Internal controls: where we've been, and where we need to go.

• Author: Cangemi, Michael P.
• Position: President's page - Personal account

Much has happened to improve companies' understanding and improvement of their internal controls in the past generation, but more needs to be done.

My perspective here was shaped by my training at Pace University in New York City, where I was enrolled in the elite CPA preparation program of intense study. Naturally, I learned about systems of internal control.

During my early years in public practice, we flow-charted systems of internal control, identified key control points and tested the systems' reliability using walk-throughs and statistical sampling. I was a believer in internal control systems. Then, as a result of corporate malfeasance related to bribing foreign officials, the Foreign Corrupt Practices Act of 1977 (FCPA) was passed, requiring public companies to have internal control systems.

The FCPA, however, seemed to drift into obscurity in the 1980s and 1990s. While mandating that companies operating overseas had internal control systems, the law did not define internal control nor establish penalties.

In 1987, the landmark Treadway Commission led to the formation of the Committee of Sponsoring Organizations (COSO)--FEI is one of the five founding members--to study and define internal control. The original COSO study ("Internal Control-Integrated Framework") in 1992 was truly a remarkable work. The authors captured the principles of a good internal control system and so significantly advanced the thinking on internal controls that it is no surprise that we are still using it today.

What this original COSO study did was look beyond the details of a particular internal control system. Instead, this group focused on the high-level factors that would impact such a system. They focused on "the tone at the top," which was an entirely new principle, as well as ongoing monitoring, which had not been so prominently considered, discussed or implemented. This study was truly ground-breaking.

Once again, however, internal control eventually drifted into the background thinking at corporations and audit firms. New methodologies for making audits more efficient were in the spotlight. Clearly, the tone at the top of Enron was not necessarily drawn from the COSO principles. Consequently, when Congress considered new measures to improve corporate accountability and financial reporting, it looked back again at the merits of good internal control systems.

The Sarbanes-Oxley Act of 2002 not only mandated good internal control systems, but also...