Considering the Control Legacy-K (CLK) Framework to Serve as a Basis for a Measuring Instrument to Assess the Control Environment of Non-JSE Listed Business Entities

Keywordsassess business entity CLK Framework control environment internal control internal control system non-JSE listed

JEL Classification G32, L20

Full Article

1. Introduction

To curb the impact of unaccounted risks on established business entities between the early-1970s and late-1980s, the Committee of Sponsoring Organisations (COSO) was established (Lee and Azham, 2008; Dickinson, 2001; Karmakar, 2006). The COSO – comprising the Institute of Internal Auditors, the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives International and the Association of Accountants and Financial Professionals in Business – were tasked to develop a type of instrument to assist with the prevention and detection of risks (COSO, 2019; Miller, Proctor and Fulton 2013; Rezaee, 1995). This led to the discovery of the concept of an internal control system in 1992; dubbed the Internal Control Integrated Framework of the Committee of Sponsoring Organisations, as depicted in Figure 1 (COSO, 1992). Being the first internal control framework in the world, it provided clarity in relation to: 1) the definition of an internal control system, 2) the components of an internal control system, and 3) the manner in which a system of internal control should be implemented (Dickins et al., 2011; Debreceny, Gray, Tham et al., 2003; Swinkels, 2012).

An internal control system should assist with the establishment of sound internal control in a business entity (COSO, 1999). The phenomenon of internal control is formally defined by the COSO as a logical process that consists of five inter-related elements that should assist in the mitigation of risks, all with the intent to provide reasonable assurance surrounding the attainment of relevant business objectives in the near future (COSO, 2012; McNally, 2013). Generally, business objectives can be demarcated into strategic objectives, operational objectives, financial objectives and compliance objectives (Sin and Ng, 2013); alternatively, categorised per the triple bottom line framework where it pertains to economic objectives, social objectives or environmental objectives (Bechtold et al., 2013; Buys, 2012). When reverting to the “five inter-related elements” in the COSO’s definition of internal control, this refers to the following (Coetzee, 2006; Rezaee, Elam and Sharbatoghlie, 2001; Smit, 2012):

• Control environment: elaborated on under Section 3.
• Risk assessment: the identification and categorising of risks based on their probability of realising and their potential impact, once realised.
• Internal control activities: the treatment of risks through the deployment of preventive-, detective- and/or corrective control activities which are, in turn, demarcated into five categories, namely document usage and design, segregation of duties, safeguarding of assets, independent checks, and proper authorisation.
• Information and communication: the dissemination of information pertaining to internal control to allow relevant stakeholders to achieve their individual objectives to, in turn, allow in the attainment of relevant business objectives.
• Monitoring: the periodic assessment of the overall adequacy and effectiveness of the entire system of internal control.

In order for an internal control system, as built on the Internal Control Integrated Framework of the Committee of Sponsoring Organisations, to operate successfully, each of these aforementioned five inter-related elements should function effectively and efficiently; individually and combined (COSO, 2013; Spira and Page, 2003).

Notwithstanding the historical development of the Internal Control Integrated Framework of the Committee of Sponsoring Organisations, its need for development was greatly influenced by the Agency Theory; the relationship between the owners of a business entity and the management of a business entity (Jensen and Meckling, 1976). Essentially the owner (principal) appoints a manager (agent) to perform services on his/her behalf while delegating relevant authorising powers. As such, an expectation exists whereby the manager should act in the best interest of the owner however the manager may not necessarily act on the interests of the owner (Fama, 1980). In core, owners are predominantly focused on their business entities’ financial performance and financial position, whereas management (as employed by the owners) are predominantly focused on the achievement of the business entities’ objectives through the implementation of economic, effective and efficient operations (Demsetz and Lehn, 1985; Berle and Means, 2009). Alternatively stated, the value in use of the Control Integrated Framework of the Committee of Sponsoring Organisations vests in its ability to assist management to achieve the objectives of a business entity through the implementation of economic, effective and efficient operations which, in turn, allows for the realisation of relevant expectations of owners in relation to the financial performance and financial position of the same business entity (McNally, 2013).

