EVALUATION OF THE INTERNAL CONTROL SYSTEM OF BANKS LISTED ON THE IRAQ STOCK EXCHANGE ACCORDING TO THE COSO FRAMEWORK DURING THE COVID-19 PANDEMIC

Purpose: This study aims to assess the internal control system in the banks listed on the Iraq Stock Exchange in accordance with the COSO framework during the Covid-19 pandemic period by contrasting the internal control system components for the research sample with the internal control system components of the COSO framework and determining the degree of compatibility between them as well as the importance of applying the internal control system procedures


INTRODUCTION
The nature of the internal control system according to the COSO framework The term COSO stands for (The Committee of Sponsoring Organizations of the Treadway Commission) which is a non-profit private sector committee, consisting of the Institute of Management Accountants (IMA), the American Institute of Certified Public Accountants (AICPA), the American Association of Accountancy (AAA), the Institute of Internal Auditors (IIA), and the of Financial Executives Institute (FEI) (Hurt & Zhen,2008).
Since its establishment in the eighties of the last century, this committee has sought to pay attention to the development and improvement of control systems for institutions in line with economic changes.This was obvious through its various publications regarding internal control systems, the most important of which is the Integrated Framework for Internal Control 1992.In 1992, the Committee issued an integrated internal control framework, which provides assistance to management to evaluate and strengthen internal audits.This framework is a widely accepted reference for organizations to rely on when they formulate policies, develop laws, and enact regulations used to regulate the control activities (Romney & Steinbart, 2017).
This framework was updated in 2013 and this update still stipulates three objectives; operations, reporting and compliance.It also involves five components of internal control: internal control environment, risk assessment, control activities, information, communication, and control or following-up.The changes brought by this model are to change control to activity control to expand the concept of control and to change "financial reporting" to "reporting" to expand the scope of preparing reports to include external financial and non-financial reports and internal reports as well as making some other changes (Hurt & Zhen, 2008).Thus, an internal control is no longer just a means to ensure the protection of the assets of the institution only.It has developed to become a set of components and interrelated elements developed by senior management to ensure the achievement of the objectives of the economic unit.Therefore, the internal control system is the basic essence of the functioning and organization of the economic unit's works and of the achievement of the aspired visions and objectives.(Moeller, 2013) The internal control system has been defined according to the (COSO) as an organizational plan that includes all methods and styles followed by the organization in order to protect its assets, ensure the accuracy and reliability of its accounting data, develop operational efficiency, and encourage compliance with management policies (Janvrin & et al, 2012).

Objectives and controls of the internal control system in accordance with the COSO framework
According to the COSO framework, the internal control system aims at achieving a set of objectives: (Moeller, 2013) Efficiency and effectiveness of operational processes: the elements of the control are put in the organization to promote the effective and efficient use of resources to achieve the objectives of the organization and protect assets and records.One of the most important aspects of the control elements is to provide accurate information for internal decision-making.
Confidence in the financial statements: it is the responsibility of the management to prepare the financial statements.It has a professional legal responsibility to ensure that the information included in the financial statements is fairly presented in accordance with the requirements of the generally accepted accounting principles.
Commitment to laws and regulations: There are some rules and laws, whether internal or external, direct or indirect, that the organization must commit to.Examples of indirect laws are those related to environmental protection or laws of public freedoms, while direct laws are related to the aspects of accounting, taxes, and insurance.
The Regulatory controls of the system are (Whitehouse, 2014):

Preventive Controls
They are the controls that were developed to prevent errors and deviations and are placed within the system so that they are part of the normal business of the institution, such as appropriate delegation of powers, physical protection of assets, and the presence of passwords to access computer systems.

Detective Controls
They are the controls that are designed in the system to detect errors and deviations when they occur, such as performance evaluation, and conducting matches among accounts.

Corrective Controls
They are the controls that are designed in the system to ensure that corrective actions for deviations have been adopted, or that these deviations did not occur again.These controls deal with deviations after discovery, such as the existence of a system to address the detected errors and deviations.

