Next Article in Journal
Spiritual Intelligence: A New Form of Intelligence for a Sustainable and Humane Future
Previous Article in Journal
Evolutionary Mismatches Inherent in Elementary Education: Identifying the Implications for Modern Schooling Practices
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Encyclopedia
Volume 5
Issue 3
10.3390/encyclopedia5030106
encyclopedia-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Entry

COSO-Based Internal Control and Comprehensive Enterprise Risk Management: Institutional Background and Research Evidence from China

by
Hanwen Chen
1,
Shenghua Wang
2,
Daoguang Yang
2,* and
Nan Zhou
3
1
Department of Internal Audit, School of Internal Audit, Nanjing Audit University, 86 West Yushan Road, Nanjing 211815, China
2
Department of Accountancy, Business School, University of International Business and Economics, No.10, Huixin Dongjie, Chaoyang District, Beijing 100029, China
3
Department of Accounting, Lindner College of Business, University of Cincinnati, 2906 Woodside Drive, Cincinnati, OH 45221, USA
*
Author to whom correspondence should be addressed.
Encyclopedia 2025, 5(3), 106; https://doi.org/10.3390/encyclopedia5030106
Submission received: 14 May 2025 / Revised: 17 July 2025 / Accepted: 21 July 2025 / Published: 23 July 2025
(This article belongs to the Section Social Sciences)
Versions Notes

Definition

China’s internal control framework follows the Committee of Sponsoring Organizations (COSO) framework, emphasizing enterprise risk management and encompassing financial reporting, operations, compliance, and strategies. The authors review research that uses the COSO-based Internal Control Index to assess internal control quality among all publicly listed firms in China. Unlike the binary classification of internal control weaknesses under the Sarbanes-Oxley Act Section 404, this continuous index captures more nuanced variations in internal control effectiveness and provides two key advantages over traditional assessment of internal control over financial reporting (ICFR). First, while financial reporting can enhance a firm’s monitoring and decision-support systems, the underlying information is determined by operations. Thus, internal control over operations has a greater impact on a firm’s performance than ICFR. While U.S.-based research argues that the effects of ICFR extend to operations, the COSO-based index includes operational controls, allowing for a more direct study of internal control effects. Second, many U.S. corporations fail to report internal control weaknesses, particularly during misstatement years. In contrast, the COSO-based index, compiled by independent scholars, avoids managerial incentives to withhold negative internal control information. Covering institutional background and research evidence from China, the authors survey a wide range of internal control studies related to various aspects of enterprise risk management, such as earnings quality, crash risk, stock liquidity, resource extraction, cash holdings, mergers and acquisitions, corporate innovation, receivable management, operational efficiency, tax avoidance, and diversification strategy.

1. Introduction

Although the Securities and Exchange Commission (SEC) recommends the Committee of Sponsoring Organizations (COSO)’s internal control framework and some U.S. firms adopt it voluntarily, U.S. regulations focus narrowly on internal control over financial reporting (ICFR). This inconsistency stemmed from a swift response to public outrage over accounting scandals like Enron and WorldCom. Consequently, the Sarbanes-Oxley Act (SOX) Section 404 mandates ICFR to restore stakeholder confidence in financial reporting. In contrast, China not only adopts COSO’s internal control framework but also integrates it with COSO’s risk management framework. This approach regulates both financial and non-financial reporting issues, such as compliance, operations, asset safety, and strategy, enhancing the operational and management capabilities of enterprises, especially state-owned ones operating overseas.
The authors survey existing literature that employs the COSO-based Internal Control Index, developed to evaluate internal control quality among all publicly listed firms in China [1]. Compared to the U.S., China’s framework and regulations follow COSO’s comprehensive model and emphasize enterprise risk management. This comparative analysis offers valuable insights into two distinctive paradigms of internal control regulations. Countries such as the U.S., the U.K., Canada, and Japan typically adopt a narrow approach, focusing primarily on ICFR. In contrast, countries like China, Germany, Australia, and members of the European Union implement a broader framework that encompasses both financial and non-financial reporting [2]. By examining the practical implications of these two different approaches, this analysis contributes to a more comprehensive understanding of the relative effectiveness of internal control systems and their suitability for specific nations.
The current entry provides a comprehensive overview of China’s COSO-based internal control practices and related empirical studies. First, the authors introduce China’s internal control framework and regulations, highlighting their evolution and differences from those in the U.S. Second, the authors present the Internal Control Index built on China’s COSO-based framework and regulations, exploring its advantages. Third, the authors review empirical studies that utilize this index to examine the risk management role of internal control in various operational and management activities, such as compliance, asset safeguarding, diversification strategy, cash holding, mergers and acquisitions, innovation, accounts receivable management, exchange rate risk management, tax avoidance, and operational efficiency. Finally, the authors identify future opportunities in China’s internal control research based on the above analysis.