Since 1992, more internal control frameworks were developed which include the Criteria of Control (CoCo) Framework and the Control Objectives for Information and Related Technology (COBIT) (Arwinge, 2013; CICA, 1995; Tuttle and Vandervelde, 2007). Despite the development of these internal control frameworks, globally, the COSO Internal Control Integrated Framework is still the most popular and most used internal control framework (Martin et al., 2014; Savage et al., 2008).

Figure 1. The COSO Integrated Internal Control Framework

Source: Wood (2013)

After its inception in 1992, the COSO Internal Control Integrated Framework underwent only one major revision in 2013, which led to a few enhancements (Protiviti, 2013):

• The codification of principles to support the five inter-related elements of internal control.
• The clarifications on the role of objective setting.
• Points of focus (i.e. due diligence of management when implementing internal control activities).
• Enhanced discussions on organisational governance.
• Increased focus on non-financial reporting objectives.

Notwithstanding the enhancements to the COSO Internal Control Integrated Framework, previous studies (Callaghan et al., 2007; IIA, 2011) show that a common approach to measuring the condition of the control environment of a business entity is through means of using a quantitative “tick and bash” checklist approach. Such an approach proves to be problematic, especially when taking into account that one can only accurately manage what one can accurately measure (Drucker, 2012). Otherwise stated, the “tick and bash” checklist approach does not allow for a comprehensive assessment of the control environment of business entities. Furthermore, such checklists are not necessarily completed by those stakeholders charged with the responsibility of oversight.

According to a fairly recently developed Control Legacy-K (CLK) Framework however, the probability exists that the control environment of non-JSE listed business entities can be assessed in both a quantitative and qualitative manner, particularly through scrutinising the ‘nature of the organisation’ and the ‘managerial conduct of members of management’ (Bruwer, 2016). This sentiment is supported by the fact that the CLK Framework was specifically developed for Small, Medium and Micro Enterprises (SMMEs) that are non-JSE listed. A SMME is defined as a separate and distinct business entity, including cooperative enterprises and non-governmental organisations, managed by one owner or more which, including its branches or subsidiaries, if any, is predominantly carried on in any sector or subsector of the national economy (South Africa, 2019). Approximately 90% of all businesses in operation within South Africa are regarded as SMMEs (Mouloungui, 2012).

Although the CLK Framework is empirically untested, the purpose of this study is to ascertain whether this framework (through its first two steps) sufficiently covers the definition and description of the control environment to such an extent that it can be considered as an instrument to assess the control environments of non-JSE listed business entities. This is especially needed since the COSO Internal Control Integrated Framework, as one of the most used internal control frameworks around the globe (Baker Tilly, 2014) does not provide guidance as to how the control environments of business entities can be assessed qualitatively.

2. Research Design

This study was non-empirical in nature and fell within the interpretivist research paradigm. In particular, the study took the form of a literature review and a meta-analysis. In quintessence, this entailed the reviewing of secondary data stored on academic databases, taking on the form of scholarly literature, was first performed. Following this, a meta-analysis was conducted through the assistance of ATLAS.ti by deductively coding qualitative data (reviewed literature) and categorizing it accordingly. The foregoing was achieved by making use of a coding frame, as shown in Table 1.

Table 1. Coding frame used

Source: Author’s own source

Afterwards, word clouds were generated to assist with the depiction thereof visually. Thus, this study constituted qualitative research. A total of 60 literature sources were consulted by the authors that pertained to the definition and description of the control environment and the composition of the first two steps of the CLK Framework. A summary of these sources is provided in Table 2.

Table 2. Literature sources consulted for this study

Source: Author’s own source

3. Literature Review

Under this section, relevant discussions take place in relation to the definition and the description of the control environment, as well as the CLK Framework. All of these discussion topics are sorted under two headings below, accordingly.

3.1. Defining and Describing the Control Environment

The control environment of a business entity is formally defined as a set of standards, processes and structures that provide the basis for carrying out internal control across an organisation. Organisational stakeholders should establish the tone at the top regarding the importance of internal control including expected standards of conduct (COSO, 2013).

