MINISTRY OF EDUCATION AND TRAINING
UNIVERSITY OF ECONOMICS HO CHI MINH CITY
------

------

NONG QUANG THANH

DETERMINANTS OF AN EFFECTIVE
INTERNAL CONTROL:
A STUDY OF FIRMS IN VIETNAM

MASTER THESIS OF BUSINESS ADMINISTRATOR

HO CHI MINH CITY – 2013


MINISTRY OF EDUCATION AND TRAINING
UNIVERSITY OF ECONOMICS HO CHI MINH CITY
------

------

NONG QUANG THANH

DETERMINANTS OF AN EFFECTIVE
INTERNAL CONTROL:
A STUDYOF FIRMS IN VIETNAM
Subject: Master of Business Administrator
Code: 06.34.01.02

MASTER THESIS OF BUSINESS ADMINISTRATOR
SUPERVISOR:
DR. NGUYỄN THỊ NGUYỆT QUẾ

HO CHI MINH CITY – 2013


I

ACKNOWLEDGEMENT
I would like to take this opportunity to express my gratitude to all those who
have helped and supported me during the time I conducted the study.
Firstly, I would like to express my deepest sincere gratitude to my
supervisor, Dr. Nguyen Thi Nguyet Que for her patient and invaluable advices to
my thesis. Without her support, the thesis could not have been completed.
Secondly, I would like special thanks to all instructors and lecturers in
eMBA course for their teaching invaluable knowledge and experience to me. I am
very great honor to introduce with my relationships that I have been participated in
eMBA program of Economic University, Ho Chi Minh City.
Many thanks to Mr Cao Quoc Viet, as well as the other classmates in eMBA
K19 class for their sharing valuable knowledge to me to complete this research
study.
I also wish to thank my friends, external auditors in KPMG and A&C as well
as other respondents. Without them, my thesis could not have been conducted.
Lastly, I would like to send the deepest and most special thanks to my
beloved parents, my wife and my family members who encourage me to overcome
all difficulties to complete this course.
Nong Quang Thanh
Ho Chi Minh, September 2013



II

COMMITMENT
I hereby would like to commit that the thesis, “Determinants of an effective
internal control: a study of firms in Vietnam”, was accomplished based on my
independent and serious studies and researches. The data was collected in reality
and it has clear origins. In addition, the data would be trust-worthily handled and it
has never been released in any menu.
Nong Quang Thanh


III

TABLE OF CONTENTS
ACKNOWLEDGEMENT................................................................................... I
COMMITMENT ................................................................................................ II
TABLE OF CONTENTS ................................................................................. III
LIST OF FIGURES............................................................................................ V
LIST OF TABLES............................................................................................ VI
ABBREVIATIONS ......................................................................................... VII
ABSTRACT ......................................................................................................... 1
CHAPTER 1: INTRODUCTION ....................................................................... 2
1.1.

Introduction ........................................................................................... 2

1.2.

Background to the research ................................................................... 2


1.3.

Research problems ................................................................................ 3

1.4.

Research objectives ............................................................................... 4

1.5.

Research questions ................................................................................ 4

1.6.
1.7.

Research methodology and scope .......................................................... 5
Thesis structure ..................................................................................... 6

CHAPTER 2: LITERATURE REVIEW ........................................................... 7
2.1.

Introduction ........................................................................................... 7

2.2.

Internal control components .................................................................. 7

2.3.


Internal control effectiveness ............................................................... 11

2.4.

Gaps in the literature ........................................................................... 13

2.5.

Research hypotheses and theoretical model ......................................... 14

2.6.

Summary ............................................................................................. 19

CHAPTER 3: RESEARCH METHODOLOGY ............................................. 20
3.1.

Introduction ......................................................................................... 20

3.2.

Research process ................................................................................. 20

3.3.

Questionnaires design.......................................................................... 21

3.4.

Operationalisation of measures ............................................................ 22



IV

3.5.

Pilot test .............................................................................................. 25

3.6.

Main survey ........................................................................................ 25

3.6.1 Sample design ................................................................................... 25
3.6.2 Survey method .................................................................................. 27
3.6.3 Data analysis techniques .................................................................. 27
3.7. Summary ................................................................................................ 28
CHAPTER 4: RESEARCH RESULTS ............................................................ 29
4.1.

