Keywords

Internal Audit, Internal Control, COSO III, Medium-Sized Companies, Small Companies.

Introduction

Mantilla (2012) states that "internal control is a process carried out by the board of directors, managers and other personnel from an entity. It is designed to provide reasonable assurance that objectives are being met in specified categories". For companies, maintaining an adequate Internal Control system is equivalent to a well-functioning organization, since the performance of its departments will depend on it. The different departments of the organization are responsible for its success or failure, that’s because in the absence of a guide and / or a model to follow which allows the control of all of them, chaos that puts at risk the business growth will emerge.

Internal Control is important for companies worldwide since its objective is to take care of the company against any existing irregularities. For Aguirre & Armenta (2012) Internal Control varies depending on the needs within the company so it is different for each department. Likewise, Internal Control is understood as a plan that the organization owns; that is to say, the methodology it applies aiming to protect its assets, guarantee the veracity of the accounting information, promote efficiency in its operations and encourage compliance with established policies. (Mantilla, 2013).

A guide to implement an internal control system in a company is the COSO Report, defined as

A framework model that describes professional practices for establishing preferred business systems and processes that promote efficient and effective internal processes; besides, it is an important model for guidance materials that companies should follow when developing their systems and procedures (Moeller, 2013).

For Moeller, (2013) the application of internal control based on the COSO III Report contributes to the improvement of business performance, since it manages risks allowing the creation and preservation of business value. Internal controls are an important part of a company's governance system, considering that they are aimed at taking into consideration opportunities and facing possible threats. In risk management, the effort made by the managers, administrative and other personnel is essential to achieve the goals set.

The Committee of Sponsoring Organization of the Treadway (2013) in its last update in 2013, indicated that the Integrated Internal Control Framework COSO III will allow organizations to effectively and efficiently manage their internal control systems; which will be adaptable to the various business and operational environments and which in turn will reduce risks to tolerable conditions. This will benefit decision-making and the establishment of structured governance. Therefore, the Integrated Internal Control Framework COSO III, focuses mainly on the constant progress of the organization. It aims to become an effective Internal Control System, which guarantees its results in the application of the five components that work together with seventeen principles and 3 types of established objectives (Caguano, 2015).

The first component of the COSO II is the Control Environment, which refers to the group of procedures, models and structures that guide the Internal Control at different levels of the company. The Risk Assessment component oversees detecting and evaluating the existing risks that hinder the achieving of objectives. The Control Activities component deals with the policies and procedures that ensure the reduction of risks within the organization. The Information and Communication component is responsible for the disclosure of information by senior management. Finally, the Supervision and Monitoring component refers to the periodic evaluations carried out to determine if all the components of internal control are working as planned (Comité de Organizaciones Patrocinadoras de la Comisión Treadway, 2013).

Correa & Galloso (2018) claim that the five components applied together will allow the goal to be reached. In the same way they allow the establishing of policies that will conduct the organization and that will vary according to the business activity. The proper application of the five components of the COSO III Report allows creation a system capable of responding effectively to changes in the environment, meeting the needs of management and controlling operational activities. In other words, this system allows to maintain a total control based on previous experiences that have provided timely information to avoid errors that have already been made and thus ensure quality in the processes (Ladino, 2009).

On the other hand, the economic environment in Ecuador, as in many countries, is changing due to the creation of new businesses, technological dependence, and globalization, among others. This has allowed changes to be made in internal control, which will allow each of the existing types of companies to grow. Estupiñán (2015) states that economic needs are born mainly from human habit; they are permanently modified generating business possibilities, and risks too obviously, which must be coordinated between administrative and control entities.

Business enterprises are an important part of the Latin American economy. Studies carried out by the Universidad de los Andes show that the greatest concentration of businesses is in the commercial sector with a percentage of 49% compared to other sectors, thus conforming that these companies are generators of employment, with an average of 64.26%. (Saavedra & Hernández, 2017). Correa et al. (2018) added that their importance in the productive area and in employment makes them the axis of economic growth since their dynamism promotes the continuous sustainable development of a country which guarantees the viability and effectiveness within the exercise of their functions.

In Ecuador there are currently about 88,365 legally constituted companies, of which, 19,616 belong to the wholesale and retail economic sector. In the province of Azuay, 971 companies have been incorporated, of which 938 belong to the Canton of Cuenca. Out of these, 185 are corporations, which are the subject of this study. (Superintendencia de Compañias et al. 2019).

By means of a survey, this research determines the level of application of the internal control components in the Corporations of Cuenca, Ecuador in the year 2019. It will allow to know their critical areas to ease their strengthening. Finally, the information collected will contribute to the development of future research regarding this topic.