In layperson’s terms, the control environment of a business entity pertains to the holistic collection of the attitude of management towards internal control, the awareness of management of internal control, and the actions of management regarding internal control – strongly influenced by strongly influenced by a business entity’s structure (hierarchy), processes and policies (Buckby et al., 2005; Boritz and Lim, 2008; Clarke, 2017). According to McNally (2013), five core principles are indicative of a sound control environment, namely: 1) the demonstration of commitment by management to integrity and ethical values, 2) the exercising of oversight responsibility by management, 3) the establishing of structure, authority and responsibility by management, 4) the demonstration of commitment to competence by management, and 5) the enforcing of accountability by management. Taking into account the Institutional Theory, business entities across the globe may be subject to similar forces which have a direct influence on their overall sustainability (Coase, 1937; Foss, 2000). Otherwise put, all business entities tend to become the same over time due to three isomorphic pressures, namely: 1) coercive pressures (e.g. laws, and regulations), 2) mimetic pressures (e.g. copying effective strategies from successful competitive business entities), and 3) normative pressures (e.g. following best practices as regulated by an industry) (DiMaggio and Powell, 1983). To this end, it may be the case that business entities have similarly developed control environments.

Notwithstanding the above, prior research (Coetzee, 2004; Coetzee, 2006; COSO, 2013; Forte, 2001; Karagiorgos et al., 2011; Moeller, 2007; Muceku, 2014; Talet, 2014) suggests that it is difficult to comprehensively assess the control environment of business entities due to its complex composition; including its influence by inter alia the manner in which management performs their duties, the hierarchical structure of a business entity, and the organisational culture evident in a business entity. Thus, it is not surprising that the assessment of business entities’ control environments generally takes on a quantitative “tick and bash” approach though means of checklists, close-ended surveys to capture observations (Callaghan et al., 2007; IIA, 2011).

Particularly in the United States of America (USA), a closed-ended survey approach is prescribed by the Sarbanes-Oxley Act to assess control environments evident in public business entities; through the completion of Service Organisation Control (SOC) reports (Linford, 2017; SCH, 2018). These reports entail the rating of statements, based on empirical observations, through means of a five-point Likert scale to deliver an audit opinion on the control environment of a business entity (Mohapatra et al., 2015). After investigating an array of academic databases there appears to be no other prescribed control environment measurement instrument(s) used in business entities across the world.

When taking into account the Practice Theory (Schmidt, 2018), it is not to say that the sole quantitative assessment of the control environment is the best approach to use. Alternatively stated, the best approach to follow in a given scenario depends on three concepts: 1) habitus (i.e. the “worldview” of the person performing an action), 2) field (i.e. the social structure in which an action takes place), and 3) capital (i.e. economic capital, social capital, cultural capital, and symbolic capital) (Terjesen and Elam, 2009; Bourdieu, 1993). This is especially the case since the manner in which applicable practices takes place does not solely stem from an array of scholarly traditions but rather from a complex multi-disciplinary network of best practices (Schatzki, 1996; Nicolini, 2012). Therefore, the control environment may also be measurable through means of a framework other than that of the COSO Integrated Internal Control Framework.

3.2. The First Two Steps of the CLK Framework

During the course of 2016, the CLK framework was developed as an instrument to allow for the advancement of internal control activities evident in non-JSE listed SMMEs (Bruwer, 2016). Out of the four steps of this framework, on face value, its first two steps hold relevancy to both the definition and description of the control environment. The two steps of this framework are elaborated on below (Bruwer, 2016):

Nature of the organisation: It is important for a business entity to achieve its objectives. This is reasonably assured when management assesses: 1) the industry in which its business entity operates, 2) the location where its business entity is based, 3) the overall organisation (structure) of its business entity, 4) operational activities that take place in its business entity, 5) the market in which its business entity operates, and 6) the overall size of its business entity.

Managerial conduct of members of management: Once the nature of the organisation is ascertained appropriate managerial conduct should be determined. This is done by means of assessing: 1) the managerial philosophy, and 2) the operating style of management.

