Are federal single audit reports of internal control weaknesses a useful tool for evaluating management? The case of charter schools

PurposeThe authors examine whether reports of internal control weaknesses (ICWs) under federal single audit (FSA) guidelines are a useful tool for evaluating non-profit (NP) management, using a unique nationwide sample of NP charter schools. While prior research focuses on external stakeholder reactions to reported ICWs, little if any research addresses the utility of these reports for internal users. The authors fill this gap in the literature, finding evidence suggesting that NP charter school decision-makers use internal control (IC) reports when setting executive compensation – awarding lower pay increases when deficiencies are reported.Design/methodology/approachThe authors regress executive compensation changes on reported ICWs and likely determinants of NP compensation, including organization size, growth, liquidity and management performance, using a sample of 173 school/year observations representing 113 unique schools for the years 2012–2015.FindingsThe authors find a negative relationship with executive pay increases subsequent to reports of initial and repeated IC deficiencies, indicating that lower than average pay increases are awarded subsequent to reports of ICWs.Research limitations/implicationsInterpretation of the authors' results is subject to several limitations, including the possibility of omitted variable bias and the authors' sample, though it comprises all available data for the sample period, and is relatively small and may be considered exploratory in nature. Further, charter schools represent a unique public/private partnership in the educational sector, and the results may not be generalizable to other NPs. Future research could explore the relationship between reported IC deficiencies and governance in other, broader NP sectors.Practical implicationsThe authors' findings are useful to NP organization boards of directors as they consider what factors to evaluate in their chief executive officer (CEO) compensation decisions. In addition to other criteria, inclusion of IC effectiveness in the CEO reward system is prudent, especially in today's environment of increasingly important information security and IC matters. The results suggest such information is being included. This previously undocumented use is also of particular value to regulators when weighing the costs and benefits of mandating single audits for smaller NPs, who are otherwise unlikely to obtain information on the organization's IC environment.Social implicationsThese findings may help inform the debate regarding NP charter schools, a fast-growing, economically significant and highly controversial sector in public education. Charters are predominantly funded by state and local taxes. As such, the quality of governance in NP charter schools is of interest to a wide range of stakeholders including parents, regulators and the public at large.Originality/valueWhile prior research on ICWs and NPs focuses on external stakeholder reactions to reported ICWs, little if any research addresses the utility of these reports for internal users, especially in relatively smaller organizations. The research leverages the existence of charter schools, which are independent but present nationwide, providing a suitable sample of like organizations. Further, no extant research to the authors' knowledge examines the relationship of NP executive compensation and reported ICWs – a topic previously addressed in the for-profit (FP) literature.

The Adoption and Consequences of COSO 2013

COSO has developed frameworks for firms to improve their internal controls with the objective of reducing fraud and managing enterprise risk. The frameworks are widely used by firms and their auditors to comply with the internal control requirements of the Sarbanes-Oxley Act (SOX). We investigate two issues involving the most recent COSO internal control framework (COSO 2013): the determinants of a firm's decision to adopt it in a timely manner; and the consequences of adoption on internal controls. In our sample, firms that report internal control problems under SOX 404, especially firms with information technology (IT) problems, are likely to be late adopters. Regarding the consequences of adoption, for late adopters, we find that firms using the revised COSO framework have a lower probability of reporting weaknesses in IT-related controls. We also find evidence that COSO 2013 adoption is helpful in remediating internal control weaknesses.

Organizational identity, professional identity salience and internal auditors’ assessments of the severity of internal control concerns

Purpose This paper aims to examine whether increasing the salience of the internal auditor’s professional identity, defined by the expectations of their professional group, increases internal auditors’ judgments of the severity of internal control concerns when their organizational identity is high. Design/methodology/approach This paper tests the hypothesis using a laboratory experiment with internal auditors as participants. Findings The results support the hypothesis that professional identity salience moderates the relation between organizational identity and the assessed severity of identified internal control weaknesses. Increasing the salience of professional identity results in a more severe assessment of identified internal control weaknesses when organizational identity is high than when it is low. Originality/value Prior research in the lab and in the field provides mixed results about the impact of organizational identity on internal auditors’ judgments of the severity of identified internal control concerns. This paper contributes to the discussion on this issue. In addition, the results have implications for the debate about the benefits and costs of in-house versus out-sourced internal audit functions.

