The objective of this paper is twofold. First, it portrays and evaluates the existing corporate governance structure and, second, it highlights its connection with the internal audit function and management practices. It adopts a descriptive research analysis using the quantitative approach on a sample of listed companies in Athens Stock Exchange for the year 2016. Our methodological research instrument is based on COSO (2013) Internal Control Integrated Framework. The paper concludes that corporate governance is driven to managerial excellence and effective governance because of internal audit processes, risk assessment, control activities, information and communication, and monitoring activities. The research contributes to the corporate governance literature by providing valuable insights into the major aspects of a well-functioning internal control system and its relevance to management performance. Proposed areas for future research directions should be discussed.

Keywords: Corporate Governance, Internal Controls, Management, COSO Model, Greek Listed Enterprises

1. INTRODUCTION

In a constantly changing economic landscape, the paramount importance of corporate governance is highly debated among academics, executives, investors, and policymakers. Although the term "Corporate Governance" first emerged in the 1980s (Earl, 1983), the field of corporate governance dates back to the dominant paradigm of Principal Agent (Agency) theory. Jensen and Meckling (1976:308), in their seminal work on agency theory, defined agency relationship as "a contract under which one or more (principals) engage another person (the agent) to perform some service on their behalf which involves delegating some decision-making authority to the agent".

A contract relationship may result in conflicts between principals (shareholders) and agent (top management) due to asymmetric information, adverse selection, and moral hazard. Such conflict of interest creates agency costs (Zain et al., 2010). In other words, shareholders may encounter problems of the hidden pursuit of private interests and opportunistic behavior by directors and management. Moreover, information and collective action problems not only prevent close monitoring of management performance but also enable directors and managers to develop a variety of techniques to tunnel assets and extract private gain at the expense of the company (McCahery and Vermeulen, 2010).

Although Agency theory is the dominant theoretical scheme in corporate governance studies, Stewardship theory, which has its roots in organizational psychology and sociology, is proposed as a challenge to the view that managers are "self-interested rational maximizers" (Chamber et al., 2013:18; Donaldson, 1990; Davis et al., 1997; Cornforth, 2003). Under this theory, managers are good stewards of the corporation and work closely with the principal to achieve a "goal alignment" (Fan, 2004:3).

Under these perspectives, the OECD in Principles of Corporate Governance qualified the definition cited below: "Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined" (OECD, 2015:9). As such, corporate governance is a cornerstone of trust, transparency, ethics, accountability and risk management supporting long-term investment, financial stability and integrity to both listed and state-owned companies (Nerantzidis and Filos, 2014).

Journal of Governance and Regulation / Volume 7, Issue 2, 2018

In Greece, the corporate governance framework has mainly developed through the adaptation of binding rules. For instance, the most important is Law 3016/2002 for listed companies, which stipulates, inter alia, particular duties of the management about the composition of Board of Directors, non-executive directors' remuneration, the operation of internal audit units and the adoption of internal audit procedures (Koutoupis, 2012; Spanos, 2003).

In addition, the incorporation of legislative acts into the Greek legal framework creates a new set of corporate governance rules. This includes Law 3693/2008, which requires the creation of audit committees as well as important disclosure obligations regarding ownership and governance of a company. Meanwhile, Law 3884/2010, /EC, brought about changes in the preparation of the General Meeting of shareholders and the information, which is posted on company's website. With regard to the provisions of Law 3873/2010, which transfer the European Directive 2006/46/EC on the annual and consolidated accounts of companies of certain legal type.

The Athens Stock Exchange and the nted the corporate governance framework by introducing Rulebooks, Decisions and Directives concerning the requirements for the listing of securities, the operation of securities exchanges, the insider trading, the take-over offers, the requirements for the publication of a prospectus for the purposes of initial public offering and listing.

Our analysis is focused on particular traits of corporate governance and management control system in the context of the current situation in the Greek capital market. In this way, it aims to capture via the COSO Framework, the fundamental premise that the implementation of these traits contributes

The remainder of this paper is organized as follows: Section two briefly presents an overview of COSO 2013 Internal Control – Integrated Framework. Section three is dedicated to the literature review, whilst section four describes the research methodology. The empirical results are presented in section five and the last Section summarizes the paper's conclusion and further research.

