A century of debate for internal controls and their assessment: a study of reactive evolution

Introduction

In one of several definitions provided by the Random House Webster's Dictionary, evolution can be defined as "a process of gradual, peaceful, progressive change or development in social or economic structure or institutions". The concept of internal controls and their application by CPA firms to modern auditing standards are but one of many economic structures that have experienced the effects of this evolutionary process over the past century. During the period from approximately 1905 to 2004, the definitions, meaning, and use of internal controls in auditing as well as their impact on audit engagements have developed and transformed. These changes were often a reaction to a major change in the economic situation of country as a whole or to the actions of individual firms within the economy.

This paper presents evidence of the evolution in practices relating to internal control in the United States through a survey of the development of, and changes in, controls, their application, and their assessment by auditors over the past century. This survey of internal control practices is essentially split into two distinct historical periods: those internal control practices noted before 1945, and those after 1945 and the issuance of the profession's first formal auditing standards. Included in this survey is a flavour of the professional debate that occurred with each evolutionary event. In addition, corresponding historical events that may have helped to facilitate the changes in internal control practice are presented. Finally, the paper entertains and discusses the impact these changes have had on the audit process, and speculates on the effects the new Sarbanes-Oxley Act will have on the audit environment.

Internal control assessment prior to 1945

Early internal control assessment practices

In his 1962 article Changing Audit Objectives and Techniques, Brown provided a summary of the evolution of auditing procedures as follows:

According to Brown, the 1905 demarcation between non-recognition and at least "slight recognition"1 of the importance of internal controls came with the publication of Auditing by the English audit-specialist, Lawrence Dicksee. His original book, published in 1892, made it clear that the object and scope of an audit were threefold (Dicksee, 1892, p.6): "the detection of fraud, technical errors and errors of principle". Dicksee goes on to state that the "whole duty of the auditor is to ascertain the exact state of the client's affairs upon a certain given date" (Dicksee, 1892, p.6). The author then explained that this duty may be accomplished by "testing" the accounts, but he never discusses the concept of internal controls in any fashion as it relates to those tests. However, he does allude to internal control mechanisms when he writes "It is of the highest degree of necessity that the Auditor, before commencing the investigation ... should thoroughly acquaint himself with the general system upon which the books have been kept ... . Having thoroughly made himself the master of the system, the Auditor should look for its weakest points" (Dicksee, 1892, p.8).

Dicksee indicated that the purpose of this procedure is to understand the system well enough to allow the auditor some judgement and latitude as to the amount of testing necessary. This language is very similar to that of the second standard of audit fieldwork that was to be promulgated forty years later. In 1905, Dicksee expanded this introductory section of his book to include a part on what he termed a review of the General System of Internal Check. He writes (Dicksee, 1905, p.53):

This is a matter that may very profitably engage the careful attention of the Auditor for not only will a proper system of internal check frequently obviate the necessity of a detailed audit, but further possesses the important advantage of causing any irregularities to be corrected at once, instead of continuing until the next visit of the Auditor.

Dicksee goes on to list three classic internal control measures that still have wide applicability a century later (Dicksee, 1905, p.53):

In devising any system of internal check, there are three matters to be specially borne in mind: first the person in charge of the cash should never be in charge of the ledger, each separate ledger should be made to be "self-balancing" or arranged so that it can be separately balanced. ... Thirdly, where individual ledgers are numerous and are not checked in detail by the Auditor, the clerks should be frequently changed about so that if there is any irregularity it is impossible to remain long undetected without implicating the whole staff.

It is clear that Dicksee was beginning to see that the investigation of collusion among employees was necessary during an audit. He finished this section by explaining "With a system of accounts arranged along these lines, a detailed audit is frequently not necessary in its entirety; but it is always desirable that the auditor should satisfy himself that the system has actually been carried out as originally designed" (Dicksee, 1905, p.53).

The American editor of the Dicksee's 1905 Auditing book was the Lybrand Ross Brothers' partner, Robert Montgomery. In 1912, Montgomery himself published a text entitled Auditing Theory and Practice. The book sought to refine Dicksee's English-focused auditing practices and discussed practices that were more in line with the American business reality of absentee ownership. In a departure from Dicksee, Montgomery indicated that the purpose of an audit had moved from just the detection of both fraud and errors to the primary purpose to "ascertain the actual condition and earnings of an enterprise for (a) its proprietors, (b) its executives, (c) bankers and investors who are considering the purchase of securities" (Montgomery, 1912, p.8).

Auditing had moved from protecting the assets of single business proprietors to protecting the numerous stakeholders in an American economy where ownership and management of companies had become divorced from each other. In response to this change in American business practices, Montgomery expanded Dicksee's discussion on Internal Checks beyond the traditional explanation of separation of duties, to an outline of duties and checks for a variety of clerical personnel ranging from the cashier to inventory handlers. Regardless of the changing nature of the audit for Montgomery, a large portion of the audit focus was still on the possible fraudulent actions of clerical employees, with no mention of potential problems within the ranks of the management of the company itself.

It appears that not all accountants agreed with this narrow approach to auditing and wanted to expand the auditor role. Mednick and Previts (1987, p.223), commented on the thoughts of an early accounting writer, Frederick Cleveland, from a 1905 Journal of Accountancy article as follows: "He asserted that 'administrative control' was the province of the professional accountant and that auditing and special examinations relating to investor or creditor rights were customary CPA activities: The general scope of this work ... in relation to devising, installation and supervision of systems of control, in relation to auditing, in relation to the making of examinations and reports - either general or special - is well recognized and well established".

