INTRODUCTION
Introduction
This chapter serves as an overview of the study, outlining key research issues, objectives, and questions It also details the methodology employed and defines the scope of the research.
Background to the research
Understanding the concept of internal control is essential for developing an understanding of its impact on the performance of organization (Lembi, 2006).
Internal control, once referred to as "internal check," has evolved into a comprehensive set of "process activities" designed to help management navigate rapid growth Despite its importance, there were previously no formal regulations mandating companies to implement internal control systems to mitigate risks and safeguard their operations The need for such measures became increasingly evident following numerous financial scandals in the 21st century, leading to the establishment of the Sarbanes-Oxley Act.
The Sarbanes-Oxley Act of 2002 (SOX) mandates that management of all public companies must produce an internal control report, affirming their accountability for maintaining effective internal controls Additionally, external auditors are tasked with auditing these management assertions regarding the effectiveness of internal controls and must provide their independent conclusions on the matter.
In recent years, reference groups such as suppliers, investors, and customers have increasingly prioritized the quality of corporate reporting and accountability (Rittenberg and Schwieger, 2001) Consequently, an effective internal control system has become essential for a firm's success, enabling management to maintain profitability, achieve organizational goals, and address business risks (COSO, 1994) However, the development of an optimal internal control framework applicable to all companies remains an area for further research.
In 1994, the Committee of Sponsoring Organizations (COSO) introduced an Internal Control framework comprising five interrelated components, emphasizing that the necessity and effectiveness of control systems can differ based on a firm's unique characteristics Donaldson (2001) highlighted that the design of management control systems should align with the organization's context, as this alignment enhances internal control effectiveness Despite this, there is a lack of empirical evidence regarding the performance of internal controls within organizational settings, a gap noted by Kitnney (2000) In recent years, researchers such as Chenhall (2003), Gerdin (2005), and Jokipii (2009) have sought to clarify internal control effectiveness by investigating its design.
Research on internal control and its effectiveness in Vietnam is scarce This study aims to propose a comprehensive internal control framework and define internal control effectiveness for companies operating in Vietnam Additionally, it seeks to investigate how existing internal control components influence overall effectiveness.
Research problems
In Vietnam, financial scandals reveal that corporate governance often fails to adequately identify, assess, and address firm risks, leading to insufficient internal controls that jeopardize operations Despite being one of Asia's fastest-growing economies since joining the WTO in late 2006, Vietnam is currently facing challenges such as inflation, a trade deficit, and a declining stock market, which negatively impact businesses Therefore, it is crucial for companies in Vietnam to undertake renewal and restructuring of their operations.
2012) However, how to restructure their operation is still challenge to management in companies.
Despite the limited practical research on the internal control sector, this study aims to address this gap by focusing on the components of internal control and their effectiveness It specifically explores how these components influence the overall effectiveness of internal control systems in firms across Vietnam.
Research objectives
A research objective is the research version of a business problem. Objectives explain the purpose of the research in measurable terms and define standards of what the research should accomplish (Zikmund 1997, 89).
In solving the research problem mentioned previously, this study has the following objectives:
1) Investigate the relationships of internal control components and the efficiency and effectiveness of operation.
2) Investigate the relationships of internal control components and the reliability of financial report.
3) Investigate the relationships of internal control components and the compliance with laws and regulations.
Research questions
This study investigates the relationship between internal control components—control environment, risk assessment, control activities, information and communication, and monitoring—and their effectiveness in companies It aims to determine how these components influence internal control effectiveness, which includes operational efficiency, reliable financial reporting, and compliance with laws and regulations The research focuses on assessing internal control components and their impact on overall internal control effectiveness.
Research question 1: Is the efficiency and effectiveness of operation positively related to the internal control components?
Research question 2: Is the reliability of financial report positively related to the internal control components?
Research question 3: Is compliance with laws and regulations positively related to the internal control components?
Research methodology and scope
The object of this research was external auditors who audited the operation of companies in Vietnam Sample size: 236 (See more in Chapter 3).
The author employed a qualitative method involving group discussions with six seasoned external auditors to refine and adapt the translated questionnaire, ensuring its alignment with the study's objectives and subject matter.
