
RECOMMENDATIONS

In document FACULTAD DE INGENIERÍA Y ARQUITECTURA (pages 62-95)

For many years, internal auditors have operated in the shadow of the external auditor. Notwithstanding scholarship and commentary in journals such as Managerial Auditing and Internal Auditor, they have often been thought of as an adjunct of a statutory auditing process. Thus, economic conceptions of internal auditing often trade its costs against savings in external auditing, and early professional guidance focused on the conditions under which reliance might be placed on the internal auditor in conducting that work. Lack of barriers to entry and a fragmented professional status, despite the efforts of the Institute of Internal Auditors (IIA), positioned internal auditors as poor relations. They were a necessary function but with limited organizational and institutional significance (O’Regan, 2001).

All of this began to change with the rise of internal control and the changes in regulatory style described above, something anticipated by ICAS (1993) and a number of other commentators. The large accounting firms sought new markets in outsourced internal auditing in the 1990s, a move which proved highly controversial in the USA (Rittenberg and Covaleski, 2001; Covaleski et al., 2003; Robson et al., 2007) but which also helped to raise the profile of the internal audit function by blurring the methodological boundaries between the two practices; risk-based approaches developed for the external audit were applied in internal audit practices.29 These market developments have also seen internal audit departments transform themselves into niche consultancies.30 In the UK the original Turnbull report devoted considerable attention to the internal auditor (and little to the external auditor).

56 / Organized Uncertainty

The mutation of the category of internal control into risk management therefore became both a threat and an opportunity for internal auditors to establish a position in the ‘system of professions’ (Abbott, 1988). On the one hand, it was a threat because the new significance tempted the large accounting firms to offer outsourced internal audit services. On the other hand it was an opportunity for internal auditors to position themselves as risk experts (Rezaee, 1995; McNamee and McNamee, 1995; Selim and McNamee, 1999) providing ‘value added’ services (ICAEW, 2000a; Nagy and Cenker, 2002). The IIA, a world umbrella organization with many loosely federated member bodies, consistently emphasized the significance of internal auditing in the wake of criticisms of the external audit function.

From the mid 1990s onwards the IIA was active in publishing guidance—specifically adopting and promoting risk-based approaches to internal audit and leadership on risk management more generally with a strong operational and IT focus (Colbert and Alderman, 1995).31

Prior to this ‘metamorphosis’ of the concept of internal audit (Spira and Page, 2003), it had been subject to its own internal pressures for reform which can be traced in part back to specific organizational experiences. In the 1970s individuals such as Paul Makosz, head of audit at Gulf Canada, pioneered new participative approaches to internal control under the label of Control Self Assessment (CSA) (see Leech and McCuaig, 1999; Wade, 1999).32 In this particular case, the dominant engineering-based control culture of the organization came to be regarded as problematic and as a source of operational and control risk. Internal agents of organizational change promoted the ideal of a new kind of control knowledge and Gulf recognized the need to think beyond the idea of internal control as a specialist functional area. CSA promotes a logic of control within organizations which is similar to quality ‘ownership’. Questions of risk communication were at the heart of CSA as a ‘soft’ tool for accessing collective tacit risk knowledge in organizations, and then formalizing it in collectively owned registers. Control became more sensitive to the internal ‘sociology’ of organizations and CSA workshops functioned to cement individual and organizational commitment to control.

The Rise of Internal Control / 57

CSA style practices remain a significant resource for regulatory regimes as forms of self-assessment (Russell 1996) and debates about corporate governance provide the CSA specialists with new market potential. For internal auditors, CSA was an opportunity to cast the control and risk agenda much wider than hitherto; CSA co-developed with claims for a new identity for the internal auditor—as teacher, facilitator, and overseer of organizational control more broadly defined (Wynne, 1999). CSA ideas shifted the concept of audit from a disciplinary, backward-facing, transactions-based practice involving narrowly defined expertise to one which was forward-looking, anticipatory, and explicitly risk-based, and which saw itself as providing knowledge leadership and risk management advice in organizations (Leech, 1997). This was a shift from a disciplinary framing of work to one which draws on the tropes and values of enterprise culture. The IIA’s policy developments are good examples of the pervasiveness of the logic of opportunity within discourses of control.

