Internal Auditing & Risk Management _________________ Anul VI, Nr.

3(23), Septembrie 2011

INTERNAL CONTROL - MANAGEMENT RESPONSIBILITY

Ph.D. Emilia VASILE Assistant lecturer Ion CROITORU

E-mail: [email protected] E-mail: [email protected]
„Athenaeum” University Bucharest „Athenaeum” University Bucharest

Abstract:
Internal control is a process designed, implemented and maintained by the
management of the organization in order to provide reasonable assurance
concerning the fulfilment of tasks that refer to the credibility of financial reporting,
also to the effectiveness and efficiency of operations according with laws and
regulations.
Internal control has the fallowing general objectives: achieving at an
appropriate level of quality the functions of the organization, established in
accordance with its mission in terms of regularity, efficiency, economy and
efficiency; protection of public funds, compliance with laws, regulations and
management decisions; development and maintenance of systems for collecting,
storing, processing, updating and dissemination of data and information, and also
development and maintenance of information systems and procedures and periodic
reporting.
Internal control system consists of policies and procedures designed to
provide officers that are responsible for corporate governance and executive
leadership, with reasonable assurance that the entity achieves its objectives
through the strategies adopted.
Keywords: reasonable assurance, internal control, efficiency, effectiveness,
risk assessment, risk management, liability management, control instruments,
objectives, internal control system.
JEL Classification: G34

The role of internal control

In our view, internal control is considered as a dynamic process that has
specific responsibility for protecting the heritage assets of the entity and preventing
and detecting errors, fraud, waste, abuse and poor management.
To ensure the functionality, internal control must be continuously adapted to
changes inside the entity. A functional internal control provides assurance that the
assets of the organization are safeguarded, that reports are reliable and accurately
reflect the economic and financial situation of the organization.
In literature, internal control is defined as the process designed, implemented
and maintained by the management and staff at all levels, in order to provide

15
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

reasonable assurance regarding the achievement of organizational objectives,

relating to the application of instructions, heritage protection, and improving the
quality of information activities.
In practice, internal control is held in the functional structure of an
organization, including resources, systems, processes, structure, tasks and
organizational culture and contribute to the objectives set, grouped as follows:
- effectiveness and efficiency of operations includes the organization's
mission and objectives relating to the use, in terms of economy, efficiency and
effectiveness of resources and resource protection objectives of the organization
concerning misuse or loss.
- reliability of the information, includes the objectives concerning proper
accounting and reliability of the information used in the organization and also the
objectives of protecting documents against fraud.
- compliance with laws, regulations and policies includes the objectives that
give assurance that the organization's activities are conducted in accordance with
the obligations imposed by laws and regulations and those regarding compliance
with internal policies.
For these reasons, internal control is a set of devices established by the
management and implemented by managers at any level for performance
evaluation activities. The devices must be implemented to provide assurance
regarding the achievement of organizational objectives.
The design and practical implementation of an internal control system aims at
decentralization of control activities towards the leaders of functional structures of
the organization. This means that each leader, at his level, is responsible for
establishing and implementing internal control that are necessary and appropriate
for the functioning and achievement of activities they coordinate. In this way the
management gains autonomy to achieve objectives, also transparency and
accountability in revenue collection and efficiency and effectiveness in managed
funds.
Developing a system of internal control regarding the organization own
culture, meets international standards and best practice in the field. A system of
internal control is characterized by the following:
- full process, internal control involves a series of instruments of control
which are integrated into activities of the entity;
- designed by management, setting goals and responsibility regarding the
establishment and operation of internal control monitoring. Management tools to
plan and implement internal control, monitor and evaluate their functionality;
- implemented by all staff, operationality of internal control is provided by
the staff of the entity, what they do, each at his post. To be able to achieve internal
control, personnel must know their duties, responsibilities and authority limits of
the job;

16
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

- in pursuit of the mission, the organization was established to achieve a

purpose and should be concerned, in particular, to fulfill its mission.
- risk identification, to carry out the mission of the organization, risks are
encountered, that is why management is required to identify and manage the risks,
to limit the probability of occurrence and keep them within acceptable limits.
- provide reasonable assurance, the design and implementation of a system
of internal control does not give to the management of the organization an absolute
assurance regarding the achievement of objectives, no matter how well is designed
and implemented, but a reasonable assurance. This level of insurance is one of trust,
being determined by the management, based on the inherent risks evaluations, and
associated to the activities in a quantitative and qualitative manner.
- objectives, internal control contributes to the overall objectives of the
organization, to the specific objectives established at the level of functional
structures and also to the individual objectives, set per each job in the organization.
The achievemnet of objectives is limited by the inherent limits that specific to any
system of internal control.
The aim is to ensure consistency of internal control objectives, to identify key
factors of success and to communicate to the organization leaders, in real time, the
information about performance and prospects. Whatever the nature or size of the
organization, the efforts to implement a satisfieng internal control are related to
aplying the rules and procedures related to internal control at all levels.