2. COSO-Based Internal Control in China: Framework and Regulations

2.1. China’s COSO-Based Internal Control Framework

China’s first comprehensive and widely adopted internal control standard, the Basic Standard for Enterprise Internal Control (the Basic Standard; also known as C-SOX), was jointly issued by five regulatory bodies in June 2008: the Ministry of Finance (MOF), the China Securities Regulatory Commission (CSRC), the National Audit Office (NAO), the China Banking Regulatory Commission (CBRC), and the China Insurance Regulatory Commission (CIRC). Prior to the Basic Standard, various regulatory bodies, along with the Shanghai Stock Exchange (SHSE) and the Shenzhen Stock Exchange (SZSE), issued their own standards, rules, or requirements on internal control for the organizations they regulated, such as listed firms, state-owned enterprises (central or local), commercial banks, insurance companies, and other financial firms. This fragmentation created confusion and burden for regulated entities. For example, a listed state-owned commercial bank had to comply with the requirements of all five bodies. Although initially intended for listed firms, the Basic Standard was also voluntarily adopted by other organizations.
The Basic Standard defines internal control as a process executed by the board of directors, the board of supervisors, management, and all employees to provide reasonable assurance of achieving key objectives. These objectives include compliance with operational and management requirements, safeguarding of assets, accuracy and completeness of financial reporting, operational effectiveness and efficiency, and implementation of development strategies. Internal control is designed as an integrated system comprising five components: internal environment, risk assessment, control activities, information and communications, and internal monitoring.
Given the broad scope of the Basic Standard, the five bodies jointly issued three Supporting Guidelines in April 2010: the Guidelines for the Application of Enterprise Internal Control, the Guidelines for the Self-Assessment of Enterprise Internal Control, and the Guidelines for Auditing of Enterprise Internal Control. These documents provided detailed guidance on designing, evaluating, and auditing internal controls. As a result, China’s internal control framework developed into a comprehensive system centered on the Basic Standard and supplemented by the Supporting Guidelines.
The core elements of an internal control framework are its objectives and components. China’s Basic Standard integrates COSO’s 1992 “Internal Control—Integrated Framework”, its 1994 addendum “Internal Control-Integrated Framework: Addendum to ‘Reporting to External Parties’” and COSO’s 2004 “Enterprise Risk Management—Integrated Framework” [3,4,5].
In terms of objectives, the Basic Standard draws from COSO (1992) and COSO (2004) to emphasize compliance with operational and management requirements, accuracy and completeness of financial reports, and effectiveness and efficiency of operations. These align with COSO’s goals of compliance with applicable laws and regulations, reliability of financial reporting, and effective and efficient use of resources. The safeguarding of assets is derived from COSO (1994), while the implementation of development strategies comes from COSO (2004).
Regarding components, the Basic Standard adopts COSO’s (1992) five-component model while incorporating concepts from COSO’s (2004) eight-component framework. Specifically, internal environment is sourced from COSO (2004), control activities and information and communications are from COSO (1992), and risk assessment includes the four components introduced in COSO (2004) (i.e., objective setting, risk identification, risk assessment, and risk response). Additionally, internal monitoring in the Basic Standard is distinct from COSO’s monitoring, illustrating the transition from control environment in COSO (1992) to internal environment in COSO (2004).
Overall, China’s internal control framework primarily follows COSO’s (1992) model while also integrating core principles from COSO’s (2004) risk management framework. This synthesis results in a comprehensive, enterprise-wide internal control system.

2.2. China’s Unique Internal Control Regulation

China adopts a trial-and-error approach to regulate listed firms’ internal controls, avoiding a one-size-fits-all strategy by setting different requirements for firms listed on various stock exchanges, such as the Main Board of the Shanghai Stock Exchange (SHSE) and the Shenzhen Stock Exchange (SZSE), the ChiNext Board (a Nasdaq-style board for innovative and entrepreneurial early-stage firms) of the SZSE, and the Small- and Medium-Size Enterprise (SME) Board of the SZSE. For regulation details before May 2020, please see Appendix II in the study by Chen et al. [6]. Similar to SOX Section 404 in the U.S., the core of China’ internal control regulations rests on the self-assessment and external audit (attestation) of internal control effectiveness.
For firms listed on the Main Board, requirements for external audit (attestation) have evolved from June 2008, when the Basic Standard was issued, to April 2010, when the Supporting Guidelines were introduced. These changes include transitioning from voluntary external attestation to mandatory audits and from attesting to the management’s self-assessment report on internal control effectiveness to independently auditing the effectiveness of ICFR. Firms listed on the ChiNext Board and the SME Board are required to hire external auditors to attest the management’s self-assessment report on effectiveness at least once every two years. In March 2021, the MOF and CSRC mandated that firms listed on the SME Board fully comply with the internal control regulations for firms listed on the Main Board starting 1 January 2022, due to the merger of the SME Board into the Main Board. Furthermore, in December 2023, the MOF and CSRC required all listed companies and IPO firms to annually conduct self-assessments of their internal control effectiveness and hire external auditors to independently audit the effectiveness of their ICFR.
From this regulatory timeline, it is evident that China’s internal control regulations are influenced by those of the U.S. However, significant differences arise from their different internal control orientations. While the U.S. focuses on financial reporting and takes a narrower approach to internal control, China emphasizes operations- and management-oriented systems and thus adopts a more comprehensive framework [7]. These differences are summarized in Table 1.
First, China’s self-assessment report on internal control covers both financial and non-financial aspects, reflecting a holistic view of enterprise-wide internal control, whereas the U.S. focuses narrowly on accounting controls or ICFR because SOX Section 404(a)(2) mandates disclosure of “internal control structure and procedures of the issuer for financial reporting”.
Second, different from the U.S., auditors in China are required to disclose internal control material weaknesses (ICMW) over non-financial reporting in the audit report on ICFR and must reveal significant and other internal control deficiencies to those responsible for governance and/or management.
Third, China has separate auditing guidelines for internal control audits, allowing companies to voluntarily choose whether to hire another accounting firm to audit ICFR. In contrast, the U.S. integrates internal control audits into the auditing standards of financial statements [8], meaning that the ICFR audit is part of the financial statements audit. U.S. auditors issue two audit reports: one for the financial statements audit and one for the ICFR audit. Using a U.S. sample of small public companies from 2007 to 2013, Bhaskar et al. found that integrated audits are associated with a higher likelihood of material misstatements and greater use of discretionary accruals [9]. This evidence is consistent with lower financial statement audit quality. In contrast, examining a Chinese setting where firms often engage separate auditors for financial statement and ICFR audits (i.e., non-integrated audits), Gunn et al. reported that ICFR audit quality is significantly higher under non-integrated audits than under integrated audits [10]. For non-integrated audits, while ICFR audit fees are higher, total audit fees are lower.
Fourth, the full audit report on ICFR in the U.S. is presented in the firm’s annual report as a separate section, followed by the audit report on financial statements and the financial statements. In some cases, one audit report contains both opinions on financial statements and ICFR. This reporting format emphasizes that the published financial statements are the joint outcome of the ICFR audit and the financial statement audit. In contrast, listed firms in China disclose the full audit report on ICFR on a designated website and summarize the outcome of the ICFR audit in a separate section, titled “Internal Control,” in the annual financial statements.
Fifth, China mandated ICFR audits for all listed firms starting in 2023, while the United States permanently exempted small companies and emerging growth companies from mandatory ICFR audits in the 2010 Dodd-Frank Act and the 2012 JOBS Act, respectively [11].
The differences outlined above offer several advantages for conducting empirical research using the Chinese regulatory setting. (1) Studies on the economic consequences of internal control can consider specific operational and managerial activities, decisions, and behaviors, extending beyond traditional financial reporting topics, such as accrual quality, accounting conservatism, and earnings relevance. (2) The comprehensive nature of China’s internal control framework allows researchers to directly examine its impact on firm-level operations and management. Note that researchers are not required to assume that the effects of ICFR can be spilled over from financial reporting to corporate governance and operations. (3) China’s internal control self-assessment reports and audit reports often include information on non-financial reporting. This provides researchers with valuable data for identifying internal control material weaknesses (ICMWs) beyond the financial domain. (4) China’s gradual phase-in of internal control regulations through trial-and-error adjustments presents researchers an opportunity to use the staggered difference-in-differences (DiD) research design, which helps strengthen the causal inference drawn from empirical analyses.