2. BACKGROUND OF INTERNAL CONTROLS' STRUCTURE

The structure of corporate governance is comprised of distinctively interrelated components designed to safeguard the interests of shareholders and eliminate the agency costs. In order to fulfill these objectives, there is an imperative need for implementing an effective internal control system. The most widespread and recognized framework nance Committee, 2008), regulators (PCAOB, 2004) and professional bodies (Institute of Internal Auditors) that applied the internal audit dimension is the Committee of Sponsoring Organizations (COSO) Internal Control-Integrated Framework (referred to as "the COSO Framework") (Swinkels, 2009).

The COSO Framework was initially published in 1992 and in accordance with the evolution of the organization's operating environment updated in 2013. It was developed in order to "enable organizations to effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organization" (COSO, 2013:1). The COSO framework provides guidance for management on how to implement and ement of governance processes. Thus, it sets out a standard leadership umbrella for governing and managing a successful organization (COSO, 2014).

The COSO Framework sets forth three distinct but overlapping categories of objectives, which allow organizations to focus on separate aspects of internal control. Firstly, Operations Objectives refer to effectiveness and efficiency of the entity's operations and include operations and financial performance goals and safeguarding assets against loss. Secondly, Reporting Objectives pertain to the reliability of reporting and include internal and external financial and non-financial reporting. Thirdly, Compliance Objectives relate to adherence to laws and regulations which the entity must follow (COSO, 2013).

In this sense, internal audit is not limited to e control but included the broader concept of management control and the importance of non-financial information. So, it is unequivocally defined as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: i) effectiveness and efficiency of operations, ii) reliability of financial reporting and iii) compliance with applicable laws and regulations." (COSO, 1994:13).

Consequently, the aforementioned definition emphasizes fundamental concepts of internal control, including that it is a) a process consisting of ongoing tasks and activities, b) effected by people, not merely by policy manuals, systems, and forms, c) able to provide reasonable assurance, not absolute assurance, to an entity's senior management and board, d) geared to the achievement of objectives in one or more separate but overlapping categories and e) adaptable to the entity structure (Babkin et al., 2017; COSO 2014).

The internal control system consists of five essential components which are subdivided into seventeen principles. According to COSO's executive summary "These principles representing the fundamental concepts associated with each component. Because these principles are drawn directly from the components, an entity can achieve effective internal control by applying all principles. All principles apply to operations, reporting and compliance objectives" (COSO, 2014:2).

Component 1: Control environment

"Control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization" (COSO, 2013:31). It influences the quality of a sound internal control system by ensuring that internal control is embedded into the structure and thinking of the company on both the management and staff level. It can be characterized as the "control consciousness" of the organization (Herz et al., 2017:21). The board of directors and senior management establish the tone from the top regarding the importance of internal control and expected standards of conduct. The control environment consists of principles such as established ethical values, management philosophy, assignment of responsibility and the leadership and guidance provided by senior management on internal control. There are five principles relating to control environment:

- Commitment to integrity and ethics.
- Oversight for internal control by the board of directors, independent of management.
- Structures, reporting lines and appropriate responsibilities in the pursuit of objectives established by management and overseen by the board.
- A commitment to attract, develop and retain competent individuals in alignment with objectives.
- Holding individuals accountable for their internal control responsibilities in pursuit of objectives.

Component 2: Risk assessment

"Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives" (COSO, 2013:59). The risk is defined as "the possibility that an event will occur and adversely affect the achievement of objectives" (COSO, 2013:59). There are four principles of risk assessment:

- Specifying objectives clearly enough for risks to be identified and assessed.
- Identifying and analyzing risks in order to determine how they should be managed.
- Considering the potential of fraud.
- Identifying and assessing changes that could significantly impact the system of internal control.

Component 3: Control activities

"Control activities are the actions established by the policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out." Control activities are the "things a company does" to reduce the effect of risk from both an operational and functional reporting (COSO, 2013:87). They may be preventive or detective in nature and econciliations, and business performance reviews (INTOSAI, 2014). The three principles for establishing effective control activities are:

- Selecting and developing controls that help mitigate risks to an acceptable level.
- Selecting and developing general control activities over technology.
- Deploying control activities as specified in policies and relevant procedures.

