as organisations invest in a wider set of risk evaluate and improve the effectiveness
management processes, the organisational of risk management, control, and
objectives can be more easily met. governance processes (IIA, 2000)”.
We predict that the greater the scope of risk This revised definition expands the focus of
management activities, the higher the the internal audit function from one of
ACPQ. This is because, as the scope of risk assurance to one providing a value added
management widens, a greater number of approach (Bou-Raad, 2000; Krogstad,
staff from different areas tend to become Ridley and Rittenberg, 1999). Thus, it is no
more aware of, and involved in risk surprise that internal auditors have become
management activities. A greater increasingly involved in consultancy work,
involvement in risk management ought to covering non-financial areas such as
lead to higher levels of relevant knowledge business unit processes, operational
and strategies to mitigating such risks. Staff efficiencies and compliance with laws and
who are more exposed to risk management regulations (Verschoor and Farrell, 1996).
in turn will be better able to identify Consequently, there is now a greater
weaknesses in the existing internal controls. variance in internal audit programs both in
Consequently, the staff will be in a better their nature and scope. For example,
position to offer valuable suggestions to internal auditors may undertake compliance
improve the internal control weaknesses. type audits only, or a variety of other
Further, from an individual psychological performance and operational audit type
perspective, staff are also likely to be more reviews. This increased variance in internal
motivated to adhere to internal controls audit programs may enhance organisational
when they better understand the potential opportunities to improve accounting control
consequences to the organisation of failing procedural quality.
to follow proper accounting control
procedures. We predict that the larger the extent of
internal audit activities, the higher the
Based on the above discussion, the first ACPQ. This is because, with greater levels
hypothesis of this study is as suggested: of checking and monitoring of the internal
control features across a variety of a firm’s
H1: There is a direct and positive business sections, as well as increased value
relationship between the scope of risk added activities, the probability of finding
management and ACPQ. weaknesses in the internal accounting
controls increases. Given that accounting
Internal Audit Activity - ACPQ control procedures often tend to relate to
Traditionally, the internal audit function’s transaction authorisation and processing, a
role has been to assess the effectiveness of higher level of internal audit activities
organisational internal controls, and to would serve to increase the detection of
report to management where and how control weaknesses and failures. Colbert
internal controls could be strengthened and Alderman (1998), for example, found
(Van Peursem, 2004). In June 1999, the that internal audit test results are highly
Institute of Internal Auditors (IIA) officially valued by fraud investigators their fraud
adopted a revised definition of the internal detection procedures, and that such reports
auditing function and integrated this have helped in prompting further
definition into its code of ethics. The investigations. In other words, as the nature
internal audit function is defined as: and scope of the internal audit activities
increases, the higher the probability of
“an independent, objective assurance detecting errors and fraud. Consequently,
and consulting activity designed to add with greater detection of weaknesses, more
16
JAMAR Vol. 6 · No. 1 · 2008
strategies can be developed to remedy the shared system of values), a more highly
weaknesses in the internal control system. ethical environment is created.
Thus, the second hypothesis for the study is In an empirical study by Valentine, Godkin
as follows: and Lucero (2002), a positive association
was found between ethical environment and
H2: There is a direct and positive employee organisational commitment.
relationship between the extent of internal Based on a sample of 304 young working
audit activities and ACPQ. adults, Valentine et al. (2002) found that
ethical environment was positively and
significantly associated with the level of
Ethical Environment - ACPQ employees’ organisational commitment.3
While accounting control procedures can be
easily written down as formal Furthermore, in a recent study, Kizirian and
organisational policies, getting individuals Leese (2004) studied audit papers of 60
or employees to adhere to such policies is information systems audit engagements and
another issue. Carelessness, laziness and found that the ethical tone of the audit
even disobedience are plausible reasons for clients’ management has a significant
ignoring accounting control procedures. impact on the strength of their security
However, it is likely that in a more ethical controls.