Methodology

For this investigation, the Directory of Companies of the Superintendence of Companies, Securities and Insurance was taken as the source of information; from which a total of 88,365 companies legally constituted in Ecuador were obtained. Subsequently, such information was filtered by economic activity, type of company, province and canton, obtaining a total of 185 Corporations dedicated to wholesale and retail trade in the Canton of Cuenca, province of Azuay. Information corresponding to the year 2017 was used for this purpose. The companies that had foreign investment and presented atypical information were excluded, obtaining a population of 71 companies.

For the collection of the information a survey was formulated that consisted of two sections. The first section was designed to collect informational data and the second section was related to the analysis of the implementation of the COSO III Report. The first section included data such as: gender of the owner, educational background, size of the business, presentation of audited financial statements and the existence of an internal audit department. With regard to the size of the company, the classification according to the National Institute of Statistics and Census (INEC) was taken as a reference (2020) which sorts them according to the volume of annual sales and the number of people employed. It was therefore classified as follows: Microenterprise as the one that includes from 1 to 9 employees. Then, the Small Enterprise that includes from 10 to 49 employees. After that, comes the Medium-sized "A" companies that include 50 to 99 employees. And finally, those of type Medium "B" which include a staff of between 100 and 199 employees.

While in the second section of the surveys a Likert scale was used. It measures individual attitudes or predispositions in attention to specific constructs, through coded items that act as reagents that allow determining the intensity and direction, positive or negative, of the attitude of each subject (Neris Guzmán, 2017). In the survey, 5 response options were used; they were (5) Always, (4) Most of the time yes, (3) Sometimes yes, sometimes no, (2) Most of the times no, (1) Never, which were answered by the directors of the companies studied.

The reliability of the survey was confirmed with the Cronbach's Alpha Coefficient, which according to Dos Santos (2017) "allows to estimate the homogeneity of the measurement items". This coefficient was applied in the pilot test with a sample of 10 surveys resulting in 0.961, which proves the reliability of the questions asked. Later, the validation was carried out for the rest of the sample, and a result of 0.963 was obtained, which is a positive outcome. Ruiz (2002) mentions that the value obtained after its application should be between 0.8 and 1, where values close to 1 state that the items are reliable; however, if the result is lower than 0.8 the items evaluated may lead to erroneous conclusions.

The results were analyzed in SPSS software and the following hypotheses were evidenced:

1. Hypothesis 1: The percentage of accomplishment of the COSO III Report depends on the existences of an audit department in the companies.

2. Hypothesis 2: There is a direct relationship between the components of the COSO III Report.

For the hypothesis 1, the Chi-square test was carried out, which according to Ubillos Landa et al. (2016), is defined as "the instrument that allows to determine the existence of a relationship between two qualitative or categorical variables". For hypothesis 2, a test was performed based on the correlation among the five components. According to Lind et al. (2012) the Pearson's correlation coefficient "describes the strength of the relationship between two sets of variables on an interval or ratio scale".

Results

The results are shown in 3 sections: 1) General description of the companies studied, 2) Level of application of Internal Control, 3) Hypothesis testing.

General Description of The Studied Companies

Figure 1 shows the interrelationship between the size of companies and the educational background of their managers. It shows that the presence of the Third Level among managers is notorious within small companies with a percentage of 29%. These companies, together with the micro-enterprises, are the most studied in our analysis of the wholesale and retail trade sector.

Figure 1 Level of Educational Instruction and the Relationship with the size of the Companies

Within the results obtained in Figure 2, it can be seen that of the total number of respondents there is a high percentage of male managers. Third level educational instruction stands out in the analysis, 51% of male executives have this instruction, while the female gender barely reaches 17%.

Figure 2 Level of Education Among Owners of Wholesale and Retail Companies

Level of application of Internal Control

Figure 3 shows the average use of Internal Control components. Considering as relevant data that the Control Activities component obtained an average of 4.2 (most of the time, yes), which is a high value in relation to the other components.

Figure 3 Average of COSO III Report Components

In Table 1, there is a reference to the Control Environment component, where it is evident that when staff is hired, job descriptions and the functions involved are made known. However, in most cases these companies do not have a formally established code of ethics and conduct.

In Table 2, the information collected from the Risk Assessment component is presented, where it is clear that the surveyed companies manage documents carefully, since they are always filed in a suitable and safe place. On the other hand, it is evident that one of the weaknesses of these companies is, that most of the time, they do not have formally established tools to identify risks in the company.

With regard to the Control Activities component presented in table 3, it is shown that companies have order points to initiate the purchasing process in a timely manner, but at the same time, it is evident that they do not have procedures in place to periodically reconcile existing physical assets with those in the accounting records.