3. Internal Control Evaluation: An Internal Control Index Based on COSO Components

Differentiating firms with high-quality internal control from those with low-quality internal control is a significant concern for a wide range of stakeholders. First, the absence of disclosed deficiencies or weaknesses does not necessarily indicate high-quality internal control. There are numerous instances where deficiencies or weaknesses exist but are not voluntarily disclosed or are not detected by auditors [12]. Second, even if the absence of disclosed deficiencies or weaknesses genuinely indicates no deficiencies, there can still be significant variations in the internal control quality among companies without deficiencies or weaknesses [1,13]. Third, the internal control self-assessment and audit in the U.S. focus narrowly on ICFR, leaving out internal control over compliance, operation, and strategies [6,14].
To address the limitations mentioned above, Chen et al. developed the comprehensive Internal Control Index for Listed Firms in China (the Internal Control Index), based on the five COSO components: control environment, risk assessment, control activities, information and communication, and monitoring [1]. Built upon COSO (1992, 2004), the Basic Standards, and the Supporting Guidelines, the Internal Control Index also incorporates specific requirements from regulatory agencies such as the Ministry of Finance (MOF), the China Securities Regulatory Commission (CSRC), Shanghai Stock Exchange (SHSE), and Shenzhen Stock Exchange (SZSE). Furthermore, it employs the Analytic Hierarchy Process (AHP) to select over 100 elements across the five internal control components [1], where these elements were polished through discussions with scholars and practitioners.
The Internal Control Index has received wide recognition and been used in studies published in impactful journals such as Contemporary Accounting Research [13], Journal of Corporate Finance [6], Journal of the American Taxation Association [14], European Accounting Review [15], and Journal of International Accounting Research [16,17]. It is also regarded by practitioners as an industry benchmark and is acknowledged by Chinese regulators, including the SHSE [1,14].
This Internal Control Index distinguishes itself from other objectives-based indexes due to several advantages. First, the components-based index aligns more closely with the definition of internal control as a process, compared to objectives-based indexes. Second, objectives-based indexes are outcome-oriented, which is incompatible with the fact that internal control can only provide reasonable, rather than absolute, assurance regarding the achievement of objectives. Third, the components-based index is more effective in improving internal control quality because it can show low scores in specific internal control components and measures.

4. Internal Control Function: The Nature of Risk Management

Given that China’s internal control framework extends beyond ICFR to emphasize risk management throughout the entire process of operations and management, the financial-reporting-oriented research paradigm prevalent in U.S. academia (i.e., “ICFR → Quality of accounting information → Agency costs and information asymmetry and related consequences”) does not fit China’s operations- and management-oriented internal control system [7].
Drawing from this differentiation, several studies have utilized the Internal Control Index, developed by Chen et al. [1], to conduct extensive research on the risk management role of internal control in various aspects of a firm’s operations and management. These aspects include cash holdings, mergers and acquisitions (M&A), corporate innovation, accounts receivable management, exchange rate risk management, tax avoidance, and operational efficiency, in addition to traditional examinations of financial reporting quality. This comprehensive approach fully reflects the objectives of the COSO-based internal control framework. In contrast, using a self-constructed internal control index based on the output measures (e.g., using accrual quality to proxy for the quality of ICFR), Li et al. [18] found contradictory results, suggesting that high-quality internal control may inhibit corporate innovation. This discrepancy highlights the importance of relying on the COSO framework to more accurately assess the broader, enterprise-wide internal control system in China.

4.1. Internal Control over Financial Reporting

Extant studies in the U.S. and China have predominantly examined the influence of internal control quality on the reliability of financial reporting, as evidenced by its association with earnings quality [19,20,21,22,23], financial restatements [24,25], accounting conservatism [26], and audit quality [27,28]. These findings are confirmed by empirical evidence from other countries, such as Canada, Japan, and Germany, showing that quality internal controls contribute to higher accrual quality, the disappearance of discontinuity in the earnings distribution, increased timely loss recognition, and a decrease in earnings smoothing [2,29,30,31].
Using the Internal Control Index to measure internal control quality, research has also examined how internal control affects the relevance of accounting information. For instance, Chen et al. demonstrated that higher internal control quality is negatively associated with future stock price crash risk and positively associated with the earnings response coefficient (ERC) [15], which are confirmed by other studies [32,33]. These findings suggest that robust internal controls mitigate managerial opportunism, particularly the strategic withholding of adverse information, thereby enhancing the informativeness of earnings and reducing the stock price crash risk.
Moreover, improvements in the quality of accounting information and corporate disclosures extend benefits beyond investors. Enhanced internal control systems support managerial decision-making, particularly in the issuance of management guidance [34], and they improve the forecast accuracy of financial analysts by providing more reliable and timely financial data [35,36].
Overall, empirical evidence on the effect of internal control on accounting information quality is robust and consistent. A possible explanation is that accounting information quality is a key objective of internal control.

