Assessing the Control Environment Using a Balanced Scorecard Approach

By Joseph H. Callaghan, Arline Savage, and Steven Mintz

E-mail Story Print Story

The external auditor reviews management’s report and makes an independent evaluation as part of an integrated audit of internal controls and financial statements. The auditor issues separate reports that provide “reasonable assurance”: The auditor’s internal control report provides reasonable assurance concerning whether the company maintained, in all material respects, effective internal control over financial reporting. The audit report provides reasonable assurance concerning whether the financial statements fairly present financial position, results of operations, and changes in cash flows.

According to PCAOB Auditing Standard (AS) 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (March 9, 2004), the concept of reasonable assurance should be understood to mean that the likelihood that material misstatements will not be prevented or detected on a timely basis is remote—while not absolute, reasonable assurance represents a high level of assurance.

Internal Control Assessment

Management is required to base its assessment of the company’s internal control over financial reporting on a suitable and recognized framework. The framework identified in AS 2 is the Committee of Sponsoring Organizations’ (COSO) framework described in its Internal Control—Integrated Framework (1992).

COSO emphasizes changing the corporate culture to proactively establish the systems that would prevent fraudulent financial reporting. It starts with the “tone at the top.” Top management should set an ethical tone that filters throughout the organization.

The COSO framework defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, that is designed to provide reasonable assurance of the following objectives: 1) effectiveness and efficiency of operations; 2) reliability of financial reporting; and 3) compliance with applicable laws and regulations.

COSO uses the concept of internal control described in Statement on Auditing Standard (SAS) 55, Consideration of Internal Control in a Financial Statement Audit (1988), which identifies five interrelated components of internal control:

• The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all aspects of internal control, providing discipline and structure. Of particular importance is that the control environment is influenced by the integrity and ethical values of those in leadership positions within the organization and reflected in the tone set by top management.
• Risk assessment is the entity’s identification and evaluation of how risk might affect the achievement of objectives.
• Control activities are the strategic actions established by management to ensure that its directives are carried out.
• Information and communication systems provide the information in a form and at a time that enables people to carry out their responsibilities.
• Monitoring is a process that assesses the efficiency and effectiveness of internal controls over time.

Control Environment

Joseph F. Castellano and Susan S. Lightle point out in “Using Cultural Audits to Assess Tone at the Top” (The CPA Journal, February 2005) that tone affects corporate culture by influencing how top management might react to situational pressures, such as meeting internal budget amounts or financial analysts’ earnings expectations. A strong control environment supported by an ethical tone at the top is the cornerstone of a system of internal controls that supports the financial reporting oversight role of the audit committee.

Castellano and Lightle suggest that a “cultural audit” would provide a means for assessing the tone at the top and the attitude toward internal controls and ethical decision-making. They believe that such an audit can play an important role in helping management shape an ethical climate within the organization and in helping directors and auditors assess the effectiveness of internal controls. The external auditors would include in their internal control assessments and risk management profiles a process designed to assess the tone at the top and its impact on a company’s culture. The authors do not identify issues to be raised or specific questions to address in the cultural audit, but do point out that an assessment of the situational pressures should be an important part of the process.

A more comprehensive and effective way to evaluate the control environment and the oversight role of the audit committee—including how these processes affect stakeholders both inside and outside the organization—is to use a balanced scorecard approach.

Balanced Scorecard

The balanced scorecard was developed in the 1990s by Robert S. Kaplan, a Harvard Business School professor, and David P. Norton, founder and president of the Balanced Scorecard Collaborative. The balanced scorecard is an internal assessment, improvement, and reporting system. It supplies key indicators to management. The key to the scorecard’s success is the link to the entity’s strategic plan, which includes dimensions beyond traditional financial performance measures. Customer and internal process measures were added, along with a mechanism for improving managerial performance over time. The successful implementation of this management system turns strategy into action.