Internal control and risk management

Risk is defined as the threat that an event or action will adversely affect the
organization's objectives and also the successful implementation of strategies. This
definition emphasizes that risk is a threat that has an impact on the achievement of
objectives.
In these circumstances, an adequate internal control policy should provide
reasonable assurance to the manager that objectives are met. For this reason, the
organization should in advance conduct activities relating to: defining the
objectives, process mapping, analysis and assessment of risks inherent to the
proces or the risks that could threat the achievement of the objectives of the entity.
Risk management is the most important part of any internal control activity,
as it identifies adequate internal control instruments based on risk analysis, and the
implementation activities for the control devices are answers to risk management.
Recognizing the essential nature of risk management in internal control
analysis resulted in the emergence of risk management concept, which requires the
modification of leadership style and provide the basic conditions of effective
internal controls that contribute to achieving the objectives in terms of
effectiveness.

17
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

Risk management is a process conducted by management and all staff and

aims to identify events that could affect the achievement of activities and
objectives, a process that involves the identification, evaluation, risk control and
reporting.
Risk identification is a systematic and ongoing process which identifies
potential hazards within the entity. This process is necessary to know the risks that
have not been seen previously, to know the circumstances of the identified risks
and risk assessment which occurred in the past, but currently has no importance for
the organization.
Risks must be identified at any level where there is danger on the
achievement of the objectives and measures are required to implement the
arrangement of control devices to reduce risk to acceptable levels and maintain
them identifing the risks has the purpose to detect any possible risk factors and
create the conditions for handling the risks and analyze them.
Risk management is the responsibility of general management, who must
organize the internal control system and to empower the staff of the organization.
Risk assessment involves evaluating the probability of materialization of
risks and their impact on the objectives. This can be done by evaluating the policies
and processes for managing risk related to their adequacy by determining the
limitations which generate risk, determining internal control deficiencies and
creating devices to improve internal control and their implementation so as to
ensure the expected results by implementing the objectives.
The purpose of risk assessment is to establish a hierarchy of risks inside the
organization and function of risk tolerance, to determine the most appropriate ways
to deal with them. Risk assessment involves the following steps:
- assessment of the likelihood of identified risk materialization;
- impact assessment objectives if the risk materializes;
- evaluating assessment as a combination of probability and impact
The ones responsible for risk should take into account that risk cannot be
avoided and under these circumstances the only concern should be to keep risks
within acceptable limits, tolerated by the organization and not to seek the total
elimination of risk, because the action can lead to other unexpected risks.
Risk control has the aim to transform uncertainty into an asset for the
organization, limiting the threat. Risk control activity involves:
- tolerance of risk is the level of risk that the organization is prepared to
accept or to whom the organization is willing to expose itself at a certain point,
namely the acceptable limits in wich the risk manifests. All risks that have a level
of exposure situated obove the tolerance limit should be managed by control
measures;
- treatment of risk assumed, means that, guring the development of the
activity that generat the risk, the control tools are established in order to decrease

18
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

the level of risk and keep it within acceptable limits. Control tools are designed to
limit the probability that an undesirable result materializes and to correct the results
if the risk has materialized.
- risk transfer is done in those cases in wich implementation of control
instruments do not lead to the limitation or decreasing the level of risk in such a
way that the entity can manage it. In these cases the best solution is to transfer
them to another organization.
- stopping the activity implies that some risks can be eliminated or kept
within reasonable limits by reducing or eliminating the activities.
Risk management aims to identify and assess risks in terms of impact and
likelihood of materializing and to determine appropriate ways of managing
significant risks. Viable risk management solution is to find a balance betwin the
risk we already tolerate and the risk we are prepared to tolerate.
Please note that the treatment risk can be achieved by applying the following
control tools:
- preventive control tools that limit the possibility that an event occurs, such
as segregation of duties;
- corrective control tools with which we correct undesirable outcomes of the
materialized risks;
- directive control tools that aim to ensure achievement of results, and it is
used to prevent an unwanted to take place;
- detection control instruments with which we identify hazardous situations
that have occurred.
Risk reporting, means that risk management process is subject to periodic
review with the help of wich the warning mechanisms of management can warning
future or alredy existing risks are established and also of the internal control
functioning. Risk supervision is required to monitor the progress of the risk profile
and ensure that the activity of risk management is appropriate.
Risk Review process ensures that all risk management activities are reviewed
at least once a year and that mechanism for informing the management on the new
risks or an changes to the assumed risks, are established. Review processes are
implemented to examine whether: risks persist, new risks have emerged, the impact
and likelihood of risks have changed, internal control instruments are effectively
put into work, or if certain risks must be treated or transferred.
To ensure effective management of risk is important to examine how specific
individual responsibilities fall within the general framework of the organization
and if every employee properly understands, their role on risk management. If this
is not achieved, risk management cannot be properly and homogeneously
integrated into the organization.
Risk management does not mean eliminating or minimizing the negative
results that risks could cause tothe organization's activities but to limit the