4.2. Internal Control over Operations

Since the internal control framework in the U.S. narrowly focuses on ICFR, U.S.-based studies often rely on indirect spillover effects from accounting information to governance and operations when exploring the role of internal control in various areas, including equity financing [37,38,39], debt financing [40,41,42], client risk management [43], cash holding [44], investment efficiency [45], operational efficiency [46], mergers and acquisitions (M&A) [47,48], tax avoidance [49], and resource allocation [50]. Two notable exceptions are Feng et al. and Bauer, who collected data on weaknesses in internal control over specific operations and examined how these weaknesses affect operational efficiency [51,52]. Feng et al. found that inventory-related material weaknesses in ICFR are negatively correlated with inventory management efficiency, such as inventory turnover [51]. Analogously, Bauer discovered that firms with tax-related internal control weaknesses, especially at the company level, avoid less tax due to their inability to effectively perform tax planning functions [52].
In contrast, China’s COSO-based internal control framework provides a broader setting to directly investigate the role of internal control in specific operations without relying on indirect spillover effects. Several studies in China have leveraged this advantage to conduct empirical investigations. Chen et al. found that firms with high-quality internal control quality are less likely to have abnormal cash holdings, whether excessive or deficient [6]. Moreover, investors place a higher value on cash holdings in these firms, indicating that internal control contributes to prudent cash policies that balance the risks and benefits of holding cash [6]. Yang further provided evidence that firms with sound internal control systems have greater propensities for mergers and acquisitions (M&A), experience lower post-M&A bankruptcy risk, and achieve superior M&A performance outcomes [7]. These findings underscore the role of internal control quality in mitigating M&A-related risks, thereby promoting more effective integration processes and enhancing long-term value creation.
In addition, internal control also has a significant influence on working capital management. Chen et al. studied the role of internal control in accounts receivable management, finding that high-quality internal control is linked to greater accounts receivable turnover, fewer aging receivables, and less impairment of receivables [17]. This demonstrates that effective internal controls alleviate receivables-related risks and improve accounts receivable management. Contrary to the hypothesis of cash flow maximization, they find that high-quality internal control speeds up payable turnover rather than slowing it down [17]. This suggests that internal control fulfills COSO’s objective of comprehensive enterprise risk management, as settling payables slowly bears the risk of late payments. Regarding tax risk management, Chen et al. found that high-quality internal control enhances tax avoidance for under-sheltered firms but curbs it for over-sheltered firms, thereby reducing tax volatility [14].
Whether the generally positive influence of high-quality internal control on firm-specific operational activities and decision-making translates into enhanced operational efficiency remains an important empirical question. Exploring the institutional setting of China that mandates ICFR audits for certain firms, Imdieke et al. found that small firms with ICFR audits exhibit significantly higher overall operational efficiency, compared to those that only issue ICFR self-reports [53]. This suggests that external assurance of internal controls may play a critical role in improving operational outcomes [53]. Complementing this, Chen et al. used the Internal Control Index to identify an inverted U-shaped relationship between internal control quality and operational efficiency [16]. Their findings indicate that while effective internal controls can enhance efficiency by reducing errors and improving process reliability, excessive or overly rigid controls may hinder flexibility and responsiveness, ultimately impairing efficiency.
Despite these benefits, the authors caution that several limitations exist. In the U.S., the scarce data on internal control over operations (ICO) limits empirical analyses. Although more information on ICO is disclosed in China, concerns remain regarding data accuracy and endogeneity because ICO cannot be easily disentangled from ICFR and internal control over compliance (ICC). As a result, most Chinese studies using the Internal Control Index provide evidence that overall internal control quality affects firm operations, without further decomposing the index into ICFR, ICC, and ICO.

4.3. Internal Control over Compliance

China’s internal control framework incorporates the objective of asset safety to create a more comprehensive system that covers all key internal control objectives. Due to China’s emphasis on enterprise-wide risk management, asset safety is often considered part of compliance. From the perspective of safeguarding a firm’s assets from insider exploitation, Ge et al. used the Internal Control Index to examine how internal controls affect insiders’ resource extraction [13]. They found that strong internal controls help prevent the extraction of resources through practices such as expense reimbursement fraud, embezzlement, accepting bribes to use substandard suppliers, and tunneling cash out of the firm through loans. This indicates that internal controls are crucial in curbing resource extraction and achieving the asset-safeguarding objective. These findings highlight the importance of internal controls in maintaining integrity and ethical standards within an organization, thereby fostering a culture of compliance and accountability.
Although compliance is a core objective of internal control, few have studied this area. Since governance mechanisms may also play a role in ensuring compliance, it is difficult for researchers to clearly isolate the impact of internal control on compliance outcomes.

4.4. Internal Control over Strategies

Because the original COSO (1992) internal control framework does not explicitly include strategic objectives within its scope, empirical research examining the relation between internal control and corporate strategies remains limited. Addressing this gap, Yang utilized the feature where China’s internal control framework includes strategic objectives to empirically investigate the role of internal control in shaping corporate diversification strategies [7]. The study found that the risk management capabilities embedded in high-quality internal control systems are positively associated with a greater degree of diversification, particularly among non-state-owned enterprises (NSOEs). Unlike state-owned enterprises (SOEs), NSOEs operate with greater autonomy in strategic decision-making, including choices about whether to diversify and which industries to enter. This suggests that effective internal controls help firms pursue strategic initiatives that are better aligned with their long-term objectives and risk tolerance, thereby enhancing competitive advantage and market positioning. Furthermore, the study underscores the importance of internal control in facilitating strategic decision-making by providing a structured framework for identifying, assessing, and managing the risks inherent in diversification.
Related U.S. studies provide similar insights. Bauer et al. investigated how internal control quality affects strategic resources such as customer-supplier relationships [54]. Specifically, they demonstrated that suppliers’ internal control quality significantly influences the duration and stability of customer-supplier relationships, indicating that internal control mechanisms play an important role in maintaining long-term strategic partnerships [54]. Baugh et al. provided supportive evidence that high-quality internal control helps improve banks’ risk-taking behavior, which is a key aspect of strategic decision-making [55]. This differs from Bargeron et al.’s finding that SOX inhibits corporate risk-taking [56]. The discrepancy can be explained by different orientations of internal control regulations. SOX, which applies to public firms, focuses primarily on financial reporting risks (e.g., frauds), whereas the Federal Deposit Insurance Corporation Improvement Act of 1992 (FDICIA), which governs banks, emphasizes broader operational and developmental risks [56].
Taken together, these studies do not provide direct evidence on the role of internal control in corporate strategy. However, the authors included them under the assumption that diversification and risk-taking are often determined by a firm’s strategic focus and that the supply chain constitutes a strategic resource. More qualitative research, such as interviews and surveys, is encouraged to uncover direct evidence and provide deeper insights into how internal control influences strategy formulation, implementation, monitoring, and evaluation.
In summary, the key empirical findings regarding the relations between internal control quality and financial reporting, operations, compliance, and strategic outcomes are synthesized in Table 2.