Thus, nearly 100 years before the problems at Enron and other early twentyfirst century audit failures, the seeds of discussion existed regarding not only the necessity of internal control reviews during an audit, which should be investigated and reported for the protection of stakeholders, but also the corporate administrator's role in financial reporting. This role would be highlighted in the auditor's report beginning in the late 1980's, with the publication of Statement of Auditing Standards (SAS) No.58 Reports on Audited Financial Statements. This pronouncement required that the revised auditor's report read 'These financial statements are the responsibility of the company's management. Our (the CPA's) responsibility is to express an opinion on these financial statements based on our audit" (AICPA, 1988, p. 177). Though this was not a legal requirement in the classic sense, it did have the "force of law" from the profession's reading of its own rules where adverse audit opinions were given if the client barred the auditor from following Generally Accepted Auditing Standards. In the early twenty-first century, Sarbanes-Oxley rules would institutionalise this process through an annual management certification process.2

Early government efforts to reform accounting and Internal control rules The primary focus on internal check continued with the release, in 1918, of the pamphlet, Approved Methods for the Preparation of Balance Sheet Statements. The Federal Reserve Board, at the behest of Federal Trade Commission (FTC), issued the pamphlet, but it was developed and compiled by the American Institute of Accountants (AIA).3 It was the FTC's intent that the pamphlet would enhance the independent accountant's ability to provide bankers with more and better information regarding their potential clients. The 1918 version of this document dealt only marginally with the concept of internal checks, stating (Federal Reserve Board, 1918, p.23):

These instructions cover audits of small and medium-sized concerns. In large concerns having, for instance, tens of thousands of accounts and notes receivable, the detail procedures suggested would be impractical, and internal checks should make that unnecessary. In such cases only tests can be made, but the auditor must be prepared to justify his departure from a complete program by showing that the purposes sought to be accomplished thereby have been adequately affected by his work.

In a May 1929 revision of the document, the discussion of internal checks was expanded and clarified. The new document, now entitled Verification of Financial Statements, said (Federal Reserve Board, 1929, p.1):

The extent of the verification will be determined by the conditions in each concern. In some cases the auditor may find it necessary to verify a substantial portion or all of the transactions reported upon the books. In others, where the system of internal checks is good, tests may only suffice. The auditor must assume the responsibility for the extent of the work required. This procedure will not necessarily disclose defalcation or understatement of assets concealed in the records of the operating transactions or by manipulations of accounts.

This pamphlet goes far in identifying the need for internal checks and the reliance the auditor can put on them in determining the extent of the audit procedures required; however, the focus of the audit on the verification of accounts and the detection of fraud over the examination of proper financial reporting practices had not really changed. Dennis (2000, p.98) writes the following about this pamphlet: "According to Carey, [the pamphlet] 'stressed reliance on the system of internal control, and on the use of tests instead of detailed verification when internal controls were reliable'. It also establishes that testing and sampling don't always uncover defalcations or all understatement of assets". These new government pronouncements, however, came too late to influence the crash of the stock market about six months after their publication.

Post crash efforts to reform accounting and Internal control rules

As a reaction to the stock market crash in the fall of 1929, the Congress passed two acts to stabilise the market and ensure proper reporting to investors. The first was the Securities Act 1933, which required publicly held companies to register their market securities and make regular financial disclosures. The second was the Securities Exchange Act 1934, which created the securities and Exchange Commission (SEC), an organisation tasked with regulating exchanges and brokers as well as monitoring the financial disclosures of publicly held companies.4 According to Femald (1943, p.228), the early Regulation SX Rule 2-02 (b) of the 1933 Act pertained to internal control and the audit process. In part, the rule read as follows: "In determining the scope of the audit necessary, appropriate consideration shall be given to the adequacy of the system of internal check and internal control. Due weight may be given to an internal system of audit regularly maintained by means of auditors employed on the registrant's own staff".

It is interesting to note that in the present text of the Code of Federal Regulations, the rule 202 (b) reads with less a definite focus as follows (SEC, 1970, p.2-3):

(b) Representations as to the audit. The accountant's report (1) shall state whether the audit was made in accordance with generally accepted auditing standards: and (2) shall designate any auditing procedures deemed necessary by the accountant under the circumstances of the particular case, which have been omitted, and the reasons for their omission.

The changes in the focus of this regulation from one of a reliance on internal controls to a more generic view of the audit process occurred in about 1968. The reason for such a change is hard to pinpoint, but its consequence may have been to downplay the importance of the internal control reviews in favour of a more "legalistic" audit process based on promulgated generally accepted auditing standards (GAAS).

The public accounting profession reacted to these new responsibilities by coming together and studying the purpose of an audit. In 1934, a Touche Niven partner, Victor H. Stempf (1934, p.2), highlighted comments made by the nine largest American accounting firms in response to audit concerns raised by the New York Stock Exchange as follows:

We fully recognize the importance of defining the responsibility of auditors and of bringing about a proper understanding on the pan of the investing public of the scope and significance of financial audits ... . This is the more necessary because delimiting the scope of the examination is essentially one of appraising the risks against which safeguards are desirable in comparison with the costs of providing those safeguards.

Stempf goes on to explain that such costs of audit verification could be mitigated by proper internal controls. He discusses this point by referencing the Federal Reserve's Verification of Financial Statements (1929) mentioned above. Stempf writes:

...the bulletin recognizes that an effective system of internal control would make unnecessary some of the portion of procedures [to be outlined in his talk]. Naturally, the larger a corporation and the more extensive and effective its system of accounting and internal check, the less extensive the need [for] detailed checking. ... However, the examinations made by independent auditors coupled with a system of internal control, afford as effective a safeguard as is obtained by more detailed checking where less adequate internal check exists.

Stempf then proceeded to discuss the fact that it is the responsibility of the company, not the independent auditor, to detect fraud within the company. He stressed fraud and defalcation investigations would be a duplication of the work done by the company's internal audit staff. Stempf made these very pointed comments even though the 1931 Ultramares case had ruled that professional liability could attach to auditors in the case of fraud and negligence. The concept of independent auditor responsibilities was to evolve through litigation and authoritative pronouncements over the next 70 years culminating with SAS 99 in 2001, which finally placed an affirmative responsibility on auditors to detect fraud. Finally, Stempf then went on to discuss the procedures he suggested an auditor use to evaluate a system of internal control within a company.5

To enhance the usefulness of its audit pronouncements, in 1939 the AIA did in fact issue a model report on the examination of internal controls by the external auditors. It read in part "We have reviewed the system of internal control and the accounting procedures of the company and, without making a detailed audit of transactions, have examined or tested accounting records of the company and other supporting evidence, by methods and to the extent we deem appropriate" (Short, 1940, p.225).