19
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

occurrence of risks. The objective is to identify the size of the organization which
is subject to risks, understanding the phenomena that maintain high levels of risks
and identifing the causes that give rise to risks.
Analysis and evaluation of risk management activities allow the
identification, the hierarchy and risk assessment in such a manner that the
organization can control them. This hierarchy will support decisions on risk
treatment options, as well as ensuring the continuous improvement of
organizational performance.

The requirements and the object of internal control implementation

Implementation of an adequate internal control system is an opportunity to
ensure the entity's performance, because it identifies failure and creates the best
control devices. This implies a profound and collective thinking on the strengths,
but also on vulnerabilities of the implemented processes.
Malfunctions or errors are due to failure in carrying out internal control tools
or improper implementation. Officials in charge of building the internal control
system create and develop tools for internal control to allow possession of a good
control over the functioning of the organization and the completion of each activity
or operation.
Internal control instruments vary from one organization to another,
depending on the size, complexity and nature of the activities and the applicable
legal rules. They can be grouped as follows: objectives, resources, information
system, organization, procedures and control.
The objectives are customized according to the business and functions of the
general objectives of the organization, precise and clearly formulated, contained in
a policy and strategy document, approved and notified to all staff. Based on these
general goals each person responsible for the management sets specific objectives
in carrying out the department he leads, ensuring that they are realistic and fully
consistent with the mission and duties department, distributed inside the
compartment, measurable, ie expressed in quantitative or qualitative indicators,
monitored through the existing information available to management and are
provided with realistic deadlines for achieving calendar.
The means are all human, financial and material, taken in conjunction with
the achievement. They must enable the objectives set.
Information system means all the processes, methods and tools used within
the entity, leading to an organic whole of the operations of collecting, processing,
systematization, transmission, recovery and storage of data and information. This
system should be integrated within the organization, in the form of journals, whose
construction should be based on ranking, correlation and sequential centralization
of information and indicators used by management to their business managers.

20
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

The organization is a set of measures, methods, techniques, tools and

operations that management established in accordance with certain principles, rules,
standards and criteria, procedural and structural components of the organization to
achieve objectives. Without proper organization there can be no control over
activities within the organization.
The procedure describes the steps to be followed, established working
methods and rules applied in the execution of activities, duties or tasks. They can
be grouped into: operational procedures relating to legal procedures, decision-
making procedure that relates to the exercise of judicial competence and procedure
liability covering.
Control consists of measuring results with the indicators set goals, finding the
underlying causes of deviations and take corrective or preventive measures of need.
Depending on the type of cases, corrective or preventive measures may be forward
looking in nature, organizational, coordination, training, evaluation or control.
Exercise-control evaluation function implies that the organization would develop
its own control strategy for limiting the risks that may cause unwanted deviations
from the policies and objectives.
Internal control activities in general, policies, methodologies and procedures
relating to the organization:
- separation of responsibilities in order to prevent fraud and error, that the
responsibility for asset management, the approval process, operational activities of
accounting tasks and functions of key information technology, functions related to
users;
- approval of the operations and activities of the entity, namely the
establishment of clear rules of general approvals for the specific;
- preparation and use of accounting documents in accordance with legal
requirements;
- protection of storage assets through entities, managing and securing
appropriate and adequate physical controls.
Internal control aims to reduce irregularities, fraud and ensuring sound
management. This is achieved by ensuring an adequate level of quality consistent
with the mission of the organization's tasks under conditions of regularity,
efficiency, economy and efficiency and the development and maintenance of
systems for collecting, storing, processing, updating and dissemination of data and
information systems and appropriate procedures. In this context, the internal
control requirements are:
- objectives, mastery and steering of business;
- ensuring financial transparency and efficiency of financial flows;
- strengthening internal control systems and financial management;
- providing management an effective tool to assist in observation of
activities and to facilitate the achievement of objectives.