5. Conclusions

The current entry provides a comprehensive overview of China’s COSO-based internal control practices and related empirical studies. U.S. internal control regulations, prompted by responses to major accounting scandals, focus narrowly on financial reporting through SOX Section 404, whereas China adopts a broader COSO-based framework that integrates risk management and addresses both financial and non-financial reporting areas such as operations, compliance, and strategies. As seen in the comparison between the U.S. and China, the contrast between narrow and comprehensive regulatory models offers insights into the effectiveness of internal control systems.
The review in previous sections indicates a growing interest in how internal control affects specific operational and managerial activities. China’s COSO-based internal control framework provides distinct advantages, allowing for direct investigation into the role of internal control in these areas without relying on the spillover effects from accounting information to operations and governance. Moreover, as a continuous, independently compiled measure of internal control quality across all listed firms in China, the Internal Control Index enables more refined and comprehensive analyses of enterprise risk management. Accordingly, several promising directions for future research on internal control in China are highlighted as follows.
First, future research can move beyond the limitations of ICFR by directly examining how internal control influences specific operational and managerial activities. While U.S. studies often rely on the spillover from accounting information to assess internal control’s broader impacts on operations, recent work has begun to focus on account-specific weaknesses regarding inventories [34], accounts receivables [17], and tax avoidance [51]. Building on this trend, researchers could collect operation-level data to provide direct evidence of internal control’s role in key business functions.
Second, comparative research between China and the U.S. can focus on how differences in internal control orientation result in different economic consequences. While U.S. internal control systems focus on financial reporting and risk minimization, China’s approach emphasizes operational and managerial control, aligning more closely with broader risk management. Thus, researchers could examine sector-specific uses or obstacles related to the implementation of internal controls across various types of Chinese businesses.
Third, most internal control research remains at the firm level, yet its implications extend further. As a foundational mechanism, internal control can be viewed as a comprehensive institutional arrangement for risk management. Future research could adopt a “micro-to-macro” approach, examining how aggregated firm-level internal control affects the governance of local governments and contributes to the broader economic and social development.
Fourth, future research could explore the factors that influence the effectiveness of internal control regulations. The broad scope of these regulations may create challenges for enforcement and monitoring, potentially leading to superficial compliance. This risk is particularly pronounced when regulatory requirements do not account for the diverse internal control needs of different firms, which may lead entities to emphasize one category of internal control at the expense of others.
Fifth, recently reported internal control practices, such as the restatement of internal control reports, warrant closer examination, as they reveal how firms adapt their control systems under external pressures [57]. Future research could explore the motivations, conditions, and consequences associated with these disclosures to better understand their impact on corporate transparency and investor confidence.
Finally, further research is needed to uncover new factors driving the firm’s demand for internal control, especially in the context of evolving risks and rapidly changing technologies. While conventional determinants of internal control quality, such as auditors [58], management [59,60], employees [61,62,63], audit committees [64,65], firm-specific characteristics [66,67], and country-level institutional factors [68,69], have been well studied, emerging challenges (e.g., ESG risks, cyber security, and data privacy) and advanced technologies (e.g., artificial intelligence, blockchain, and big data) are reshaping internal control practices. Understanding how these developments influence the design, implementation, and effectiveness of internal controls may lead to interesting findings.

Author Contributions

Conceptualization, supervision, and validation, H.C., D.Y. and N.Z.; project administration, D.Y. and N.Z.; writing—original draft, S.W., D.Y. and N.Z.; writing—review and editing, H.C., S.W., D.Y. and N.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This paper is supported by the National Nature Science Foundation of China (No. 72472024) and the Key Project of Chinese Ministry of Education for Philosophy and Social Sciences. (No. 22JZD010).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Acknowledgments