Table 4, related to the Information and Communication component, indicates that most of the time companies provide partners with sufficient, timely and reliable information from management. But on the other hand, they do not have space for staff suggestions.

Table 5 details the information about the Supervision and Monitoring component, where it is shown, that companies; most often supervise staff in their regular activities. But, at the same time, it is evident that there are never written justifications for the acceptance or rejection of recommendations made by employees, customers, or suppliers.

Finally, Figure 4 shows a comparison between the values obtained in the questions that had lower scores per component against the average for that component. These data directly influence the Internal Control of each evaluated company. The biggest gap between the average of the component and the value obtained in the Supervision and Monitoring component can be seen with regard to the written justifications for the recommendations.

Figure 4 Critical Components COSO III

Hypothesis Testing

Hypothesis 1: The percentage of compliance with the COSO III report depends on whether there is an Audit department in the company.

In Table 6, the acceptance or rejection of the hypothesis raised for each component is displayed.

H0: The compliance of the component does not depend on having an audit department.

Ha: The compliance of the component depends on having an audit department.

Regarding the posed hypothesis, it is concluded that Ho is rejected: Compliance with the Control Environment component does not depend on having an audit department; since the p value 0.039 obtained from the SPSS program is less than 0.05 of significance level, which indicates that dependence exists, and therefore, Ha is accepted.

Similarly, in relation to the Supervision and Monitoring component, Ho is rejected: Compliance with the Supervision and Monitoring component does not depend on having an audit department; since the p value 0.048 obtained is less than 0.05 of significance level showing that dependence exists, which is why the Alternative Hypothesis is accepted (Table 7).

Hypothesis 2 There is a direct relationship between each of the components of the COSO III Report.

H0: The correlation between the components of the COSO III Report is ≤ 0.

Ha: The correlation between the components of the COSO III Report is > 0.

Conclusions

In conclusion, in the descriptive analysis, it could be clearly seen that in the companies analyzed, 51% of the managers with a third level educational background are male, while only 17% of the same category belong to the female gender.

In turn, and in accordance with the objective of this research, we can conclude that most companies, in relation to the level of application of the COSO III Report, present an average compliance of 4.20 for the Control Activities component, due to the fact that these companies maintain general controls, such as the issuance of registration documents, collection policies, efficient registration processes, among others, which are necessary to safeguard the productive activity. Demonstrating the highest level of application in relation to the rest of the components. However, they present a deficiency in the procedures for periodically reconciling physical assets with the related accounting records.

As for the Risk Assessment component, it was determined that its average application is 3.38. Among its shortcomings, it was determined that most of the time, the company does not have action or improvement plans within the execution of the strategic plan and does not have tools that identify the risks within them. At the same time, the importance of caring for information for these companies is evident, as well as in the assignment of personnel who will have access to it; demonstrating once again that these companies give greater priority to day-today tasks and do not carry out long-term strategies, such as prevention measures in the event of risk.

On the other hand, about the Control Environment component, an average compliance rate of 3.18 was determined. It is stated that this is applied when it comes to operational activities. It is understood that one of the particularities of the companies surveyed is the implementation of rules in a verbal manner, such as when the functions of the position or the different sanctions are made known, among others. They present, as a considerable weakness, the application of long-term activities due to the implementation of an organizational chart, or the creation of a formally established code of ethics and conduct. This result is quite detrimental to the companies analyzed, since this component represents the structure of the business, as Mantilla (2012) states, it is responsible for structuring the business activities; it is here that the objectives are formed, the value of the risks are determined, the policies are implemented; in other words, its application is the most important of the components since it is the root of the efficient application of the COSO III Report.

Likewise, the Supervision and Monitoring component is considered critical, since its average obtained 2.96, indicates the lack of supervision in the activities carried out within the company. Mantilla (2012) mentions that monitoring ensures that Internal Control continues to operate effectively. Management states that written justifications were never provided for acceptance or rejection of recommendations made by employees, customers or suppliers. It is also reported that most of the time, they do not follow up on the action and improvement plans that were the result of the evaluations carried out.

Finally, the Information and Communication component for the analyzed companies turned out to be the most critical one, as its average of 2.50 was the lowest. This indicates the deficiency in the lines of communication. That is, among their departments there is no idea of how the activities they do affect or are related to the other departmental areas. According to the results of the surveys, these companies do not have spaces to make suggestions; in other words, suggestions made by their staff are not taken into account. It also indicates that, in most cases, they do not hold regular meetings in which they inform the staff about the progress of the company. On the other hand, it is necessary to emphasize the evident stagnation, in terms of their computer systems, which are not updated, nor do they provide training to those responsible for their management.