While the six aspects in the first step (‘nature of the organisation’) can be reasonably assessed with ease, it is the assessment of the two aspects in the second step (‘managerial conduct of members of management’) that prove to be more difficult. This is especially the case since 1) non-JSE listed business entities do not necessarily have an internal audit function to provide reasonable assurance to management surrounding the attainment of relevant objectives, and 2) non-JSE listed business entities do not have a Board of Directors to exercise the oversight of internal control development and performance. This complexity is placed in perspective by previous studies (Aicher et al., 2016; Buckingham and Clifton, 2001; Moeller, 2009; Olmedo-Cifuentes and Martínez-León, 2013) where the term “managerial philosophy” is viewed as a phenomenon that pertains to the core values used by management when having to make relevant business decisions, while the operating styles of management pertain to management’s personal preferences to plan, organise, lead and control their business entities.

In addition to the above, when taking into account the limitations of non-JSE listed business entities, in order to assess the ‘managerial conduct of members of management’, management will need to self-assess their values (e.g. accountability, adaptability, competitiveness, loyalty, fairness, creativity and transparency) as well as the manner in which they operate while managing (e.g. democratic management, autocratic management and paternalistic management) (Jamian et al.,2013; Kirkeby, 2000). In such instances, respondent bias is highly probable however, it is imperative that members of management conduct such self-assessments as objectively as possible with the highest levels of integrity (Leedy and Ormrod, 2010).

3.3. Meta-Analysis of Relevant Literature

Under this section, a meta-analysis is performed on the applicable literature covering the definition of the control environment, the description of the control environment and the CLK Framework. This was done with the main intent to establish whether the first two steps of the CLK Framework sufficiently covers the definition and description of the control environment to such an extent that it can be considered as a mixed-method instrument to assess the control environments of non-JSE listed business entities.

For all relevant literature that defined and described the control environment, relevant quotations were coded accordingly as per the first two steps of the CLK Framework, namely “managerial conduct of members of management” and “nature of the organisation”. The code of “managerial conduct of members of management” appeared 44 times throughout the relevant literature reviewed, while the code “nature of the organisation” appeared 12 times. Following the coding, word clouds were generated based on the coded direct quotations in the literature. This is depicted in Figure 2 and Figure 3.

Figure 2. Word cloud on keywords used in quotations in literature covering the definition and description of the control environment in relation to the “nature of the organisation” as per the CLK Framework

Source: Author’s own source

Figure 3. Word cloud on keywords used in quotations in literature covering the definition and description of the control environment in relation to the “managerial conduct of members of management” as per the CLK Framework

Source: Author’s own source

From the above, it becomes apparent that the composition of the control environment, according to literature, is substantially covered by the first two steps of the CLK Framework through the following aspects:

• Overall organisation (structure) of a business entity (“nature of the organisation”).
• Industry in which a business entity operates (“nature of the organisation”).
• Location where a business entity is based (“nature of the organisation”).
• Operational activities that take place in a business entity (“nature of the organisation”).
• Managerial philosophy (“managerial conduct of members of management”).
• Managerial operating style (“managerial conduct of members of management”).

Hence, it becomes apparent that the first two steps of the CLK Framework do cover the composition of the control environment. Making reference to the Practice Theory, further research is to be conducted to develop an instrument to assess the control environment of non-JSE listed business entities, other than what is suggested by the COSO Integrated Internal Control Framework.

4. Conclusion

The control environment serves as the foundation of an internal control system in any business entity. In order for management to have reasonable assurance surrounding the attainment of relevant business objectives in the foreseeable future, it needs to have a sound control environment. Taking into account the composition of the control environment, it is unsurprising that a single quantitative “tick and bash” approach is used to assess it.

This research study tested the possibility to consider the first two steps of the CLK Framework as an instrument to assess the control environment of non-JSE listed business entities. Stemming from the research conducted, became evident that the CLK Framework substantially covers the definition and description of the control environment, providing justification to consider it as an instrument to assess the control environment of non-JSE listed business entities.

4.1. Avenues for Further Research

Taking into account the conclusion of the study that the first two steps of the CLK Framework can be considered as an instrument to assess the control environment of non-JSE listed business entities, further research is recommended in order to develop such an instrument. This should be done by taking into account the “nature of the organisation” as well as the “managerial conduct of members of management” whereby a mixture of Likert-scales and open-ended questions are used. Apart from the foregoing, suggested avenues for further research include:

• The feasibility of using the CLK Framework as a self-assessment instrument for management.
• The feasibility of using such a self-assessment instrument as audit evidence to monitor internal control in business entities.

