[Introductory note: Robert K. Mautz is director
of the Paton Center for Accounting Education and Research of the
University of Michigan. A professor emeritus of the University of
Illinois, he is past president of the American Accounting Association
and former editor of The Accounting Review. He is a retired
partner of the firm of Ernst and Whinney. Professor Mautz has served
on the Cost Accounting Standards Board, the Financial Accounting
Standards Advisory Council, and the Council and Board of Directors
of the AICPA.]
First, let me express my sympathy to those students who were drafted
to be here this evening. We appreciate you and the cost to you of
being here. I often wonder what students think when they hear such
a generous introduction. Do you think: "My golly, that man has
done nothing but accounting all his life." And then you see a
dried up, bald-headed old man who looks kind of serious and sour,
and you wonder, "I bet he's never had any fun in his life."
Well, let me tell you I have had a lot of fun, and a great deal of
it has been in accounting.
I don't spend all of my time in accounting; I have a number of other pursuits that I get great enjoyment from also. But I do want to leave you with the message that there are few vocations that offer as many opportunities as accounting does for stimulating, intellectual activity. In accounting, you can match your mind with some of the best minds in the country. For example, work with the legal profession. Just last week, I met with a select group from the American Bar Association to talk over this very subject of internal control, in this case the legal responsibility that their clients face because of the Foreign Corrupt Practices Act and its emphasis on internal control. They were very interested in our research. When I tried to explain what we were doing, they told me what I should have been doing, so I told them why I was doing what I did. We had a great time.
Accounting provides opportunities to test your view of things, and your attitudes and approaches, with those of the top managers in business. You can go any direction you want; into education, into business, into the public accounting profession, into government. Accounting is now demanding talents that we never thought would be needed. Now it is not enough to just sit in the back room with a set of work papers. Now we have to be able to testify before Congress, to argue a position before the Financial Accounting Standards Board, or make a presentation at a Securities and Exchange Commission hearing. We have to be able to explain to people who really have no background why we do what we do and why we don't do other things. That means we need in the profession and in accounting activity generally all the good minds and talent we can get. I will promise you that if you get into accounting and work at it, you'll find more opportunity than you can ever take advantage of.
Current Research on Internal Control. Now with that, let me get on into
the topic for tonight. We've been doing some research for the Financial
Executives Research Foundation, the research arm of the Financial
Executives Institute, on internal control. When the Foreign Corrupt
Practices Act was passed late in 1977, it hit much of the business
community as an unexpected and unpleasant surprise. Most of them didn't
think foreign corrupt practices had anything to do with them at all.
But the Foreign Corrupt Practices Act reaches every company that files
with the SEC, everyone, whether it is in foreign trade, or not. So
a lot of companies that are totally domestic, that are not engaged
in doing anything that they think of as corrupt, find themselves with
new responsibilities under that Act.
The Act was specifically intended to reach companies that had been making improper payments overseas, bribes, influence payments and the like. It was intended to stop such payments. And the way chosen to stop them was to fix the responsibility upon management for anything that happened. Congress and others were tired of top management saying, "We don't know what's happening way down there or way over there in our huge organization. We don't know anything about those bribes." The FCPA response to that defense is to say, "From now on, you are responsible for a system of internal control which stops that sort of thing." The Act isn't quite that specific, but that's the intent. Internal control is the means seized upon by the government to put a stop to some irregular practices that it doesn't approve of. Management of the company finds that it now is responsible for a system of internal control that will prevent the undesired acts. In one of our research seminars, one person explained it this way. He said: "A term, 'internal control,' that we've always used to describe good management practice, is now used to describe criminal conduct." The absence of a good management practice has become criminal conduct, for which managers are subject to fines and jail sentences.
When that awareness got through to business management, all of a sudden internal control began to get a lot more attention than it had before. Some of that attention was shown by the AICPA which immediately established a blue ribbon committee, consisting primarily of non -- practitioner members of the Institute, to examine what ought to be done about helping companies comply with the Foreign Corrupt Practices Act. The members worked very hard. They met over the course of a year, spent a lot of time in discussions and study, and had hearings. When they got through they did what we often do here in this country, either appoint a committee, (that had already been done so they couldn't do that again) or recommend research. The research that they proposed, first of all, was some state of the art research. "Let's find out what internal control practices in this country are."