Managerial overconfidence and internal control weaknesses: evidence from Iranian firms

Purpose The characteristic of managers’ personality is a key factor in their decision-making. One of the most important personality characteristic of managers is overconfidence. Overconfident managers have false trust about their abilities and have a positive view of the firm’s future performance. Thus, the purpose of this study is to investigate the association between managerial overconfidence and internal control weaknesses (ICW) of the firms listed on the Tehran Stock Exchange (TSE). Design/methodology/approach Sample includes the 480 firm-year observations from companies listed on the TSE during the years 2013–2017, and the hypothesis is tested using multivariate regression model based on panel data analysis. Findings The authors found that managerial overconfidence increases the firms’ ICW. The findings are robust to alternative measure of managerial overconfidence, individual analysis of the research hypothesis for each year and endogeneity concern. Moreover, additional analysis reveals that the positive relationship between managerial overconfidence and ICW is less pronounced in larger firms. Originality/value To the best of the authors’ knowledge, this is the first study to analyze the association between managerial overconfidence and ICW in emerging capital markets and, therefore, can contribute to extend the current literature on managerial overconfidence and ICW in developing countries, especially Iran’s emerging capital market.

Mandatory Internal Control Audits, Audit Adjustments, and Financial Reporting Quality: Evidence from China

This study examines whether audit adjustments are a mechanism that links the effect of mandatory internal control audits (MICAs) on financial reporting quality. We argue that the requirement for auditors to publicly disclose internal control weaknesses exacerbated auditor-client conflicts and that this resulted in auditors being less likely to detect (and correct) misstatements in their clients’ pre-audit financial statements. Consistent with this argument, we find significant reductions in audit adjustments following the staggered introduction of MICAs in the China setting. We find the reductions in audit adjustments are associated with significant increases in material misstatements following the introduction of MICAs. In contrast, we find that the introduction of MICAs led to a significant reduction in material misstatements among clients that did not experience reductions in audit adjustments. Overall, the two effects offset each other, which explains why financial reporting quality did not improve on average following the introduction of MICAs.

Internal Control Personnel’s Experience, Internal Control Weaknesses, and ESG Rating

Effective internal control is expected to have a positive effect on Environmental, Social, and Governance (ESG) ratings, which are an indicator of corporate sustainability, as it ensures improvements in efficiency and effectiveness in operations, reliable reports, and compliance with applicable laws and regulations. However, no matter how well an internal control system is designed, internal control quality deteriorates if internal control (IC) personnel do not understand the firm’s business or lack accounting experience. This study first explores the relationship between ESG ratings and internal control weaknesses (ICWs). We then examine two types of career experience of IC personnel—length of service and accounting experience—and their effect on ICWs. We conduct logit regression analyses using the data of 1876 non-financial listed firms in Korea. The results show that ICW firms have low ESG ratings. We also find that the accounting experience of IC personnel is more closely related to ICWs than the length of service. This implies that the accounting expertise of IC personnel may have a greater effect on internal control quality than the understanding of a firm’s business. Overall, our findings provide evidence that firms must have IC personnel with sufficient accounting expertise for sustainable management.

Classifying the Contents of Cybersecurity Risk Disclosure through Textual Analysis and Factor Analysis

Cybersecurity has garnered much attention due to the increasing frequency and cost of cybersecurity incidents in recent years and become a significant concern for organizations and governments. Regulators such as the Security and Exchange Commission (SEC) have also shown an interest in cybersecurity and the quality of cybersecurity risk disclosures. This paper examines the informativeness of cybersecurity risk disclosures when cybersecurity incidents or related internal control weaknesses are reported. In particular, we propose a quantitative methodology, which is a combination of textual analysis and factor analysis, for classifying cybersecurity risk disclosures into nine factors. Our results show different disclosing patterns among firms depending on whether they had cybersecurity incidents and internal control weaknesses. Further, our analysis indicates that firms disclose control-related factors to mediate the negative effect of disclosing vulnerability-related factors. This study provides various stakeholders, including investors, regulators, and researchers, with insight into the informativeness of cybersecurity risk disclosures.