The new AIA document placed a better focus of the review of corporate internal controls. However, as discussed by Short, these continued to be consistent with the evolution of other audit practices regarding internal control that had been outlined by the accounting literature in the previous decade, namely an emphasis on the internal check function, and an assessment of accounting controls. It would not be until 2003 that the original vision of the "Big Nine" would be realised through the Public Company Accounting Oversight Board (PCAOB), an organisation created by the Sarbanes-Oxley Act 2002, (SOX). At this time, the PCAOB issued audit standards that clarified and enhanced the mandated reporting of internal control problems in a corporation.6

In response to changes in the market brought on by the 1929 stock market crash and the passage of the 1933 and 1934 Securities Acts, the final iteration of the 1918 Federal Reserve guidelines on accounting and auditing documents was issued in 1936. This pamphlet, entitled Examination of Financial Statements by Independent Accountants, had an increased focus on internal checks.7 Section II of this document opens with the comment (AIA, 1936, p.7):

In determining the nature and extent of his examination, the accountant will necessarily take into consideration, among other things, (a) the purpose of the examination, (b) the amount of the detail included in the statements to be covered by his report, (c) the type of business accounts of which are to be examined, and (d) the system of internal check and control.

This may be one of the first times that the term internal control was used in the authoritative literature and incorporated into the requirements for a proper audit.

The pamphlet goes on to say "An important factor to be considered by an accountant in formulating his program is the nature and extent of internal check and control in the organization under examination. The more extensive a company's system of accounting and internal control, the less extensive will be the detailed checking necessary" (AIA, 1936, p.8). Finally, using the same examples as Dicksee, such as the separation of duties, the report defines internal checks and controls as "those measures and methods adopted within the organization itself to safeguard the cash and other assets of the company as well as check the clerical accuracy of the bookkeeping" (AIA, 1936, p.8). This section of the pamphlet then goes on to describe how internal controls affect the scope of the audit, but the focus continued to be on "bookkeeping" problems at the clerical level, and again, no mention of management involvement or responsibility for internal accounting fraud. This scenario would soon change with two events.

The first was the sec's decision to delegate responsibility for the development of accounting principles and auditing procedures to the accounting profession and its organ the AIA. The Institute quickly developed two internal organisations, the Committee on Accounting Principles and the Committee on Auditing Procedures. The latter committee issued the Statement on Auditing Procedure No. 1, Extensions of Auditing Procedures. According to Dennis, (2000, p.99) this pronouncement "recommends that auditors be present at inventory taking, that an audit might require a physical test and that auditors get confirmations of inventories in warehouses and of accounts receivable". Such a pronouncement was a clear reaction to the second event in 1938, the McKesson Rabbins case, where according to Dennis (2000. p.99), plaintiffs charged that the management of McKesson & Robbins, a drug and chemical company that had gone into receivership, misrepresented inventories and accounts receivable. Of the $87 million total consolidated assets shown on the 1937 year-end financial statements, $19 million did not exist. According to a 1939 New York Times8 article, a Price Waterhouse partner indicated that collusion among employees and lack of internal controls and audit safeguards, such as observation of inventory, caused the fraud.

With the coming of the war in 1941, the major focus of internal control measures from 1941 to 1945 was to identify and reduce fraud and abuse among defense contractors. This type of contract auditing was the responsibility of the internal audit staffs of many of the large corporations and a little known audit division attached to the Office of the Fiscal Director of the Army Service Forces.

Post World War II changes in Internal control definitions

Controversy over a new definition of Internal control

A booming post-war economy ushered in a long period of growth for many large corporations and for the auditing profession. These new responsibilities to audit very large multi-national corporations led to a need for more enhanced auditing principles. In October 1948, the Committee on Auditing Procedure of the AIA issued the following statement (Holmes, 1951, p.4):

Auditing Standards may be said to be differentiated from auditing procedures in that the latter relate to acts to be performed, whereas the former deal with measures of quality of the performance of those acts, and the objectives to be attained in the employment of the procedures undertaken. Auditing Standards as thus distinct from auditing procedures concern themselves not only with the auditor's professional qualities but also with his judgment exercised in the conduct of his examination and his reporting thereon.

The same document then went on to adopt the second standard of fieldwork as follows. There is to be a proper study and evaluation of the existing internal control as a basis for reliance thereon and for the determination of the resultant extent to which the auditing procedures are to be restricted (Holmes, 1951, p.82).

In the same year, the Committee on Auditing Procedure of the AIA issued a report (dated November 1948) entitled Special Report on Internal Control, which included a definition of internal control. The report indicated that "Internal control comprises the plan of organization and all of the co-ordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies" (AIA, 1948). The report's inclusion of "prescribed managerial policies" surprised many. The root of this thought is very hard to determine from the public accounting literature of the day; however, one explanation may come from the growing reliance on internal auditing by independent auditors. One author writes, "The work of the internal auditor grows in importance as management is removed further from operations. Who should direct the internal auditor, what type plan of work and type of thinking make him effective? Personal relationships, report writing, and relations with external auditors must all be mastered to give management good results" (Tannery, 1947, p.41).

This same author went on to suggest that internal auditing had become the external auditor's liaison to understanding management's policies in light of any corresponding reporting of corporate results. More evidence of this link between internal auditing and administrative controls comes from Brink (1943, p.9), who writes in the book Managerial Control Through Internal Auditing:9

The special qualifications of the internal auditor and his normal aim to make operations of the company more efficient and profitable bring [him] into the problems and functions of management. Through serving management in the solution of problems [he] comes to think in terms of management and to use his accounting analysis as a means of appraising current policies and for the further solution of management problems.

Brink goes on to emphasise this managerial audit theme in his definition of internal auditing when he writes (Brink, 1943, p.11):

The organized activity on the part of the management to assure itself of the proper adherence to company procedures and policies, and to secure the benefits of a systematic and objective verification and constructive analysis and appraisal of accounting, financial and other aspects of the company's operations.

The need for both the internal auditor and an "internal control" system became quite apparent by the mid-1950s as employee theft and embezzlement became epidemic. A New York Times10 article indicated that between 1945 and 1955, embezzlement had increased 400 per cent, with $500 million in losses in 1955 alone. The article quoted one banker as saying: "Today it's gotten to a point where all employers should give careful study to internal controls, cash receipts and audit methods". The article went on to explain that a Price Waterhouse survey indicated that almost 40 per cent of frauds reported by corporations were revealed by the company's internal control system or through the internal/external auditor process. Unfortunately, this situation still left 60 per cent to be found by management inquiries and luck.

