Internal control factors affecting the effectiveness of business operations at commercial banks in Vinh Long province - 4

According to COSO 2013 report, “ Internal control is a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations .”

COSO 2013 emphasizes 4 important contents of internal control including:

- Internal control is a process : Internal control includes a series of interrelated activities, present in every department and every activity of the organization. The unit's activities are carried out through the process of planning, implementation and supervision.

- Internal control is designed and operated by people : People in this internal control include managers, board of directors and employees of the unit, everyone participates in internal control activities. People set goals, build

establish policies, procedures and operate internal control to achieve the objectives. However, each person involved in internal control activities has different abilities, knowledge, experience and needs, so each member of the unit must clearly understand their responsibilities and authorities so that the internal control system can truly function.

- Internal control provides reasonable assurance : Internal control only provides reasonable assurance in achieving objectives, not an absolute assurance because every internal control system also has potential limitations related to human errors, collusion, abuse of power by managers or the influence of external events.

- Objectives : Internal control is established to provide reasonable assurance in achieving the unit's objectives, including 3 objectives of operations, reporting, and compliance.

Among the above definitions, the most commonly accepted definition today is the definition of the COSO report. Therefore, in this thesis, the author uses the definition of the COSO report as the official definition.

2.1.2. Objectives of KSNB

According to COSO 2013, internal control must ensure 3 goals that an organization is aiming for, which are operational goals, reporting goals and compliance goals.

Operational objective : emphasizes the efficiency and effectiveness of using resources. With this objective, internal control helps the unit protect and effectively use resources, implement business strategies,...

Reporting objective : emphasizes the honesty and reliability of financial statements provided by the unit. Internal control must ensure the honesty and reliability of information in financial statements and other reports.

Compliance objective : emphasizes compliance with laws and regulations. Internal control must ensure that members of the unit comply with the provisions of the law as well as comply with the policies and regulations of the unit to achieve the unit's objectives.

2.2. Calculate HH

According to the Vietnamese dictionary (2000), " HH means effective ". Thus, effectiveness is considered the level of goal completion or the unit's activities to meet the goal.

According to the COSO 2013 Report, an internal control system is effective (at a given point in time) if the Board of Directors and management provide reasonable assurance that the following three criteria are met:

“- They clearly understand the extent to which the organization's operational goals are being achieved.

- Financial statements are being prepared and presented reliably

- Laws and regulations are complied with.”

The above three criteria of COSO correspond to three objectives: operational objectives, reporting objectives and compliance objectives.

However, this thesis only studies the efficiency of commercial banks' operational goals, not other goals.

The common operational goal of production and business units is mainly to increase revenue and profit. Commercial banks also have similar operational goals as above. However, with the specific business field of commercial banks, credit activities are often high-risk activities because the principal and interest may not be recovered, meaning that if not well controlled, the bad debt ratio is likely to increase. Therefore, in addition to the common goal like other production and business units, commercial banks also have an additional goal for their operations which is to reduce bad debt.

In this study, the author used the following criteria to evaluate the efficiency of business operations at commercial banks in Vinh Long province: Banks achieve revenue targets according to the set plan, banks operate efficiently, and reduce and control bad debts.

2.3. Elements constituting the internal control system

According to the 2013 COSO Report as well as previous research results (A. Amudo and EL Inanga (2009), Sultana and Haque (2011), NK Douglas (2011), Gamage et al. (2014), O. Bubilek (2017)), there are 5 factors that make up the internal control system including: MTKS, GRR, TT & TT, HĐKS and GS. In this research, the author also puts forward the plan

Based on the above research, we use 5 factors of internal control to propose 5 hypotheses to test the factors affecting the effectiveness of internal control system, mainly using COSO 2013 report.

Below are the elements that make up internal control according to COSO 2013:

2.3.1. Control environment

“ MTKS is the foundation of awareness and culture of an organization, reflecting the general tone of an organization, affecting the control consciousness of all members of the organization. MTKS is the foundation for the remaining elements of the internal control system to build appropriate principles and operating structures. ” (COSO, 2013).

MTKS includes “integrity and ethical values”; “a set of guidelines that enable the board to carry out its supervisory responsibilities”; “organizational structure, authority, and responsibility”; “staffing”; “human resource policies” (COSO, 2013). MTKS affects not only the way an entity conducts business and its objectives, but also the remaining components of the internal control system.

MTKS factor has 05 principles including principles from 01 to 05. Specifically

can:

- “Principle 1 : The organization must demonstrate a commitment to integrity and ethical values.”

- “Principle 2 : The Board of Directors must demonstrate independence from the government.

Manage and assume the function of supervising the design and operation of the internal control system.”