Introduction ......................................................................................... 29

4.2.

Descriptive statistic of the study .......................................................... 29

4.3.

Testing measurement scale .................................................................. 31

4.4.


Testing the research model and the hypotheses .................................... 39

4.5.

Summary ............................................................................................. 45

CHAPTER 5: DISCUSSION AND CONCLUSIONS...................................... 47
5.1

Introduction ......................................................................................... 47

5.2

Discussion of findings ......................................................................... 47

5.3

Implications of the research ................................................................. 49

5.4

Limitations and recommendations ....................................................... 52

LIST OF REFERENCE .................................................................................... 54
APPENDIX 1 ..................................................................................................... 60
APPENDIX 2 ..................................................................................................... 66
APPENDIX 3 ..................................................................................................... 69
APPENDIX 4 ..................................................................................................... 72



V

LIST OF FIGURES
Figure 2.1 Quantitative assessment of internal control framework ....................... 12
Figure 2.2: The relationship between internal control components and the
efficiency and effectiveness of operation ............................................................ 18
Figure 2.3: The relationship between internal control components and the
reliability of financial report ................................................................................ 18
Figure 2.4: The relationship between internal control components and the
compliance with laws and regulations ................................................................. 19
Figure 4.1 Respondent's age ................................................................................ 30
Figure 4.2 Respondent's experience ..................................................................... 31
Figure 4.3 Organization industry ......................................................................... 31


VI

LIST OF TABLES
Table 2.1: Comparison of Control frameworks in the US ...................................... 8
Table 3.1: Measurement scale of internal control components ............................ 22
Table 3.2: Measurement scale of internal control effectiveness ........................... 24
Table 4.1: Sample characteristics......................................................................... 30
Table 4.2: Reliability of measurement scales ....................................................... 32
Table 4.3-4.5: The EFA result for internal control components measurement
scales .................................................................................................................. 36
Table 4.6-4.8: The EFA result for internal control effectiveness measurement
scales ................................................................................................................... 38
Table 4.9: Correlation of constructs ..................................................................... 39
Table 4.10a-c: Summary of hypotheses testing results (Model I) ......................... 41

Table 4.11a-c: Summary of hypotheses testing results (Model II) ........................ 43
Table 4.12a-c: Summary of hypotheses testing results (Model III) ...................... 44


VII

ABBREVIATIONS
CONTROL

Internal control components

EFFE

Internal control effectiveness

COEN

Control environment

RISK

Risk assessment

COAC

Control activities

INFO

Information and communication


MONI

Monitoring

EFFI

Efficiency and effectiveness of operation

RELI

Reliability of financial report

LAW

Compliance with laws and regulations

COSO

Committee of Sponsoring Organizations


1

ABSTRACT
This study reports the results on the internal control components and internal
control effectiveness from the external auditor’s perspective by using measurement
scale proposed by Annukka Jokipii (2009). The study is among the very few studies
in Vietnam empirically examines internal control effectiveness as well as suggest
the reference internal control components used in practice.

To assess the internal control components and internal control effectiveness, a
study of 236 external auditors who audited the operation of companies in Vietnam
in 2011 was conducted. Even though some unexpected outcomes have incurred,
“control environment” and “monitoring” are not supported in their relationship with
“the reliability of financial report”; “information and communication” is not
supported in the relationship with “the compliance with laws and regulations”, the
empirical results indicate that all remaining internal control components (Control
environment, risk assessment, control activities, information and communication,
and monitor) have significant positive effect on internal control effectiveness which
are also considered the company objectives: efficiency and effectiveness of
operation, reliability of financial report, compliance with laws and regulations.
Key words: Internal control components, Internal control effectiveness.


2

CHAPTER 1: INTRODUCTION
1.1.

Introduction
This chapter represents general introduction to the study including research

issues, research objectives and research questions applied in this study. In addition,
this chapter also addresses the methodology to be used and the scope of the study.
1.2.

Background to the research
Understanding the concept of internal control is essential for developing an

understanding of its impact on the performance of organization (Lembi, 2006).

