Internal Control and the Impact on Corporate Governance, in Romanian Listed Companies

Journal of Eastern Europe Research in Business and Economics

Download PDF  | Download for mobile

Dumitrascu Mihaela and Savulescu Iulian

Academy of Economic Studies, Bucharest, Romania

Volume 2012 (2012), Article ID 676810, Journal of Eastern Europe Research in Business and Economics, 10 pages, DOI: 10.5171/2012.676810

Received date : ; Accepted date : ; Published date : 15 June 2012

Copyright © 2012 Dumitrascu Mihaela and Savulescu Iulian. This is an open access article distributed under the Creative Commons Attribution License unported 3.0, which permits unrestricted use, distribution, and reproduction in any medium, provided that original work is properly cited.


In Europe and around the world, after the financial crisis, some measures have been taken in order to stabilize the financial system. Through present research we analyze the statements regarding the internal control in corporate governance, statements made by both external auditors and those responsible with the management of listed entities. These statements help the auditor in preparing the audit plan. Following this review, the auditor determines necessary staff and time needed for the audit. We analyzed effectiveness of internal control in companies listed on Bucharest Stock Exchange. An effective internal control leads to a fair presentation of the financial statements and thus increases stakeholders’ confidence in the financial statements. Control risk is a risk that the auditor can’t eliminate it, but may decrease it.

Keywords: internal control, corporate governance, audit, control risk.


The most used definition is that corporate governance is the sound system of the internal control. This represented the start point of our research.
Both the United States and the European Union, after the financial crisis, have created new regulations to improve the entities’ internal control.

Internal control system represents all the approved policies and procedures used by the management in order to achieve an effective management of business. Control system includes internal control and internal procedures.
Lack of internal controls and their deficient operation make companies vulnerable to a number of risks, such as improper recording of accounting transactions, making unauthorized transactions, fraud, all these having a significant impact on financial performance and competitiveness.

Warranty provided by the auditors is to reduce the risk of distortion. Bankruptcy costs are paid by both shareholders and society. Auditors have an important role in establishing confidence in the market and protection of investors.

Based on a documentation carried out on the listed companies from Bucharest Stock Exchange, this article rather ambitiously attempts to sketch out the relationship between the Internal Audit Function (IAF) and Corporate Governance (CG) issues among the selected listed companies in the Bucharest Stock Exchange (BVB). ‘Attempts’ we said advisedly, because we aren’t convinced that the results obtained — in terms of percentages and observations — have provided with a solid basis for the textured and nuanced overview we were aiming at. In corporate governance, boards are being charged with the responsibility for the effectiveness of their organizations’ internal control systems.

Without an effective internal control system companies can confront with loses. Risk is that possibility of loss as the result of mixing of uncertainty.

Research Methodology

Regarding the research methodology, were selected the companies listed on Bucharest Stock Exchange, both first class and second class. We conducted a qualitative research based on observation of some aspects, but also a quantitative one. Information was extracted on the basis of reports like: corporate governance code, “Apply and explain” statement, auditor report, annual report and other financial reports. To achieve homogeneity of the selected sample, we excluded financial institutions like SIFs (financial investment company) and banks. A major importance has the category to which the companies analyzed are listed. Through research we analyzed the organization of internal control performed at 44 listed companies.

The Board has the obligation of submitting a report where are described the features of internal control system. Although the board’s report is not part of the financial statements, it is very important for the stakeholders, because it describes the organization of internal control system. The auditors check internal control system related to the preparation of financial statements.

Literature Review

Corporate governance is based on a set of attributes, including ensuring accountability to shareholders or stakeholders (Keasey and Wright, 1997), creating mechanisms to control managerial behavior (Tricker, 1994), ensuring that companies are run according to the laws and answerable to all stakeholders (Dunlop, 1998), ensuring that reporting systems are structured in such a way that good governance is facilitated (Kendall, 1999).

These aspects we also find in the OECD Principles (1999), first adopted by the 30 member countries of the OECD in 1999, which have become a reference tool for countries all over the world.

Rules governing the internal control are Ministry of Finance Order No. 3055/2009, Accounting Law No. 82/1991 and International Standards of Auditing. Public entities are required to monitor the effectiveness of internal control system and risk management under the Emergency Ordinance No 90/2008. This monitoring is part of the task of the audit committee. Internal control activity is regulated by the Chamber of Financial Auditors of Romania.

All companies that must be audited are required to organize the internal control of that institution and thus to have internal audit department. Internal control can be achieved by foreign entities or by internal department.

Under the French Commercial Code, the auditor must publicly justify, together with a report on the annual accounts, the audit opinion. This justification includes assessments on internal control processes.