- “Principle 3 : Managers under the supervision of the Board of Directors must establish an organizational structure, reporting responsibilities, and assign responsibilities and authorities to achieve the unit's objectives.”

- “Principle 4 : The unit must demonstrate its commitment to attracting, developing human resources and maintaining the use of employees with the capacity to match the unit's goals.”

- “ Principle 5 : The entity should require responsible individuals to report on their responsibilities in meeting the entity's objectives.” (COSO, 2013).

2.3.2. Risk assessment

The risk assessment process helps the unit identify and analyze risks to the implementation of the unit's objectives, thereby designing control procedures. This is considered a key factor in promoting the effectiveness and efficiency of the internal control system. The steps to implement this process are as follows: defining objectives, identifying risks, analyzing and assessing risks, and managing change.

The DGRR factor includes 04 principles, specifically:

“- Principle 6 : The unit must establish complete and clear objectives to help identify and assess risks related to the implementation of each unit's objectives.

- Principle 7 : The entity must identify risks to the achievement of its objectives and analyze risks as a basis for risk management.

- Principle 8 : The entity needs to consider potential fraud when assessing the risks in achieving objectives.

- Principle 9: The entity needs to identify and evaluate changes that may have a significant impact on the internal control system." (COSO, 2013).

2.3.3. Control activities

Control activities are performed at all levels of an organization and at all stages of the business process. Control activities can be divided into two types: preventive and detective controls. Control activities include a variety of manual and automated activities such as authorization and approval, verification, reconciliation and evaluation of business results. Delegation of tasks is a characteristic in the selection and establishment of control activities.

The HĐKS factor includes 03 specific principles:

“- Principle 10 : The unit must select and establish control activities to minimize risks in achieving objectives at an acceptable level.

- Principle 11 : The unit must select and establish general information technology control activities to support the achievement of objectives.

- Principle 12 : The entity must implement control activities based on establishing policies and developing procedures.” (COSO, 2013)

2.3.4. Information and communication

The IT & Communication system includes all information that helps in decision making and provides necessary information to managers within the unit and relevant individuals outside the unit. Information is collected, processed and communicated both internally and externally. Information includes financial and non-financial information, information on regular and irregular activities to serve the implementation of internal control objectives. Communication is the way of exchanging information between departments within the unit and outside the unit. Communication can be divided into two types: internal communication and external communication. Internal communication is the means by which information is disseminated throughout the unit, both vertically and horizontally. External communication is carried out in two directions: transmitting information from outside to the unit and providing information of the unit to external subjects.

The TT & TT factor has 03 related principles, namely:

“- Principle 13 : The unit must collect or create and use appropriate, quality information to support the performance of the internal control function.

- Principle 14 : The unit must transmit necessary information internally to support the performance of the internal control function.

- Principle 15 : The entity must communicate information to external parties regarding matters affecting the performance of internal control functions.” (COSO, 2013).

2.3.5. Monitoring

GS activities aim to ensure that the internal control system is always operating properly, promptly detect defects and take corrective measures as soon as possible. GS can be divided into two types: regular GS and periodic GS. Regular GS is carried out along with daily activities from planning to implementation and inspection. Periodic GS is usually carried out according to certain time frames such as programs.

Periodic internal assessment, periodic audits conducted by internal auditors and independent auditors; or when there are special cases such as changes in senior managers, restructuring, etc. GS activities are the main basis for improving the effectiveness of the internal control system.

The GS factor has two specific related principles:

“- Principle 16 : The entity must select, establish and conduct regular and/or periodic assessments to ensure that the components of internal control are present and functioning properly.

- Principle 17 : The unit must promptly assess and disclose internal control weaknesses to responsible parties such as senior managers, the Board of Directors and other relevant parties to find solutions." (COSO, 2013).

2.4. Overview of commercial banks

2.4.1. Concept

According to Law No. 47/2010/QH12 on Vietnam's Credit Institutions, it is defined as: "A commercial bank is a type of bank that is allowed to carry out all banking activities and other business activities as prescribed by this Law for the purpose of profit."

2.4.2. Nature

Firstly, a commercial bank is a special type of enterprise and is a credit institution operating in the banking and financial services industry.

Second , the activities of commercial banks are business activities. To conduct business, commercial banks must have capital and be financially autonomous; especially, business activities must achieve the ultimate financial goal of profit, and the business activities of commercial banks are no exception to that trend. However, the search for profit must be legitimate on the basis of compliance with state laws.

Third, the business activities of commercial banks are monetary business and banking services. This is a special field because first of all it is directly related to all industries, related to all aspects of economic and social life and on the other hand