Article Preview
TopIntroduction
Formal and informal control systems are strategically chosen in corporations to motivate and control employees. The role of trust and trustworthiness in business and its relationship with controls and risk have been studied in the management literature. For example, Williamson (1993); Skinner and Spira (2003); Das and Teng (2004); Colquitt, Scott, and LePine (2007); Weibel (2007); and Earle (2010) characterize trust and controls as substitutes and complements. Other studies (Argyris, 1964; Enzle & Anderson, 1993) suggest that formal controls may affect trustworthiness of employees negatively. The nature of the relationship between trust and controls is still being studied. This research stream has developed independently of research in internal controls.
Internal controls are viewed as an amalgam of business models, organizational processes, organizational procedures, initiatives by employees, and information technology. A common element among various definitions of internal controls is that the internal controls are processes designed and installed by top management. The objectives of such processes are safeguarding assets of the business, providing relevant and reliable information, promoting operational efficiency, and complying with managerial policies and procedures. Since internal controls provide reasonable but not absolute assurance, the assumption of competent and trustworthy employees is crucial for effective controls.
Auditors, managers, and risk management practitioners informally evaluate the relationships among internal controls, risk of fraud and errors, and trust in the employees on a regular basis. Cunningham (2004) says, “Internal controls can be designed to mediate the tension between the need to repose trust and discretion in employees on one hand, and the imperative to supervise and impose checks-and-balances on the other.” The controls concept in the management literature is more general when compared to specific concepts of internal controls in the auditing literature. Major organizations that have articulated concepts of internal controls include the American Institute of Certified Accountants, Committee of Sponsoring Organizations, Information Systems Audit and Control Association, and Institute of Internal Auditors. These efforts are not independent. They evolve from each other.
Risk management practitioners and theoreticians have studied the relationships among formal internal controls, audit risk, and financial fraud. For literature reviews see Caster, Massy, and Wright (2000) and Nieschwietz, Schultz, and Zimbelman (2000). Important to all internal control systems are competent and trustworthy employees. All employees are trusted to some extent, and are subject to internal controls (Cunningham, 2004). However, top managers have overridden internal controls and committed frauds. Enron and WorldCom are examples that drew attention from governmental agencies, politicians, and the public. The Association of Certified Fraud Examiners (ACFE) issues a yearly report quantifying costs of fraud to the nation (ACFE, 2010). This report also details costs of corporate fraud committed by employees and top managers. Estimates of losses often run into billions of dollars.
One question is whether internal controls and penalties affect employee trustworthiness and propensity to commit fraud, and if so, under what business conditions? In order to answer this question, we examine the relationships among trust, employee trustworthiness, and internal controls, which have not been theoretically examined or empirically studied. To the best of our knowledge this is the first study that mathematically models a relationship between internal controls, trust, and trustworthiness. We contribute to the literature by examining games under simultaneous and sequential decision making by a manager and an employee. These models provide insights into employee trustworthiness, strength of internal controls, and strategic choices of trust and fraud by manager and employee, respectively. A rich and quantifiable measure of trustworthiness is proposed. This trustworthiness measure comprehensively incorporates aspects of trust, trustworthiness, employee types, and internal controls.