The internal control system's components according to the COSO framework
Internal control in accordance with the COSO framework consists of five components that are designed and implemented by the management to provide reasonable assurance that controls the achieved objectives: (Arens & et al, 2012):

Control Environment
The control environment is considered the basis of the internal control system in the organization.It affects the control awareness of officials and all components of internal control.The control environment means the policies and procedures that reflect the attitudes of senior management, managers, their perception and actions related to the internal control and its environment has an impact on the effectiveness of control procedures and their importance in the organization as it represents the umbrella for other components (Hall, 2015)

Risk Assessment
Any economic unit is exposed to many risks when conducting its business, such as operational, legal... etc.These risks must be identified and analyzed, identified the likelihood of their occurrence, and tried to reduce their impact to acceptable levels (Rochette, 2009).The COSO committee emphasized the existence of two types of risks: inherent risk, which is the risk that exists before management takes any control procedures to reduce these risks, and residual risk, which remains after management uses control procedures (Romney & Steinbart, 2017).

Control Activities
Control activities are policies and procedures that help ensure that management instructions are implemented correctly and on time (Rittenberg & Schwieger, 2005).Control activities relate to commitment and operation control, which is concerned with evaluating performance at all levels of management by measuring actual performance and comparing it with planned performance, adopting corrective actions, and following up on operational reports within each department.The COSO report also focused on the control of information systems under data automation (general control or application control) and on control related to protection against unauthorized use (Whitehouse, 2014).

Information & Communication
For internal control, in order to be effective, appropriate and timely information must be available.The required information, generated from the information system, must be identified and this requires data and reports (Konrath, 2002).For communication, financial reports control requires the establishment of clearly defined duties for the employees who are responsible for implementing control procedures, and this requires a clear job description, accounting manuals, policies, procedures, and training programs in order to achieve communication.

Monitoring
Monitoring is a process through which the quality of internal control performance is evaluated to provide reasonable assurance that the objectives of the economic unit will be achieved.The management must follow up on the internal control to determine the conditions that lead to operational effectiveness, especially since risks are in constant change.Therefore, the management needs to redesign control activities when risks change, and there are two forms for following-up that we can distinguish between them; continuous activities and separate evaluations at a certain moment in time (Vaassen & el.al, 2009).

Internal control system evaluation according to the COSO framework
In order to maintain the effectiveness of the internal control system, continuous evaluation should be carried out and the strengths and weaknesses of the system should be identified, as COSO indicated that the evaluation is carried out according to the following:

Control Self-evaluation:
It is the process of testing and evaluating the effectiveness of the internal control system within the organization.All employees in the organization participate in this process and this mechanism aims to educate employees at the operational level in order to identify, evaluate and analyze risks at the level of their jobs.Self-evaluation is carried out at the unit level or at the level of activities held by operational departments constantly through assessing and identifying risks that affect the achievement of the objectives of the control structures at the level of those activities and through facing those risks as required by each situation without prejudice to the achievement of objectives ( (Hamdan, 2019).

Internal control components' evaluation according to the COSO framework
In order to assess the components of the internal control system, it is necessary to understand the factors affecting it and determine the effects resulting from it according to certain indicators as follows: Control Environment: It is evaluated by identifying the following points (Chang & el.al., 2019).
Integrity and ethical values: They are evaluated by having a behavioral and ethical system; establishing a senior management approach; adhering to ethics in dealing with external parties (customers, investors, creditors, etc.); and establishing appropriate procedures to deal with abuses and violations to the ethical behavior system code.

Commitment to specialty:
The evaluation is carried out on the basis of job descriptions, whether formal or informal, to identify the concepts that include the utilization of knowledge and skills to achieve efficiency and operate the appropriate efficiency management in the appropriate places.
Organizational structure: It is evaluated through the extent of the appropriateness of the facility's organizational structure and its ability to provide an appropriate flow of information necessary for managing the activities in addition to the adequacy and identification of the main managers' responsibilities and their understanding of those responsibilities.

Management philosophy and operating style:
The factors on which management philosophy is evaluated are the nature of acceptable business risks, for example, whether management adopts high-risk projects or there is a strong reticence in accepting risks; the sequence of interaction between senior management and operational management; and the attitudes and actions towards financial report and the application of accounting treatments.

Board of directors and audit committee:
The Audit Committee is evaluated independently from management, sequencing, and timing associated with meetings with key officials, financial personnel, accountants, internal auditors and accounts monitors (Martinelli, Friedman & Lanz, 2020); adequacy and timeliness associated with the availability of information to the Board and Committee members and allowing to follow-up management objectives and strategies (Sallal, Mohammed & Jabal, 2022).
Determination of empowerment and responsibility: Responsibility determining and authority delegating is meant to deal with organizational goals and objectives, operational functions, and organizational requirements, including responsibility for information systems, licensing procedures for changes, suitability of standards, and job descriptions of employees.
Policies and practices related to human resources: They are represented by the existence of policies for recruiting, training, promoting, and compensating employees, procedures to make new employees familiar with their responsibilities, and the efficiency of procedures related to verifying the information of employees nominated for employment.