environment, employees will tend to follow
company rules and regulations because it Based on the preceding discussion, we
would be the morally acceptable behaviour. predict that in a more ethical environment,
employees will be more willing to adhere to
Prior studies claim that the ethical the organisation’s accounting control
environment within the firm is likely to procedures. It is expected that the greater
influence employee behaviours in two the ethical environment, the higher the
ways. First, through organisational ACPQ as employees’ with a higher moral
socialisation processes, employees will consciousness will be more willing to ‘do
learn to behave according to the level of the right thing’ by their employers.
ethical climate, and the higher the ethical
values, the greater the ethical outcomes The third hypothesis for this study thus is as
(Ardts, Jansen & Van der Velde, 2001). follows:
Second, empirical evidence also indicates H3: There is a direct and positive
that management’s attitude to corporate relationship between ethical environment
ethical environment, exampled by ethical and ACPQ.
leadership, has a positive impact on overall
employee behaviour (Weaver et al, 1999a). Risk Management - Internal Audit
The ethical environment of an organisation Activity
is seen to encompass aspects of upper In organisations where the scope of risk
management’s tone in achieving management activities is large, employees
organisational objectives, their value are likely to be more actively involved in a
judgments and management styles (COSO, wide ranging set of activities. The
1992; AUS 402.43) awareness among employees about the
various types of risks faced by their
Victor and Cullen (1987) introduced the organisation, how such risks may be
concept of ‘ethical climate’ to explain and interconnected, and the risk mitigation
predict organisational ethical behaviour. strategies put in place by management, is
They suggested that when morally expected to be greater in firms with a wide
acceptable behaviours based on honesty and risk management agenda than those firms
integrity are actively promoted and become
part of an organisation’s culture (i.e. a 3
Organisational commitment refers to the extent to
which employees feel connected with the company’s
values and way of doing things (Schwepker, 1999).
17
JAMAR Vol. 6 · No. 1 · 2008
with narrow risk management plans. punishing managers in order to align their
Consequently, with the choice of a wider interests with the organisation’s (Weaver et
set of risk management activities and areas, al., (1999a). Another strategy is to develop
employees are likely to find value in or adopt alternative controls that are more
internal audit activities, because such behaviour-oriented. engendering a more
activities help to identify breakdowns in ethical environment may work as an
both the design of their risk management alternative means of control, which, in turn,
plans and related internal controls, alleviates the need to expand or change a
firm’s traditional control system.
Also, the internal audit function is well
placed to aid in improving risk management Based on the preceding arguments, we
strategies. Lindow and Race (2002), for propose that the demand for internal audit
instance, argue that as a firm widens its risk activities would be negatively related to
management activities, there will be greater ethical environment. Management
demand for the internal audit function to committed to fostering a high ethical
assist in administrating and monitoring environment may be less motivated to
many of these risk management activities. increase more traditional control features
Similarly, Spira and Page (2003) observe such as internal audit activities because
that, in view of the Turnbull report, some there will be greater trust in employees to
companies have expanded their internal follow set rules and procedures. Therefore,
audit function to include specialists such as based on the above discussion, the fifth
engineers and marketers to broaden their hypothesis for study is as follows:
operational risk perspective. Senior
management can engage internal auditors to H5: There is a direct and negative
not only audit control activities, but also relationship between ethical environment
help to monitor a company's risk profile and and the extent of internal audit activities.
play a key role in identifying areas that
improve risk management processes. Intervening Effect of the Extent of
Accordingly, we predict that as the scope of Internal Audit Activities
risk management increases, there will be In the preceding discussion, it was proposed
greater demand for more extensive internal that there is a positive relationship between
audit involvement. the scope of risk management and the
extent of internal audit activities (H4). In
Thus, based on the above discussion, the addition, a positive relationship was also
following hypothesis is proposed: proposed between the extent of internal
audit activities and ACPQ (H2). When
H4: There is a positive relationship between viewed together, the two predicted
the scope of risk management and the relationships suggest that internal audit may
extent of internal audit activities. act as a significant intervening variable in
the relationship between the scope of risk
Ethical Environment - Internal Audit management activity and ACPQ. 4
Activities
Organisations have several choices for We therefore hypothesise the sixth and final
improving on their existing control system. hypothesis for study:
For example, one strategy is to invest in
more sophisticated controls that add onto or
complement their traditional control system
such as increasing the number and the
variety of controls (e.g. a moving from a 4
Although a significant proposed relationship is
simple to a more sophisticated information proposed for H2, a negative significant relationship is
system or performance evaluation system). proposed in H5 between ethical environment and
Traditional control systems tend to be extent of internal audit activities. Therefore, an
indirect relationship is not proposed between ethical
predominantly outcome controls-based environment and ACPQ.