The conventional scorecard measures performance by combining financial measures with nonfinancial measures, from the following perspectives: 1) financial; 2) customer; 3) internal business processes; and 4) learning and growth. The balancing is done by including nonfinancial measures (customer, internal business processes, and learning and growth) alongside financial accounting measures. Inducing improved performance to meet the objectives of the strategic plan requires monitoring the entity’s obligations to its traditional stakeholders, the most common being stockholders, creditors, customers, and employees. Those obligations rely on ethical systems that produce accurate, reliable, and transparent financial information.

A thorough assessment of the entity’s business processes is needed to align them with these obligations, and hence to the business strategy. Learning-and-growth opportunities facilitate improvements to business processes, and also require that management and employees change their behavior when necessary. The changes can support a stronger control environment brought about by an ethical tone set by top management. Exhibit 1 presents an expanded view of the major stakeholders affected by the control environment and describes how this view influences internal processes and external reporting.

The traditional balanced scorecard is directed at managerial performance, with the balancing accomplished by including nonfinancial measures in the assessment. In the dimensions of the balanced scorecard presented by the authors in Exhibit 2, the traditional “customers” category becomes “external indirect stakeholders,” whereas customers are included under “external direct stakeholders,” along with investors and vendors. Thus, traditional financial measures are expanded to include metrics on all external stakeholders, and a new dimension for indirect external stakeholders is added. This permits the systematic incorporation of measures related to the indirect stakeholders of the company. Often these groups, through regulatory or political action, bring performance considerations that would otherwise be ignored by managers. Inclusion of this dimension would lift the time horizon that managers face by including emerging, possibly strategic, issues. After all, the “customers” of managerial performance are the various classes of stakeholders, who bring various measures of performance. This framework provides a change from narrowly defined direct stakeholders (e.g., managers and customers) to wider categories of stakeholders.

In this approach, organizational performance has external measures related to external direct stakeholders (the traditional “customers” category), balanced by external measures related to external indirect stakeholders. The external measures are coupled with analogous internal measures, also broken down on a direct and indirect stakeholder basis. The internal direct stakeholder absorbs the traditional internal processes category, while an internal indirect stakeholder dimension is added, directed toward high-level corporate governance structures, including the board of directors and various subcommittees (e.g., the audit committee). The traditional learning-and-growth measures are incorporated not as a dimension per se, but as a mechanism to motivate managers to learn, grow, and reassess the more logical dimensions of the new balanced scorecard. Both external and internal measurement sets are built on a foundation of ethics and supported by the new internal indirect corporate governance category.

The standard financial analysis measures related to direct external stakeholders (i.e., shareholders and creditors) should be gathered and standardized. For example, traditional profitability, liquidity, leverage (risk), and growth measures arising from financial statement analysis can be compared to industry norms. These analyses (especially those related to financial distress, operating risk, and financial risk) would provide insight not only into future shareholder return, but also into any risk associated with financial environments conducive to potential unethical behavior, including questionable earnings management techniques.
Unsound financial environments and business models may be breeding grounds for earnings and balance-sheet manipulations, which are manifestations of unethical financial reporting. In addition, earnings manipulation (e.g., the overuse of accruals relative to an industry average), financial risk, and an analysis of financial forecasts are additional sources of empirical information that bear on the ethical risk environment. Customers and vendors, now included under external direct stakeholders, would have measures (e.g., sales returns, warranty work, and survey data) included in this category.

External indirect stakeholders vary by organization. For example, an oil refinery would rank an environmental coalition higher than a financial services company would. Once important parties are identified, empirical measures of these groups’ perceptions could be gathered in several ways, including the number of adverse media reports, SEC complaints, pending lawsuits, class-action lawsuits, and surveys.

Internal direct measures include traditional internal process measures (e.g. throughput, manufacturing efficiency, and product-quality measures) as well as formal 360-degree assessment measures. For internal indirect stakeholders, measurements would include formal questionnaire-based survey results.

