You are here

Internal Controls and Corporate Governance

Bedard, J. C., Graham, L. (2013) Remediation of internal control deficiencies prior to year-end. Auditing: A Journal of Practice & Theory, 32 (4).

Baxter, R. J., Bedard, J. C., Hoitash, R., Yezegel, A. (2012). Enterprise Risk Management Program Quality: Determinants, Value Relevance, and the Financial Crisis. Contemporary Accounting Research.

Bedard, J. C. (2012). The impact of information tagging in the MD&A on investor decision making: Implications for XBRL. International Journal of Accounting Information Systems, 13 (2), 2-20.

Bedard, J. C., Arnold, V., Phillips, J., Sutton, S. (2012). Another Piece of the "Expectations Gap": What Do Investors Know About Auditor Involvement with Nonfinancial Information in the 10-K? Current Issues in Auditing, 6 (1), A17-30.

Bedard, J. C., Sutton, S. G., Arnold, V., Phillips, J. (2011). Do Section 404 disclosures affect investors’ perceptions of systems reliability and stock price predictions?  International Journal of Accounting Information Systems, 12, 243-258.

Flynn, P. M., Mangelsdorf, M. (2009). Board Games: An Interview with Alan Hassenfeld, Former Chairman and CEO of Hasbro, Inc. Directorship Magazine, June/July.

Bedard, J. C., Graham, L. (2011). Factors associated with severity classification of Sarbanes-Oxley Section 404 internal control deficiencies. The Accounting Review, 86 (3), 825-855.

We examine detection and severity classification of internal control deficiencies (ICD) identified under Section 404 of the Sarbanes-Oxley Act of 2002. While the cost/benefit balance of auditor testing of internal controls is highly controversial, prior research has not examined auditor vs. client detection of ICD, nor has it examined factors auditors consider in judging ICD severity. We find that auditors detect about three-fourths of unremediated ICD, usually though control testing. This finding contrasts with extant research inferring control deficiency detection effectiveness from publicly available data, underscoring the value of Section 404 auditor testing in improving financial reporting quality. Auditors judge greater severity when a misstatement has already occurred. In the absence of a misstatement, severity is contingent on client and ICD characteristics, implying a more complex and nuanced judgment process without objective evidence of control failure. We also find that clients often underestimate ICD severity, but this tendency is lower among well-controlled companies with a well-designed Section 404 process.

For additional information contact Jean Bedard (

Abdolmohammadi, M. J., Read, W. J., Asare, K. N. (2010). Corporate Governance Factors Associated with Financial Fraud. Journal of Forensic and Investigative Accounting, 2 (2), 1-29.

We identify a sample of 36 publicly-held companies with financial fraud in their 2003 financial statements. We use industry-specific summary corporate governance ratings (CGQ-Y) from RiskMetrics Group (formerly Institutional Investor Services), to select a sample of control firms with governance ratings similar to the fraud firms. We trace changes in CGQ-Y ratings as well as numerous governance mechanisms over the period of 2003-2006 to identify those with significant differences between the fraud firms and control firms. Specifically, we identify two corporate governance mechanisms with theoretical justification for their effects on differences due to fraud. The first is the extent of non-audit services, as proxied by the dollar magnitude of “audit-related” and “other” non-audit fees, provided by incumbent auditors. We hypothesize and find that significantly fewer fraud firms received substantial non-audit services compared to the control sample. The second governance variable is board election, where we hypothesize and find that fraud companies elect all directors annually, more often than control firms, which have more staggered terms for their directors.

We used the Compustat data base to codify a number of control variables identified from prior literature as impacting governance and investigated differences by fraud and control firms. We do not find significant differences between fraud and control firms with respect to return on assets, the proportion of executive ownership of the firm, or firm size. However, we find that fraud firms have significantly more financial need, lower Z-scores, and more audit committee meetings in the fraud year than control firms. Finally, when compared with control firms, we find that fraud firms improve their overall governance rating in the year following the fraud, but revert to lower ratings in the following two years.

For additional information contact Ali Abdolmohammadi (

Markus, M., & Jacobson, D. (2010). Business Process Governance. The International Handbook on Business Process Management (pp. 199-220). New York, NY: Springer

Good business process governance is necessary for the success of business processes, which in turn are essential for business success. The term business process governance refers to the direction, coordination, and control of individuals, groups, or organizations that are at least to some extent autonomous: that is, not directly subject to the same hierarchical authority. Business process governance comprises a variety of mechanisms that may be impersonal (e.g., laws or rules) or personal (i.e., administered by individuals who may or may not have formally designated responsibility or accountability for governance). All governance mechanisms have pros and cons; some mechanisms are more effective (and more costly) than others. The challenge is to design a cost-effective governance structure, which usually consists of several mechanisms working in combination. This chapter describes various governance mechanisms, identifies their advantages and disadvantages, and provides examples that reveal how governance mechanisms contribute to business process success.

For more information, please contact: Lynne Markus ( or Dax Jacobson (

Abdolmohammadi, M. (2009). Factors Associated with Use and Compliance with the IIA Standards: A Study of Anglo-culture CAEs. International Journal of Auditing, 13 (1, March): 27-42.

