Congress responded in similar ways to 2001's major national crises: bolstering internal controls in corporate America under the Sarbanes-Oxley Act in response to Enron's debacle and imposing internal controls on its financial services industry under the USA PATRIOT Act in response to 9/11's terrorism. These reflexive legislative responses to national crisis fit a pattern of proliferating controls as a first-order policy option dating to the mid-1970s. Documenting this proliferation and untangling the definition of internal controls, this Article attributes the appeal of internal controls as a policy option to systemic forces including the movements for deregulation and cooperative compliance, resistance to overt federal preemption of state corporate law, the monitoring model of the board of directors in corporate governance and audit committee ascendance, the social responsibility movement and the diversification of auditing services. Manifest appeals include the limited substantive content control directives carry and the increasing harmonization of control types around audit committees, compliance officers, employee training manuals and external audits of controls fitting neatly into the team production theory of corporate practice and law and making even mandatory controls appealing to corporations being implicitly regulated.
Illuminating the limits of this policy option is an examination of comparative attitudes towards control risk shown by the auditing and legal professions. Audit approaches control risk with a formal context, definition and measurement apparatus consciously aware of risk's inevitability and that controls may increase or decrease risk. Yet auditors advertise their product as capable of doing more. Legal culture takes the advertisements seriously. The resulting expectations gap can be reinforced when audit's emphasis on systems and controls creates false impressions that these reflect likely achievement of underlying objectives. Proliferation of internal controls in the face of crisis shows social anxieties. Assuaging social anxieties with these tools can create illusions of control and denial of risk. Legal culture is telling managers to take steps to buy absolute control; audit culture is happy to sell it; the truth is, there is no absolute control. No system provides absolute assurance. The gap is significant between (1) what systems can deliver versus (2) what legal culture expects and what auditors advertise they can deliver.
When internal controls fail, the policy response is to require audits of controls. This is the story of Sarbanes-Oxley. In the 1970s, the SEC persuaded Congress in response to crisis to pass the Foreign Corrupt Practices Act requiring companies to have internal financial controls. In the early 2000s, in response to crisis perceived to originate in internal control failure, the SEC persuaded Congress to pass Sarbanes-Oxley requiring auditors to audit those internal controls. In this cycle of control mandates followed by audit mandates, pressure builds on audit to create controls that can be audited. But since controls do not automatically reduce audit risk and may increase it, audits of them cannot speak to the effectiveness of underlying substance over which controls offer no reliable assurance. Legislative enthusiasm for controls as crisis-response mechanisms pretends controls can do more than they can, and when controls consequently proliferate they can do even less: it becomes hard to assess which controls are effective.
Control proliferation and generality complicate foreseeability analysis in tort. If controls applied only in particular settings with defined functions, they could indicate that related risk realization was foreseeable. They might be useful in assessing difficult pragmatic questions of causation when losses arise after controls fail. But when every aspect of corporate affairs is layered with elaborate controls there is no credible basis for drawing such inferences. Control signifies nothing special, so offers no insight concerning foreseeability or causation. This has not, however, prevented using control failures in exactly this mistaken way. When controls fail, the existence of control norms, directives, or practices is relevant to evaluating the standard of care exercised and matters of causation and foreseeability with little or no regard to the particular control at issue or its underlying substantive purpose.
But Sarbanes-Oxley and PATRIOT show two polar extremes of control types: internal controls over financial reporting and controls dedicated to fighting terrorism. Two competing models of regulatory theory map onto this range. The deterrence model hypothesizes that target decision-making is conducted by comparing the cost of compliance with the product of enforcement threats and penalty levels. The cooperation model enlarges the framework by recognizing norms of compliance that may be skewed by the simple adjustment of threat and penalty levels. For internal controls the relative purchase of these models varies with the tenor of the control: financial controls link to the deterrence model where penalties for failure should be high and liability likely; externally-oriented controls are congruent with the cooperation model: penalties and liability risk should be zero. This theoretical account of the distinction between control types is consistent with the longer history of corporate law, but the current legal environment's ambitions for internal controls threaten to upset this traditional stance. This appears most acute in the case of terrorism and provides an internal-controls-based defense of general compensation schemes such as the 9/11 Victims' Compensation Fund.
Lawrence A. Cunningham, The Appeal and Limits of Internal Controls to Fight Fraud, Terrorism, Other Ills, 29 J. Corp. L. 267 (2004).