State of the Art Research. We applied to the Financial Executives Research Foundation (FERF) for that particular project and were given the opportunity.
We put together a seven-man team from the Graduate School of Business Administration at the University of Michigan. My first thought was that if we do this research entirely with accountants, we're likely to look too narrowly at the subject. I thought a broad point of view was probably necessary. So we put together a team that had a wide range of interests: one other person with a strong audit background, a management accountant, two data processing people who came into data processing not through business but one through mathematics and one through engineering so they brought an entirely fresh point of view to the data processing problem. Then we had a corporation finance man and a specialist in organization theory.
I must admit I had a hard time cornering these fellows, because they couldn't see internal control as very exciting or interesting as a research topic. They were interested in some interdisciplinary research, but they weren't sure that internal control provided the right opportunity. I worked very hard at getting their interest. Once they got into it and saw what the possibilities were, it ceased to be my project and I just hung on for dear life. They were all younger men and they ran much faster than I could.
The Research Program. Our research program included both a questionnaire and extensive interviews. We put together a lengthy questionnaire which got into not only what practices are now being followed in internal control, but also respondents' evaluations of their systems of internal control. We also asked them how they interpret the term 'internal control.'
On the same project, we scheduled a series of interviews with personnel in 50 Fortune 1,000 companies. We sent out two-man teams from our group to spend a full day at each company, after making complete arrangements with the company in advance. While we were there, we wanted to spend about an hour and a half with the chief financial officer and a representative of the legal counsel's office, because that office frequently has responsibility for the code of corporate conduct. Often the CFO had the chief internal auditor or the controller or someone with active internal control involvement join the discussion, There would be two of us and two or three or more company representatives. We followed an interview guide that asked questions on how they understood internal control, how they viewed the Foreign Corrupt Practices Act, how they thought it might be implemented, what they considered their major internal control problems to be, and so on. Then we divided up and one of us would spend some time examining the company's accounting and policy-manuals. Some companies had very extensive manuals so you can't read very much of them in an hour and a half. Our intent was to discover the extent to which the company utilized manuals, to get a general feel for the coverage, and to see to what extent they were kept up to date.
We found great variety. We found companies that had no manuals whatsoever, and we were in companies that had so many of them we didn't quite know where to begin.
While one of us reviewed manuals, the other researcher spent an hour and a half with the chief internal auditor to discuss with him his work, what kind of a staff he had, what he thought his purposes were, was his work seen primarily as surveillance, or policing, or operational auditing, was he competent in data processing and did his department participate in developing new data processing systems? That same researcher also spent time with the manager of the data processing department to see what he thought of internal control, if he'd ever heard the word, as a matter of fact. What did he think of the internal audit department, of the independent CPAs, and especially of their competence in data processing?
Then we spent time with a number of operating officers, if we could, somebody in production, in general management, in purchasing or credit granting or whatever it might be. We wanted a look at both sides of internal control.
Out of all this, we got together a great amount of information on present internal control practices, conditions, and quality which we put together in a report published by the FERF in May of 1980. It summarizes as objectively as we could present the data the results of the questionnaire and of the interviews and provides a description of the state of the art of internal control practices in U.S. corporations as we found them. Because we couldn't resist commenting on all that we had learned, we divided the book into two parts; the first half is as objective a report as we could make on the findings, the second part is a series of essays on our observations.
Now, what did we find? We found a whole lot of things, most of which have been reported and discussed at other meetings. Tonight I will go beyond that project to discuss an extension of that FERF project. Research beyond the state of the art was in progress when we started the study. The FERF committee didn't want to commit to the complete study until they discovered whether we could do something with the subject, whether it lent itself to research.
The Feasibility of Criteria Study. If we could do a good state of the art study, then they would let us take the next step, which was to consider the feasibility of a set of criteria by means of which companies could judge their internal control systems. We are currently engaged in that research, and that's what I will talk about this evening; the possibility of a set of criteria to judge internal control systems.
If we get a requirement for public reporting on internal control systems, we will need some guidance, some way of measuring the adequacy of a system. How do you report on a system of internal control unless you have criteria to judge it?