Beyond the rhetoric and visionary aspiration for the organizational significance of internal auditors (Spira and Page, 2003: 657–8), much depends in specific cases on their organizational position in relation to other control agents and technical specialists. It was reported that IBM separated periodic risk-based internal audits and more continuous CSA activity (Goble, 1997); whereas Sears gave the internal auditor oversight for the control review of the entire organization (Mercer, 1997). More generally, the internal organizational jurisdiction of the internal auditor can often be unclear and the overlap with CSA work is variable. The case of the internal auditor reflects a more general phenomenon created by the re-description of internal control as risk management, namely the struggle by advisory and control groups for organizational significance, a struggle defined by appeals to the strategic relevance of their control skills (Makosz, 2005). In part, the issue centres on the relations of dependency and sub-contracting which are worked out between accounting and non-accounting expertise in the internal field of risk assurance services (Power, 1996a). In some organizations this leaves internal audit with a higher order oversight or surveying function as internal inspectors and facilitators, a role which may lead to turf battles with human resource specialists who also see CSA as an opportunity for professional redesign. It may also leave the internal auditor with an ‘expectations gap’ between professional aspirations to become a high level advisor and management demands to detect fraud and errors. To say this is to acknowledge that internal auditing has always worked close to the border territory of many internal disciplines with a claim on the risk management process.

A continuing occupational challenge for internal auditors with accounting and systems expertise is their capacity to contribute to the analytical and technical aspects of the management of risk in different sub-fields. Accordingly, their specific organizational significance depends on the local legitimacy of a process-based view of risk management (Selim and McNamee, 1999).

Internal auditors have been exhorted to ‘think risk and survive’ (Brilliant, 1998), to make the strategic and risk-oriented changes to their practice and to become internal business risk surveyors and ‘adders of value’ (e.g., Bou-Raad, 2000). However, as the question of internal auditor independence from management has been debated as part of governance more generally, many large organizations now try to separate sharply a risk management function from an independent internal assurance function. The rise of the chief risk officer (chapter 3) may further dilute the internal auditor’s claims on advice and facilitation. Practices like CSA are an opportunity to re-engineer the conception of the internal auditor, but there are no great barriers to entry for this kind of work. The internal auditor has also experienced Sarbox as a dilemma. On the one hand, it has been an opportunity to acquire organizational significance by supporting management in its efforts to design and document appropriate internal controls (Cenker and Nagy, 2004; Harrington, 2004). On the other hand, such a role compromises the independent assurance function and gives the impression that the internal auditor owns the process, rather than management.

In summary, we should distinguish carefully between the rise of the category of ‘internal control’ as a newly public regulatory object, and the fortunes of an existing occupational group who may, or may not, call themselves ‘internal auditors’. The category of ‘internal audit’, which had been perceived as insufficiently enterprising in the 1980s, has made a comeback as a consequence of regulatory institutionalization via the Turnbull report and Sarbox. In the UK, the category has been stabilized by the FSA which has expressed a wish to place greater reliance on the internal audit function. The designation of ‘Internal auditor’ refers to quasi-regulatory agents in neoliberal regulatory and governance regimes who work within organizations via persuasion, interaction and example and who rely on the organic pressure of ‘best practice’ norms linked to world-level discourses of governance (Rose and Miller, 1992; Pildes and Sunstein, 1995). These discourses now provide the necessary, if not quite the sufficient, conditions for these agents to have a new organizational authority. Yet, internal control has also become more significant than the internal auditor.