Public Company Accounting Oversight Board (PCAOB) is a nonprofit organization created after entry in force of the law Sarbanes Oxley from United States to oversee audits of public companies. According to P.C.A.O.B., the auditor is required to present an opinion regarding the entity’s internal control quality and also this view is part of a financial statements audit. This requirement is not mentioned in the International Auditing Standards.

The Public Sector Committee from the European Union by its supervisory bodies from national level, Public Oversight Board of the Statutory Audit Activity and Romania Chamber of Financial Auditors may require statutory auditors from European Union to show how they check the internal control related to the preparation of financial statements.

Corporate governance represent “the system by which companies are directed and controlled” (Cadbury, 2000: 8). The control aspect of corporate governance includes the notions of compliance, accountability, and transparency (MacMillan, Money, Downing and Hillenbrad, 2004).

These principles, originally adopted by the 30 member countries of the OECD in 1999, have become a reference for other countries all over the world (Jesover and Kirkpatrick, 2005), providing an international benchmark for corporate governance.

An audited financial statement does not mean that there is no distortion within. Auditors give reasonable assurance that the financial statements reflect a fair and accurate view according to the reporting requirements and that the financial statements are not affected by material misstatement due to fraud or error.

Internal control risk cannot be removed, but auditors, through their experience, can provide tips for improving it.

Analysis of Internal Control

Internal Control Review by Auditor

Auditors currently play an important role, fulfills a social function, giving an opinion on the veracity of financial statements.

Auditor’s responsibility is to express an opinion on the financial statements. It has evolved from a background check of income and expenditure assets and liabilities to a risk-based verification. The reasonable assurance means that financial statements are prepared under the regulatory framework.

The auditor’s opinion enhances the credibility of the financial statements providing a high level of certification. The absolute level cannot be achieved by use of the auditor’s professional judgment and inherent limitations of the accounting system and internal control. For example, management may ignore internal control.

Planning audit activities helps to focus attention to important areas and achieve the stated terms of audit procedures. Extent of planning may vary, depending on the size and complexity of the entity and auditors experience. Acquiring knowledge about the client’s business is an important part of planning the audit. Were taken into account various aspects such as knowledge of the entity, understanding the accounting and internal control, risk and materiality, the nature and extent of audit procedures, coordination, monitoring and other. The selected procedures depend on the auditor’s judgment in assessing the risks of material misstatement of financial statements, whether due to fraud or error.

In making those risk assessments, the auditor considers internal control relevant for the preparation and fair presentation of financial statements of the individual company, to design relevant audit procedures on given circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control of company. Determination of audit risk is fundamental to planning an audit properly.

Auditors should conduct the audit with professional skepticism. Accounting and internal control system should be reviewed in order to assess the suitability as the basis in preparing the financial statements. External factors may affect the accounting and internal control systems.

At determination of material misstatement the external auditor should communicate to management the information detected, to those charged with corporate governance and in some cases to regulators and implementation authorities.

Preliminary assessment of control risk is the effectiveness of the entity’s accounting and internal control in preventing and detecting material misstatements.



Figure No. 1.  Information of Internal Control on Audit Report

(Source: Own Projection of the Authors)


86% of the companies analyzed have presented in the audit opinion, information on the entity’s internal control, in order to express an opinion on the financial statements.

14% of companies surveyed have provided no information on the entity’s internal control.

According to International Auditing Standards, the auditors for public companies from European Union should only consider internal control relevant to the preparation and presentation of financial statements, while United States auditors should submit an opinion on internal control according to SOX law.

Based on the efficiency of internal control the auditor may decide to take into account the internal control or not and apply substantive tests.

Likelihood of fraud may affect the assessment of inherent and control risk.

An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by management.

Presentation of Internal Control in Manager Report

The Order no. 3055/2009 issued by the Ministry of Public Finance says that the Board of Directors has the requirement of including in Managements’ Report a description of the main features of the control system and risk management applied in financial reporting processes.

The internal control is not only an accounting function. It involves people and relations between them. It is an additional system that helps management to financial reporting. It is not a static system of rules and procedures but one that evolves.

The auditor should obtain written representations of management responsibilities regarding the implementation and operation of accounting and internal control systems. Also in statements issued by management must be identified the management’s attitude regarding internal control.

External auditors, together with those dealing with supervision and corporate governance, should contribute to financial system stability. Auditor’s role is to provide information about the veracity of corporate financial health.

Role of those charged with governance is to monitor management among others. It also must ensure integrity of accounting and financial reporting systems, to ensure that there are adequate controls to monitor risk including financial control and compliance with legislation.

Were analyzed the statements regarding internal control and after audit planning can be discussed with management and staff of the entity’s internal control issues in order to improve efficiency and effectiveness of audit and audit procedures to coordinate the  staff’s activity.

Sarbanes Oxley can be a model for companies that are not required to report, but want to improve their internal control system.

