American Accounting Association DOI: 10.2308/jis.2010.24.1.1
The Impact of Internal Controls and Penalties on Fraud
Roberta Ann Barra University of Hawai’i at Hilo
ABSTRACT: Little prior research exists on the parameters of internal control activities. The Sarbanes-Oxley Act of 2002 (SOX 2002) makes identifying the properties of these parameters under various conditions important. In this paper, an analytical/reliability engineering methodology is used to investigate the relative impact of penalties versus other types of internal controls on managerial and non-managerial employees’ propensity to commit fraud. Ceteris paribus, increasing required effort with internal controls and/or increasing employee penalties, increases the minimum amount stolen when a fraud incident occurs; that is, more net assets will be taken per fraud incident with controls than without controls. The findings show that the firm’s least-cost scenario with managerial employees is to enforce maximum penalties. The firm’s least-cost scenario with non-managerial employees is to utilize alternative internal controls while imposing minimum penalties. Further, the effectiveness of separation of duties is dependent on the detective controls in the internal control system.
Keywords: detective controls; internal controls; internal control activities; fraud; internal control systems; preventive controls; Sarbanes-Oxley; separation of duties.
My warm thanks to Paul Steinbart, Arline Savage, Brad Schafer, two anonymous reviewers, and the anonymous associate editor at the Journal of Information Systems whose comments greatly strengthened this paper. I also received helpful comments from the participants of the 2008 AAA IS Section Midyear Meeting. Special thanks to Randall Shimooka for his insights and help during this process.
Published Online: March 2010
I. INTRODUCTION
The Sarbanes-Oxley Act of 2002 (SOX 2002) imposes potentially serious penalties on firm executives with fines of up to $5 million and/or imprisonment up to 20 years (SOX §906.c.2). At the same time, this legislation requires that these firms tighten their internal controls over financial reporting. This paper investigates which of these two, the penalties or the tightened controls, is more likely to have the greater effect on reducing fraud in a firm. Further, because SOX imposes penalties only on managerial employees, this paper also examines the relative effects of penalties and controls on managerial versus non-managerial employees.
The literature on fraud (e.g., AICPA 2007; Beck 1986; Bierstaker et al. 2006; Heier et al. 2005; Hooks et al. 1994; Mautz and Mini 1966; PCAOB 2008; Rae and Subramaniam 2008; Wales 1965; Wells 2008) consistently claims that an effective internal control system (ICS) is the primary means of preventing, detecting, and correcting fraud and errors. Yet, that which constitutes an effective ICS is largely conjecture established through ex post forensics (a form of induction performed by practitioners). Demski et al. (1991) and Mattessich (1995, 4) indicate that a symptom of accounting academia in crisis is when accounting research fails to lead practice. This is evident in the acceptance by academic researchers that the effectiveness of internal control activities can be established by a “common sense” approach; that research in this area is unnecessary (Barra and Griggs 2007). Yet, as early as 1970, Carmichael laid out eight behavioral hypotheses that are “implicit in discussions of internal control” (Carmichael 1970, 237). He discussed each of these hypotheses in turn, and laid out the empirical evidence to suggest that there was a general unreality about these accepted hypotheses of internal controls. He suggested formulation of new hypotheses that were “more in agreement with organizational reality” (Carmichael 1970, 245). Three of the eight widely accepted hypotheses that Carmichael...