Component 4: Information and communication

The decision-making-driven organization relies on internal and external sources of information. Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives (INTOSAI, 2014). Communication is defined as "the continual, iterative process of providing, sharing and obtaining necessary information" (COSO, 2014:105). The on are:

- Obtaining or generating relevant, high quality information to support ,including objectives and responsibilities, necessary to support the other components of internal control.
- Communicating relevant internal control matters to external parties.

Component 5: Monitoring

Monitoring is defined as "management's activities that assess whether each of the five components of internal control and the relevant principles are present and functioning" (COSO, 2014:124). It is an imperative need to monitor the internal control system because of the changing technology that influences the potential existence of risks. Thus, monitoring should be part of the operational business as well as a supervisory activity performed by management on behalf of the board. An effective monitoring foundation is dependent on:

- Selecting, developing and performing ongoing or separate evaluations of the components of internal control.
- Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors, where appropriate.

3. RECENT LITERATURE REVIEW

Following a well-constructed search strategy previously applied by Nerantzidis and Tsamis (2017), we conducted a literature review based on various well-known scholarly databases such as Google Scholar, Research Gate, Scopus, Social Science Research Network (SSRN) and Web of Science. We limited our focus extensively to articles published between 2014 and 2018, as the updated COSO Framework emerged in 2013. The search criteria are restricted to the following fields: "Internal audit", "COSO 2013 Framework". Relevant papers were selected in a systematic manner by title, abstract and keywords. Thus, a total of 07 highly relevant publications were identified and analyzed in descending chronological order according to the published year.

Lawson et al. (2017) gather evidence from 155 U.S. accounting professionals to examine views concerning the framework and its impact on key areas related to internal controls. The study finds that respondents perceive the 2013 Framework as an overall improvement to the 1992 Framework and view the explicit inclusion of the 17 principles as a beneficial addition. However, respondents indicate significant time and resources devoted by their internal audit department to the implementation process, with some firms also engaging outside consultants. Respondents also view the 17 principles as a set of rules for achieving effective internal controls but indicate these principles still allow for sufficient management judgment over internal control systems. In addition, most respondents report some type of change to at least one of the five components of internal control, with the Risk Assessment component receiving the greatest number of changes. Furthermore, a majority of respondents indicated improvements to controls across several IT-related areas.

Rae et al. (2017) examine the associations among COSO components and how they affect the monitoring function of organizations. Structural equation modeling was used to run confirmatory factor analysis to determine the measurement models for the five COSO components. The results show that control environment is associated with three dimensions of information and communication (information accuracy, information openness, communication, and learning). Additionally, two dimensions of information and communication (communication and learning and information feedback flow) were found to be associated with risk assessment. An indirect association is supported by the results between control environment and risk assessment through the associations among three dimensions of information and communication (information accuracy, information openness and information feedback flow). Risk assessment is associated with control activities, which is subsequently associated with monitoring.

Bruwer et al. (2017) determine the empirical relationships between internal control activities and managerial conduct, and the perceived sustainability of South African small, medium and micro enterprises. Data were obtained from 120 members of management and 120 employees and 240 stakeholders of SMEs operating in the Fast Moving Consumer Goods industry. From the results, it is obvious that managerial conduct and internal control activities have a weak influence on the perceived sustainability. The latter is strengthened when management is skilled and knowledgeable, an philosophies, and do not allow employees to authorize transactions without their consent.

The research of Lai et al. (2017) investigates the relationship between internal control weaknesses and firm performance based on the COSO five component framework. They use secondary data from the Audit Analytics database and Compustat database for firms that are traded in the U.S. stock markets during the period 2004 to 2007. The results indicate that the control environment, information technology, accounting policies, procedures and documentation, and control design have a significant negative impact on firm performance. Lastly, the study reveals that delays in remedying rmance.