21
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

Organization of internal control conducted at the functional structure is the

task of the manager, who has established responsibilities regarding the design,
implementation, operation and its improvement. Internal control should concern
any operation or transaction within the entity and perform the following functions:
financial, compliance and performance.
The head of the organization report on the design, implementation, operation
and performance level of internal control. Reporting is done on a statement that
shows that have been implemented adequate systems of control that ensure the
legality and regularity of operations and ensure policies and procedures developed
at all levels of the organization: approvals, authorizations, verifications,
reconciliations, performance review, security of assets and segregation of duties.

Internal control- the responsibility of management and all- staff

Overall and at all level management is responsible for internal control
steering of the whole device, each in their sphere of competence, ensuring it is
consistent and efficient as a whole and it covers the main risks.
Management shall be responsible for the implementation of internal control
within the organization, meaning that it is required to establish adequate internal
control policies and to regularly monitor its effective functioning of insurance.
Must also ensure the effectiveness of internal control in risk management.
Line management is responsible for developing internal control policies in
the organization of functional structures and to implement control activities
arranged by the leadership of the organization, takingi nto account the following:
- determination of the control, activities that require the implementation of
internal controls;
- internal control design tools suitable and appropriate manner of their
implementation;
- implement proper internal control;
- verification of the adequacy and functionality of control and ensure that the
control mechanisms are applied in full, according to necessity;
- maintaining and updating the controls, which is a continuous task and it
must occupy first place in the management concerns.
A good implementation of internal control does not guarantee success,
however, short-term approach and even less in the long term. The role of managers
is to get all the personnel of the organization's adherence to internal control system
development, through communication and training. Therefore, staff involvement is
through direct participation in the design of internal control device, particularly in
the diagnostic phase.
Control activities taking place within the organization ensures the
achievement of the objectives and ensures compliance with predetermined
operating procedures. Constraints and restrictions on control activities are designed

22
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

to ensure that the staff of the organization to fulfills its duties properly and are not
aware of activities that exceed the limit of responsibility.
Managers have the responsibility to define the nature, degree of aggregation
and data-collection period according to the objectives and level of responsibility.
This requires increased attention to the number and relevance of indicators of
activity and results.
Management involves the exercise of managerial responsibility of an
organization, within the limits of internal and external constraints in order to
achieve effective, efficient and in accordance with the law objectives,
communication in a transparent way and responsability for management failure.
Internal control device established by management should be constantly
adapted to the strategy and objectives of the entity, to the working environment, to
the activities and organization of the entity. Device must ensure permanence and
durability of internal control and internal control device efficiency.
Internal controls should not, in time, become the exclusive concern of
specialists. Management sets the controller to implement, but may delegate
operational pilotage charge of internal control department. The remaining staff
implements activities of control designed by management. However, managers
must remain, at their level, key actors in the adaptation to the realities of a public
entity and to diagnose regularly the processes which are responsible for regularly.
Preparing and making managerial decisions on improving organizational
performance requires knowledge of the progress of implementation of previous
decisions, but also functional status affected by the decision process. The relevance
and applicability in real-time decisions, and monitoring their implementation, in a
competitive environment requires a set of methods and techniques appropriate to
offer the manager the possibility of complete information on economic and
financial organization. Thus, internal control should be viewed in this context,
managerial assistance as a tool to derive a picture of the reality of the organization
as a whole.
General Manager and other persons occupying management positions in
public entities are responsible for the creation and the operation of an effective
internal control system to give reasonable assurance that objectives will be
achieved. In this regard, it notes that implementation of internal control within the
organization and adequacy of policies is the responsibility of overall management
objectives, and providing management with regard to functionality and efficiency
of the internal audit duties.
Internal audit is responsible and concerned with the organization of the
system of internal control within the organization and assists staff in maintaining
effective controls by evaluating their functionality and their continuous
improvement.

23
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

At the same time, supervision and monitoring process involves ongoing

assessment and regular reporting by the responsible of the correct application of
internal control mechanisms in order to determine the strength and consistency and
to implement new control devices where this is necessary. This process requires
that each responsible to organize and run their own business, to establish specific
tasks, supervise the work of subordinate staff to devise appropriate working
methods and procedures and consistent information system on coordinated
activities.