Confusion About the Meaning of Internal Control. Now one of the things we found, and that we must deal with in this research, is real confusion as to what internal control means. At least four quite different concepts of internal control exist. We found one concept of internal control when we talked to the people in operating management. When we asked these people "What do you think of when you hear the phrase, 'internal control'?" they responded that from their point of view internal control and management are literally identical. Operating management is control.
One analysis of general management says that management consists of a series of different activities, of establishing goals, of formulating policies, of developing plans to reach those goals within the policies, of implementing the plans (that's what we mean by "doing business"), of reporting on the results of activities, and of reviewing and revising goals, plans, and activities as necessary.
This analysis is helpful in pointing out two levels of control: (1) establishing objectives and policies; (2) taking action to attain the goals within the policies. If you think of management in those terms, goals and policies establish the framework within which company personnel are expected to perform. Planning and implementation of plans contain provisions for control, provisions that are governed by goals and policies. General management thinks of internal control as a set of measures to help achieve company goals within company policies.
Both management views have much in common. They are broad in scope, profit oriented, and positive in nature. They are aimed at getting done what needs to be done to attain the company's purposes. When managers think of control, they think in terms of holding down costs, of maintaining quality, and of being on schedule. Internal control is anything that helps them to do those things.
The Audit Definition. Now let's look at another definition, the definition that the independent accountants have developed over the years. Actually, independent accountants have two definitions, but let's talk about the official one that you find in the audit literature. It was first proposed back in 1949, in a little pamphlet by a sub-committee of the Committee on Auditing Procedure of the AICPA. The standard form of the auditor's opinion and the auditing standards had referred to the auditor's responsibility to review internal control but internal control had never been defined authoritatively. So they set out to define internal control, and produced this definition.
"Internal control comprises the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies."
Note there are four purposes. Can you think of a broader definition than all measures to "encourage adherence to prescribed managerial policies," all measures "to promote operational efficiency," all measures "to check the accuracy and reliability of its accounting data," and all measures "to safeguard its assets?" Very shortly after issuance of this definition, legal counsel to some of the major firms were saying, "Do you really want to sign an opinion in which you state you have met generally accepted auditing standards when one of the auditing standards says you have reviewed the system of internal control which is defined in such broad terms? Do you mean you reviewed everything in that definition; do you want to commit yourself legally that you reviewed all of the measures described? Think of the obligations you are undertaking."
Revision of the Broad Definition. So shortly after that definition was pronounced, plans got underway to reconsider it. In 1958, almost ten years later, the Committee on Auditing Procedure produced a revision of that definition which cut the four purposes of internal control right in half. It divided internal control in the broad sense, into "accounting control" and "administration control." Safeguarding assets and checking the accuracy and reliability of its accounting data, these were accounting controls; measures to promote operational efficiency and to encourage adherence to prescribed managerial policies were administrative controls. The independent accountant's audit responsibility was described as only to review the accounting controls. What had been a management oriented definition of internal control was restated to serve a specialized audit purpose.
Remember, they were defining internal control for a specific purpose -- to describe the extent of the independent auditor's review in an opinion audit, but that wasn't all; that revision did not go far enough. Independent accountants thought some more about it, and in 1972 they reduced that definition even further. In 1972 they decided that 'accounting control,' as defined, was still too broad from the standpoint of the responsibilities that they wanted to accept. The two terms, 'safeguarding assets' and 'checking the accuracy and reliability of accounting data' were each narrowed still further. They worked out an interpretation that goes like this: "Safeguarding of assets refers only to protection against loss arising from intentional and unintentional errors to processing transactions and handling the related assets." And then they looked at the matter of checking the accuracy and reliability of accounting data, and decided that was too broad also. So they decided their responsibility should run only to the accuracy and reliability of accounting data for external reporting purposes. This left out all questions of accuracy and reliability for internal reporting purposes.
From the standpoint of the independent accountant, it was a very wise thing to do. The original definition was an excellent one from a managerial point of view, but too broad for auditing. So we have the independent accountant starting with a very broad definition, narrowing it in two steps, and getting it down to a very technical, specialized, defensive, definition of internal control, one completely different from the operating officer's definition.