In an effort to clarify that there was a new emphasis in the definition of internal control, the Special Report on Internal Control did acknowledge that its definition of Internal Control was possibly broader than the concept of internal control perceived by auditors. Over the ensuing decade, many practising auditors objected to the definition. For example, Saul Levy, a CPA and attorney, offered the following critique (Levy, 1957):

From the standpoint of legal responsibility there is an obvious danger in assuming so broad a responsibility. Internal control, as broadly defined, is intended not merely to prevent or minimize fraud. It is also a safeguard against waste, inefficiency, and an assurance that operating policies are being followed by personnel who are competent and faithful.

Levy recommended that the auditor's responsibility be limited to a study of those controls directly related to the accounting records. This recommendation was made whilst the profession was facing more litigation regarding professional responsibilities. Others suggested alternative ways of classifying internal controls. Gilbert Byrne (1957) proposed that internal controls could be classified as Internal Administrative Controls, Internal Accounting Controls, and the original concept of Internal Check. Byrne then suggested that the accountant has no responsibility for investigating or evaluating internal administrative controls "except to a minor degree and in exceptional circumstances". Overall, the second standard of fieldwork "proved to be too general to result in a significant improvement in the audit process ... because auditors generally did not document the relationship between the use of specific audit procedures and specific internal controls" (Previts & Merino, 1998, p.334).

Defining the distinction between accounting and administrative controls

The Committee on Auditing Procedure responded to these inherent problems with the second standard of fieldwork by issuing a new clarifying internal control standard in 1958. The standard, which was titled, Statement on Auditing Procedure (SAP) No.29, Scope of the Independent Auditor's Review of Internal Control, formally described internal controls as either accounting controls or administrative controls. The pronouncement noted that the company's accounting controls were directly related to the reliability placed on financial records and must be evaluated in an audit. Administrative controls "... ordinarily relate only indirectly to the financial records and thus would not require evaluation (AICPA, 1938, p.66)". SAP No.29 did, however, state that: "... if the auditor believes that administrative controls, in a particular case, may have an important bearing on the reliability of the financial records, he should consider the need for evaluating such controls" (AICPA, 1958, p.67).

Even though the authoritative literature distinguished administrative controls from accounting controls, the distinction in practice was not as clear. SAP 29 explicitly acknowledged the potential difficulty in distinguishing administrative controls from accounting controls and in a footnote stated that "In one sense all controls may be characterized as 'administrative', even the accounting controls" (AICPA, 1958, p.66). The purpose of the division was to distinguish accounting controls, with which the independent auditor is primarily concerned, from all other controls. Byrne (1957, p.41) argued: "It is usually not difficult to distinguish between internal administrative controls which do, and those which do not, enhance internal accounting control or internal check". Others such as Grady (1957) argued that the distinction between administrative controls and accounting controls is not that clear and that the narrow view of internal control advocated by Levy (1957) and Byrne (1957) is not appropriate. In an elegant response to the views espoused by Levy and Byme, Grady (1957, p.39) raised three questions:

1. Would the narrower view of internal control decrease or increase the effectiveness of the auditor's work?

2. Is it possible to "compartmentalize" the study and evaluation of internal control in practice?

3. Is the narrow view of responsibility for the study and evaluation of internal control espoused by Levy and Byrnc compatible with the present 11957] stature and future direction of auditing?

The questions posed by Grady relate to all of the divisions of internal control suggested in the 1957 article by Byrne (administrative control, internal check and accounting control). Grady went on to raise one more question: "If these are questions of proper interest to the auditor, how is it possible to omit looking at them"? (Grady, 1957, p.39). Grady noted "compliance with the generally accepted auditing standards relating to internal control cannot be considered standing alone. All of the standards are interrelated and all of them must be kept in mind as quality benchmarks pervading every step of the work" (Grady, 1957, p.37). In essence, Grady is suggesting that the auditors cannot overlook relevant controls merely because some auditors would classify (or down-grade) the controls as "administrative controls".

Although the footnote to the aforementioned SAP 29 implies that internal accounting controls are a subset of administrative controls, the later 1972 codification of this SAP in section 320 of SAS No. 1, seemed to emphasise the idea that accounting controls were the primary types of controls with which the auditor was to be concerned. Administrative controls were deemed to bear only an indirect relationship to the reliability of a client's financial records and, accordingly, were not to require direct evaluation by the auditor. This idea also was reinforced in earlier editions of auditing textbooks." Thus, while auditors did not completely ignore administrative controls, they were not required under section 320 to make a direct study and evaluation of those controls in performing the attest function. This growing lack of audit focus on corporate administrative activities would become a growing problem for auditors and for financial reporting over the next three decades.

Internal control transitions in the 19605 and 19705

In 1964, legislation passed by the Congress of the US led to a major overhaul of the 1930s era securities laws by putting virtually all "over-the-counter' (preNASDAQ) traded stocks under the sec jurisdiction. Pan of this legislation also attempted to make the annual reports included with the sec form 10K more transparent with better disclosures and fewer misleading ones. Even with the new responsibilities, the nature of internal control development and application changed very little through the 1960s and early 1970s, even with a US booming economy in the midst of a bitter war being played out in Vietnam and protests at home. The war seemed to mask many other problems and difficulties in the US, but they were just below the surface. These problems were addressed in a 1969 report on the state of the profession that was issued by the American Institute of Certified Public Accountants (AICPA).12 In a discussion of this report, Joseph Roth noted that the profession was facing many problems, ranging from "run-away" litigation to the public's misunderstanding of the auditor's roles in society. A major portion of the report, though, focused on the issue of Internal Controls. In the report, Roth (1969, p.62) wrote:

Another challenge which I think must be met soon is the recurring suggestion by bankers ... that CPAs report on the adequacy of their client's internal controls. The suggestion rises rather logically from the realization that the degree of comfort a credit grantor has during the year [between audit dates] depends considerably on the reliability of a company's internal controls. At present, there are no established criteria for determining the relative adequacy of internal controls, nor any standards for reporting publicly on their adequacy.

Roth's comments about the lending risks faced by banks mirror the problems that led to the Federal Reserve's original issuance of Approved Methods for the Preparation of Balance Sheet Statements half a century earlier. With all of the changes in the profession over that 50-year period, it appeared that the central purpose of the audit had yet to be made clear. Roth goes on to reflect on other problems facing the profession as they related to the subject of internal controls.

Going a step beyond this is the matter of management controls. Over the last 20 years CPAs have expanded their service to clients beyond audits of financial statements .... Many CPA firms' management advisory groups now provide a wide variety of services ... . It seems to me not only possible but even probable that, possessing the competence to assist clients in establishing effective management controls ... [auditors] ... may be expected to report on their own evaluation of effectiveness of information systems of clients whose financial systems they audit.