Conclusions

Organizations concerned with the production of normative frameworks for governance in general, and corporate governance in particular, have grown rapidly in the 1990s. These frameworks embody two intertwined logics: a neoliberal managerial logic which draws heavily on the intellectual resources of economics and principal-agent theory as well as from practical disciplines such as accounting; and a rights-based participative logic which draws from democratic and critical theories (Drori, 2006). This chapter argues that this explosion of governance has intensified public policy attention to the internal organization and design of large entities. While the role of external auditing, monitoring and inspection has not been superseded, demonstrable capacities for self-control and self-observation have grown in regulatory importance.

In this way, governance discourse has created a new political economy of internal control; internal control and risk management have become demanded as core values of a new ‘grammar’ or ‘policy paradigm’ (Hall, 1989) for corporate governance.

To understand the supply of internal control ideas and designs, we considered a number of specific pressures for change in the financial auditing function. Efforts to redesign the external audit, both to be more business risk-based and also as a platform for further assurance services, created a professional focus on internal controls and led to experimentation in forms of private assurance for the management process. Thus, professional services markets were already positioning themselves in the emerging area of internal governance and control prior to the collapse of Enron. The Sarbanes–Oxley legislation in 2002 accelerated and radicalized these developments.

Throughout the 1990s, ideas about internal control and about risk management were increasingly co-mingled, beginning with COSO (1991) and extending to the Turnbull report in the UK. Despite differences in emphasis among the various governance codes and blueprints published in the 1990s, including those in the field of quality assurance, very similar high-level emphases on internal control as a management process are evident (IFAC, 2006). And notwithstanding the undoubted variation in the implementation of these ideas, the concept of risk-based internal control has come to be a source of isomorphic pressure across organizations, across industries, and across the private–public divide. The idea of risk-based internal control has become both a resource for regulation and, via a number of blueprints to be discussed in Chapter 3, a model for regulation itself. At the transnational level organizations like OECD and the World Bank promote the importance of internal controls in government as part of their own governance.

The rise of internal control and its re-designation as ‘risk management’ represents a new ‘grand narrative’ of control. As a source of evident, self-supporting authority, the concept of internal control now substitutes for the state. The definition of internal control has always varied in nuance and scope, but this vagueness has been important to its recent significance and allowed it to accommodate the two logics of governance described above. Internal control is a ‘boundary object’ (see Chapter 1) in so far as policy-makers in many domains can think of ‘better internal control’ as a desirable solution path.

Managerial and insurance practices also see the concept of internal control as a basis for rethinking and representing themselves with a renewed strategic importance; and stakeholder organizations can hold organizations to account for the quality of their self-control.

The emergence of internal control as depicted in this chapter is an attempt to tell a story of the dynamics of an idea, how this idea comes to shape the way in which control practices depict themselves and how practitioner understandings are reframed, often via intense circuits of discourse, such as conferences. From this point of view, defining a fixed concept of internal control is less interesting than observing the capacity of the idea in its various institutional manifestations to shape managerial and regulatory practices, practices which will produce definitions for their own operational purposes.

As a methodological prescription ‘dynamic nominalism’ demands that we view ‘internal control’ and ‘risk management’ not as descriptive categories which refer to a clear object, but as contested stakes in an internal regulatory space, a space in which the internal auditors and others seek representation collectively and individually. Internal control is something which these different groups seek to perform, codify in rational form, and own.

The topic of internal control in organizations has never been part of mainstream management research, reflecting no doubt its position in the hierarchy of management knowledge and its primary association with auditing. Compared with the body of scholarship on management accounting and management control more generally this is surprising since there is considerable overlap. For many years, the subject of internal control has been a private matter for a sub-group of technical control and assurance specialists, a largely pragmatic field populated by technical journals. Control systems and monitoring may figure abstractly in principal-agent theories of organizational design, but the practice by which corporations, corner shops, clubs, and churches maintain a basic level of financial and non-financial control over resources, has hardly been worthy of serious intellectual attention.