In the world, internal control is traditionally proposed as “internal check”. Its
definition was then developed as “process activities” to enable management to deal
with rapidly growth. However, there was no official regulation in force to require
companies set up internal control to prevent risk and protect their business. After
many scandals incurred in financial perspective 21st century, Sarbanes-Oxley Act of
2002 (SOX) requires management of all public firms to issue internal control report,
take responsibility for maintaining an adequate internal control, and make
concerning to its effectiveness (PCAOB,2004). The external auditors are also
responsible for auditing management assertions as to the effectiveness of the
internal control and they have to give their own, independent conclusion (Ramos
2004, 75). Meanwhile, the reference groups like suppliers, investors and customers
have also focused more on quality of company’s reporting and accountability
(Rittenberg and Schwieger 2001, 172). An effective internal control system
therefore has played a critical role in a firm’s success. It helps organization
management to keep the company on profitability goals, to achieve its mission, and
to response to its risks of business (COSO, 1994). However, how to develop an
optimal internal control framework for all companies is still further research.


3

In 1994, Committee of Sponsoring Organizations (COSO) proposes Internal
Control framework consists of five interrelated components but states that the need
for control system and control effectiveness may vary according to a firm’s
characteristics. Donaldson (2001) indicates that the design of management control
system depends on the organization’s context, a fit between the organization’s
context and internal control components leads to better internal control
effectiveness. However, the evidence of the actual performance of an internal
control within the organizational environment is almost non-existent, and the topic
relatively unexplored by researchers (Kitnney, 2000). Consequently, in recent year,

many researchers (Chenhall 2003, Gerdin 2005, Jokipii 2009) have attempted to
explain internal control effectiveness by examining its designs.
With regard to Vietnam, there is almost non-existent research about internal
control and its effectiveness. Thus, this study is motivated to propose an internal
control framework, the internal control effectiveness definition for companies
operated in Vietnam reference as well as to explore the effect of existed internal
control components on internal control effectiveness.
1.3.

Research problems
In Vietnam, learning lessons from financial scandals highlight that those

charged with governance in companies do not properly identify, evaluate and
respond to the firm risks. They do not set up strong internal control enough to
protect their operation. Even though Vietnam is now one of the most strongly
developing of economic growth in Asia after had joined in WTO at the end of 2006,
it has recently been beset by inflation, a trade deficit, the stock market slump and
affect the negative results to enterprises in Vietnam. Thus, this is necessary time for
companies in Vietnam to renew and restructure their operation (Vietnam News,
2012). However, how to restructure their operation is still challenge to management
in companies.


4

As mentioned above, there is still lack of practical research on internal
control sector. The problem is therefore to be addressed. This study concentrates to
the internal control components, internal control effectiveness and to explore the
effect of internal control components on internal control effectiveness of firms in
Vietnam.

1.4.

Research objectives
A research objective is the research version of a business problem.

Objectives explain the purpose of the research in measurable terms and define
standards of what the research should accomplish (Zikmund 1997, 89).
In solving the research problem mentioned previously, this study has the
following objectives:
1) Investigate the relationships of internal control components and the
efficiency and effectiveness of operation.
2) Investigate the relationships of internal control components and the
reliability of financial report.
3) Investigate the relationships of internal control components and the
compliance with laws and regulations.
1.5.

Research questions
The study is conducted to explore the relationship between internal control

components and its observed effectiveness in companies. It is examined to
understand whether internal control components such as control environment, risk
assessment, control activities, information and communication, monitoring have
relationship to the internal control effectiveness which comprise the efficiency and
effectiveness of operation, the reliability of financial report, the compliance with
laws and regulations. The research questions therefore concentrate on internal
control components, the internal control effectiveness assessment as well as the
relationship between them.



5

Research question 1: Is the efficiency and effectiveness of operation
positively related to the internal control components?
Research question 2: Is the reliability of financial report positively related to
the internal control components?
Research question 3: Is compliance with laws and regulations positively
related to the internal control components?
1.6.

Research methodology and scope
The object of this research was external auditors who audited the operation

of companies in Vietnam. Sample size: 236 (See more in Chapter 3).
Qualitative method: The author used the qualitative method to carry out
group discussions with six experienced external auditors. The purpose of this step is
to adjust and amend the translated questionnaire suitable with the subject and
purposes of the study.
Quantitative research was used to explore the relationship between internal
control components and internal control effectiveness from the external auditor’s
perspective. The quantitative model was adopted from the previous research of
Jokipii (2009).
The author used data analysis tools to implement the research such as:
descriptive statistics, multiple regression models with SPSS version 16.