The FCPA Definition. Now comes some confusion, because when the Foreign Corrupt Practices Act was written, it required a definition of internal control. Whoever was responsible for drafting the Act went to the technical auditing literature and picked the very paragraph which was supposed to summarize the auditor's narrow definition. So, in effect, the law says to use that very narrow, tight, technical definition of internal control, yet that is not really what the Act was designed to do. The Act was designed to stop bribes, no matter how. When it selected that very narrow definition, it left many people with a great question. How do we read that paragraph? In context with the auditing literature or not? How do we know when we're in compliance with the Foreign Corrupt Practices Act? The fact that the FCPA not only selected that narrow definition but then added a new term, internal accounting control, not used elsewhere in the accounting or auditing literature to describe it, does not lessen the confusion.
So coming out of the Foreign Corrupt Practices Act we have a most interesting variety of definitions of internal control and some interesting questions. While we were on our interviews, we always asked our hosts to take us to lunch with all the people we were interviewing so we could have a group discussion over the lunch hour. This was frequently enlightening because they often had different points of view. We tried to get them to tell us how they thought the Foreign Corrupt Practices Act would be interpreted and applied. This brought a variety of answers. The lawyers present contended that the law is of such nature that we will not really know what it means until there has been a lot of litigation. Judging from the statements of spokesmen for the SEC, they want something broader than the narrow definition included in the Act, but if so they face a contest with representatives of the legal profession.
The Management Concept of Internal Control. There is another concept of internal control, one that was slowly emerging before the Foreign Corrupt Practices Act came along, and whose development is being hastened by that Act. It is a definition coming out of the work of chief financial officers, controllers, and general management. They are all trying to determine what their responsibilities for control really ought to be. Within the whole range of management, they seek some identifiable piece that can be described as internal control from a management point of view.
When I was a junior accountant, more years ago than I like to think, we talked about and we reviewed internal control. What we meant by that term were the customary practices and procedures like separation of duties, independent counts, and independent reconciliations that were designed primarily to keep clerks and fairly low-level officers honest. We wanted to know that the inventory clerk wasn't pilfering, that the person in charge of the petty cash fund was honest, that all cash receipts got into the bank, and so on.
The Foreign Corrupt Practices Act suddenly pushed our idea of internal control several levels higher. Now when we talk about internal control, we mean controlling anyone in the company from the president on down from having anything to do with bribing overseas officials or engaging in any other "corrupt practices." In my youth, internal control was never intended to reach that high. It is now, and so we need a new set of definitions, new ways of looking at internal control.
A point to be made here is that this development was under way before the FCPA was promulgated. Over some years, many companies have worked out complete codes of conduct for officers and employees based on conflict of interest letters which originally came out of the legal counsel's office as an effort to eliminate certain practices. These have been expanded and developed into codes of conduct that cover a variety of philosophical, motivational, and control issues. The emerging concept of management control goes beyond the audit concept because it is not only a matter of preventing irregularities in published financial statements. It is a recognition that internal control should be constructive and goal oriented.
The Research Seminars. Part of our research technique in the second phase of this internal control project was to hold a series of research seminars. In a number of cities we got together a small group, eighteen to twenty-five people, including lawyers, CPAs, internal auditors, controllers, and chief financial officers. In advance, we put in their hands the best definitions of internal control we could work out, and our idea of a suitable set of criteria. Then we met with them to discuss our ideas. The discussion was always interesting and often humbling. We learned something from each seminar and kept revising our definitions and criteria. One of the thoughts expressed over and over again was "You are defining internal control too narrowly." Corporate management people wanted internal control to be viewed as something more than merely preventing or reducing errors and irregularities. Internal control, they contend, is the way we attain our objectives, the way we get those things done that we ought to be doing. It is positive, not protective only. Management's job is not just to safeguard the assets. Management's job is to put those assets at risk for a profit, and we want that concept in internal control.
Four Components of Internal Control. Out of our state of the art research, we got the idea that there are probably four basic components of a system of internal control. These are the internal control environment, risk analysis, application of procedures, and monitoring. Each warrants some attention. There are really two internal control environments. One is the external environment. Management operates within society's code of ethics; at least it operates within its perception of that code of ethics. Obviously management's perceptions were in error in making certain overseas payments for contracts, because society, through its elected representatives, concluded these were corrupt practices, This was a traumatic experience for many companies and many executives to find their perception of society's control expectations was in error.