Agyei-Mensah (2016) examined the impact of corporate governance factors on the disclosure of internal control information by firms in Ghana. A data set from 110 firms for the year ending of 2013 was used. The main finding is that most of the sampled firms did not disclose sufficient internal control information in their annual reports. Also, the regression analysis shows that board independence explains the internal control disclosure. Specifically, independent directors help to improve the quality of disclosure and increase the transparency of information.

The study of Adetula et al. (2016) assesses the internal control system of tertiary institutions in Nigeria using four tertiary institutions in South-West, Nigeria. Primary data was collected through questionnaire. Findings revealed that the universities adhered to internal controls established by management such as segregation of duties, performance of supervisors' role, internal audit functions and the management review function. Furthermore, many components of the internal control system are properly situated except that the internal audit unit of those universities is not independent. So, the study recommends that the internal audit unit should be an independent department and the head of that department should report directly to the highest level of management within the institution.

Yudianti and Suryandari (2015) evaluate the implementation of internal control and risk management in private universities and colleges located at Special Province of Yogyakarta. Primary data was collected by the use of a questionnaire that was addressed to the head of higher education institutions. The research found that the majority of the Higher Education Institutions have implemented an internal control system which is related to internal control environment, risk assessment, control activities, information and communication, and monitoring. Another result showed that internal control and risk management positively influenced the implementation of Good University Governance.

4. RESEARCH METHODOLOGY

4.1 Sample

For the accomplishment of the research only listed companies were selected, as they are obliged by the law to set up an Internal Audit department. Specifically, our pool of participants was drawn from the Index FTSE/ATHEX Large Cap that consists of 25 of the largest and most liquid companies that trade in the Athens Stock Exchange in 2016. These companies, considering their market capitalization and high reputation, have the largest composite value, growth, and profitability score³.

³ Until October 2016 the Index consisted of the following 25 companies: Alpha bank (ALPHA), Aegean Airlines S.A. (AEGN), Viohalco S.A. (VIO), Gekterna (GEKTERNA), Grivalia Properties (GRIV), Power Public Corporation S.A. (PPC), Coca-Cola Tria Epsilon (EEE), Ellaktor (ELLAKTOR), Hellenic Petroleum (ELPE), National Bank of Greece (ETE), EYDAP S.A. (EYDAP), Eurobank (EUROB), Athens Exchange Group (EXAE), METKA (METKK), Motor Oil (MOH), Jumbo (BELA), Holdings Mytilineos (MYTIL), Piraeus Port Authority S.A. (PPA), OPAP (OPAP), Hellenic Telecom Organization S.A. (HTO), Piraeus Bank (TPEIR), Terna Energy (TENERGY), TITAN Cement (TITK), Folli Follie (FFGRP), Lamda Development (LAMDA).

4.2 Data collection method

Primary data were collected using the quantitative technique of questionnaire. The questionnaire-based survey is considered the most appropriate research method as it seeks information that is not publicly available, collects data quickly, and its anonymous feedback encourages openness and honesty (Drogalas and Siopi, 2017; van der Nest, 2017; Karagiorgos, 2011; Agbejule and Jokipii, 2009).

The structured questionnaire consisted of two sections. The first one includes three questions, the completion of which is mandatory, ensuring the anonymity and confidentiality. It intends to gather specific information in respect to the type of Industry Sector, the relative size of the company and also the number of auditors that a company employs. The second part consists of 17 close-ended statements about Control Environment, Risk Assessment, Control Activities, Information and Communication and Monitoring Activities. Respondents were asked to indicate how much the statements are true in terms of a five-point Likert scale that ranged from "Very Much" (scored as 1) to "Not at all" (scored as 5). A vast majority of researchers use this measurement as it is reliable, accurate and easy to use (Karagiorgos et al., 2011). The questionnaire was created in a Google Form format to facilitate rapid completion and to be assessed and processed in real-time.

4.3 Data analysis

A total of 25 companies were invited to participate in the survey, yielding a response rate of 52%. Concerning the descriptive data for participants' companies, it is obvious from Figure 1 that there is an unbalanced distribution among industry sectors. A substantial majority of companies (46.2%) belong to the segment "others" that includes Gaming, Manufacturing, Metal Construction and Real Estate, followed by Trade industry (30.8%). According to the number of employees as a proxy of company's size, the majority of companies can be classified as large sized employing more than 500 employees (53.85). Lastly, 76.9% of the companies have 1 to 5 auditors, while only 15.4% have more than 15 auditors.