6

1.7.


Thesis structure
This study includes 5 chapters:
Chapter 1- Introduction, mentions about research background, research

objectives and research scope and approach.
Chapter 2 – Literature review provides theoretical and empirical background
supporting for hypothesized research model.
Chapter 3 – Research methodology, is about the methodologies that author
used to conduct the research.
Chapter 4 – Data analysis and findings, discusses about the analysis that author
conducted to test hypotheses and to answer the research questions.
Chapter 5 - Conclusion and implication, is about the results, implications, and
recommendations for future research.


7

CHAPTER 2: LITERATURE REVIEW
2.1.

Introduction
This part reviews the previous studies concerning about internal control

components, internal control effectiveness, and the relationship between them.
Based on the literature review, hypotheses are developed.
2.2.

Internal control components
The internal control is initially defined in 1930 as “internal check”


comprising system of accounts and procedures that one person performs
independently checks to the work of another to detect and prevent fraud (Sawyer et
al. 2003, 61). This definition was then developed by American Institute of Certified
Public Accountant in broadened meaning as plan of company, measures and all of
coordinate method to ensure the reliability of its accounting data, promote
operational efficiency. However, after big failures incurred in United State in 1980s,
there is a need for re-evaluation of internal control definition in more proper ways
to detect and prevent fraud.
In the United State 1992, COSO states a report that defines Internal Control
as a process, effected by an entity’s board of directors, management and other
personnel, which is designed to provide reasonable assurance to achieve three
objectives: effectiveness and efficiency of operations; reliability of financial
reporting; compliance with applicable laws and regulations. The COSO Internal
Control framework consists of five interrelated components: Monitoring,
Information and Communication, Control Activities, Risk Assessment, and Control
Environment.


8

Source: COSO Internal Control-Integrated Framework 1992.
Shortly after COSO framework 1992 issued, it is considered a basic
framework to develop additional frameworks in United State which focus more on
specific objectives from other perspectives. COBIT (1996) provides control
processes about information technologies (IT) management and IT governance,
SAC (1994) offers assistance to internal auditors on how to evaluate, report, and
improve control system, and SAC 78 (1995) provides guidance to external auditors
regarding the impact of internal control on performing audit of an organization. The
details of these internal control frameworks are described in table as following:


Table 2.1: Comparison of Control frameworks in the US
COSO
COBIT
SAC
Primary
audience

Management

Internal Control Process
viewed as a

Management,
users,
IT
auditors
Set
of
processes:
policies,
procedures,
practices.

Internal
Auditors

SAC 78
External
Auditors


Set
of Process
processes,
subsystems,
and people

Internal control (1) Effective & (1) Effective & (1) Effective (1) Effective &
Objectives
efficient
efficient
&
efficient efficient
operations
operations
operations
operations


9

(2)
Reliable
financial
reporting
(3) Compliance
with laws &
regulations

(2)Confidential
ity

(3)Integrity &
availability of
information
(4)Reliable
financial
reporting
(5)Compliance
with laws &
regulations
Domains:
Components or Components:
domain
(1)Control
(1)Planning &
organization
Environment
(2)Acquisition
(2)Risk
Management
&
implementation
(3)Control
(3)Delivery &
Activities
(4) Information support
&Communicati (4)Monitoring
on
(5)Monitoring
Internal control At a point
For a period

effectiveness
in time
of time
evaluation
Focus
Overall Entity
Information
Technology
Responsibility Management
Management

(2) Reliable
financial
reporting
(3)
Compliance
with laws &
regulations

(2)
Reliable
financial
reporting
(3) Compliance
with laws &
regulations

Components:
(1)Control
Environment

(2)Manual &
Automated
Systems
(3)Control
Procedures

Components:
(1)Control
Environment
(2)Risk
Assessment
(3)Control
Activities
(4)Information &
Communication
(5)Monitoring

For a period
of time

For a period
of time

Information
Technology
Management

Financial
Statement
Management


Source: Cobert et al. (2005)
The need for more advanced and appropriate internal control framework is
also appeared in other countries. Canadian Institute of Chartered Accountant further
develops COSO (1992) framework to the Criteria of Control Framework (CoCo,
1995) comprising elements of an organization like resources, systems, processes,
culture and task that support people in the achievement of the organization’s
objectives. In United Kingdom (UK), The Turnbull report (1999) provides guidance
in adopting a risk based approach in establishing components of internal control and
its effectiveness. The internal control components are reduced to three internal
control components: control activities, information and communication processes,