Our concern, of course, is with the inside environment. We asked over and over again, "What is the environment for internal control in your company?" Most interviewees thought it was good to excellent. Rarely did they say it was unsatisfactory. Some of them confessed it had been unsatisfactory in the past which had resulted in changes in management and they were now struggling to maintain a positive attitude toward integrity, discipline, proper accounting, proper handling of transactions, avoidance of improprieties, and to operate within policy guidelines.
When we asked them, 'How does this attitude get established, who is responsible?" they almost always cited the chief executive officer. Generally they said one of two things about the chief executive officer. Either that he came up through accounting or law and therefore is concerned about control and recognizes the problems, or they would say he is a highly moral man and would not tolerate any executive or other employee if he knew they were dishonest. It gets right back to simple honesty, dedication, and loyalty to the company.
Elements of the Internal Control Environment. We think there are two parts to that environment. One element of the internal control environment is some positive action at the executive level that continually reinforces the moral climate within the organization. This might be a code of corporate conduct that is published and distributed periodically; it might be a continuing emphasis in training programs; it might be material in the company's house organ. Whatever it is, it must be serious and come from a high executive level. And of course it has to be recurring. It can't be a one shot effort. You can't send out a code of conduct in 1980 and forget it for ten years. We think that an essential element of the environment criterion is some positive action at a high level on a recurring basis.
The other element of the internal control environment is the absence of anything that has negative control connotations. If we have senior executives who are enjoying excessive perks or who are overriding internal controls, they detract from any positive attitude toward a strong control environment in that company. If we have such an emphasis on profit that it is "You make your profit goal no matter what you have to do," that again defeats the internal control environment. What is needed, of course, is a nice balance; you can't run a business without emphasis upon profit. You must have the right emphasis on profit, recognizing all the time that you can push your employees to the point where they do things you don't really want them to do.
Risk Analysis as a Component of Internal Control. The second component we call 'risk analysis,' an analysis of internal control risk. We try to distinguish business risk from internal control risk. Business risks are the risks you run because you go into business in an uncertain world. No one knows what may happen tomorrow. We don't know what kind of government regulations are going to come along, what is going to happen in the economic climate, whether people's tastes will change, what new ideas will come along, if there's going to be a war in the mid-east, how the price of oil will change, and so on. We don't know what the competition will do. Those are business risks. Internal control risk is that part of business risk that comes from the fact we have to rely on human beings to seek the company's goals. Human beings are fallible. We are subject to both error and irregularities. Personnel failure is not a nice phrase, but it describes the risk very well. The purpose of internal control, as we see it, is to eliminate, or to reduce and provide for timely discovery, of personnel failure, either a failure to do what should have been done or a positive act that should not have occurred.
Internal control risk will vary with the industry. You all know that there is a difference between the internal control risks in a steel mill and in a bank, in a high technology industry versus a bakery. The type of industry has a lot to do with the possibilities and probabilities of failure. The organization of the company is another factor. A highly centralized company with specific rules and regulations is different from one that is decentralized with lots of autonomy out in the branches and divisions. A company that is active in many locations overseas, has risks different from a monolithic organization operating domestically only.
Internal control risk is affected by the market from which the company draws its personnel. There are very big companies in small towns whose officers say, "We have a special situation. We really dominate the community. Our people work together, we go to church together, we serve on the PTA together, we play at the country club together, our kids know each other. We are all pretty much alike and if anybody does anything he or she shouldn't do, there is no place to hide. Everybody knows it. Given the market from which we draw our personnel, the quality here is such that we don't need the internal controls you would need if you were operating in New York City where people come from different backgrounds, don't know each other, and never see each other away from the office."
Risk analysis requires that you take all those things into account and then work through your organization in a position by position evaluation. What can each person do that either helps or hinders the company? Management wants to encourage them to do the right things; we want to discourage them from doing other things. Having made that analysis on a position by position basis, you do it again on a function by function basis: purchasing, production, marketing, treasury, accounting, and so on.