This study utilized quantitative research to examine the relationship between internal control components and their effectiveness, specifically from the perspective of external auditors The quantitative model employed in this analysis was based on the prior work of Jokipii (2009).
The author used data analysis tools to implement the research such as: descriptive statistics, multiple regression models with SPSS version 16.
Thesis structure
Chapter 1- Introduction, mentions about research background, research objectives and research scope and approach.
Chapter 2 – Literature review provides theoretical and empirical background supporting for hypothesized research model.
Chapter 3 – Research methodology, is about the methodologies that author used to conduct the research.
Chapter 4 – Data analysis and findings, discusses about the analysis that author conducted to test hypotheses and to answer the research questions.
Chapter 5 - Conclusion and implication, is about the results, implications, and recommendations for future research.
LITERATURE REVIEW
Introduction
This part reviews the previous studies concerning about internal control components, internal control effectiveness, and the relationship between them.Based on the literature review, hypotheses are developed.
Internal control components
Internal control, originally defined in 1930 as "internal check," refers to a system of accounts and procedures where one individual independently verifies the work of another to identify and prevent fraud (Sawyer et al 2003, 61) This concept was later expanded by the American Institute of Certified Public Accountants to encompass a company's overall plan, measures, and coordinated methods aimed at ensuring the reliability of accounting data and enhancing operational efficiency However, significant failures in the United States during the 1980s necessitated a reevaluation of the internal control definition to more effectively address fraud detection and prevention.
In 1992, COSO defined Internal Control in the United States as a process implemented by an entity's board of directors, management, and personnel, aimed at providing reasonable assurance in achieving three key objectives: operational effectiveness and efficiency, reliable financial reporting, and compliance with laws and regulations The COSO Internal Control framework comprises five interrelated components: Monitoring, Information and Communication, Control Activities, Risk Assessment, and Control Environment.
Source: COSO Internal Control-Integrated Framework 1992.
Following the release of the COSO framework in 1992, it became a foundational model for the development of additional frameworks in the United States, emphasizing specific objectives from various viewpoints In 1996, COBIT was introduced, offering comprehensive control processes for information technology (IT) management and governance.
In 1994, guidance was provided to internal auditors on evaluating, reporting, and enhancing control systems, while SAC 78 (1995) offered insights to external auditors on the influence of internal control in organizational audits A comparison of these internal control frameworks in the US is detailed in Table 2.1.
Management Management, users, IT auditors
Process Set of processes: policies, procedures, practices.
Set of processes, subsystems, and people
Reliable financial reporting Compliance with laws & regulations
(3)Integrity & availability of information (4)Reliable financial reporting (5)Compliance with laws & regulations
(2) Reliable financial reporting (3) Compliance with laws & regulations
(1)Control Environment (2)Risk Management (3)Control Activities
Components: (1)Control Environment (2)Risk Assessment (3)Control Activities (4)Information & Communication (5)Monitoring
Financial Statement Responsibility Management Management Management Management
The demand for a more sophisticated internal control framework is evident globally, with the Canadian Institute of Chartered Accountants enhancing the COSO (1992) framework into the Criteria of Control Framework (CoCo).
In 1995, an organizational framework was established, highlighting key elements such as resources, systems, processes, culture, and tasks that aid individuals in achieving organizational objectives The Turnbull Report (1999) in the United Kingdom offers guidance on implementing a risk-based approach to internal control, emphasizing three main components: control activities, information and communication processes, and monitoring processes to ensure the ongoing effectiveness of internal controls.
The analysis of internal control frameworks reveals that many share similar components, despite variations in terminology The COSO framework from 1992, recognized as the original and most widely used framework, outlines five key internal control components Consequently, this study adopts these five COSO components as independent variables for further examination.
The Control Environment establishes the foundation for internal control components that shape the control awareness of an organization's personnel Central to this environment are the individuals, whose attributes such as integrity, ethical values, and competence significantly influence the overall effectiveness of internal controls within the entity.
Risk assessment is a crucial process that involves identifying and analyzing potential risks that could hinder the achievement of management's objectives This procedure equips organizations with the awareness needed to recognize and effectively address the risks they encounter.
(3) Control Activities, which covers policies, procedures and practices established and executed to ensure that management objectives are achieved and risk mitigation strategies are carried out.