These issues prognosticated by Roth in 1969 turned out to have both a long-term and short-term impact. In the long-term focus, his observations turned out to be the central problems that would be addressed by the Sarbanes-Oxley Act 2002. This was especially true regarding the "independence" problems associated with management consulting efforts by the big accounting firms. In the short-term, however, there would be two famous audit failures.

As the 1960's waned, the early 1970s brought the news of two major audit failures. The first was associated with the 1969 bankruptcy of the Penn Central railroad. According to Murray (1971), the company's auditors, Peat Marwick and Company, were accused of allowing the company to apply some special accounting practices to hide losses and create essentially sham profits. Analysts were also taken in because it was very difficult to determine what, if any cash, the company had to pay its mounting debts because the company had failed to disclose the level of long-term debt that was currently due.13 secondly, the news of the Equity Funding fraud became known in 1971 and 1972, as it became apparent that several prominent CPA firms including Seidman and Seidman, Haskins and Sells, and Touche Ross had failed to uncover the widespread management collusion regarding fictitious insurance policies. The audit environment was again changing from locating internal fraud and embezzlement, to more of a focus on proper corporate reporting as large companies, driven largely by analyst predictions, had to meet earnings targets to keep their stock price intact. Though the literature is silent on the direct impact either audit failure had on the emerging audit standards, it was clear that Congressional scrutiny in the form of the Metcalf and Moss hearings that the profession endured during the mid-1970s, was sparked by these events.

In a reaction to the changes in the audit environment, the AICPA changed the structure of its standards setting bodies and created the Auditing Standards Executive Committee (AudSec) in 1972 as a successor to the Committee on Auditing Procedures.14 One of the first acts of the new committee was to codify nearly sixty Statements on Auditing Procedures (SAP) pronouncements into one document called Statement of Auditing Standards (SAS) No. 1. This was the first such major codification since 1951. The new codification let stand the definitions of internal control that were outlined in the 1940s and 1950s, along with the ongoing controversy dealing with the differentiation between accounting and administrative controls, as highlighted by Roth in his speech. In 1977, the AICPA would replace the Auditing Standards Executive Committee itself with the Auditing Standards Board (ASB), but the SAS designation of auditing standards would remain. Subsequently, changes in the American political environment attributable to the Watergate Scandals made the public very cynical and wary of politicians and large business organisations. In 1975, revelations regarding the bribery of foreign officials by over 450 American companies became known. The list of perpetrators included some of America's most well known companies such as Exxon and Lockheed. The revelations led the Congress of the US to again amend the sec acts by passing the Foreign Corrupt Practices Act (FCPA) in 1977. This Act disallowed bribery of foreign officials by American companies, but did allow what were called "facilitating payments". To monitor company adherence to the new laws, and control management activities, the Act also required SEC reporting companies to maintain internal control reviews as a means of limiting the opportunity for undetected bribing of foreign government officials. The law, in part, read15 (Pub. L. 105-366):

2) Every issuer which has a class of securities registered pursuant to section 781 of this title and every issuer which is required to file reports pursuant to section 780(d) of this title shall ... (B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that - (i) Transactions are executed in accordance with management's general or specific authorization: (ii) Transactions are recorded as necessary.

Similar language also appears in Regulation SX of the Securities and Exchange Act 1933 on corporate reporting and accounting policies, though an actual required report on corporate internal controls was not forthcoming. It is clear that the FCPA was not proactive legislation, but again a reaction to events in the market that led to needed changes in sec reporting requirements. Though the FCPA did not change the basic definitions of internal controls as prescribed by the AICPA committees, it did act as a foreshadowing of regulatory intervention by the sec after the Enron debacle of early 2002. Carmichael (1980, p.2) mentions that SAP No.54, The Auditor's Study and Evaluation of Internal Control, "stimulated a reexamination of the audit process in CPA firms that resulted in current firm materials that needed only slight retooling for use by clients in adopting programs to comply with the FCPA".

In 1977, the AICPA formed a special committee to provide guidance on internal control that would benefit management, boards of directors, and other parties. Although the committee was formed by the AICPA, only one of the fourteen members was a CPA engaged in auditing with a public accounting firm. Eugene Minahan chaired the committee, and its final product was a document entitled Report of the Special Advisory Committee on Internal Accounting Control (also referred to as the "Minahan Report"). The Minahan Report reviewed the scope of internal control from an historical perspective and provided guidance to management in assessing and evaluating internal controls and monitoring compliance with established internal control procedures. While the title and text of the report specifically used the phrase "internal accounting control", the committee's conclusions recognised that internal accounting control is concerned with: "... the reliability of financial statements and with the broad internal control objectives of authorization, accounting, and asset safeguarding and, further, that accounting controls should extend to all external reports of historical financial information" (AICPA, 1979, p.11).

While the report was adopted unanimously, two members assented with qualifications. Of particular relevance to this discussion is the qualified assent written by Roger N. Carolus. Carolus argued that the scope of internal control in the report "is too heavily influenced by the existing auditing literature" and that "the scope and objectives of internal accounting control should have been significantly expanded" (AICPA, 1979, p.28). Carolus's qualified assent said: "From a management viewpoint (and that of many interested third parties), the distinction between accounting and administrative controls is usually not recognized or even acknowledged, particularly in the current environment in which business operates and therefore the distinction is, more often than not, academic when it comes to establishing, maintaining, and evaluating internal accounting controls" (AICPA, 1979, p.28).

SAS 55 and changes to internal control definitions

While the literature on internal control would again be modified several times prior to the issuance of Statement of Auditing Standards No.55 in 1988, the basic thrust with respect to accounting controls and administrative controls remained the same, with a distinction (or more closely dichotomy) between internal accounting controls and internal administrative controls formally recognised. Overall, the auditor's primary responsibility was to evaluate internal accounting controls of the client, and then the auditor was responsible for considering only those internal administrative controls that may have an important bearing on the reliability of the financial statements. Before the issuance of SAS No.55, the role of administrative controls evolved with SAP No.29, which defined administrative controls as "the plan of organization and all methods and procedures that are concerned mainly with operational efficiency and adherence to managerial policies" (AICPA, 1958, p.67). The final modification of the pre-SAS 55 definition of internal control appeared in section 320 of Statement on Auditing Standards No. I that described administrative control as including "the plan of the organization and the procedures and records that are concerned with the decision processes leading to management's authorization of transactions". Such a definition seems to move the focus of the administrative controls away from management efficiency to management responsibility for the final accounting document, as well as a tacit understanding that fraud detection would again be a preeminent, albeit silent, focus of auditing.