whereby the focus is on either rewarding or
18
JAMAR Vol. 6 · No. 1 · 2008
19
JAMAR Vol. 6 · No. 1 · 2008
Total 64 100%
20
JAMAR Vol. 6 · No. 1 · 2008
have been adopted by a firm. These four (α = 0.846) supported a strong internal
items developed by Fatemi and Glaum reliability for the risk management scale.
(2000) relate to four specific areas that are Indices in Table 3 from a confirmatory
likely to be covered as part of a firm’s risk factor analysis support a four-item risk
management activities. The four items management factor. Therefore the Z-score
include the management of financial, for the four-item has been used in the
environmental, industry competition, and analysis.
operational risks. A factor analysis
produced a significant result (KMO = .752; The descriptive statistics for the four
Sig = 0.000) while a high Cronbach Alpha variables are presented in Table Two.
21
JAMAR Vol. 6 · No. 1 · 2008
Risk Management
.03 NS
.75 **
NS
-.27
.31*
Ethical Environment
The critical ratio (CR) and non-significant coefficient (CR = 2.568; P = .010) for the
regression coefficient (CR = 0.268; P = positive relationship between the extent of
.788) have been found for the path internal audit activities and ACPQ; thus
representing the relationship between the supporting Hypothesis Two (H2).
scope of risk management and ACPQ. Similarly, the positive relationship between
These statistics do not support a significant ethical environment and the ACPQ is
direct relationship between these factors. shown to be significant (CR = 2.810; P =
Consequently, these results do not provide .005). Therefore these results support
support for Hypothesis One (H1). Hypothesis Three (H3).
Conversely, the SEM results show an
acceptable CR and significant regression
22
JAMAR Vol. 6 · No. 1 · 2008
Table Four also shows significant statistics negative result, which reflects the
(CR = 2.626; P = .009) for the direct directional prediction of the hypothesis.
positive effect of the degree of risk
management on the extent of internal audit Also, from the results in Table Four, the
activities, which support Hypothesis Four acceptable and significant statistics for two
(H4). However, an unacceptable CR and significant paths hypothesised in H2 and H4
non-significant regression coefficient (CR = provide support for the intervening effect
–0.936; P = .349) results are reported for the extent of internal audit activities on the
the relationship between ethical relationship between the scope of risk
environment and the extent of the internal management and the quality of ACPQ.
audit activities. These statistics do not These statistics therefore support
support the relationship proposed in Hypothesis Six (H6).
Hypothesis Five (H5) but do provide a
Table Five: Maximum Likelihood Estimates: Best Fit SEM Model Structural Paths
Both insignificant paths of the initial (full) model’s fit for these relationships as
SEM were eliminated when a further model hypothesised in H2, H3, H4, and H6.8
was constructed to achieve a ‘best fit’ SEM.
Table Five summarises the regression Discussion of the Results
coefficients, CR and significance for each The results of this study provide two major
of the remaining three significant SEM sets of findings. The first set of findings
structural paths that are hypothesised in H2, pertains to the internal audit function
H3, and H4. Significant findings achieved whereby internal audit activities are seen to
for the ‘best fit’ SEM are similar to the play two important roles. Firstly, as
initial (full) SEM results that supported H2, hypothesised (H2) the extent of internal
H3, and H4. The significant statistics for audit activities is found to have a direct and
the two SEM structural paths hypothesised positive effect on ACPQ. These findings
in H2 and H4 again provide support for the are aligned with various anecdotal case
intervening effect of the extent of internal evidence (Colbert and Alderman, 1998;
audit activities on the relationship between Buckhoff, 2002) whereby internal audit
the scope of risk management and ACPQ reviews are viewed as being vital in the
hypothesised in H6. These significant SEM identification of weaknesses in internal
structural paths are illustrated in Figure
Four.