Effective information and communication systems are essential for supporting all control components within an organization They facilitate the capture and exchange of critical information, empowering personnel to manage, conduct, and oversee operations efficiently.
Monitoring involves an external assessment of internal controls by independent individuals, such as management This process encompasses regular management and supervisory activities, along with various actions taken by personnel in the execution of their responsibilities.
The entire internal control components should be monitored, and modified as necessary to ensure they can react dynamically.
Internal control effectiveness
According to COSO (1992), effective internal control is determined by evaluators' reasonable assurance of understanding an entity's operational objectives, the reliability of its financial statements, and compliance with applicable laws and regulations However, the report lacks guidance on conducting assessments Dai et al (2008) emphasize a comprehensive quantitative evaluation method from a risk-based perspective, proposing a mathematical model for assessing internal control effectiveness They note the complexity and multitude of factors involved, suggesting that further research is needed to enhance the quantitative evaluation model of internal control Therefore, additional studies on assessing internal control effectiveness are essential.
Perry and Warner (2005) have proposed five-step model for quantitative assessment of internal control effectiveness, which is describeb in Figure 2.1.
Choose the right internal control framework (COSO, COCO, Turnbull…)
Document controls against the selected model Develop a quantitative scoring process Assemble a group of examiners
Score the internal control application
Figure2.1: Quantitative assessment of internal control framework.
Compiled by Perry et al (2005)
In this model, it is crucial to evaluate individual control objectives against the selected internal control framework Examiners utilize this framework to assign a maximum score for each control objective under review, continuing this scoring process until all objectives are assessed, resulting in an overall quantitative score for internal control effectiveness Additionally, examiners should leverage their expertise and knowledge of internal controls alongside the guidance of the chosen framework to effectively assess internal control performance.
Jokipii (2009) builds upon Perry's quantitative model to create a measurement scale for assessing internal control effectiveness His research defines internal control effectiveness based on established frameworks, asserting that it is deemed effective when an entity successfully meets its operational objectives, prepares reliable financial statements, and complies with relevant laws and regulations.
This study evaluates internal control effectiveness using a quantitative assessment model by Jokipii (2009) External auditors assessed three key objectives of internal control, enabling a quantitative analysis of its effectiveness The model identifies internal control effectiveness through three dependent variables: operational efficiency and effectiveness, reliability of financial reporting, and compliance with laws and regulations.
Gaps in the literature
This study incorporates the five components outlined in the COSO 1992 internal control framework Previous research primarily emphasizes specific elements of this framework, including the control environment (D’Aquila 1998), communication (Hooks et al 1994), and risk assessment (Mills).
In his 2006 study, Lembi evaluates the effectiveness of internal control over financial reporting by examining all five components, utilizing a qualitative approach Jokipii (2009) enhances the understanding of internal control by affirming that all components positively influence its effectiveness, while suggesting that further research is necessary to validate the measures of internal control components and their observed effectiveness He also highlights the potential benefits of including external auditors in future studies Notably, there is a significant lack of practical research on internal controls in Vietnam, underscoring the urgent need for further investigation to enhance knowledge in this area for Vietnamese companies.
Research hypotheses and theoretical model
The control environment is crucial for the effectiveness of internal controls, serving as its foundational element As highlighted by Schmidt and Posner (1983), the board of directors plays a vital role in establishing the organization's tone through governance, policies, and behaviors This leadership guides countless daily decisions across all organizational levels, ultimately fostering efficiency and effectiveness while contributing to significant cost savings.
The control environment serves as the organizational tone, with research indicating a positive correlation between management's perceived integrity and the accuracy of financial reporting A COSO study conducted in 1999 revealed that 83% of financial fraud cases addressed by the SEC from 1987 to 1997 involved top management, underscoring the control environment's critical role Additionally, Cohen's 2002 study further emphasizes the importance of the control environment, supported by auditor survey findings.
“tone at the top and its implication for the behavior of employees” are the most importance ingredients for an effective internal control Author therefore hypothesizes that
H1a: Control environment is positively related to the efficiency and effectiveness of operation.
H1b: Control environment is positively related to the reliability of financial report.H1c: Control environment is positively related to the compliance with laws and regulations.