Figure 1. Descriptive statistics for companies participated in the research
Source: Field survey 2016

5. EMPIRICAL RESULTS

Regarding the perspective of "Control Environment" it can be stated that most respondents (76.1%) strongly believe that the organization demonstrates a commitment to integrity and ethical values. To a lesser extent (53.8%), the Board of Directors demonstrates independence from management and exercises oversight of the development nts verify that a job description at all levels has been done and the separation of duties and responsibilities of workers is clear (61.5% and 58.3%, respectively). Lastly, respondents (69.2%) support the view that management establishes structures, reporting lines, authorities, responsibilities in the pursuit of organizations' objectives (Table 1). So, strong controls exist in the (operating) control environment incorporating the principles of integrity and ethical values, attention, and oversight provided by the Board of Directors, management philosophy and operating style, organizational structure, manner of assigning authority and responsibility, and human resources policies and procedures.

Table 1. Perceptions of the Control Environment

Statements | Percentage: 1 | 2 | 3 | 4 | 5
Q1. The organization demonstrates a commitment to integrity and ethical values. | 76.1 | 23.1 | 0 | 0 | 0
Q2. The Board of Directors demonstrates independence from management and exercises oversight of the development and performance of internal control. | 38.5 | 53.8 | 7.7 | 0 | 0
Q3. A job description at all levels has been done. | 61.5 | 15.4 | 15.4 | 7.7 | 0
Q4. The separation of duties and responsibilities of workers is clear. | 58.3 | 23.1 | 23.1 | 0 | 0
Q5. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Source: Field survey 2016

The results about the perspective of "Risk Assessment" indicate that the organization specified clear objectives for identification and assessment of risks (58.3%) and determined risk management processes (61.5%). In addition, respondents strongly agree (61.5%) that the organization considers the potential for fraud and significant changes identified and assessed (53.8%) (Table 2). Thus, it is generally accepted that strong controls exist in the risk assessment process incorporating the principles of specifying organization-wide objectives, analyzing process-level objectives, assessing the potential of fraud.

Table 2. Perceptions of the Risk Assessment

Statements | Percentage: 1 | 2 | 3 | 4 | 5
Q6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Q7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Q8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Q9. The organization identifies and assesses changes that could significantly impact the system of internal control.
33.3 53.8

Source: Field survey 2016

Next, the research examines views concerning "Control Activities". The vast majority of respondents (approximately 92%) agree to a great extent that the organization selects and develops control activities to mitigate the risks and achieve its objectives. Additionally, more than half of the respondents (53.8%) agree that general Information and Technology activities are selected and developed. Similarly, the respondents (53.8%) agree that controls deployed policies and procedures (Table 3). Hence, it is widely accepted that organization develops strong control activities including policies and procedures that mitigate risks and also technology control activities.

Table 3. Perceptions of the Control Activities

Statements | Percentage: 1 | 2 | 3 | 4 | 5
Q10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | 46.2 | 46.2 | 7.7 | 0 | 0
Q11. The organization selects and develops general activities over technology to support the achievement of objectives. | 38.5 | 53.8 | 7.7 | 0 | 0
Q12. The organization develops control activities through policies that establish what is expected and procedures that put policies in action. | 38.5 | 53.8 | 7.7 | 0 | 0

Source: Field survey 2016

Respondents' notion about "Information and Communication" is that management obtains, generates and uses quality information to support the internal control system (53.8%). In addition, effective information and communication are vital for an entity to achieve its objectives. Particularly, the organization management needs access to relevant and reliable communication related to internal as y) (Table 4). As a result, the guiding principle of strong information and communication related controls include the use of relevant information and the communication with internal and external parties.

Table 4. Perceptions of the Information and Communication

Statements
Q13. The organization obtains or generates and uses relevant, qualified information to support the functioning of internal control.
Q14. The organization internally