Fraud auditing and the impact on internal control development

As indicated by Victor Stempf s aforementioned comments from the 1930s, confusion over the role of the auditor and the actual function of the financial statement audit has existed among the public for some time. In the past, some users of financial statements perceived that the issuance of an unqualified opinion on the financial statements by the auditor provided assurance about the viability of the reporting entity as a going concern (Carmichael & Pany, 1993). In addition, a perception still exists that one of the auditor's primary responsibilities is to detect fraud (Albrecht & Willingham, 1993). This perception has remained constant for many years.16

In 1977, the AudSEC issued two standards that revised the auditors' responsibilities for detecting errors, irregularities, and illegal acts and evaluating internal controls. The first was SAS No. 16 Illegal Acts by Clients. SAS 16

specifically discussed the CPA's responsibilities for the disclosure of illegal acts. This may actually have been a rare proactive response of the profession to the FCPA that had just been passed by the Congress. The second standard issued was Statement on Auditing Standards No. 17 The Independent Auditor's Responsibility For Detecting Errors Or Irregularities. This standard provided auditors with guidance regarding their responsibility for detecting errors, irregularities, and illegal acts material to the financial statements under examination.

In response to widely publicised business failures in the early to mid-1980s and related perceived audit failures at a large number of saving and loan associations, the National Commission on Fraudulent Financial Reporting (the "Treadway Commission") was created. The objective of the Treadway Commission was to identify factors that lead to fraudulent financial reporting and to make recommendations that should reduce fraudulent reporting. Several recommendations directly addressed internal controls. The commission emphasised the importance of the control environment and codes of conduct, among other recommendations. The Auditing Standards Board, partially in response to the Treadway Commission, and direct criticisms of SAS 16 and 17, issued nine "expectation gap" standards in 1988. Three of these directly impact this discussion.

The first two standards were SAS No.53, The Auditor's Responsibility to Detect and Report Errors and Irregularities, and SAS No.54, Illegal Acts by Clients. SAS No.53 required that an audit be designed to provide reasonable assurance17 of detecting material errors and irregularities that affect the financial statements. The audit pronouncement also described irregularities as intentional misstatements. These irregularities included "fraudulent financial reporting" and "misappropriation of assets". SAS No.54 required that an audit be designed to provide reasonable assurance of detecting illegal acts that have a direct and material effect on the determination of financial statement amounts.

Although SAS No.53 was issued in response to criticisms of SAS No.16, it too was the subject of questions and criticisms. An example of the problems inherent in SAS No.53's analysis comes from Loebbecke et al.'s (1989) discussion about the statement's definitions of errors and irregularities. Contrary to the implication of the statement, the authors felt that each of these items should be planned for separately during an audit, and not assumed to be coming from one and the same source. In addition, there were questions about the vague nature of the statement's "red-flags" regarding fraud.

In response to these questions and criticisms surrounding SAS No.53, the ASB issued SAS No.82 Consideration of Fraud in a Financial Statement Audit in 1997. SAS No.82 (para. 12) stated that: "the auditor should specifically assess the risk of material misstatement of the financial statements due to fraud and should consider the assessment in designing the audit procedures to be performed". The auditor should consider fraud risk factors that relate to (a) misstatements arising from fraudulent financial reporting, and (b) misstatements arising from misappropriations of assets. Management can establish policies and procedures that create an environment that is conducive to limiting or even eliminating errors, irregularities, and illegal acts.18

Finally, coming on the heels of the July 2002 Sarbanes-Oxley Act (SOX), the ASB issued SAS No.99 "Considerations of Fraud in a Financial Statement Audit", in October 2002. This standard was intended to provide guidance to the auditor in defining fraud, assessing fraud risk, detecting fraud, and evaluating the audit. One writer explained SAS 99 in the following fashion (McConnell et al., 2003, p.28):19

SAS 99 requires audit engagement team discussions of fraud susceptibilities and reiterates the importance of professional skepticism. The O'Malley Panel concluded that GAAS provides insufficient guidance for implementing the concept of professional skepticism and that auditors don't always adequately pursue conditions noted during an audit or adequately corroborate management representations. In SAS 99. the ASB admonishes auditors to set aside previous beliefs about management honesty and integrity, regardless of past experience with an entity. In gathering and evaluating evidence, auditors should not be satisfied with less than persuasive evidence that management is honest.

Though SAS 99 appeared to be a half-hearted attempt by the ASB to stave off the inevitable take-over of audit standards setting by the new PCAOB, an organisation that was formed through the Sarbanes-Oxley Act (SOX), its genesis as a joint effort between ASB and the International Auditing and Assurance Standards Board20 (IAASB) did occur some years before the SOX.21 The effect of the Sarbanes-Oxley Act on internal control evaluations is discussed at the end of this paper.

The issuance of SAS 55

In 1988 the ASB issued the third "expectation gap" standard. SAS No.SS Consideration of the Internal Control Structure in a Financial Statement Audit. The new standard described the entity's internal control structure as: "... the policies and procedures established to provide reasonable assurance that specific entity objectives will be met". SAS No.SS then went on to identify three elements of the internal control structure: The first was the control environment, next the accounting system, and finally the control procedures.

The issuance of SAS SS may have been a reaction to a wave of business failures during the early 1980s that were the result of systemic business problems rather than straightforward fraud or reporting problems. For example, there was Baldwin-United, the piano company that was moving to become a serious player in the financial services industry. In this case, a lack of broad controls over the company's decision-making systems led to uncontrolled growth and unattainable promises for insurance annuity returns through a non-sustainable "Ponzi-like" system. Auditors had similar problems with repurchase agreements issued by E.S.M. Securities out of Florida.22 In these situations, an earlier evolution of internal control standards like SAS SS may have helped to point auditors to review systematic changes in the business environment, rather than just dealing with transactional changes to acquire the needed information to give a "clean" audit opinion on a company's financial statements and impede improper financial reporting.