Entity’s internal control aimed at ensuring:

  • Compliance with legislation;
  • The decisions made by company management;
  • Proper functioning of the internal activities of the company;
  • Reliability of financial information;
  • Effectiveness of its operations;
  • Efficient use of resources;
  • Prevention and control risks of not reaching targets.


As a result, internal control procedures are designed to:

  • On the one hand, following registration of the firm and staff behavior in the framework of applicable laws, values, rules and internal rules of company;
  • On the other hand, check whether the accounting, financial and management information is communicated reflecting accurately the activity and situation of the company.


Analyzing the annual reports of companies, we see that the management company is controlled by the highest shareholders and an independent financial auditor is required by law. It ensures the rights and interests of shareholders. Company fully complies with the laws in force continues to provide transparency and information to shareholders and capital market investors. Internal control established by the management company covers compliance with legislation in force, the decisions made by company management, ensuring proper functioning of the internal activity, resource efficiency, prevent and control potential risks. Internal controls established by management of the company are found in the following forms:

  • Hierarchical control
  • Control partnership
  • Quality-control
  • Control and heritage management
  • Control accounting
  • Administrative control
  • Internal Audit


Control is produced annually by inventory heritage assets, liabilities and equity. Regarding the auditor’s report in assessing the risks of fraud or error, the auditor considers the internal control is the management entity responsibility;
Control activities are a component part of the process through which the company management achieves its objectives. These rules and procedures supervise internal control at all levels and functional: approval, authorization, verification, evaluation of operational performance, securing assets, segregation of duties.


Figure 2: Companies that Have Presented the Main Features of the Management Report of Internal Control

(Source: Own Projection of the Authors)


More than half of listed companies have not shown in Management Report a summary on internal controls. Although the Management Report is not part of the financial statements that present important information on the internal control and other information. External auditors only check compliance the financial information presented in the Management Report with information in the financial statements. United States pays more attention to internal control, external auditors are required to submit an opinion on internal control of the entities.

The Review of the Internal Control from “Apply and Explain” Statement within Corporate Governance Code

Corporate governance can be defined as the way in which companies are directed and controlled. The notion has a broader scope, including the concepts of internal audit, transparent financial reporting. Internal Audit is a function of corporate governance.

Declaration “Apply or Explain” is in compliance by organizations’ principles of corporate governance codes. At the same time, they try reporting the compliance or breach of these reports. These aren’t binding, providing freedom of decision and action.

Entities that choose to adopt partial or total regulation presented in the Code of Corporate Governance recommendations must provide the Bucharest Stock Exchange (BSE) an annual statement of compliance or noncompliance with the code. The statement is called “Apply or explain” and will include information on Corporate Governance Code recommendations actually implemented by them and how they have been implemented or not. It is prepared in the format of BSE. Statement of conformity (“Apply or Explain”) appeared in 2010 and must be submitted with the BSE administrator’s report. If it is not implemented the requirement of the Code of Governance the administrators have to explain in the Management Report and the statement of conformity the reasons for not applying these provisions.

The point R28 of the statement says that “The Board and Audit Committee regularly examines the effectiveness of financial reporting, internal control and risk management system adopted by the company”.


Figure No. 3:  The Board and Audit Committee Regularly Examines the Effectiveness of Financial Reporting, Internal Control and Risk Management System Adopted by the Company

(Source: Own Projection of the Authors)


At the end of the research we established that 41% of the companies are in line with code of governance requirements. When we say that 59% of companies are not in line with the requirements of the statement of conformity we mean that their Board of Directors or Audit Committee do not regularly examine one of those three elements: the effectiveness of financial reporting, internal control and management system risk or even all three elements taken together.

Information on Internal Control in Statute / Rules of Corporate Governance.

Through research we examined whether listed companies have mentioned in the Statute. Following the analysis we have established that 46% of listed companies have mentioned in the Statute / Rules of Governance information regarding internal control. 19% of companies provided information of internal control and 35% have not published the Statute / Rules of Corporate Governance.

The Code of Corporate Governance issued by Bucharest Stock Exchange Market (BSE) companies is required to make a Regulation/Status of Corporate Governance (CG) who will describe the main aspects of corporate governance. The Management Report will include a chapter on Corporate Governance If one or more requirement of the Regulation/Status of Corporate Governance are not met, will be explained in the chapter related to the Corporate Governance, in the Management Report and in the Statement of Conformity.

The Governance Code states that the Board of Directors will meet at least twice a year, with the internal auditors, to discuss financial reporting, internal control and risk management aspects.


Figure No.4: Information of Internal Control on Regulation/Status of Corporate Governance

(Source: Own Projection of the Authors)


Our research could represent a support for organizations, suggesting that must be a convergence in the context of both corporate governance and internal control. Despite familiarity with international codes, rules and principles, companies reported serious hurdles in way of best practice implementation from both internal control and corporate governance.