We thank the three anonymous reviewers for their insightful comments and helpful suggestions that have greatly improved our paper.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Chen, H.; Dong, W.; Han, H.; Zhou, N. A comprehensive and quantitative internal control index: Construction, validation, and impact. Rev. Quant. Financ. Account. 2017, 49, 337–377. [Google Scholar] [CrossRef]
  2. Brown, N.C.; Pott, C.; Wömpener, A. The effect of internal control and risk management regulation on earnings quality: Evidence from Germany. J. Account. Public Policy 2014, 33, 1–31. [Google Scholar] [CrossRef]
  3. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control-Integrated Framework. 1992. Available online: https://egrove.olemiss.edu/cgi/viewcontent.cgi?article=1199&context=aicpa_assoc (accessed on 20 July 2025).
  4. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control-Integrated Framework: Addendum to “Reporting to External Parties”. 1994. Available online: https://egrove.olemiss.edu/cgi/viewcontent.cgi?article=2421&context=aicpa_assoc (accessed on 20 July 2025).
  5. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise Risk Management-Integrated Framework: Executive Summary. 2004. Available online: https://egrove.olemiss.edu/aicpa_assoc/38/ (accessed on 20 July 2025).
  6. Chen, H.; Yang, D.; Zhang, J.H.; Zhou, H. Internal controls, risk management, and cash holdings. J. Corp. Financ. 2020, 64, 101695. [Google Scholar] [CrossRef]
  7. Yang, D. Beyond Internal Control Over Financial Reporting: The Chinese Experience; Routledge: London, UK, 2024. [Google Scholar]
  8. Public Company Accounting Oversight Board (PCAOB). An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements (AS 2201). 2004. Available online: https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201 (accessed on 20 July 2025).
  9. Bhaskar, L.S.; Schroeder, J.H.; Shepardson, M.L. Integration of internal control and financial statement audits: Are two audits better than one? Account. Rev. 2019, 94, 53–81. [Google Scholar] [CrossRef]
  10. Gunn, J.L.; Li, C.; Liao, L.; Zhou, S. Is it better to kill two birds with one stone? Internal control audit quality and audit costs for integrated versus nonintegrated audits. Account. Rev. 2019, 98, 251–283. [Google Scholar] [CrossRef]
  11. Gupta, P.P.; Weirich, T.R.; Turner, L.E. Sarbanes-Oxley and public reporting on internal control: Hasty reaction or delayed action? Account. Horiz. 2013, 27, 371–408. [Google Scholar] [CrossRef]
  12. Rice, S.C.; Weber, D.P. How effective is internal control reporting under SOX 404? Determinants of the (Non-) Disclosure of Existing Material Weaknesses. J. Account. Res. 2012, 50, 811–843. [Google Scholar] [CrossRef]
  13. Ge, W.; Li, Z.; Liu, Q.; McVay, S. Internal control over financial reporting and resource extraction: Evidence from China. Contemp. Account. Res. 2021, 38, 1274–1309. [Google Scholar] [CrossRef]
  14. Chen, H.; Yang, D.; Zhang, X.; Zhou, N. The moderating role of internal control in tax avoidance: Evidence from a COSO-based internal control index in China. J. Am. Tax. Assoc. 2020, 42, 23–55. [Google Scholar] [CrossRef]
  15. Chen, J.; Chan, K.C.; Dong, W.; Zhang, F. Internal control and stock price crash risk: Evidence from China. Eur. Account. Rev. 2017, 26, 125–152. [Google Scholar] [CrossRef]
  16. Chen, H.; Li, T.; Zhang, C. Going too far is as bad as not going far enough: An inverted U-shaped relationship between internal controls and operational efficiency. J. Int. Account. Res. 2021, 20, 25–50. [Google Scholar] [CrossRef]
  17. Chen, H.; Liu, S.; Yang, D.; Zhou, N. COSO-based internal control and accounts receivable management. J. Int. Account. Res. 2025, 24, 131–154. [Google Scholar] [CrossRef]
  18. Li, P.; Shu, W.; Tang, Q.; Zheng, Y. Internal control and corporate innovation: Evidence from China. Asia-Pac. J. Account. Econ. 2019, 26, 622–642. [Google Scholar] [CrossRef]
  19. Doyle, J.; Ge, W.; McVay, S. Accruals quality and internal control over financial reporting. Account. Rev. 2007, 82, 1141–1170. [Google Scholar] [CrossRef]
  20. Ashbaugh-Skaife, H.; Collins, D.W.; Kinney, W.R.; LaFond, R. The effect of SOX internal control deficiencies and their remediation on accrual quality. Account. Rev. 2008, 83, 217–250. [Google Scholar] [CrossRef]
  21. Altamuro, J.; Beatty, A. How does internal control regulation affect financial reporting? J. Account. Econ. 2010, 49, 58–74. [Google Scholar] [CrossRef]
  22. Krishnan, G.V.; Yu, W. Do small firms benefit from auditor attestation of internal control effectiveness? Audit. J. Pract. Theory 2012, 31, 115–137. [Google Scholar] [CrossRef]
  23. Oh, K.; Choi, W.; Jeong, S.W.; Pae, J. The effect of different levels of internal control over financial reporting regulation on the quality of accounting information: Evidence from Korea. Asia-Pac. J. Account. Econ. 2014, 21, 412–442. [Google Scholar] [CrossRef]
  24. Srinivasan, S.; Wahid, A.S.; Yu, G. Admitting mistakes: Home country effect on the reliability of restatement reporting. Account. Rev. 2015, 90, 1201–1240. [Google Scholar] [CrossRef]
  25. Christensen, B.E.; Neuman, S.S.; Rice, S.C. The loss of information associated with binary audit reports: Evidence from auditors’ internal control and going concern opinions. Contemp. Account. Res. 2019, 36, 1461–1500. [Google Scholar] [CrossRef]
  26. Goh, B.W.; Li, D. Internal controls and conditional conservatism. Account. Rev. 2011, 86, 975–1005. [Google Scholar] [CrossRef]
  27. Asare, S.K.; Wright, A. The effect of type of internal control report on users’ confidence in the accompanying financial statement audit report. Contemp. Account. Res. 2012, 29, 152–175. [Google Scholar] [CrossRef]
