1. Introduction
Companies must demonstrate compliance with rules and regulations. When government regulators assess whether a company is compliant, they have to rely on evidence provided by the company itself. This leads to a paradox: evidence must be collected and evaluated in order to demonstrate compliance, but that evidence is generated by the company and can in principle be manipulated! The paradox can be solved by the company implementing internal controls: organizational, procedural or technical measures to guarantee that the evidence collected is reliable (COSO, 1992). This shows that in many regulatory supervision relationships, at least some form of collaboration is essential: companies have to implement controls, provide evidence in a particular format, and provide access to inspectors when requested (Mertens, 2011).
On the other hand, regulators have to collaborate, in the sense that they have to adjust their assessments to the specific circumstances of the company or sector. Legislation is generic in order to be applicable in many different situations (Dworkin, 1977). In order to deal with such open norms and adapt them to the circumstances, legal interpretation is crucial. This leads to a form of dialogue between regulator and company (Burgemeestre, Hulstijn, and Tan, 2011). There is also collaboration at sector level. Alternative interpretations of new legislation are actively debated. Branch organizations are trying to influence the debate. Black (2002) calls such debates regulatory conversations. Taking part in such debates also signifies a form of collaboration on the part of the regulator. Without notification, regulatory changes will appear to be sudden and impractical, and companies will not have enough time to adjust processes and software.
There are reasons to suggest that collaborative forms of regulatory supervision are more effective and more efficient, because companies have internalized the norms. Influenced by such approaches as self-regulation (Rees, 1988), responsive regulation (Ayres and Braithwaite, 1992), or risk-based supervision (Black, 2005), governments have experimented and adjusted regulatory arrangements (OECD, 2014). For example, modern approaches to tax compliance are now called ‘cooperative compliance’ (OECD, 2013). These cooperative approaches to regulatory supervision are often characterized by a shift in regulatory responsibilities from the regulator to the companies involved (Burgemeestre et al., 2011). For example, under many safety regulations, companies must make a risk assessment and determine themselves how to mitigate the risks by controls. Regulators only assess at a meta-level whether the company is ‘in control’.
Similar developments exist in the business domain, specifically in financial auditing. The world is changing continuously. Computational audit approaches make it possible to provide assurance (certainty) over the reliability of a data stream, at or near real time (Vasarhelyi, Alles, and Kogan, 2004). Consider online auditing (Koch, 1981; Vasarhelyi and Halper, 1991), continuous control monitoring (Alles, Brennan, Kogan, and Vasarhelyi, 2006) or continuous auditing (Kogan, Sudit, and Vasarhelyi, 1999; Kuhn and Sutton, 2010). Note that here too, financial auditors must rely on evidence, prepared by the company itself. Reliability of the data stream is ensured by internal controls. According to a recent survey (Chiu, Liu, and Vasarhelyi, 2014) most research papers on continuous auditing are either conceptual, or focus on the technical aspects. The governance aspects are largely left unexplored. Moreover, most reported applications are positioned in the financial sector; other application domains have not been explored (Chiu et al., 2014).