10

monitor processes for the continuing effectiveness of the internal control
components.
The previous analysis of internal control frameworks shows that there are
parallel components across internal control frameworks. Although these
components are also described in different terms in the various frameworks, but as a
summary, five internal control components proposed by COSO framework 1992,
the original and the most popular framework used, are mostly adopted. Therefore,
these five components proposed by COSO (1992) are also adopted as independent
variables in this study with details as following:
(1) Control Environment, which sets the foundation for the internal control
components influencing the control consciousness of the entity’s people. The core
of this part is its people composed of their individual attributes, including integrity,
ethical values and competence and the environment in which they operate.
(2) Risk Assessment, which involves the identification and analysis of relevant
risk in achieving predetermined objectives by management. This part includes

procedures help the entity aware of and deal with the risks it faces.
(3) Control Activities, which covers policies, procedures and practices
established and executed to ensure that management objectives are achieved and
risk mitigation strategies are carried out.
(4) Information and communication, which supports all other control
components through information and communication systems. It enables the
entity’s people to capture and exchange the information needed to conduct, manage
and control its operations.
(5) Monitoring, which covers the external overview of internal controls by
independent people likes the management. It includes regular management and
supervisory activities, and other actions personnel take in performing their duties.


11

The entire internal control components should be monitored, and modified as
necessary to ensure they can react dynamically.
2.3.

Internal control effectiveness
COSO (1992) shows that internal control can be judged to be effective when

the evaluators have reasonable assurances that they understand the entity’s
operational objectives, the reliability of published financial statements, and the
applicable laws and regulations compliance. However, its report does not disclose
any guidance on how to perform the assessment. Dai et al (2008) focus on the
comprehensive quantitative evaluation method of internal control effectiveness
from a risk-based perspective to construct a risk-oriented mathematical evaluation
model for internal control. However, due to too many and complex factors involved
in the evaluation, they propose that quantitative evaluation model of internal control

based on risk should be further studied and improved. The assessment of internal
control effectiveness therefore need to further research.
Perry and Warner (2005) have proposed five-step model for quantitative
assessment of internal control effectiveness, which is describeb in Figure 2.1.


12

Choose the right internal control framework
(COSO, COCO, Turnbull…)

Document controls against the selected model

Develop a quantitative scoring process

Assemble a group of examiners

Score the internal control application

Figure2.1: Quantitative assessment of internal control framework.
Compiled by Perry et al (2005)
The most important aspect to note in this model is scoring individual control
objectives against the chosen internal control framework. Examiners use the
selected model to determine the maximum score available for each control objective
under review and continue this process until they have scored all of the control
objectives and accumulated an overall quantitative score for internal control
effectiveness. They note that examiners should apply their own experience with and
knowledge of internal controls in conjunction with internal control framework
guidance in examining the effectiveness of an internal control.
Based on Perry’s quantitative model, Jokipii (2009) develops the

measurement scale for the internal control effectiveness. The definition of internal
control effectiveness in his research is taken from the internal control frameworks
which state that the internal control can be judged to be effective when the entity’s
operation objectives are being achieved, published financial statements are being
prepared reliably, and the applicable laws and regulations are being complied with.


13

In this study, the focus was on internal control effectiveness based on
quantitative assessment model proposed by Jokipii (2009). The external auditors
were asked to assess about the three objectives of internal control so that the
quantitative test for internal control effectiveness could be performed. The internal
control effectiveness composed of the efficiency and effectiveness of operation,
reliability of financial report, and the compliance with laws and regulations were
used as a dependent variable in this model.
2.4.