Contribution to improving internal control performance in organizations

Internal controls are all seen as contributing to security measures that
contributes to having control over the organization and aims on the one hand, to
ensuring protection of information quality, and on the other hand, promoting the
application of guidelines to improve performance management.
In organizing the system of internal control based on the concept of
managerial accountability there are the following prerequisites:
- The head of the organization is responsible for the organization and
operation, under optimal conditions, the internal control system;
- the organization's internal control system based on checks and corrective
measures, as well as internal evaluation and external evaluation;
- head of the organization is responsible for achieving the objectives of the
entity;
- head of the organization may delegate his power, but is not relieved of
overall responsibility;
- the employment of managerial accountability is achieved by ensuring
adequate competence;
- accountability requires transparency and accountability.
Internal control covers all structures, methods, techniques and procedures by
which management assures that the administration of property and funds are
properly and effectively administrated. This implies a control environment and an
appropriate culture within the organization, characterized by integrity, ethics,
management style, management philosophy, organizational structure, ensuring
accountability and authority, human resources policies and practices, personnel
competence.
Efforts to develop and modernize the internal control system in accordance
with industry standards are channeled to:
- harmonization of existing legislation with EU law and control of European
and international standards in the field;
- ensuring effective implementation of the regulatory framework and the
procedural;

24
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

- strengthening of internal controls to ensure prevention of irregularities and

recovery of losses due to irregularities or negligence;
- developing and strengthening institutional capacity;
For these reasons, leaders of organizations take the necessary steps to prepare
and develop internal control systems within their organizations. These measures
mainly consist of: internal control system development, building structure
responsible for monitoring, coordination and methodological guidance of the
internal control system, development of operational procedures for activities,
analysis and development of information on the operation and performance of the
system of internal control, internal control system development.
Internal control standards approved by the inspiration COSO, define a
minimum of rules of management and control, and aims at developing a uniform
and consistent control system. They act as a benchmark against which internal
control systems are evaluated, risk areas are identified and directions for
improvement are taken.
Internal control is a set of device, that management has established and it is
implemented by managers at all levels to control normal activities.
These devices are designed to provide reasonable assurance regarding the
achievement goals of the institution.
Functional characteristics of internal control are as follows:
- shift from ex post concept, pro-active techniques, which ensures continuity
of quality assessment of financial management and control systems;
- the organization to attain its objectives through systematic evaluation and
maintenance at an acceptable level of risk associated structures, programs, projects
and operations;
- ensuring the integrity and competence of management and executive staff,
along with a knowledge and understanding of the importance and role of internal
control;
- monitoring continuously, all activities and working properly, promptly and
responsibly whenever breaches of the legality and regularity in conducting
operations or carrying out activities;
- providing clear command relationships, execution, reporting and
accountability;
- the system of preventing of internal control must meet the requirements of
efficiency and effectiveness.
Internal control activities are even more effective as they are integrated into
separate procedures, rather than overlap with current tasks, because they are not
limited to verification operations made by managers on operations carried out by
subordinates, but the checks and controls done at each position within the
competences assigned.

25
Internal Auditing & Risk Management _________________ Anul VI, Nr.3(23), Septembrie 2011

The internal control system, existing in every public entity needs to be

developed, refined to the level that allows management to having a better control
over the functioning of the organization as a whole and over each activity in order
to achieve objectives.

BIBLIOGRAPHY:
1. Collins L. şi Vallin G., Audit et Contrôle Interne, Dalloz, Paris, 2000;
2. Domnişoru Sorin, Vânătoru Sandu Sorin, Audit et Contrôle Interne, Sitech
Publishing, Craiova, 2010;
3. Keith Wade & Andy Wynne, Control Self Assessment For Risk Management
And Other Practical Applications, West Sussex, England, 2006;
4. Munteanu Victor, Marilena Zucă, Ştefan Zucă, Control and audit financial,
Bucureşti, , Publishing Pro Universitaria, 2006;
5. Mihăilescu Ion, Marcu Niculina, Chilarez Dan, Covariu Galation, Audit et
Contrôle Interne, Publishing Economic Independence, Piteşti, 2010;
6. Munteanu Victor, Control and audit accounting, Lumina Lex Publishing,
Bucureşti, 2003;
7. Marcel Ghiţă, Emilia Vasile, Marin Popescu, Internal control and internal
audit, Bren Publishing, Bucureşti, 2004;
8. Renard Jacques, Theory and practice of internal auditing, the fourth edition,
the French translation made by the Ministry of Public Finance in a project
financed by PHARE, Bucureşti, 2002;
9. Ministry of Finance Public. Methodological guidelines on internal control,
2010.

26