Chief audit executives (CAEs) are required to use and comply with The International Standards for the Professional Practice of Internal Auditing (standards). However, this study finds that 13.5 percent of CAEs in Anglo-culture countries do not use the standards. Furthermore, of those who use the Standards a significant number fail to comply with specific standards. Multivariate tests of data from CAEs in this study show that “length of IIA membership” and “internal auditing certification” are positively associated with use. Other significant variables are “superseded by local/government regulations or standards,” “not perceived as value added by management/board” and “compliance not expected in the country” that are inversely related to use,  The length of training is also positively associated with compliance, while other significant variables are internal audit certification, “standards are too costly,” “not perceived as value added by management/board” and “inadequate internal audit staff” that are negatively associated with compliance. The paper ends with a discussion of the implications of these results for practice and research.

For additional information contact the author: Ali Abdolmohammadi (

Hoitash, R., Hoitash, U. (2009). The Role of Audit Committees in Managing Relationships with External Auditors after SOX: Evidence from the US. Managerial Auditing Journal, 24 (4), 368-397.

Recent US reforms aimed at strengthening audit committees and their structure assign independent audit committees the responsibility to appoint, dismiss, and compensate auditors. We examine the association between audit committee characteristics and auditors' compensation and dismissals following the enactment of SOX. We observe that stronger audit committees demand higher level of assurance and are less likely to dismiss their auditors. Further, we find increase in auditor independence as measured by reduced board involvement and less dismissals following unfavorable audit opinion. Our overall results suggest that increased audit committee roles and independence after SOX contribute to auditor independence and audit quality.

For additional information contact Rani Hoitash (

Hoitash, R., Hoitash, U., Bedard, J. C. (2009). Evidence from the U.S. on the effect of auditor involvement in assessing internal control over financial reporting. International Journal of Auditing, 13 (2), 105-125.

Securities regulators around the world are considering the costs and benefits of alternative policies for providing information to financial markets on corporate internal control. These policy options differ on the level of auditor involvement, among other dimensions. We examine the association of relative auditor involvement and auditor characteristics with Section 302 internal control disclosures made by US “non-accelerated filers” from 2003-2005. We find more material weaknesses disclosed in the fourth quarter, when there is relatively more auditor involvement, relative to the first three quarters. Clients of larger audit firms have higher disclosure rates (although they are likely less risky due to more stringent client acceptance standards), but this difference is due to fourth quarter disclosures. Audit firms with Section 404 experience also have greater material weakness disclosure, implying process improvement associated with knowledge sharing across engagements. Collectively, our results shed light on ways to increase the effectiveness of internal control regulation.

For additional information contact Rani Hoitash (

Hoitash, U., Hoitash, R.Bedard, J. C. (2009). Corporate Governance and Internal Control over Financial Reporting: A Comparison of Regulatory Regimes. The Accounting Review, 84 (3), 839-867.

This study examines the association between corporate governance and disclosures of material weaknesses (MW) in internal control over financial reporting. We study this association using MW reported under Sarbanes-Oxley Sections 302 and 404, deriving data on audit committee financial expertise from automated parsing of member qualifications from their biographies. We find that a lower likelihood of disclosing Section 404 MW is associated with relatively more audit committee members having accounting and supervisory experience, as well as board strength. Further, the nature of MW varies with the type of experience. However, these associations are not detectable using Section 302 reports. We also find that MW disclosure is associated with designating a financial expert without accounting experience, or designating multiple financial experts. We conclude that board and audit committee characteristics are associated with internal control quality. However, this association is only observable under the more stringent requirements of Section 404.

For additional information contact Rani Hoitash (

Smith, E., Johnstone K., Bedard, J. (2009). How good is your audit firm? Directorship, June/July, 64-67.

Audit firms may soon be required by regulators to divulge information about the activities of their firms that is relevant to measuring audit quality. This paper updates public company directors about the background of this possible regulatory initiative, and its possible implications for audit committees.

For additional information contact Jean Bedard (

Jenkins, G., Deis, D., Bedard J., Curtis, M. (2008). Accounting firm culture and governance: A research synthesis. Behavioral Research in Accounting, 20 (1): 45-74.

This paper summarizes research related to accounting firm culture and governance. While perennially important, this topic has immediacy due to the intention of the Public Company Accounting Oversight Board (PCAOB) to consider revisions of the current U.S. interim auditing standards on quality control. Our purposes are to bring together several disparate lines of research on this broad topic in order to identify specific areas of insufficient research. We review literature related to the roles of culture and subcultures within audit firms, and the relation between culture and audit quality. We also consider governance and control mechanisms, including policies related to consultation, independent monitoring boards, ethics training and acculturation. Throughout the paper, we offer suggestions for future research based on the current status of the literature and the recent environmental changes in the auditing profession.

For additional information contact the author: Jean Bedard (

Thibodeau, J.C., Packwood, T.R. (2007). A Risk-Based Approach to Achieving Audit Committee Effectiveness. Bank Accounting and Finance, December, 39-42.

The risk assessment and management system described in this article is a practical and efficient tool that can be used by audit committee members to help demonstrate that they have met their fiduciary responsibility to shareholders. Importantly, the tool helps to satisfy both business and regulatory requirements. The combined report identifies and monitors more than 250 risks. The comprehensive nature of the report enables board and audit committee members to efficiently review and monitor policy compliance, areas requiring additional focus, areas requiring follow-up questions and explicit action plans.

Check the website to download a copy:

Or, contact the author:  Jay Thibodeau (