8
Smith and Langfield-Smith (2004) recognised that
The ‘goodness of fit’ indices are reported in while χ2, GFI, NFI, AGFI are the most commonly
Table Six for the ‘best fit’ SEM. These used fit indices for accounting research, they
acknowledged some structural equation model (SEM)
significant indices (SRMR = 0.0352; GFI = experts consider these to be inappropriate measure
0.9930; AGFI = 0.9640; NFI = 0.9740; CFI (e.g. Hu & Bentler, 1999; Byrne, 2001).
= 1.0000; RMSEA = 0.0000) support the Consequently, Table 7 incorporates additional indices
considered to be more appropriate by these SEM
experts (e.g., CFI, RMSEA & Standardised RMR).
Further, the appropriateness of the χ2 statistic to as an
indicator of fit has been questioned due to its
potential bias (Byrne, 2001; Arbuckle, 2005).
23
JAMAR Vol. 6 · No. 1 · 2008
control procedures and fraud detection. auditors are seen to lead to detection of
Often recommendations made by internal errors and incidences of fraud.
Table Six: Indices for Full and Best Fit Structural Equation Models: Testing Hypotheses
H1 to H6
Risk Management
.64 *
.15 **
Extent of IA
Accounting Control Procedural Quality
.33 **
Ethical Environment
24
JAMAR Vol. 6 · No. 1 · 2008
Secondly, internal audit activities are also The second set of findings of this study
seen to play a significant intervening role in relate to the effects of ethical environment
the relationship between the scope of risk on ACPQ. Firstly, H5 was not supported,
management and ACPQ. More specifically, suggesting that there is no direct
the results do not support H1, indicating that relationship between ethical environment
there is no direct relationship between the and internal audit activities. Instead, our
scope of risk management and ACPQ. findings support H3, suggesting a direct and
However, since H4 and H2 were found to be positive relationship between ethical
supported, it can be concluded that the environment and ACPQ. More specifically,
scope of risk management still has an a stronger ethical environment within the
impact on ACPQ through internal audit firm is seen to lead to a higher ACPQ.
activities. In other words, the support of H4 These findings suggest that in more ethical
indicates that as the scope of risk environments, employees are more likely to
management widens, the extent of internal follow accounting control policies and rules
audit activities is likely to increase. This as this would be the expected norm at the
finding is aligned with Lindow and Race’s workplace. These findings are consistent
argument (2002) who contend that there with results by Weaver et al. (1999b) who
will be greater demand for the internal audit found that organisations that fostered strong
function to assist in administrating and ethics were more likely to support
monitoring such risk management activities employee development such as engendering
as such activities increase in frequency and employee performance appraisals that
in their nature. In addition, the support of placed emphasis on their behaviour.
H2 suggests that as more internal audit
activities are conducted, ACPQ will Conclusion and Limitations
become higher. Given that accounting To date there is scant evidence on the inter-
control procedures can be broad covering relationships among different components
not only cash or sales transactions, but also of an internal control system. The present
controls over physical assets that may study provides valuable empirical evidence
involve environmental-related risks, on the effects of risk management and
increase in internal audit activities in such ethical environment on internal audit
areas is likely to have a spill-on effect on activities and ACPQ. Overall, the results of
ACPQ. Spira and Page (2003) observed the present study clearly highlight that both
that, since the Turnbull report (1999), some risk management and ethical environment
companies have added specialists to their impact ACPQ through different modes.