In addition to these two events, during this same era, related audit failures occurred at Oklahoma City's Penn Square Bank and Chicago's Continental Illinois Bank. In this case, Continental Illinois purchased fraudulent loans from Penn Square for its portfolio. Traditional audit procedures failed to give the auditors a proper understanding of the accounting systems necessary for buying and selling loans between banks, and the lack of controls on the quality of loans purchased leading to an unwarranted clean opinion. Finally, in the case of ZZZZ. Best Company, a franchisor of home cleaning equipment, an actual fraud was perpetrated on both stockholders and franchisees through an elaborate ruse that apparently the company's auditors were not fully able to understand.

The new auditing standard required the auditor to obtain an understanding of each element of the internal control structure sufficient to plan the audit. SAS No.55 acknowledged that: "an entity generally has internal control structure policies and procedures that are not relevant to an audit and therefore need not be considered". In addition, SAS No.55 did not make a distinction between administrative controls and accounting controls. Rather, it discussed the concepts in a broader sense called a control environment. SAS 55 says the control environment "... represents the collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific policies and procedures".23 The pronouncement stated that: "The auditor should obtain sufficient knowledge of the control environment to understand management's and the board of directors' attitude, awareness, and actions concerning the control environment. ... The auditor should concentrate on the substance of management's policies, procedures, and related actions rather than their form because management may establish appropriate policies and procedures but not act on them". Thus, the auditor is required to obtain a substantive, as opposed to superficial, understanding of the factors listed above.

Though the examination of management controls was dropped, it is clear the factors include the way management interacts with the organisation and its specific environment. Because the standard was difficult to apply in practice, the ASB issued in 1990 an audit guide on SAS No.55 entitled Consideration of the Internal Control Structure in a Financial Statement Audit. This guide was issued to illustrate how SAS No.55 might be applied in practice, and illustrated different audit strategies for three hypothetical companies. Even with the issuance of the audit guide, criticisms of the new standard continued. For example, Morton and Felix (1991) had problems with the concept of defining and applying the concept of assessing control risk. In addition, Kinney and Felix (1993) identified three specific areas in which corrections were needed including a need to: "broaden the auditor's review of internal controls to consider ... financial reporting by management". Though there was really no requirement that publicly held banks provide other than a cursory statement on corporate internal controls, the Federal Deposit Insurance Corporation Act (FDIC)24 ratcheted up the debate on controls in 1991 when it included a provision in its accounting regulations "that mandated internal control reporting by management for insured depository institutions with assets in excess of $500 million" (Rama & Raghunandan, 1994, p.54).

COSO and SAS No.78

In response to the criticisms leveled at SAS 55, in 1992, the Committee of Sponsoring Organisations of the Treadway Commission (COSO)25 issued the document Infernal Control - Integrated Framework ("COSO report"). The report was intended to define internal control, describe its components, and provide criteria and materials for evaluating control systems.26 Subsequent to the issuance of this rather lengthy report, the ASB issued SAS 78 as an amendment to SAS No.55, to recognise the definitions and descriptions of internal control contained in the COSO Report.

SAS No.78 now defined internal control as a process consisting of five interrelated components designed to provide reasonable assurance regarding the achievement of objectives in the following three categories. The first was the effectiveness and efficiency of operations. Next was the reliability of financial reporting. The final category was compliance with applicable laws and regulations. The basic performance requirements of SAS No.78 were essentially the same as in SAS No.55. The requirements were simple; in all audits, the auditor is required to first obtain an understanding of the components and objectives of internal control sufficient to plan the audit. Secondly, the auditor is to document that there is an understanding of the client's internal control system. Next, the auditor is required to assess control risk, and finally document the assessment of control risk. SAS No.78, however, neither explicitly nor implicitly reverted to the SAS No.1 dichotomy between "accounting controls" and "administrative controls". Though SAS 78 required the auditor to obtain an understanding of each of the components of internal control sufficient to plan the audit to determine whether they are placed in operation, none of the components distinguishes "administrative controls'" from other relevant controls. The SAS 78 definition may be overly complex and could give auditors a false sense that following those requirements actually acts as a review of the administrative controls of the company. However, this might not necessarily be a review of administrative controls in the classic sense because such an assessment is not officially required. Instead, the process could easily allow such items to be overlooked by the auditor, even though the SAS 78 requirements are probably gathering much of the information that would be needed to make a judgement about administrative controls. Kelly (1993)27 indicated that this lack of an administrative control component was one of many problems that the US Government Accounting Office (GAO) had with the COSO Report.

Beyond the problems voiced by the GAO in 1993,28 the development of the COSO framework, through its codification in SAS 78 in 1996, has been slow, painful, and difficult. This may have indicated another underlying problem with the COSO process - limited guidance on implementation, even though the second COSO volume (1992) provides numerous examples of flow-charts and sample program documents. Oliverio (2002, p.76) explains the problem as follows:

Recent high-profile business failures and incidents of financial statement fraud have led me to wonder about the adequacy of the internal controls for US corporations. Although reports from the Treadway Commission and certain statutory provisions help provide a basis for a control system that assures proper financial reporting, an important element seems to be absent. There is an implied assumption in the reports und professional literature that someone, somehow, has actually designed an appropriate system. Yet nowhere is there straightforward identification of who is - or should be - responsible for this task. In other words, the architect of the system of internal controls is missing.

The confusion and problems with this limited guidance appear to add to the complexity when a company tries to develop a system to monitor the internal controls. This monitoring "requirement" has led to a new set of systems known as a CSA or "control self assessment". These CSA systems may be the very items about which GAO was worried. They apparently review current systems of internal control, but there is the possibility that the system would not identify any new control problems that were not associated with the old control structure. For example, the monitoring system of Enron may not have identified new problems with the accounting for "special purpose entities" and related conflicts of interest. This is why GAO wanted an annual review of internal controls by the independent CPAs, and then a report of this review provided to the corporate shareholders (GAO, 1996, Executive Summary, p.5). The importance of a published Management Review of Internal Control, (MRIC), and its importance to stockholders was highlighted by McMullen and Ragahunandan in a 1996 study. According to the authors of the study, there is an "association between the presence of MRICs and an absence of financial reporting problems". This evidence should have bolstered the need for more and better reviews of administrative internal controls.29

The former head of the sec, Arthur Levin,30 in an article in Business Week discusses some changes in the corporate reporting that have occurred since the early 1980s that he felt were the direct result of auditor independence problems when it came to the review of corporate controls. He writes regarding the number of recent financial restatements (Levitt, 2002, p.75):

It wasn't just a case of a few bad apples, either. Blue-chip companies with sterling reputations were manipulating their numbers in misleading ways. From 1997 through 2000, 700 companies would find flaws in past financial statements and restate earnings. By comparison, only three companies restated in 1981. These came at a tremendous loss to investors who would lose hundreds of billions of dollars in market value.