Today, in 2006, the new governing centrality of internal control is such a part of common-sense that we forget the very short period of time over which it has come about. Internal control systems and their presumed effectiveness are now issues for public policy and formal law. Over a fifteen-year period, private organization internal control has come to play a very significant external public role in regulatory programmes. Organizations ranging from major companies to universities continue to be turned ‘inside out’ on the basis of rational designs for control. Internal control has been fashioned as a mode of organizing and processing uncertainty which demands the externalization, justification, and auditability of organizational control arrangements.

This transformation and transition in the institutional life of the organizational internal control system, from humble adjunct of management to a blueprint for the management of enterprise-wide risk, illustrates the generic shift from risk analysis to risk governance mentioned in Chapter 1. Internal control and management systems translate primary or first order risks into systems and control risks. Diverse risk content gets transformed into auditable process via warning mechanisms, compliance violation alerts and ‘near miss’ reports. Many varied sources of uncertainty get represented and made governable by organizational processes of control (although indicators for rare but serious events are the most significant challenge as we shall see in Chapter 4). For example, the BSE crisis gave rise to a renewed regulatory emphasis on farm management systems; the regulation of GM crops has focused on systems for traceability; the experience of earthquakes has intensified concerns with systems for enforcing building regulations. In the medical field, clinical risk management was originally conceptualized in terms of accidental harms done to patients during the care delivery process. Now it is part of a regulatory regime concerned with the effectiveness of health care in general, a matter of health care organizational control systems rather than specific clinicians (Walshe and Sheldon, 1998).

Internal control is much more than an instrument of control; it has become a form of governing rationality for the organization of organizations, including the agencies of the regulatory state. Internal control does not simply make governance ‘better’, it brings a certain style of governance into existence which reaches into every corner of organizational life. Internal control instrumentalizes neoliberal logics of governance. Good internal control is regarded as a signal of a certain kind of organizational virtue, and a potential platform for the representation and coordination of external interests.33 Rationalized control systems will continue to be regarded as a legitimate response to crisis, even as their limitations are recognized, because they express this dominant logic of governing.

Notes

1. The original recommendations for companies were subsequently refined. In 1995 the Greenbury report introduced provisions on remuneration. The code was revised by the Hampel Committee in 1998 which also framed governance in terms of a logic of opportunity and value; corporate governance may have had its origins in scandal, but it was to be ‘good for business’. In 2003, the Higgs report dealt with the role of non-executive directors and a new consolidated code was produced—the Combined Code (FSA, 2003).

2. For example, in Canada the Dey Committee published its recommendations in 1994; France published a code in 1995—the Vienot Report; the OECD published generic principles of corporate governance in 1999; a code of best practice for Quoted German Companies was published in July 2000. See also, Cheffins (2000) on Britain as an exporter of governance codes, Vinten (1998) and Drori (2006) on the role of transnational institutes for disseminating corporate governance ‘scripts’.

3. See Boli and Thomas (1999); Hutter (2006); Djelic and Sahlin-Andersson (2006a); Ericson and Doyle (2004); Drori (2006).

4. In the areas of ‘treating customers fairly’ (TCF) and financial crime.

5. The deterrent ideal is to secure conformity to social or legal norms by regulating to detect and punish violators. It is essentially an ex post function and is argued to be the most effective regulatory option when it is necessary to control the behaviour of discrete and dispersed individuals by acting as a disincentive to violation.

6. It has been argued that this is an effective ideal for controlling the behaviour of individuals in organized activities where there is a distinct and definable population of potential violators who can be monitored. According to Reiss (1984: 32): ‘the basic systems of surveillance by inspection and of investigation, including audit, are far less restricted in compliance than in deterrence based systems. What we wish to emphasize here is that techniques of detection and proof that are considerably restricted in deterrence based systems are far more likely to be legitimated in compliance based systems, especially where one seeks to control the behaviour of organizations or of organized activity.’ See also Parker (2000) who defines the compliance mode somewhat differently in terms of a tight definition of desired regulatory outcome coupled to flexibility regarding the methods of achieving this outcome.

7. See ‘Bank recruits to bolster supervision role’, Financial Times, 11 November 1996.

8. For a discussion of the tensions facing reporting accountants who must manage duties to