Gaps in the literature
In this study, five components defined in the internal control framework

(COSO 1992) are included. Most of the research done in this field focuses on
examining particular control components, such as the control environment
(D’Aquila 1998), communication (Hooks et al. 1994) or risk assessment (Mills
1997). Lembi (2006) examines all five components to evaluate the effectiveness of
internal control over financial reporting. However, he uses a qualitative approach in
his study. Jokipii (2009) adds value to internal control section by indicating that
control components have all positively effect on internal control effectiveness.
However, he proposes that the measures for internal control components and its
observed effectiveness should be conducted in further research to ensure the

reliability and validity of the measures. He also recommends that it would be
interesting to examine if studies of other reference groups, for example external
auditors. The final but is the most important, as mentioned above there is lack of
practical research about internal controls in Vietnam, this increase a requirement in
conduction a research to develop the knowledge in this section for companies in
Vietnam.


14

2.5.

Research hypotheses and theoretical model
Control environment:

Many studies have stressed the importance of

control environment to internal control effectiveness as a foundation of the internal
control. According to Schmidt and Posner (1983), control environment starts with
the board of director, who set the tone of an organization through policies,
behaviors and effective governance, gives direction to the hundreds of decisions
made at all levels of the organization every day. This enables the organization to
become efficient and effective, and achieve associated cost savings. D’Aquila
(1998) supports the position of control environment as the tone of an organization
by indicating that the perceived integrity of management has positively correlated
with fairly reported financial information. Its important role also supported from the
result of COSO study (1999) on 200 companies which has shown that 83% of the
financial fraud cases address by the SEC between 1987 and 1997 involved top
management. In addition, Cohen (2002) in his study continues to confirm the
important of the control environment with the finding from a survey of auditors that

“tone at the top and its implication for the behavior of employees” are the most
importance ingredients for an effective internal control. Author therefore
hypothesizes that
H1a: Control environment is positively related to the efficiency and effectiveness of
operation.
H1b: Control environment is positively related to the reliability of financial report.
H1c: Control environment is positively related to the compliance with laws and
regulations.


15

Risk assessment: The implementation of an effective Enterprise Risk
Management “ERM” will improve firm performance (Hoyt et al, 2006; Nocco and
Stulz, 2006; Chih, 2007). In addition, risk management has positive related to the
reliability of financial reporting (Lembi, 2006; Jokipii, 2009). However, Leen et at
(2010) find that there is no evidence about the application of the ERM improves
ERM effectiveness which includes entity’s strategic, operational, reporting, and
compliance objectives. From the above discussions, author hypothesizes that:
H2a: Risk assessment is positively related to the efficiency and effectiveness of
operation.
H2b: Risk assessment is positively related to the reliability of financial report.
H2c: Risk assessment is positively related to the compliance with laws and
regulations.
Control activities: are policies, procedures and necessary activities that are
taken to address risks to achieve the entity’s objectives (COSO, 1994). Hans Mjoen
and Stephen Tallman (1997) in their research suggest that entity’s performance is
strongly and positively related to control activities. Their results show that
specialized control activities provides both protection and exploitation of key
resource inputs through increasing bargaining power. Pyria (2013) confirms that

control activities are statistically significant in determining performance. In
addition, the control activities support performance management instructions (Ana
Morariu, SA, 2008:75). Control activities are developed and implemented for the
effective management of the identified risks performance.
As control activities are taken to address risks to achieve the entity’s
objectives, the author therefore hypothesizes that:


16

H3a: Control activities are positively related to the efficiency and effectiveness of
operation.
H3b: Control activities are positively related to the reliability of financial report.
H3c: Control activities are positively related to the compliance with laws and
regulations.
Information and communication: refer to the system put in place by an
organization to identify, capture, process and report relevant and reliable
information in a timely manner so that people can carry out their responsibilities
effectively (COSO1994, 59). Previous studies show that clear communication
channels within the organisation and between the organisation and its customers
have a positive effect on firm performance, see for example (Carr, Amelia S.
Kaynak, Hale, 2007). Organisations infuse information systems into their operations
so as to enhance competitiveness and facilitate business growth and success (Fisher
and Kenny, 2000). Even though organisations have different information systems,
they all strive for competitive advantage through continuous improvement; reevaluation of the effectiveness and efficiency of their business information system
(Chaffey and Wood, 2005). Information and communication system produces
reports including operational, financial and compliance related information that
make it possible to run and control the business effectively (Sawyer, 2003). From
the above discussions, author hypothesizes that:
H4a: Information and communication are positively related to the efficiency and

effectiveness of operation.
H4b: Information and communication are positively related to the reliability of
financial report.
H4c: Information and communication are positively related to the compliance with
laws and regulations.