In an attempt to confirm Levin's comments, a search of the Lexis Nexis business article database (which goes back to approximately 1980) revealed that during the pre-SAS 55 1980s there were only 35 articles that focused on accounting irregularities. Between 1990 and 1996 (the period between SAS 55 and SAS 78), the number of articles discussing accounting irregularities grew to 337. From 1997 onwards (approximately a post-SAS 78 period), there were 1,916 articles that discussed accounting irregularities. Though these types of data are anecdotal in nature, they do show a striking change in reported accounting irregularities as the auditing profession was changing some of its internal control practices.

Sarbanes-Oxley and internal control reporting

These problems with lack of internal control (both accounting and managerial) reporting and a sister problem with auditor independence came to a head in late 2001 when the Enron Corporation, the seventh largest US company, imploded as the revelations of management conflicts of interest and off-balance sheet financing came to light. In a very short period, a long laundry list of companies reporting such accounting errors and irregularities, along with the failures of "Big Six" auditing firms, were listed in the news. All of these problems, coming on the heels of the 11 September terrorist attacks, placed extreme downward pressure on an already shaky stock market. The problems led to Congressional hearings in February 2002, but they did little to calm the fears of investors. In an effort to assuage the public outrage over the Enron debacle and other high-profile financial scandals at the turn of twenty-first century, as well as mute the criticisms over the weak regulatory oversight by the government, the Congress of the US passed a sweeping market reform act that became known as Sarbanes-Oxley Act31 2002 in July 2002.

Officially, the Sarbanes-Oxley Act 2002 has the title "An Act to Protect Investors by Improving the Accuracy and Reliability of Corporate Disclosures made Pursuant to the securities Laws and for other Purposes". According to the CPA firm of PriceWaterhouseCoopers: "Most observers would agree that the Sarbanes-Oxley Act (SOA) is the single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the US securities laws of the early 1930s. It is, moreover, a law that came into being in the glare of a very bright, very hot spotlight" (PWC 2003 Website).

The new law was indeed far-reaching and contained many new regulations. They included, first the creation of the PCAOB, next limitations on the scope of services that a CPA firm can offer to clients to help solve the related problems with auditor independence, and finally new rules regarding independent audit committees. Of particular interest to this paper were the new rules regarding the reporting of internal control evaluations with the annual reports. These are outlined in section 404: Management Assessment of Internal Controls of the law. The AICPA website highlights this section as follows:

Section 404: Management Assessment of Internal Controls

Requires each annual report of an issuer to contain an "internal control report", which shall:

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

As the new PCAOB was in the process of organisation, the SEC issued preliminary regulations in early 2003 regarding the evaluations of internal controls by registered companies. In a summary of the regulations, the SEC required registrant companies to:

...include in their annual reports a report of management on the company's internal control over financial reporting. The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.

The internal control evaluation requirements of the Act barkens back to both the original SX rule 202 (b) and calls from writers like Stempf after the original securities laws were passed in the early 1930s. Many of the components of the new 2003 regulations were developed and conceived as early as 1993, when the Public Oversight Board of the AICPA recommended to the SEC that it require its registrants to include an internal control report in addition to their traditional financial Statements (GAO, 1996, p.71).32 The outgoing Chief Accountant of the SEC Turner (2001) made similar comments on this topic in an August 2001 speech. He indicated that the sec should:

Require that management report to investors on their internal accounting controls. These controls are critical to quality financial repotting and investors have a right to understand whether management thinks, those controls are working effectively or not. If management is nervous about having to make such disclosures, then I suggest investors may be just as nervous about the numbers they arc getting. Many corporations already provide management reports to their stockholders today, but they remain in the minority.

Subject to final securities and Exchange Commission approval, in March 2004, the PCAOB issued a standard regarding the audit of internal control. According to Accounting Today (2004, p.3), "the PCAOB, 'gave a thumbs up' to a controversial new auditing standard that requires auditors to attest to the effectiveness of corporate internal controls now over financial reporting - a mandate that some board execs fear may sharply increase the costs and complexity of external audits". In the end, it was hoped that the Act and its facilitating regulations would also calm the fears of investors in a run-away bear-market and bring confidence back to corporate financial reporting.

Summary and conclusion

Though the impact of the Sarbanes-Oxley Act on audit procedures and internal control development will be studied for many years, it can also be seen as simply one of many developments in the evolution of internal control definitions, applications or procedures over the twentieth century. Like the Sarbanes-Oxley law, in many cases the changes were reactions to an event in the business environment that identified a weakness in the current view of internal control or its application by either private or public entities. As the SOX itself shows, this evolution of the internal control process, as seen through the many laws, regulations and pronouncements of the twentieth century, has been, in the main, a reactive one, with few proactive steps taken to deal with corporate reporting problems resulting from inadequate controls.

Though criminal indictments have been brought against officials of both Enron and Worldcom, as of the completion of this paper, the final disposition of these and of civil proceedings against the two companies has not been determined. However, based on the materials discussed and the thesis put forward in this paper, one could speculate on the impact that the reactive evolution had on internal control definitions and applications, especially those of SAS SS and the COSO-inspired SAS 78. Did these changes influence the auditor's performance in the case of both companies? Questions still persist. Would a directed administrative control review have changed the outcome of Enron's audit report? Would such a review have helped to find reporting problems with management authorisations and the conflicts of interests in dealing with Enron's internal policies with respect to special business enterprise accounting or Andersen's outsourced internal audit function? Or, in the case of Worldcom, would a review of administrative procedures and authorisations have uncovered improper capitalisation of current expenses? In retrospect, the answers to these questions cannot be known, but intuitively, it is clear that knowledge of the client's administrative procedures, authorisation controls, and potential conflicts of interest should be the focus of any auditor's work. As the PCAOB begins its process of implementing the newly released audit standards, especially with regard to internal control reviews, will these standards help to enhance the audit process and help reassure a leery public and investors as to the soundness of a company's financial position?