  28. Lennox, C.S.; Wu, X. Mandatory internal control audits, audit adjustments, and financial reporting quality: Evidence from China. Account. Rev. 2022, 97, 341–364. [Google Scholar] [CrossRef]
  29. Wilford, A.L. Internal control reporting and accounting standards: A cross-country comparison. J. Account. Public Policy 2016, 35, 276–302. [Google Scholar] [CrossRef]
  30. Lu, H.; Richardson, G.; Salterio, S. Direct and indirect effects of internal control weaknesses on accrual quality: Evidence from a unique Canadian regulatory setting. Contemp. Account. Res. 2011, 28, 675–707. [Google Scholar] [CrossRef]
  31. Enomoto, M.; Yamaguchi, M. Discontinuities in earnings and earnings change distributions after J-SOX implementation: Empirical evidence from Japan. J. Account. Public Policy 2017, 36, 82–98. [Google Scholar] [CrossRef]
  32. Xue, C.; Ying, Y. Financial quality, internal control and stock price crash risk. Asia-Pac. J. Account. Econ. 2022, 29, 1671–1691. [Google Scholar] [CrossRef]
  33. Hu, N.; Qi, B.; Tian, G.; Yao, L.; Zeng, Z. The impact of ineffective internal control on the value relevance of accounting information. Asia-Pac. J. Account. Econ. 2013, 20, 334–347. [Google Scholar] [CrossRef]
  34. Feng, M.; Li, C.; McVay, S. Internal control and management guidance. J. Account. Econ. 2009, 48, 190–209. [Google Scholar] [CrossRef]
  35. Clinton, S.B.; Pinello, A.S.; Skaife, H.A. The implications of ineffective internal control and SOX 404 reporting for financial analysts. J. Account. Public Policy 2014, 33, 303–327. [Google Scholar] [CrossRef]
  36. Arping, S.; Sautner, Z. Did SOX Section 404 make firms less opaque? Evidence from cross-listed firms. Contemp. Account. Res. 2013, 30, 1133–1165. [Google Scholar] [CrossRef]
  37. Ogneva, M.; Subramanyam, K.R.; Raghunandan, K. Internal control weakness and cost of equity: Evidence from SOX Section 404 disclosures. Account. Rev. 2007, 82, 1255–1297. [Google Scholar] [CrossRef]
  38. Beneish, M.D.; Billings, M.B.; Hodder, L.D. Internal control weaknesses and information uncertainty. Account. Rev. 2008, 83, 665–703. [Google Scholar] [CrossRef]
  39. Ashbaugh-Skaife, H.; Collins, D.W.; Kinney, W.R.; LaFond, R. The effect of SOX internal control deficiencies on firm risk and cost of equity. J. Account. Res. 2009, 47, 1–43. [Google Scholar] [CrossRef]
  40. Kim, J.B.; Song, B.Y.; Zhang, L. Internal control weakness and bank loan contracting: Evidence from SOX Section 404 disclosures. Account. Rev. 2011, 86, 1157–1188. [Google Scholar] [CrossRef]
  41. Costello, A.M.; Wittenberg-Moerman, R. The impact of financial reporting quality on debt contracting: Evidence from internal control weakness reports. J. Account. Res. 2011, 49, 97–136. [Google Scholar] [CrossRef]
  42. Dhaliwal, D.; Hogan, C.; Trezevant, R.; Wilkins, M. Internal control disclosures, monitoring, and the cost of debt. Account. Rev. 2011, 86, 1131–1156. [Google Scholar] [CrossRef]
  43. Elder, R.; Zhang, Y.; Zhou, J.; Zhou, N. Internal control weaknesses and client risk management. J. Account. Audit. Financ. 2009, 24, 543–579. [Google Scholar] [CrossRef]
  44. Gao, X.; Jia, Y. Internal control over financial reporting and the safeguarding of corporate resources: Evidence from the value of cash holdings. Contemp. Account. Res. 2016, 33, 783–814. [Google Scholar] [CrossRef]
  45. Cheng, M.; Dhaliwal, D.; Zhang, Y. Does investment efficiency improve after the disclosure of material weaknesses in internal control over financial reporting? J. Account. Econ. 2013, 56, 1–18. [Google Scholar] [CrossRef]
  46. Cheng, Q.; Goh, B.W.; Kim, J.B. Internal control and operational efficiency. Contemp. Account. Res. 2018, 35, 1102–1139. [Google Scholar] [CrossRef]
  47. Darrough, M.; Huang, R.; Zur, E. Acquirer internal control weaknesses in the market for corporate control. Contemp. Account. Res. 2018, 35, 211–244. [Google Scholar] [CrossRef]
  48. Harp, N.L.; Barnes, B.G. Internal control weaknesses and acquisition performance. Account. Rev. 2018, 93, 235–258. [Google Scholar] [CrossRef]
  49. Gallemore, J.; Labro, E. The importance of the internal information environment for tax avoidance. J. Account. Econ. 2015, 60, 149–167. [Google Scholar] [CrossRef]
  50. D’Mello, R.; Gao, X.; Jia, Y. Internal control and internal capital allocation: Evidence from internal capital markets of multi-segment firms. Rev. Acct. Stud. 2017, 22, 251–287. [Google Scholar] [CrossRef]
  51. Feng, M.; Li, C.; McVay, S.E.; Skaife, H. Does ineffective internal control over financial reporting affect a firm’s operations? Evidence from firms’ inventory management. Account. Rev. 2015, 90, 529–557. [Google Scholar] [CrossRef]
  52. Bauer, A.M. Tax avoidance and the implications of weak internal controls. Contemp. Account. Res. 2016, 33, 449–486. [Google Scholar] [CrossRef]
  53. Imdieke, A.J.; Li, C.; Zhou, S. Does the presence of an internal control audit affect firm operational efficiency? Contemp. Account. Res. 2023, 40, 952–980. [Google Scholar] [CrossRef]
  54. Bauer, A.M.; Henderson, D.; Lynch, D.P. Supplier internal control quality and the duration of customer-supplier relationships. Account. Rev. 2018, 93, 59–82. [Google Scholar] [CrossRef]
  55. Baugh, M.; Ege, M.S.; Yust, C.G. Internal control quality and bank risk-taking and performance. Audit. J. Pract. Theory 2021, 40, 49–84. [Google Scholar] [CrossRef]
  56. Bargeron, L.L.; Lehn, K.M.; Zutter, C.J. Sarbanes-Oxley and corporate risk-taking. J. Account. Econ. 2010, 49, 34–52. [Google Scholar] [CrossRef]
  57. Feng, M.; Li, C.; Raghunandan, K.; Sun, L. Restating internal control reports following financial statement restatements: Determinants and consequences. Contemp. Account. Res. 2022, 39, 117–156. [Google Scholar] [CrossRef]
  58. Cohen, J.R.; Joe, J.R.; Thibodeau, J.C.; Trompeter, G.M. Audit partners’ judgments and challenges in the audits of internal control over financial reporting. Audit. J. Pract. Theory 2020, 39, 57–85. [Google Scholar] [CrossRef]