References

1. Aicher, T.J., Paule-Koba, A.L. and Newland, B.L., 2016. Sport facility and event management. Burlington, MA: Jones and Bartlett.
2. Arwinge, O., 2013. Internal control: a study of concept and themes. Heidelberg: Physica.
3. Baker Tilly., 2014. COSO internal control framework as a best practice for utilities. [online]. Available at: http://www.bakertilly.com/uploads/COSO_internal_control_framework_for_utilities.pdf [Accessed on 15/03/2015].
4. Bechtold, J., Kaspereit, T., Kirsch, N., Lyakina, Y., Seib, S., Spiekermann, S. and Stengert, K., 2013. Corporate sustainability in the estimation of financial distress likelihood – Evidence from the world stock markets during the financial crisis. Research Journal of Finance and Accounting, 4(5), pp.205-211.
5. Berle, A.A. and Means, G.C., 2009. The modern corporation and private property. New Brunswick, NJ: Transaction Publishers.
6. Boritz, J.E. and Lim, J.H., 2008. IT control weaknesses, IT governance and firm performance. IT Governance and Firm Performance (CAAA) Annual Conference, January 11.
7. Bourdieu, P., 1993. Sociology in question. London: Sage.
8. Bruwer, J-P., 2016. The relationship(s) between the managerial conduct and the internal control activities of South African fast moving consumer goods SMMEs. Unpublished Manuscript (thesis). Cape Peninsula University of Technology, Cape Town.
9. Buckby, S., Best, P. and Stewart, J., 2005. The role of Boards in Reviewing Information Technology Governance (ITG) as part of organizational control environment assessments. Proceedings 2005 IT Governance International Conference, Auckland, New Zealand, pp.1-14.
10. Buckingham, M. and Clifton, D.O., 2001. Now, discover your strengths: how to develop your talents and those of the people you manage. London: Pocket Books.
11. Buys, J.P., 2012. A conceptual framework for determining sustainability of SMMEs in Lesedi. Unpublished MBA dissertation. North West University, Potchefstroom, South Africa.
12. Callaghan, J.H., Savage, A. and Mintz, S., 2007. Assessing the Control Environment Using a Balanced Scorecard Approach. The CPA Journal, 77(3), p.58.
13. CICA, 1995. Guidance on control. Toronto: Canadian Institute of Chartered Accountants.
14. Clarke, I., 2017. Establishing an effective internal control environment [online]. Available at: https://linfordco.com/blog/internal-control-environment/ [Accessed on 16/06/2019].
15. Coase, R.H. 1937. The nature of the firm. Economica, 4(16), pp.386-405.
16. Coetzee, G.P., 2004. The effect of HIV/AIDS on the control environment: an internal audit perspective. Unpublished MCom (Internal Auditing) Theis. University of Pretoria, South Africa.
17. Coetzee, G.P., 2006. Effect of HIV/AIDS on the control environment. Perspectives in Public Health, 126(4), pp.183-190.
18. COSO. 1992. Internal control – integrated framework. Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission.
19. COSO. 1999. Fraudulent financial reporting: 1978–1997: an analysis of U.S. public companies: research report. Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission.
20. COSO., 2012. Internal control – integrated framework [online]. Available at: http://www.ey.com/Publication/vwLUAssets/COSO_InternalControlFramework_September2012/$FILE/COSO_InternalControlFramework_September2012.pdf [Accessed on 31/03/2015]
21. COSO., 2013. Internal control – integrated framework: executive summary. [online]. Available at: https://na.theiia.org/standards-guidance/topics/Documents/Executive_Summary.pdf [Accessed on 31/12/2018].
22. COSO., 2019. Welcome to COSO [online]. Available at: https://www.coso.org/Pages/default.aspx [Accessed on 01/01/2019].
23. Debreceny, R., Gray, G.L., Tham, W., Goh, K. and Tang, P., 2003. The development of embedded audit modules to support continuous monitoring in the electronic commerce environment. International Journal of Auditing, 7(2), pp.169-185.