Through hypothesis testing, it was possible to conclude that the implementation of the Control Environment and Monitoring and Supervision components are directly dependent on the existence of an Audit Department. These components are directly linked to compliance with regulations that must be constantly monitored.

And finally, it was demonstrated that the relationship between the five components is direct and significant, as stated by the Committee of Sponsoring Organizations of the Treadway Commission (2013). The joint implementation of the five components will permit to meet the objectives set by the company, as well as to generate a rapid response to changes in the environment and risk management.

References

1. Mantilla B.S.A. (2012). Internal Control - COSO Report. Bogotá: Kimpres Ltda.
2. Aguirre, R., & Armenta, C.E. (2012). The importance of internal control in small and medium-sized companies in Mexico. The Pacioli Mailbox, 1-17.
3. Mantilla, S. (2013). Internal Control Audit. Bogota: Ecoe.
4. Moeller, R.R. (2013). Executive's Guide to COSO Internal Controls: Understanding and Implementing the New Framework. John Wiley & Sons, Incorporated. New Jersey: WILEY.
5. Committee of Sponsoring Organizations of the Treadway Commission. (2013). The Committee of Sponsoring Organizations of the Treadway Commission COSO. Retrieved from Executive Summary: https://www.coso.org/Pages/ic.aspx
6. Caguano, J.M. (2015). Implementation of an internal control system under the methodology of arena iii for "servyacon hardware store" located in the province of cotopaxi, canton of latacunga. Latacunga: Technical University of Cotopaxi.
7. Correa, J.R., & Galloso, B.T. (2018). Internal control based on the coso iii report and its influence on the production area of ??the ecological tannery of the north e.i.r.l., district of hope. Trujillo - Peru: Antenor Orrego Private University.
8. Ladino, E. (2009). Internal control: Coso report. El Cid Editor, notes.
9. Estupiñán Gaitán, R. (2015). Internal control and fraud: COSO I, II and III report analysis based on transactional cycles. Bogotá, Colombia: Ecoe Ediciones.
10. Saavedra, M., & Hernández, Y. (2017). Characterization and importance of MSMEs in Latin America: A comparative study. , Consultation date May 5, 2020]. ISSN: 1316-8533. Available in. Actualidad Contable Faces, 122-134.
11. Correa, F., Leiva, V., & Stumpo, G. (2018). MSMEs and structural heterogeneity. MSMEs in Latin America: A fragile performance and new challenges for development policies, 560.
12. Superintendency of Companies, Securities and Insurance. (2019). Superintendency of companies, securities and insurance. Retrieved from https://www.supercias.gob.ec/portalConstitucionElectronica/
13. National Institute of Statistics and Censuses. (2020). Ecuador in Figures. Retrieved from https://www.entaciónrencifras.gob.ec/documentos/web-inec/Estadisticas_Economicas /DirectorioEmpresas/Directorio_Empresas_2018/Boletin_Tecnico_DIEE_2018.pdf
14. Neris Guzmán, R.A. (2017). Theoretical-methodological conception for the design and management of educational resources at the Central University of the East. Havana: Editorial Universitaria.
15. Dos Santos, M.A. (2017). Market research: university manual. Spain: Díaz de Santos Editions.
16. Ruiz Bolívar, C. (2002). Educational Research Instruments. Venezuela: Fedupel.
17. Ubillos Landa, S., Líbano Miralles, M., & Ambrona Benito, T. (2016). Practical manual of statistical analysis in social education: transversal and longitudinal analyzes. Burgos: Editorial University of Burgos.
18. Lind, D., Marchal, W., & Wathen, S. (2012). Statistics applied to business and economy. México, D.F .: McGRAW-HILL.
19. Coopers & Lybrand. (1997). The new concepts of internal control (COSO Report). New York: Díaz de Santos Editions.
20. Graham, L. (2015). Internal Control Audit and Compliance: Documentation and Testing under the New COSO Framework. John Wiley & Sons, Incorporated. New Jersey: Wiley.
21. Celina Oviedo, H., & Campo Arias, A. (2005). Approach to the use of Cronbach's alpha coefficient. Colombian Journal of Psychiatry, 572-580.
22. Bertram, D. (2008). Likert Scales. Topic Report, 1-11.
23. Naiman, A. (1987). Introduction to statistics. Mexico: McGraw-Hill Interamericana.
24. Pimienta Prieto, J.H., & De la Orden Hoz, A. (2017). Investigation methodology. Mexico: Pearson.
25. Webster, A. (2001). Statistics applied to business and the economy. Colombia: Irwin Professional Publishing.