Internal Control, Enterprise Risk Management, and Firm Performance
Gordon, Lawrence A
This dissertation investigates two research questions arising from the regulation of internal controls required by the Sarbanes-Oxley Act of 2002 (SOX). The first research question asks whether better internal controls can enhance firm performance. To address this question, the relation between market value and internal control is estimated by a residual income model. Firms with weak internal controls are identified as those that disclose material weaknesses in internal controls in periodic filings from August 2002 to March 2006, as required by SOX. The empirical results, based on a sample of 708 firm-years with disclosures of material weaknesses, show that firms with weak internal controls have lower market value.
Building on the efforts for SOX to improve internal controls, more and more firms are starting to adopt Enterprise Risk Management (ERM), because a sound internal control system rests on adequate and comprehensive analysis of enterprise-wide risks. In light of this trend triggered by SOX, the second research question in this dissertation asks whether implementation of ERM has an impact on firm performance. The basic approach to answering this question uses a contingency perspective, since all risks arise from the firm's internal and external environment. More specifically, the basic argument states that the relation between ERM and firm performance is contingent on the proper match between ERM and five key contingency variables: environment uncertainty, industry competition, firm size, firm complexity, and monitoring by the firm's board of directors. A sample of 114 firms disclosing the implementation of ERM in their 2005 10Ks and 10Qs is identified by keyword search in the EDGAR database. To develop the proposed proper match, high-performing firms are defined as those with a one-year excess return greater than 2%.
An ERM index (ERMI) is constructed based on the Committee of Sponsoring Organizations (COSO) ERM's (2004) definition of four objectives: strategy, operation, reporting, and compliance. The contingency view is supported by the empirical evidence, since the deviation from the proposed proper match is found to be negatively related to firm performance.