Application of Control Procedures. The next component of control is to match appropriate internal control procedures with those risks. Some internal control procedures are the ordinary things that a prudent businessman does to get the job done and avoid problems. In contrast, a unique situation may require the invention of new control procedures specifically for that situation. A case was cited to us by an officer of one of the major chemical companies in the country. "When the price of silver skyrocketed, as it did not long ago, suddenly the company had a whole new set of internal control problems. An executive was caught with 24 ounces of silver in his car which he said he was going to work on at home. It had never dawned on us to worry about that sort of thing before. Silver, from the standpoint of total dollars of purchases, jumped from fairly low in our list of purchases, right up close to the top. We found a whole series of things that we had to change. Our purchase commitments, our methods for handling the metal, the way we got into transactions with suppliers and others, all had to be changed." As economic conditions change, your risks change. That is part of risk analysis and it is also part of selecting appropriate procedures to meet the risks. Other aspects of procedure selection include the possibility of control, the probability of occurrence, and the cost of control. Some things you can control, some things are beyond control. Some internal control risk really is an unavoidable part of going into business; it is a business risk. Then you take into account the probability of the risk being realized. If it is very unlikely to happen, it gets less attention than if it is highly probable. Cost is also an issue, both direct and indirect cost. Balancing extent of risk and probability of occurrence with possibility and cost of control presents a nice problem in management judgment.
Monitoring as a Component of Internal Control. The last component is monitoring. Someone must monitor the internal control system to make sure that it is functioning as planned. Monitoring typically is done by an internal audit department. We are not prepared to say that an internal audit department is an essential part of an internal control system. It is a part in many systems; it is necessary in some situations. But there are successful companies that do not have an internal audit department. There are companies in the Fortune 1000 that do not have any internal auditors, as such. They may have other people doing internal audit work.
There are also companies that have an internal auditor who is really just an assistant to the controller. He may make special studies but he does very little, if any, auditing. Monitoring is determining that the internal control procedures are being applied effectively, that they are accomplishing their purpose. There are two parts to that. One is to see that the procedures that are supposed to be in use are being applied in an effective way. The other is to look at your procedures periodically from the point of view of overall adequacy considering changes in the company and its situation.
Conclusion. Our assignment on this research is to determine the feasibility of establishing internal control criteria. Our approach was to develop a set of criteria that we thought were useful and to try them on groups of experts. We find we have to do two things: we have to develop a definition, because the criteria have to be applied within some boundaries. So we are trying to find the right words to put some boundaries around internal control and to develop criteria which are broad enough that people can live with them, but that are meaningful enough to cause people to look at their internal control, detect any deficiencies, and know how to remedy them.
QUESTIONS AND ANSWERS
"The definition that you're trying to formulate, is it for the SEC and the FASB? Who is it going to encompass?"
"You raise an interesting point. We have been concerned about that from the time we first started the research. Members of the FERF Steering Committee have been alert to the possibility that we would inadvertently or deliberately define internal control in such a broad sense that they would be subject under the Foreign Corrupt Practices Act to more legal obligation than they could bear. The purpose of our meeting with the group from the American Bar Association last week was to discuss this very matter with them. We were seeking the best legal advice available.
"In effect what the lawyers said was: 'What you should do is go ahead and define internal control conceptually as best you can from the standpoint of the company's management, if that seems useful to them. That is an appropriate and a useful exercise. Be sure you say that is what you are doing and nothing more. Don't get the idea that you can impose your own interpretation of internal control on business and thereby rewrite the law. The law is already on the books. It says what it says and we know how to deal with it. We think we can take care of our clients. If you were to state that you were redefining the law, you'd get yourself and us in trouble. You tend to your business; leave the legal business to us.' "Now, to answer your question more directly, we are writing this from the standpoint of a corporate executive. What is the responsibility that a corporate executive should accept, as a member of management, for maintaining internal control? Within what set of bounds is he obligated as an effective manager? We think of it in terms of a number of other concepts. It is related directly to our concept of internal control risk, which relates to the concept of personnel failure. It relates to controllability, to judgment as to probability, and to alternative uses for funds to pay the cost of control. It relates very closely to what can be achieved on a cost/benefit basis, and it interrelates with the company's goals and policies. So it is a combination of the company's objectives and policy with its control environment, risk analysis, and so on. It will be tied very closely to the elements within the components of control, and it will be for the corporate executive. It will say nothing at all about the Foreign Corrupt Practices Act."
