As a term, internal control was born out of the field of accounting and auditing, and was originally known to be some forms of accounting controls associated with the system tests performed by external auditors in assurance of the reliability of financial reporting (Fernald, 1943). The Securities Act of 1933, in an apparent reference to internal control and the processes involved in an audit, recommended that the scope of an audit be determined by an external auditor’s assessment of the organization’s internal check and internal control (Fernald, 1943).
According to Heier et al. (2005), as far back as 1905, there had been a book written by Lawrence Dicksee, in which he stated that an audit is essentially concerned with the detection of fraud and errors and that the totality of an auditor’s duty is the ascertainment of the true state of affairs of his client at a specific date. Citing Brown (1962), Heier et al. (2005) contended that the author alluded to systems of internal control by stating that for an auditor to succeed in his task, it is extremely necessary for him, or her to study thoroughly and master the general system of operation upon which the books and records have been predicated. They disclosed that the author of the book enumerated three classical rudiments of internal control that are still applicable more than 100 years later. The first rudiment is that the responsibilities for managing cash and keeping the ledger should not be vested in one individual. The second is that the ledgers should be maintained in such manner that the balance of an account after each transaction is available at a glance. The third is that where an organization’s activities occasion the maintenance of many individual ledgers, the system should provide for frequent movement of staff between job schedules so that any occurrence of fraud or errors can be detected and addressed in a timely manner (Heier et al., 2005).
Brown (1962) argued that a long history trails the audit objective of detection of fraud but that it was only until the 20th century that internal control as a subject was recognized. Sawyer et al. (2003) stated that prior to 1930, the term internal control had gained some form of recognition and attracted discussions. In all, it can be safely concluded that internal control has been associated with business and organizational management over the past century. Therefore, the organization theory upon which this research study is grounded is apt.
The 1929 crash in the stock market caused the U.S. Congress to react by enacting two acts with a view to stabilizing the market, as well as to ensuring that all reports intended for investors are proper in content. The first was the Securities Act of 1933, which made it compulsory for every public company to register its market securities and to ensure that it makes appropriate financial disclosures at all times. The second law, which gave birth to the Securities and Exchange Commission (SEC) is the Securities Exchange Act of 1934. The SEC regulates exchanges and stockbrokers, and monitors the financial disclosures being made by the publicly held companies.
As a result of the 1933 and 1934 Securities Acts, the American Institute of Accountants issued a pamphlet which stated that the forms and dimensions of the internal check and control in any company that is being examined were important factors to be considered in formulating an independent accountant’s program of work (AIA, 1936). This pamphlet described the ways that internal controls can influence an audit from the perspectives of bookkeeping, but did not consider the management’s duties and responsibilities for possible discrepancies and their consequences (Heier et al., 2005). Subsequently, SEC decided to delegate the duty of improving the principles of accounting and auditing to the American Institute of Accountants (AIA). In executing its function, the Institute set up two committees, one for accounting principles, and the other for auditing principles.
In 1938, the management of a company called McKesson & Robbins was charged for misrepresenting its inventories and accounts receivables by overstating by $19 million their consolidated assets, which stood at $87 million in their 1937 year-end financial statements. Explaining the situation, a Price Waterhouse partner, the independent accountants, attributed the fraud to unethical practices made possible by the absence of internal controls and audit safeguards (Dennis, 2000). In a reaction to this case, in 1939, the Auditing Principles Committee introduced an extension to the existing auditing procedures. Thenceforth, auditors were required to attend at stock-taking, conduct physical tests, and obtain certifications for stocks in various locations and for the accounts receivables (Dennis, 2000). This was a major development that preceded the World-War II.
The post World-War II economic boom, the bribery revelations of many reputable firms like Exxon shortly after the Watergate scandals of the 1970s, and corporate failures of the 1980s were some of the reasons for the continued regulation and wider interpretation of internal control. Hence, according to Pfister (2009), nearly all issues of definition and developments in internal control were necessitated by reactions to economic changes in the country as a whole, or in individual firms in the economy. The consequence is that, in the last 3 decades, there has been a shift from the finance and accounting focus to a more corporate governance focus that is wider in perspective.
The other events can be seen in the question of administrative controls being, or not being part of an audit. To help resolve the issue, the American Institute of Certified Public Accountants in 1958 stated that the auditor should consider assessing administrative controls only if not doing so would impugn the integrity of the financial records (Pfister, 2009). In relation to the bribery revelations in the mid 1970s, more than 400 United States companies were involved in cases of bribery. The events led to the enactment of the Foreign Corrupt Practices Act (FCPA) in 1977 (and revised in 1988) to discourage corrupt practices among U.S. persons and organizations in the course of sourcing and executing businesses. Specifically, it required that all publicly traded companies in the U.S. must keep good books, and maintain adequate internal controls. The Act added a great deal of improvement in the management of business organizations (Cleveland, Favo, Frecka, & Owens, 2009).
Another example of a major legislative reaction to significant events is the introduction of the Sarbanes-Oxley Act of 2002. By the end of the 20th century, many investors and stakeholders suffered huge losses following many cases of high profile accounting scandals at Enron and WorldCom (Stewart, 2006). These scandals necessitated demands for greater legislative attention than in the past to be given to corporate governance. In the United States, the scandals motivated the enactment of the 2002 Sarbanes-Oxley Act (SOX) as an effort to address the incidence of corporate failures in the hope that both investor and public confidence in financial reporting would be restored (IFAC, 2006).
The Act provided new rules for the reporting of internal control evaluations of financial reporting, in addition to the assessment of the internal controls by management, the annual report should include an internal control report that acknowledges the responsibility of management for a proper structure of internal control and for the reporting of financial matters and its assessment of how effective the internal control is over financial reporting (Coates, 2007). In addition, the auditor is to report his or her opinion of management’s assessment of the internal control system. Both the Foreign Corrupt Practices Act of 1977 and the SOX Act of 2002 are two examples of reactions to significant events that led to more regulation and in some cases, to the mandatory disclosures of internal control as well as to the widening of the interpretation of internal control.
In the United Kingdom, well-known failures such as the Bank of Credit and Commerce International and the Robert Maxwell Empire sparked concerns about the reliability of financial reporting. These events compelled the London Stock Exchange (LSE) and the accountancy profession to set up the Cadbury Committee in 1991. The Committee’s report stated that the efficient management of a company required an effective internal control system; that it was necessary for Directors to provide a report that showed their own assessment of how effective their internal control system was; and for external auditors also, to report on those statements. Consequently, the LSE adopted these provisions as listing requirements for public companies. Pfister (2009) stated that these historical developments enable a distinction to be made between the focused view and the comprehensive view on internal control. He further stated that defining internal control in relation to financial reporting only exemplifies a focused view, whereas a definition that encompasses operations, financial reporting, and compliance objectives exemplifies the comprehensive view. These two views of internal control are further discussed below.