Risk assessment: The implementation of an effective Enterprise Risk
Effective Enterprise Risk Management (ERM) enhances organizational performance and contributes positively to the reliability of financial reporting Studies by Hoyt et al (2006), Nocco and Stulz (2006), and Chih (2007) support the notion that robust risk management practices lead to improved outcomes for firms Additionally, research by Lembi (2006) and Jokipii (2009) underscores the significant relationship between effective risk management and the accuracy of financial disclosures.
In 2010, it was found that there is no evidence to suggest that the implementation of Enterprise Risk Management (ERM) enhances its effectiveness across an entity's strategic, operational, reporting, and compliance objectives Based on this analysis, the author posits a hypothesis regarding the relationship between ERM application and its overall impact.
H2a: Risk assessment is positively related to the efficiency and effectiveness of operation.
H2b: Risk assessment is positively related to the reliability of financial report.
H2c: Risk assessment is positively related to the compliance with laws and regulations.
Control activities are essential policies and procedures designed to mitigate risks and help organizations achieve their objectives, as outlined by COSO (1994) Research by Hans Mjoen and Stephen Tallman (1997) indicates a strong positive correlation between control activities and organizational performance, highlighting that specialized control measures enhance both protection and the effective use of key resources, thereby increasing bargaining power Pyria (2013) further supports this by demonstrating the statistical significance of control activities in influencing performance outcomes Additionally, control activities play a crucial role in guiding performance management, as noted by Ana Morariu (2008) Ultimately, these activities are developed and implemented to ensure effective management of identified performance risks.
As control activities are taken to address risks to achieve the entity’s objectives, the author therefore hypothesizes that:
H3a: Control activities are positively related to the efficiency and effectiveness of operation.
H3b: Control activities are positively related to the reliability of financial report.
H3c: Control activities are positively related to the compliance with laws and regulations.
Information and communication systems are essential for organizations to effectively identify, capture, process, and report relevant information in a timely manner, enabling individuals to fulfill their responsibilities efficiently (COSO, 1994) Research indicates that clear communication channels within organizations and with customers positively impact firm performance (Carr & Kaynak, 2007) By integrating information systems into their operations, organizations enhance competitiveness and drive business growth (Fisher & Kenny, 2000) Despite variations in their information systems, all organizations aim for competitive advantage through continuous improvement and regular evaluation of their business information systems (Chaffey & Wood, 2005) These systems generate crucial reports—operational, financial, and compliance-related—that facilitate effective business management (Sawyer, 2003) Based on this analysis, the author hypothesizes that
H4a: Information and communication are positively related to the efficiency and effectiveness of operation.
H4b: Information and communication are positively related to the reliability of financial report.
H4c: Information and communication are positively related to the compliance with laws and regulations.
Monitoring is the ongoing process of evaluating a system's performance to ensure it meets its intended objectives, particularly in financial reporting (Jones, 2008; Henle, 2005) It plays a crucial role in assessing the effectiveness of internal control systems (Coffin, 2003) and allows management to continuously review business processes for compliance and performance deviations (Sumit, 2010).
Monitoring plays a crucial role in effective internal controls, as highlighted by COSO's Integrated Framework introduced in 1992 and reiterated in the COSO Enterprise Risk Management framework of 2004 This emphasis on ongoing monitoring aligns with the requirements of the Sarbanes-Oxley Act of 2002, which mandates public companies to prioritize their internal controls over financial reporting The author hypothesizes that the significance of monitoring is essential for enhancing the effectiveness of internal controls.
H5a: Monitoring is positively related to the efficiency and effectiveness of operation.
H5b: Monitoring is positively related to the reliability of financial report.
H5c: Monitoring is positively related to the compliance with laws and regulations.
Efficiency and effectiveness of operation Control activities H3a
Reliability of financial report Control activities H3b
Figure 2.2: The relationship between internal control components and the efficiency & effectiveness of operation (Model I).
Figure 2.3: The relationship between internal control components and the reliability of financial report (Model II).
Compliance with laws and regulations Control activities H3c
Figure 2.4: The relationship between internal control components and the compliance with laws and regulations (Model III).
Summary
This chapter reviews literature on internal control components and their effectiveness, while also examining the relationship between these aspects The author formulates hypotheses by clearly defining the dependent and independent variables for the study.