"How will foreign accountants react to this, because they're going to be doing audits of segments in which this will take place?"
"I don't think foreign accountants, as accountants and as auditors, need pay any attention to us. They should turn, I would think, to the AICPA definition of the extent of responsibility an independent accountant takes as an auditor in the review of internal control. Let me come back to the first question also, because this ties in. If we ever get to the point where we are reporting on systems of internal control, this definition and our criteria might have some application. The chief financial officer could say: 'My company meets the criteria for internal control established by the Financial Executives Institute,' and people would know what was meant. If we also ask the independent auditor to report on management's statement, then the auditor would use the criteria also, but only in that case and only for that purpose. That definition and those criteria should not be confused with the definition and the concepts the auditor has for determining his audit responsibility. We will need at least two or three definitions of internal control for different purposes."
"An observation and then a few questions. The observation, going back to your own interest in and excitement about accountancy, we at Baruch realize how exciting it is because we are accustomed to looking under the bikinis, because we have learned that financial statements are like bikinis: what they reveal is interesting, but what they conceal is vital, and we spend much of our time trying to probe them. What bothers me much about your presentation, probably because of lack of time, is that you did not go into the independent auditor's responsibility in all of this. As you know, the SEC is trying to get the auditor to be responsible for the direct audit of internal control, not really tangentially to the financial statements, but directly as a direct incident to that particular role. Also what concerns me, Bob, is the fact that the legislation was on the Hill for a period in excess of a year, and that the time that the legislation was on the Hill, no one raised the question, 'Woe unto us, we don't know what is meant by internal control or corrupt practices or anything like that.' Instead, SEC Chairman Roderick Hills indicated very forthrightly that management was going to say that there is a system of internal control. And that the auditor will, in fact, render an opinion with respect to it. So it kind of, sort of, sounds to me as though it's almost epuscatory, that somehow the financial executives, the AICPA and other groups say, 'Woe unto us, we don't know what is happening.' Now, you and I know what it is that the legislation was intended to put down. We read about it in the Gulf Oil reports, in Exxon and Northrup and Lockheed and ITT, and to my mind, to try to spend year after year trying to judge the criteria reminds me much of a Supreme Court Justice's observation on pornography when he said, 'I can't define it, but when I see it, I think I know what it is.' So it is that, I believe that we know what the corrupt practices are, and what the breakdowns in internal control are. Let's get on with the job of weeding them out. Let management get on to the job of saying, 'Yes, we do have that system,' and to bear the responsibility for saying it: gosh, they say it each year when they sign a tax return, under the penalties of perjury. Now, do they go to the attorneys and say 'Woe unto us, who knows whether someone took a postage stamp, and they used a personal letter, or who knows whether a couple of pencils have disappeared, and therefore we could be pursued for fraud.' Bob, I would tell all of these people that you have lunch with, and that you meet with as an incident to the research, 'You ought to be spending your time getting on with the job,' and tell our colleagues in the accounting profession to pursue the audit responsibility, and stop dragging our feet."
"Abe, you have a great talent for oversimplifying very difficult situations. You and I have debated this, and we could debate it again. I'm not sure that we do that fruitfully, because you haven't convinced me and I haven't swayed you a bit. Anytime a new piece of legislation designed to stop a rascal appears, and there are rascals and they need to be stopped, it bears very heavily on a lot of non-rascals, because they have to live with it too. And no matter how upright they may be, they have to take into account all the contingencies. Now, you know as well as I do that there are also rascals within the government, ambitious people seeking to make a reputation for themselves. They know that when somebody topples the head of it major corporation, he's going to get rewarded for it. A piece of legislation like this one lends itself to all kinds of abuse. One of the things I learned while serving on the Cost Accounting Standards Board was that no matter how hard we worked, and we worked pretty hard to get what we thought were reasonable, clear cost accounting standards, they didn't always work out that way. Andy Barr, who was Chief Accountant for many years used to say, 'It's very, very hard to write a piece of legislation that's understandable to everybody, and it is almost impossible to write one that will not be misunderstood by somebody. When I made speeches on that subject, I always had a group of people who wanted to talk to me afterward. Some of them were people whose government auditor was harassing the dickens out of their staff members, not on the basis of a standard that had been written, but one that was still in process which the auditor was already seeking to apply. There are all kinds of ways you can threaten and apply power. It's not a black and white world out there; it just is not a black and white world; there are many shades of grey. Now you can ask me questions for which I do not have a good answer. Abe can do that better than anybody I know. But the other side of it is that there is a fair amount of improper harassment and the laws bear heavily on many innocent people. Auditors are very concerned about the extent of legal responsibility that they get stuck with. They are not prepared to offer an opinion on somebody's system of internal control, an opinion on which they can be held in a court of law, until they have a fair idea of what it means.