Risks evaluation
It is carried out according to (D'Aquila, 2013) Strategic plan: It should include a mission, vision, and ethical values and provide guidance for what the organization should want to achieve, and what can be achieved by having a business plan, budget, and strategic plan.
Operational objectives: They must be linked to all the objectives of the organization and must be clear, easy to understand, and measurable, and the achievement of objectives must be linked to the available resources.
Identifying, analyzing, and managing risks: Identifying risks at the level of the strategic plan and at the level of operational objectives.Risks may be from internal or external sources, and risk analysis means estimating the strength and importance of risks, and analyzing the conditions that may increase them and how to manage them.
Change management: There is a need for a mechanism to identify and respond to events that may affect the achievement of goals.

Control Activities
The various types of control tools and methods, that the internal audit system follows, include: the existence of written policies and procedures; the practice of control on the senior management levels, material control; the existence of performance indicators; and the separation of conflicting functions (Romney & Steinbart, 2017).

Information & communication
The information must be appropriate to the possibility of managing the organization's business.
The information can be financial or non-financial, and it must be provided to the persons concerned with the presence of internal channels of communication among employees within the organization in addition to the existence of contacts with external parties.Communication channels can be used to make recommendations that will improve the productivity level.

Monitoring
Monitoring are evaluated through the following (Vaassen & el.al.,2009):Monitoring through internal audit: Internal audit is one of the pillars of the internal control system, through which management can discover and improve weaknesses in the internal control system and strengths and maintain them.The internal audit of the internal control system provides three services: preventive services, evaluation services, and development services.
Monitoring through external information: Management can track the effectiveness of the internal control system through communications with external parties that may indicate the existence of specific problems, procedures, or transactions that need to be reviewed and improve their deficiencies.