Assessment of Control Environment, Including Tone at the Top

One approach to implementing the learning-and-growth and ethical aspects of the balanced scorecard is to use an assessment instrument. Proper assessment of internal processes leads to implied learning-and-growth opportunities for organizational improvement. The cultural audit recommended by Castellano and Lightle is a good starting point.

Learning-and-growth opportunities provide a mechanism to improve internal processes. Improved processes and behavior should improve stakeholders’ satisfaction. Improved societal and stakeholder satisfaction increases legitimacy and improves long-term financial performance of the organization and, at the aggregate level, the market-based economy itself.

The following section illustrates a framework for a balanced scorecard that includes traditional measures along with the new dimensions proposed above. Specifically, the framework incorporates areas and questions that might provide the basis to assess the control environment, including the tone at the top. These areas include a code of ethics, the internal environment for employees, the internal environment for financial reporting, management’s report on internal controls, and corporate governance (covering both the board of directors’ responsibilities and the audit committee’s responsibilities).

New Balanced Scorecard Illustration

Exhibit 3 provides an example of an overall report based on the new balanced scorecard developed in the previous section. It is tied to board members and top managers evaluated by the system. All categories are represented with weights presumably tied to the strategies of the company.

Exhibit 4 illustrates metrics that could be used by the board-management assessment and motivational system. The desired balance is reflected in the weights used (drawn from a company’s strategies and priorities) in index compilation. If the actual weighted scores differ, then organizational goals and priorities are not being met, implying a need to either change them or change management behavior.

Again, the elements and their weights, where applicable to a manager or board member, would be company-specific and driven by the strategies and motivational weighting assigned to the performance metric by the system. This drill-down from the aggregate report would not only provide feedback (and possible compensatory effects), it would also suggest the learning interventions needed for the organization to meet its goals.

Finally, Exhibit 5 provides a structured questionnaire for assessing the tone at the top and corporate governance aspects of the system. It emphasizes the ethics of the internal control environment, including management’s report on internal controls and the responsibilities of the board of directors and the audit committee. The assessment is driven by requirements of the Sarbanes-Oxley Act.

Toward a Coherent Strategy

The authors have developed a more balanced “balanced scorecard” board and management appraisal system, which generates behavior that not only promotes organizational strategies, but does so in a way that promotes ethical behavior. Developing the empirical measures of a balanced managerial assessment can be a challenge, and the process must be specific to the organization. Properly identifying and weighing the measures across these dimensions is key to implementation success. Each organization would have to struggle with these problems. On the other hand, established rating agencies (e.g., Standard & Poor’s for bond ratings) have successfully confronted these difficult issues. The use of multivariate statistical techniques, along with post-hoc analysis of failures, can improve weighting schemes over time. Finally, good-faith attempts to measure managerial performance are preferable to no attempt at all, if there is a recognition that the organization’s success and ultimate viability depend upon societal acceptance of its managerial performance in fulfilling its explicit and implicit obligations.

If implemented well, the proposed balanced scorecard system should force management to articulate a coherent strategy built on a commitment to ethical behavior—learning that is to be communicated and implemented throughout the organization. The system helps to establish the parameters of an internal control environment that promotes actions based on integrity and ethical values. The tone set by top management should encourage effective and ethical internal processes that help to meet external reporting obligations and provide growth opportunities for the employees.

The authors have presented a new balanced scorecard approach to incorporating stakeholder interests and internal dimensions of the organization with the evaluation of the control environment. The issues raised and the questions suggested can be viewed as best practices to be implemented by an organization based on its unique needs. Regardless of the controls in place and the assessment process, what is most important is to have a broad-based organizational commitment to integrity and ethical values that creates a control environment which helps top management resist the pressure to manage earnings.

Joseph H. Callaghan, JD, PhD, is a professor of accounting at the School of Business Administration of Oakland University, Rochester, Mich. Arline Savage, PhD, CPA, is an associate professor of accounting, and Steven Mintz, DBA, CPA, is chair and professor of accounting, both at the Orfalea College of Business of California Polytechnic State University, San Luis Obispo, Calif.