  59. Maksymov, E.; Pickerd, J.; Wilks, T.J.; Williams, D. The ICFR process: Perspectives of accounting executives at large public companies. Contemp. Account. Res. 2023, 40, 1671–1703. [Google Scholar] [CrossRef]
  60. Imdieke, A.J. The role of timing and management’s remediation actions in preventing failed remediation of material weaknesses in internal controls. Contemp. Account. Res. 2022, 39, 157–198. [Google Scholar] [CrossRef]
  61. Guo, J.; Huang, P.; Zhang, Y.; Zhou, N. The effect of employee treatment policies on internal control weaknesses and financial restatements. Account. Rev. 2016, 91, 1167–1194. [Google Scholar] [CrossRef]
  62. Estep, C. Auditor integration of IT specialist input on internal control issues: How a weaker team identity can be beneficial. Account. Rev. 2021, 96, 263–289. [Google Scholar] [CrossRef]
  63. Gao, J.; Merkley, K.J.; Pacelli, J.; Schroeder, J.H. Do internal control weaknesses affect firms’ demand for accounting skills? Evidence from US job postings. Account. Rev. 2023, 98, 203–228. [Google Scholar] [CrossRef]
  64. Krishnan, J. Audit committee quality and internal control: An empirical analysis. Account. Rev. 2005, 80, 649–675. [Google Scholar] [CrossRef]
  65. Zhang, Y.; Zhou, J.; Zhou, N. Audit committee quality, auditor independence, and internal control weaknesses. J. Account. Public Policy 2007, 26, 300–327. [Google Scholar] [CrossRef]
  66. Doyle, J.; Ge, W.; McVay, S. Determinants of weaknesses in internal control over financial reporting. J. Account. Econ. 2007, 44, 193–223. [Google Scholar] [CrossRef]
  67. Luo, B.; Tian, Z. Improving internal control quality as a corporate response to the Forbes Rich List. China J. Account. Res. 2023, 16, 100317. [Google Scholar] [CrossRef]
  68. Xiao, J.Z.; Weetman, P.; Sun, M. Political influence and coexistence of a uniform accounting system and accounting standards: Recent developments in China. Abacus 2024, 40, 193–210. [Google Scholar] [CrossRef]
  69. Mao, J.; Ettredge, M. Internal control deficiency disclosures among Chinese reverse merger firms. Abacus 2016, 52, 441–472. [Google Scholar] [CrossRef]
Table 1. Differences in internal control regulation between the U.S. and China.
Table 1. Differences in internal control regulation between the U.S. and China.
DifferenceU.S.China
Scope of internal control self-assessment Internal control structure and procedures of the issuer for financial reportingEntire internal control system, covering both financial and non-financial reporting
Contents of internal control audit reportOnly contains audit opinion on ICFR Also discloses internal control material weaknesses (ICMWs) over non-financial reporting, if detected
Standard/guideline for internal control auditsIntegrated into financial statement auditing standardsSeparate guidelines for internal control audits
Auditors of internal control auditsSame as those auditors auditing financial statementsCan be different from those auditors auditing financial statements
Presentation of internal control audit reportIntegrated into Form 10-K’s Item 9A without requiring disclosure in a separate sectionStandalone section in annual report, with additional website disclosure and summarized presentation in the annual report.
ICFR mandate for all listed firmsPermanently exempts small public companies and emerging growth companiesAll listed firms, effective in 2023.
Table 2. Summary of findings on the relation between internal control quality and outcome variables.
Table 2. Summary of findings on the relation between internal control quality and outcome variables.
Control AreaOutcome VariableDirectionRepresentative Studies
Financial ReportingEarnings managementNegative[19,20,21,22,23]
Financial restatements Negative[24,25]
Accounting conservatism Positive[26]
Audit qualityPositive[27]
Negative[28]
Stock price crash riskNegative[15,32]
Value relevance of accounting informationPositive[33]
Earnings guidancePositive[34]
Analyst forecastsPositive[35,36]
OperationsEquity financingNegative[37,38,39]
Debt financingNegative[40,41,42]
Cash holdingPositive[6,44]
Investment efficiencyPositive[45]
Operational efficiencyPositive[46,53]
Inverted U-shaped[16]
Mergers and acquisitions (M&A)Positive[7,47,48]
Tax avoidancePositive[49,52]
Nonlinear relation[14]
Resource allocationPositive[50]
Inventory managementPositive[51]
Accounts receivable managementPositive[17]
ComplianceResource extractionNegative[13]
StrategiesDiversification strategies Positive[7]
Customer-supplier relationshipsPositive[54]
Risk-takingNegative[56]
Nonlinear relation[55]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Chen, H.; Wang, S.; Yang, D.; Zhou, N. COSO-Based Internal Control and Comprehensive Enterprise Risk Management: Institutional Background and Research Evidence from China. Encyclopedia 2025, 5, 106. https://doi.org/10.3390/encyclopedia5030106

AMA Style

Chen H, Wang S, Yang D, Zhou N. COSO-Based Internal Control and Comprehensive Enterprise Risk Management: Institutional Background and Research Evidence from China. Encyclopedia. 2025; 5(3):106. https://doi.org/10.3390/encyclopedia5030106

Chicago/Turabian Style

Chen, Hanwen, Shenghua Wang, Daoguang Yang, and Nan Zhou. 2025. "COSO-Based Internal Control and Comprehensive Enterprise Risk Management: Institutional Background and Research Evidence from China" Encyclopedia 5, no. 3: 106. https://doi.org/10.3390/encyclopedia5030106

APA Style

Chen, H., Wang, S., Yang, D., & Zhou, N. (2025). COSO-Based Internal Control and Comprehensive Enterprise Risk Management: Institutional Background and Research Evidence from China. Encyclopedia, 5(3), 106. https://doi.org/10.3390/encyclopedia5030106

Article Metrics

Back to TopTop