"You say we ought to have a system of internal control that sops all bribes. Competent auditors, good independent CPAs, with no limitations on their examinations, seeking these things as best they could, didn't find them. Collusion at high levels is a pretty hard thing to dig out in an audit. What do we do in such situations? Well, you give us some standards and criteria so we know what we will be held for, and then we will be prepared to express an opinion, not before.
"I have sympathy for both sides: I have sympathy for the independent CPA. I have sympathy for the corporate executive who is trying to compete in international trade on an honest basis and finds himself with a whole series of regulations and requirements that weight him down. I have sympathy for the government employee who is trying to stop bad practices. And there are bad practices. Somehow we must learn to work and to live together and eliminate evils. I'm encouraged by the fact that the SEC has said to the private sector, 'We'll hold off on any more requirements on internal control with respect to public reporting for a reasonable period of time. Now during that period of time, you people show some progress toward self-regulation or we'll be back knocking on the door with the necessary regulation.' The private sector has three years. I am hopeful that corporate management will recognize its responsibility, will live up to its opportunity. I don't know that they will, although I am optimistic, but I'm pretty sure that if they miss this opportunity, it will be a long time before they get another one. That is part of the reason the American Bar Association was interested in cooperating with the FEI; they see this as a special opportunity. There is a very real feeling, and I must say I share it, that you can get too much regulation and too much government. We can be burdened down to the place where we cannot be efficient in accomplishing the things that need to be done. At the same time, we can have too little protection also. Getting the balance is what we seek. We have people working at it in a great variety of ways. I think we need Abe Briloff, we need Abe Briloff to scold me and to scold a lot of other people. But if everybody were doing that, we would be in great trouble. We need some people who are out on the job trying to get it done. That is a long answer to your question, Abe."
"Bob, let me ask you one. Have you discerned in your research an influence that this Foreign Corrupt Practices Act and all the aftermath it has on the actual process of the public accountant and his endeavor to establish whether there is or is not proper accounting, internal accounting control? I remember that the highest we would ever go in questioning people would be the corporate controller. Has this Act, to your knowledge, had any influence on the way the internal control questionnaire, the procedures of asking questions, evolves?"
"I can't cite you empirical evidence, but there is no question in my mind about it. Everybody is much more concerned about internal control than they were before. Accountants ask questions of their clients at higher levels. Audit committees (if directors are pressing the independent auditor to cover these things so they feel protected. Boards of directors are concerned and they use the audit committee to inquire into this. I have no question that the amount of interest in internal control is many times what it was, even two years ago. In some cases, I think it's overdone. In other cases, it's been a very, very good thing. There are companies who are taking a calculated risk. They feel they have never had any trouble, they are not likely to have any trouble, and they are going to go along as they always have. If they ever do have a bad time and can't show that they have taken the appropriate precautions with a system of internal control, the results could be catastrophic for them.
"There is an interesting concurrent development. Many of the CPA firms are concerned that new disclosure and other reporting requirements are increasing audit fees beyond acceptable limits. So they are saying, 'We can't just go along like we have, auditing and auditing and auditing as if there was no end to the fees. We must find ways to be more efficient. One way is to do what we always said we did, that is to analyze the internal control and put our time and energies where they are most needed and not spend time where it adds little to our opinion.' They are developing audit approaches that rely more and more on internal control, which means they have to have better and better ways of analyzing it. The evidence I have seen is that some of them are doing some excellent work.