internal audit function to broaden their When organisations plan to invest in a
capacity to audit operational risks. Further wider risk management strategy in order to
Spira and Page (2003) also note that improve internal control procedures such as
internal auditors are becoming more ACPQ, they will need to be aware that
involved in the identification and significant attention also needs to be paid to
monitoring of a company's risk profile as internal audit activities in order to achieve
part of the overall risk management their objective. This attention reflects a
process. In sum, these results imply that holistic approach that has been purported to
when firms broaden the scope of their risk provide tangible financial benefits for firms
management activities, there will be greater (Whitehorn, 2008). Additionally, the
emphasis placed on their internal audit results also suggest that an organisation can
activities. A more active internal audit derive direct benefits in terms of improving
function in turn leads to better ACPQ as their ACPQ through engendering a more
such activities increase the probability of ethical environment. These results have
identifying weaknesses in accounting both theoretical and practical implications
control procedures (e.g. poor authorisation for both audit activities and ethical
and lack of segregation of duties over environment.
physical assets and employee activities).
25
JAMAR Vol. 6 · No. 1 · 2008
Theoretically, the study provides a more in- ACPQ, a flow-on positive impact can be
depth understanding of the inter- expected in corporate governance
relationships of the components of COSO’s processes, and the safeguard of financial
internal control framework. It is evident reputations - which are two of the top ten
that the relationships among the various risk concerns in 2006/20079.
internal control components are not always
direct and simple, and that monitoring Although the internal audit function is
mechanisms such as internal audit activities frequently a driver of the ERM process, in
may play a significant intervening role in theory, organisational culture is the long
achieving high quality control activities term key factor of an effective ERM system
(Subramaniam and Ratnatunga, 2003). (Whitehorn, 2008; Singer, 2008).
These results support the comments by Consequently, in practice, senior
Thomson (2007, p. 31) that “organisations management must provide strong support
must demonstrate strong internal controls, for ERM to be successful in providing
maintain integrity at all times, and manage reasonable assurance of financial statement
enterprisewide business risks”. He further reliability, which should be an outcome of
warns that the price for mistakes and ACPQ (Thomson, 2007). Such an holistic
surprises are only becoming steeper, and approach to ERM may involve compliance
that all organisations including those in the officers, ethical officers, and quality control
not-for-profit sector face the same personnel so that key risks are managed
impending pressure. (Julien and Richards, 2008). Furthermore,
ethical leadership is also seen as an
From a practical perspective, the results important ingredient for achieving high
suggest that firms need to consider the level quality internal control procedures. The
of resources allocated to their internal audit current findings suggest that senior
function because of the positive direct and management, in their strategic planning of
indirect effect these internal audit activities an internal control system will need to pay
have on ACPQ. Assessment of the strength significant attention to the role of internal
of the internal audit function and adequate audit as well as to internal environment
resourcing of such a function are some of factors such as the ethical environment.
the issues that an organisation needs to pay
increasing attention to, particularly as the The results of this study, nevertheless, need
pressure on senior management to broaden to be interpreted in light of several
the scope of risk management increases limitations. First, a limitation of this study
(Cai, 1997; Spira and Page, 2003). This relates to the measurement of ACPQ, which
broadening of the scope of risk focus was reported by the financial controllers.
requires better funding for the internal audit Given that financial controllers tend to be
function as well as recruitment and training responsible for ACPQ, there is the risk of
of qualified and certified professionals e.g., upward bias in their assessment. Future
CIAs, CMAs and CPAs (Singer, 2008). studies may adopt a more objective measure
of the ACPQ construct by using measures
Further, the results of this study suggest that such as the level of resources and
a move towards enterprise strategies is sophistication of the various accounting
likely to be associated with greater internal control procedures. Alternately, future
audit activities. Enterprise involves studies may adopt a weighted measure of
integrating risk management strategies ACPQ, whereby its assessment could be
rather than evaluating risk management in undertaken by multiple parties including
silos, which is likely to result in fragmented
and/or duplicated roles within a firm’s risk 9
Aon Insurance Brokers, (2007) Australian Risk
management system (Whitehorn, 2008). Management and Total Cost of Insurable Risk Survey
This holistic approach would help improve (Whitehorn, 2008, ‘Top 10 Risks for Companies, p.