(Internal control components, internal control effectiveness)
The first draf of questionnaire
Descriptive statistic, EFA, Cronbach alpha’s analysis, Regression analysis
RESEARCH METHODOLOGY
Introduction
This chapter outlines the methodology employed to test the hypotheses formulated in Chapter 2, detailing the questionnaires, sample selection, tools utilized, and overall research approach.
Research process
Questionnaires design
The design of the questionnaires was based on a comprehensive literature review and initially created in English To ensure objectivity, the English version was translated into Vietnamese by two independent translators with expertise in internal control The Vietnamese version was subsequently validated by six external auditors for clarity and comprehension, resulting in the first draft of the questionnaires This draft is divided into three sections: the first section gathers demographic information about the respondents, including their title, age, and experience; the second section addresses the five components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring; and the third section evaluates the effectiveness of internal controls, focusing on operational efficiency, reliability of financial reporting, and compliance with relevant laws and regulations.
Operationalisation of measures
The constructs of the internal control components and internal control effectiveness were adopted from the existing instruments in earlier studies.
3.4.1 Measurement scale of internal control components
Internal control components was measured with five-point Likert scale based on questions recommended by COSO (1992) and adapted in practice by Jokipii
In 2009, chapter two outlined five key components of internal control: control environment (COEN), risk assessment (RISK), control activities (COAC), information and communication (INFO), and monitoring (MONI) The article further elaborates on the measurement scale for these internal control components.
Table 3.1: Measurement scale of internal control components
Dimension Item wording Item code
Environment The governing board genuinely called management’s decisions into question and evinced realizable alternatives.
Managers and management have not been overworked.
There has been a great deal of variation in control and management tasks.
The personal understand the content and responsibility of their tasks.
The personnel have demonstrated commitment to honesty and ethical value of the company through their conduct.
Risk Assessment The goals for the company’s operations had credible and in my opinion reasonable measures.
Management actively evaluated both internal and external risks likely to prevent the achievement of goals.
A risk analysis covering the entire company was carried out during the last year.
Those in managerial functions were aware of the risks of their areas of responsibility and knew how risk management was implemented.
In my opinion the company’s risk analysis and means of protection could have been more efficient.
Control activities There was functioning controls in the company’s processes which gave warning whenever something exceptional occurred.
As soon as something exceptional and undesired was noticed it was promptly and appropriately dealt with.
In the definition of task special attention was paid to authorization and the special demands of tasks.
In my opinion the internal control measures should have been stepped up still further.
The entire personnel had updated job descriptions.
The personal had no problems in obtaining information pertaining to their work tasks.
The report are forwarded to management were sufficiently clear and contained relevant information from the management perspective.
Sufficient information moved between the different divisions of the organization so that the smooth uninterrupted running of operation could be ensured.
Our company’s information and communications system was not quite up to date with respect to functions.
The work was efficiently coordinated within the function and also with other functions.
Monitoring The operative information used in management was specified to the systems information of financial management.
Line managers take excellent care of day-to-day control.
There is active control of how the personnel obey the operating instructions issued.
We conducted analyses based (customer satisfaction, job satisfaction, efficiency) changes during the last year.
Management has not in the last year requested accounts of the accomplishment of control measures.
3.4.2 Measurement scale of internal control effectiveness
The effectiveness of internal control was assessed using a measurement scale that aligns with the internal control component measures This evaluation utilized a five-point Likert scale, drawing on questions suggested by COSO (1992) and adapted in practical applications by Jokipii.
In 2009, the effectiveness of internal control (EFFE) was assessed through three key components: the efficiency and effectiveness of operations (EFFI), the reliability of financial reporting (RELI), and compliance with relevant laws and regulations (LAW) The measurement scale for these components was detailed as follows.
Table 3.2: Measurement scale of internal control effectiveness
Dimension Item wording Item code
Effectiveness and efficiency of operations
With a reasonable effort the efficiency of operations could have been further improved.
There are possibly in operations problems which, if removed, would have resulted in a better input - output ratio.
There are no stages in the processes where I have any doubts about efficiency
In some functions resources might have been more efficiently deployed.
I did not completely trust the reports by financial management and sometimes had to check the information I received.
There were sometimes errors in the reports which had to be corrected later when the information had been confirmed.
We sometimes received information about errors in reports sent out for external use.
There have been problems with the accounting programs used by financial management.