24. Demsetz, H. and Lehn, K. 1985. The structure of corporate ownership: causes and consequences. Journal of Political Economy, 93(6), pp.1155-1177.
25. Dickins, D., O’Hara, M. and Reisch, J., 2011. Frameworks for establishing and evaluating internal controls: a primer and case study. Journal of Case Research in Business and Economics, 3, pp.1-16.
26. Dickinson, G., 2001. Enterprise risk management: its origins and conceptual foundation. Geneva Papers on Risk and Insurance, 26(3), pp.360-366.
27. DiMaggio, P.J. and Powell, W.W. 1983. The iron cage revisited: institutional isomorphism and collective rationality in organizational fields. American Sociological Review, 48(2), pp.147-160
28. Drucker, P., 2012. Managing in a time of great change. London: Routledge.
29. Fama, E.F. 1980. Agency problems and the theory of the firm. The Journal of Political Economy, 88(2), pp. 288-307.
30. Forte, A., 2001. Business ethics: a study of the moral reasoning of selected business managers. Unpublished PhD Education dissertation. New York University, New York.
31. Foss, N.J., 2000. The theory of the firm: an introduction to themes and contributions. In Foss, N.J. (ed.). The theory of the firm: critical perspectives on business and management, vol. 1. London: Routledge, pp. xv-lxi.
32. IIA., 2011. Auditing the Control Environment [online]. Available at: https://www.iia.nl/SiteFiles/IIA_leden/Auditing_the_Control_Environment.pdf [Accessed on 01/01/2019].
33. Jamian, L.S., Sidhu, G.K. and Aperapar, P.S., 2013. Managerial decision styles of deans in institutions of higher learning. Procedia – Social and Behavioral Sciences, 90, pp.278-287.
34. Jensen, M.C. and Meckling, W. 1976. Theory Of The Firm: Managerial Behavior, Agency Costs And Ownership Structure. Journal of Financial Economics, 3(1), pp.305-360
35. Karagiorgos, T., Drogalas, G. and Giovanis, N., 2011. Evaluation of the effectiveness of internal audit in Greek hotel business. International Journal of Economic Sciences and Applied Research, 4(1), pp.19-34.
36. Karmakar, M., 2006. Stock market volatility in the long run, 1961–2005. Economic and Political Weekly, 41(18), pp.1796-1802.
37. Kirkeby, O.F., 2000. Management philosophy: a radical-normative perspective. Berlin: Springer.
38. Lee, T-H. and Azham, M.A., 2008. The evolution of auditing: an analysis of the historical development. Journal of Modern Accounting and Auditing, 4(12), pp.1-8.
39. Leedy P.D. and Ormrod J.E., 2010. Practical research: planning and design. 9th ed. Boston, MA: Pearson.
40. Linford., 2017. What is a SOC 1 Report? Expert Advice You Need to Know [online]. Available at: https://linfordco.com/blog/what-is-soc-1-report/ [Accessed on 20/05/2019].
41. Martin, K., Sanders, E. and Scalan, G., 2014. The potential impact of COSO internal control integrated framework revision on internal audit structured SOX work programs. Research in Accounting Regulation, 26(1), pp.110-117.
42. McNally, J.S., 2013. The 2013 COSO framework and SOX compliance: one approach to an effective transition. [online]. Available at: http://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13.pdf [Accessed on 31/12/2018].
43. Miller, K.C., Proctor, T.Y. and Fulton, B., 2013. Teaching managerial responsibilities for internal control: perception gaps between accounting and management professors. Journal of Accounting Education, 31(1), pp.1-16.
44. Moeller, R.R., 2007. COSO Enterprise risk management: understanding the new integrated ERM framework. London: Wiley.
45. Moeller, R.R., 2009. Brink’s modern internal auditing: a common body of knowledge. Hoboken, NJ: John Wiley.
46. Mohapatra, P., El-Mahdy, D.F. and Xu, L., 2015. Auditing and internal controls for offshored accounting processes: a research agenda. International Journal of Accounting and Information Management, 23(4), pp.310-326.