15) and the Risk Management Institution of
resource allocations to these internal audit Australian’s Master Class on Reputation
activities and reduce costs through Management for Certificated Practising Risk
mitigating redundant roles. With improved Managers, November 2007 (Whitehorn, 2008,
‘Endnote 2, p. 18).
26
JAMAR Vol. 6 · No. 1 · 2008
financial controllers, internal and external tactics and personnel instruments”, Journal
auditors. A second limitation may relate to of Management Development, 20(2), pp.
the problem of a small sample size. Since 159-178.
only 64 respondents participated in this
study, this may have posed restrictions on ASX Corporate Governance Council
the use of a structural equation model for (2007), Principles of good corporate
data analysis. However, the Hoelter’s governance and best practice
(1983) critical N (414 @ .05; 636 @ .01) recommendations. [Online]. Available:
suggests the sample size is adequate http://www.shareholder.com/visitors/dynam
(Byrne, 2001; Arbuckle, 2005).10 Finally, icdoc/document.cfm?documentid=364andc
the usual caveats of survey research are ompanyid=ASX.
applicable to this study. Future studies may
undertake a more qualitative approach to Baines, A. and Langfield-Smith, K. (2003),
understanding the various processes that “Antecedents to management accounting
facilitate or inhibit the relationships among change: a structural approach”, Accounting,
the selected internal control features. For Organizations and Society, 28, pp. 675-698.
example, in-depth interviews of employees
may better explain how a more ethical Beasley, M.S., Frigo, M.L. and Litman, J.
environment has helped in the willingness (2007), “Strategic Risk management:
of employees to adhere to control policies, Creating and protecting value”, Strategic
and contribute to improving ACPQ. Finance. 88(11). 24-33.
In conclusion, this study highlights the Bou-Raad, G. (2000), “Internal auditors and
importance of the inter-relationships a value-added approach: the new business
between ethical leadership, risk regime”, Managerial Auditing Journal,
management and the extent of monitoring 15(4), pp. 182-186.
activities namely, the internal audit
activities for the design of effective Buckhoff, T. A. (2002), “Preventing
accounting control procedures. Further employee fraud by minimizing
research in this area is much needed as the opportunity”, The CPA Journal, 72, pp. 64-
benefits of having adequate internal 66.
controls have become abundantly clear. No
doubt, the design of effective internal Business Review Weekly, (2004), The 1000
control systems remains a key challenge for biggest enterprises. Retrieved January 15,
senior management. 2004, from
http://www.brw.com.au/Login.aspx?Return
Url=/lists/brw1000/brw10002004.aspx&err
References Code=10001
Agami, A.M. (2006), “Reporting on
internal control over financial reporting”. Byrne, B. M. (2001), Structural Equation
The CPA Journal, 76(11), pp. 32-34. Modeling with AMOS Basic Concepts,
Applications, ad Programming, Lawrence
Arbuckle, J. L. (2005), AmosTM 6.0 User’s Erlbaum Associates, Mahwah, N.J.
Guide. Il: SPSS Inc. Chicago, Illinois.
Cai, C. (1997), “On the functions and
Ardts, J., Jansen, P. and Van Der Velde, M. objectives of internal audit and their
(2001), “The breaking in of new underlying conditions”, Managerial
employees: Effectiveness of socialisation Auditing Journal, 12(4/5), pp. 247-251.
10
Chen, A. Y. S., Sawyer, R. B. and
The reported Hoelter critical N for the ‘best fit’ Williams, P. F. (1997), “Reinforcing ethical
SEM (i.e., between 414 for .05 and 636 for .01)
indicated that the hypothesised model is correct and
decisions through corporate culture”,
should be accepted for these large sample sizes Journal of Business Ethics, 16, pp. 855-865.
because they are much larger than the accepted
critical N of 200 argued by Hoelter (1983).
27
JAMAR Vol. 6 · No. 1 · 2008
28
JAMAR Vol. 6 · No. 1 · 2008
29
JAMAR Vol. 6 · No. 1 · 2008
30