Our findings suggest the important linkages between the two fields of corporate governance and internal control. Both aspects have attracted increasing attention nowadays.

This research has made a clear image that those two aspects of internal control and corporate governance share more in common in theory, practice and interpretation.


United States requirements regarding the audit activities are more restrictive than international auditing standards adopted by the European Union.

The research conducted concludes that some audit reports do not mention al the necessary information in the audit opinion. Also a significant proportion of the studied companies do not mention in their Management Reports the description of main features of internal control.

From the Statement of Conformity (Apply or Explain), which is transmitted to B.S.E., we have noticed that, for more than half of surveyed companies, Board of Directors or Audit Committee does not perform regular financial reporting, internal control and management system risks examinations.

The main conclusion that can be drawn is that corporate governance and internal control should not be considered and sustained independently. An organization without an efficient long-term view of leadership, effective internal control mechanisms cannot be sustainable. So, corporate governance is not entirely effective without a good internal control.

Reflecting further on the theoretical and practical implications of this study, our findings challenge the interest of parts like managers and academics and could represent a step for forward studies and researches.

While this paper has provided fruitful insights into the link between corporate governance- internal control interfaces from our country perspective, the research, admittedly, has a number of limitations. The findings are from a single-country investigation perspective. This, combined with the small sample size (we eliminated the financial institutions from the sample), may imply that the results cannot be readily generalized, although they are likely to have a big relevance and applicability.

The perspectives on future research could be on internal control within bank system, an interesting subject in this area.

Improving internal control in companies listed on BSE and other companies, especially in Romania, may lead to improvement of financial reporting and decrease of the bankruptcy risk. Romania could follow the examples of France or the United States and could increase the conditions in internal control but also should take into account the additional costs for doing this.



Cadbury, A. (2000). “The Corporate Governance Agenda,” Journal of Corporate Governance, Practice-Based Papers, 8: 7—15.
PublisherGoogle Scholar – British Library Direct

Denis, D. K. & McConnell, J. J. (2003). “International Corporate Governance,” Journal of Financial and Qualitative Analysis, 38: 1—36.
PublisherGoogle Scholar – British Library Direct

Dunlop, A. (1998). Corporate Governance and Control, Pag 17.
PublisherGoogle Scholar

‘Green Paper Audit Policy Lesson from Crisis,’ European Commission, Bruxelless 13.10.2010 page 94., [Retrieved March 22, 2012]., [Retrieved March 22, 2012].
Publisher,  [Retrieved March 22, 2012].
Publisher [Retrieved March 22, 2012]. 
Publisher, [Retrieved March 22, 2012].

Jesover, F. & Kirkpatrick, G. (2005). “The Revised OECD Principles of Corporate Governance and their Relevance to Non-OECD Countries,” Corporate Governance: An International Review, 13: 127—36.
PublisherGoogle Scholar

Keasy, K. & Wright, M. (1997). ‘Corporate Governance — Responsibilities, Risks and Remuneration,’ John Wiley & Sons, New York.
Google Scholar

Kendall, N. (1999). ‘Good Corporate Governance, Accountants’ Digest,’ Issue 40. The ICA in England and Wales.

Lee, T. A. (2007). Financial Reporting and Corporate Governance,  Pag 38.
PublisherGoogle Scholar

MacMillan, K., Money, K., Downing, S. & Hillenbrad, C. (2004). “Giving Your Organization SPIRIT: An Overview and Call to Action for Directors on Issues Of Corporate Governance,” Journal of General Management, 30: 15—42.

Schartmann, B. (2010).   ‘The Role of Internal Audit in Corporate Governance in Europe: Current Status,’ ed Erich Schmidt Verlag GmbH & de Bernd.

Solomon, J.  Corporate Governance and Accountability , Pag. 150-152.
PublisherGoogle Scholar

Sun, W., Stewart, J. &  Pollard, D. (2011). Corporate Governance and the Global Financial Crisis, Pag 229.
PublisherGoogle Scholar

Tricker, R. I. (1994). International Corporate Governance: Text, Readings and Cases, Prentice Hall, New Jersey.
PublisherGoogle Scholar

Vallabhaneni, S. R. (2005). Internal Audit Activity’s Role in Governance, Risk, and Control: Vol 1, Pag 183.
PublisherGoogle Scholar

Van Frederikslust, R. A. I.,  Ang, J. S. & Sudarsanam, P. S. (2008). Corporate Governance And Corporate Finance: A European Perspective, Pag 4.
PublisherGoogle Scholar

Willekens, M., Sercu, P. & Desender, K. (2005). Corporate Governance at the Crossroads, Pag127.
PublisherGoogle Scholar