47. Mouloungui, S.M.K.E., 2012. Assessing the impact of finance on small business development in Africa: the cases of South Africa and Gabon. Unpublished MTech: Comparative Local Development dissertation. Tshwane University of Technology, Pretoria, South Africa.
48. Muceku, H., 2014. The development of public internal financial control in Albania – and his [sic] role in strengthening the managerial accountability. Academic Journal of Interdisciplinary Studies, 3(4), pp.301-309, July.
49. Nicolini, D., 2012. Practice Theory, Work, and Organization: An Introduction. Oxford: Oxford University Press.
50. Olmedo-Cifuentes, I. and Martínez-León, I.M., 2013. Influence of management style on employee views of corporate reputation. Application to audit firms. Business Research Quarterly, 17(4), pp.223-241.
51. Protiviti., 2013. The Updated COSO Internal Control Framework. [online]. Available at: http://www.protiviti.com/en-US/Documents/Resource-Guides/Updated-COSO-Internal-Control-Framework-FAQs-Second-Edition-Protiviti.pdf [Accessed on 31/12/2018].
52. Republic of South Africa., 2019. Revised Schedule 1 of the National Definition of Small Enterprise in South Africa. Government Gazette No. 42304. Government Printer: Pretoria.
53. Rezaee, Z. 1995. What the COSO report means for internal auditors. Managerial Auditing Journal, 10(6), pp.5-9.
54. Rezaee, Z., Elam, R. and Sharbatoghlie, A., 2001. Continuous auditing: the audit of the future. Managerial Auditing Journal, 16(3), pp.150-158.
55. Savage, A., Norman, C.S. and Lancaster, K.A.S., 2008. Using a movie to study the COSO Internal Control Framework: an instructional case. Journal of Information Systems, 22(1), pp.63-76.
56. SCH., 2018. Expertise Beyond the Numbers [online]. Available at: https://www.schgroup.com/resource/blog-post/a-clients-guide-to-soc-reports/ [Accessed on 20/05/2019].
57. Schatzki, T.R. 1996. Social Practices: A Wittgensteinian Approach to Human Activity and the Social. Cambridge: Cambridge University Press.
58. Schmidt, K., 2018. Practice Theory”: A Critique. in Wulf, V., Pipek,V., Randall, D., Rohde, M., Schmidt, K. and Stevens, G. (eds), Socio-informatics: A Practice-based Perspective on the Design and Use of IT Artifacts. Oxford: Oxford University Press, pp. 105-137.
59. Sin, I. and Ng, K., 2013. The evolving building blocks of enterprise resilience: ensnaring the interplays to take the helm. Journal of Applied Business and Management Studies, 4(2), pp.1-12.
60. Smit, Y., 2012. A structured approach to risk management for South African SMEs. Unpublished DTech: Internal Auditing thesis. Cape Peninsula University of Technology, Cape Town.
61. Spira, L.F. and Page, M., 2003. Risk management: the reinvention of internal control and the changing role of internal audit. Accounting, Auditing and Accountability Journal, 16(4), pp.640-661.
62. Swinkels, W.H.A., 2012. Exploration of a theory of internal audit: a study on the theoretical foundations of internal audit in relation to the nature and the control systems of Dutch public listed firms. PhD thesis. University of Amsterdam, the Netherlands.
63. Talet, M.Z.N., 2014. An analysis of the determinants of internal control disclosure by multinational corporations. MSc thesis. University of Ottawa, Canada.
64. Terjesen, S. and Elam, A., 2009. Transnational Entrepreneurs’ Venture Internationalization Strategies: A Practice Theory Approach. Entrepreneurship Theory and Practice, 33(5), pp.1093-1120.
65. Tuttle, B. and Vandervelde, S.D., 2007. An empirical examination of COBIT as an internal control framework for information technology. International Journal of Accounting Information Systems, 8(4), pp.240-263.
66. Wood, R., 2013. Changing of the guard: the COSO framework. [online]. Available at: http://bappdx.org/changing-of-the-guard-the-coso-framework/ [Accessed on 20/12/2018].

Article Rights and License

Corresponding Author