Compliance with applicable laws and regulations
It was difficult in practice to apply the regulations governing our company.
Changes in the legislation frequently came as a surprise to the company.
I have observed that the personnel had problems with the laws and regulations in force.
There is no individual in our company whose area of responsibility it is to monitor forthcoming legislative changes and new regulations.
Pilot test
The pilot test aimed to refine the questionnaire, ensuring that respondents could easily understand and answer the questions, thereby enhancing the quality of the data collected for the main survey.
The procedure consisted of two main steps to refine the measurement scale Initially, an exploratory study was conducted to evaluate the first draft of a questionnaire, which was translated from English to Vietnamese and reviewed by six external auditors for clarity In the second step, a focus group discussion involving four senior auditors and two manager auditors from KPMG Vietnam was held to ensure that all survey questions were clear and comprehensive from an audit perspective Based on participant feedback, some questions were revised for better understanding and appropriateness in the Vietnamese context, such as changing “thường xuyên thay ủổi hoạt ủộng kiểm soỏt” to “ủa dạng nhiều hoạt ủộng kiểm soỏt.”
“Tôi hoàn toàn không tin tưởng” was revised to “Tôi không hoàn toàn tin tưởng”,
“cú nhiều vấn ủề” was revised to “cũn tồn tại nhiều vấn ủề” After the revision finished, the author had the final questionnaire.
The final version of questionnaire was made in Vietnamese (Appendix 1) and was translated back into English (Observed variables).
Main survey
The initial phase of the sampling process involved defining the study's population, which aims to examine the impact of internal control components on the effectiveness of internal controls in Vietnamese companies The population included external auditors who assessed various sectors, such as manufacturing, trading, construction, and services, in 2011 These auditors were selected for interviews due to their extensive expertise in internal controls, as they play a crucial role in reviewing, evaluating, and reporting on the effectiveness of internal controls to the management during audits.
The second step in the sampling process involves selecting the sampling frame, which is a list of elements from which a sample can be drawn In this particular study, the sampling frame consists of external auditors from companies located in southern Vietnam.
The third step in the research process involves selecting an appropriate sampling method Methodology literature identifies two primary types of sampling: probability and non-probability sampling (Tho, 2011) Given the significant constraints of time, budget, and expertise, this study employs a non-probability sampling technique, specifically convenience sampling While convenience sampling is considered one of the least reliable methods, it is the most cost-effective and practical choice for this research.
The crucial final step in the sampling process is the collection of samples With over six years of experience in auditing and established relationships with external auditors in Vietnam, the author possesses the necessary expertise to gather an adequate sample size for this study.
A reliable and valid sample allows for the generalization of findings to the broader population (Canava, 2001) The appropriate sample size hinges on the desired precision and confidence in estimating population parameters, as well as the population's variability While the question of the ideal sample size remains partially unresolved, it is influenced by the statistical methods employed, such as maximum likelihood and generalized least squares (Tho, 2011, p 231) Some researchers recommend a minimum sample size of 100 to ensure robust results.
The Maximum Likelihood (ML) method typically requires a sample size of 150 responses, while other researchers recommend a minimum of five observations for each estimated parameter (Hair et al., 2006, cited in Tho, 2011).
The study involved 37 observed variables, resulting in a total of 185 observation samples, as the sample size needed to be at least five times the number of observed variables Therefore, the research was carried out with a sample size of 236 external auditors from companies in Vietnam.
Research methodology literature identifies various survey methods, including face-to-face interviews, telephone interviews, and mail surveys For this study, the email survey method and direct distribution of questionnaires were selected to efficiently gather statistical data from multiple companies and establish direct contact with external auditors Questionnaires were initially sent via email, followed by reminders to non-responders after 7 days and a third contact after another week Additionally, the author directly engaged with interviewees to ensure a sufficient response rate.
The Statistical Package for the Social Sciences (SPSS) version 16.0 was used for all statistical calculations Descriptive and inferential statistics includes:
Cronbach alpha, exploratory factor analysis, correlation, multiple regression analysis The analysis process was implemented as follow:
After completing data collection, descriptive statistics were conducted to provide an overview of the sample Reliability analysis was performed using Cronbach's alpha coefficients to refine the measurement scales, eliminating items with low item-total correlations (