Internal control and Covid-19 pandemic
Organizations faced many difficulties and challenges, yet, the Covid-19 pandemic crisis is considered one of the largest crises in the modern era.According to the Organization for Economic Cooperation and Development (OECD), COVID-19 represents a major threat to the global economy and has long-term economic implications ( Kaka, 2020).The rapid development of the Coronavirus (COVID-19) has created an unprecedented level of risk, causing significant losses for investors in a short period of time .Therefore, this crisis had a significant impact on financial and economic markets around the world .Bogasiu (2020) and Joshi (2020) pointed to the impact of the Covid-19 pandemic on financial accounting (disclosure, recognition, measurement, and presentation) and on increased personal judgment and over-reliance on estimates by financial reporters, which leads to an increased likelihood of cheat and fraud in financial reports (Bagherpour Velashani, Sallal & Salehi, 2022).(Martinelli, Friedman & Lanz, 2020;Kizil,Kizil & Dolaz, 2021;Zelie, 2021) pointed to the impact of this pandemic on the internal control structure in companies and showed the importance of companies' interaction and adaptation to the changes and adjustments resulting from this crisis.Therefore, companies have introduced adjustments and replaced internal controls that can have an impact on risk evaluation, and on internal control methodology and procedures (The Institute of Charted Accountants of Pakistan, 2020).The internal control is a means to achieve a goal and not to get the goal itself.One of the purposes of internal control systems is to reduce the risk of inability to achieve the company's predetermined objectives, in light of its strategies and related policies, and to manage these risks in a way that allows those responsible for managing the company to be rational in dealing with them.It is an ongoing process aimed at identifying, evaluating their nature and scope, and managing them efficiently, effectively, and economically (D'Aquila, 2013) (Kayhan, 2023;Ciobu & Tataru, 2021;Hamdan , 2019;Salman, 2021).Internal control provides independent safeguards and advice that help organizations manage crises effectively.Therefore, internal control has a major role in facing the risks resulting from the Coronavirus epidemic.As a result of the change in the behavior of companies' business, the implementation of the tasks required from them in a work environment affected by quarantine and compulsory closure of many economic units, and the tendency to work from home and complete online sales and purchases and more (Kaka, 2021).All that leads to the emergence of new risks that must be taken into account when developing the internal control system as the required system must help the company's management to follow up the work of employees remotely and monitor sales and incomes, which are carried out through the Internet (Fernandes, 2020).That was to reduce the risk of fraud and corruption to the lowest level, with the need to ensure the effectiveness of the flow of information and communication so that all employees of the company receive the necessary instructions, to fulfill their responsibilities.In addition, the company's management can obtain information that helps it follow up and monitor the performance of its employees, (Zelie, 2021).The organization's procedures for work are implemented in light of commitment to laws and regulations, even if the work is done remotely and not at the company's headquarters.Therefore, it requires a review of internal control procedures to suit the work environment imposed by the Coronavirus epidemic and the precautions to reduce it (Wang, Cui & Jin, 2023).This financial and economic crisis caused by the pandemic ripped the global economy apart and put both banks and borrowers under severe pressure.Thus, control facilities found themselves facing unprecedented challenges that push them to decisive action to ensure the support of banking systems and maintain financial stability.The banking sector plays a crucial role in mitigating the macroeconomic and financial shock caused by the pandemic.Because of this crisis, defaults will increase and pressure on the banking system will intensify (Genç, 2023).Thus, many authorities have taken supportive procedures to provide immediate relief to affected borrowers and maintain sufficient liquidity in the banking system, such as debt repayment deferrals and the provision of credit guarantees (Ciobu & Tataru, 2021).Control facilities were integral part of this policy level.Based on the guidance of the standards' specialized authorities, several control authorities implemented a wide range of interventions in the financial sector (Kizil, Kizil & Dolaz, 2021).These procedures aim at using the capital safety and liquidity margins currently available in banks and encourage the transparency of balance sheets, to maintain the continuity of work in banks (Rinaldi, 2020).Therefore, the role of the internal control system in banks is now more important than ever.It must be ensured that an effective internal control system is present (Ciobu & Tataru, 2021) and that this system includes a set of modern technological methods and procedures, which support the achievement of the set objectives to ensure the orderly and effective conduct of business, in a predictable and unpredictable risks' environment (Okharedia, Muritala & Ibrahim, 2023).Therefore, banks and all companies should start allocating part of their investments to technological capabilities, training human staff to deal through the available technological capabilities of digital transformation applications and remote dealing, and using technology in the implementation and follow-up of business (Castka, Searcy & Fischer, 2020).This makes banks and companies later able to deal with problems imposed on them by a different environment and working conditions than in the past (Zelie, 2021).Based on the above, the importance of the internal control system is one of the important elements for the advancement of institutions and access to what they aspire to.It requires the need to work to improve the performance of banks by building effective internal control systems and adopting best practices represented in the framework of (COSO) for internal control.Therefore, the research problem can be formed by searching for the answer to the following question (Does the internal control system in banks listed on the Iraq Stock Exchange match the internal control system according to the COSO framework?) This question is divided into the following sub-questions: Are the components of the internal control in the banks listed on the Iraq Stock Exchange compatible with the internal control components of the COSO framework?How important is the application of the procedures of the internal control system in accordance with the COSO framework in banks listed on the Iraq Stock Exchange during the Covid-19 pandemic?
According to the nature of the research problem and its objective, the research community includes the employees of the 17 banks listed in the Iraq Stock Exchange according to the statistics of 2021.The banking sector represents the largest sector in the companies listed on the Iraq Stock Exchange.It has an infrastructure that fits with the current study (having financial, administrative, and accounting systems and regulated accounting records and it uses advanced technological systems and programs) For the purpose of testing the research questions, 300 questionnaires were distributed, and 197 of them were retrieved.

Fourth: Findings
To test the validity of the questionnaire to study the phenomenon, Cronbach's alpha was used to measure multi-level questions (Likert five-point scale), and Cronbach's alpha coefficient for these questions was estimated at 0.769, which indicates the relevance and credibility of these questions.

Descriptive statistics
To achieve the objectives of the research, a questionnaire was prepared and distributed to workers in banks listed on the Iraq Stock Exchange.The personal characteristics of the members of the research sample were shown in Table ( 1), the percentage of males was (81%), which is higher than the percentage of females, which was (19%).As for the highest age category, the (45-55) group won the highest percentage of (36%).Concerning academic achievement, bachelor's degree holders obtained the highest percentage (41%).The number of years of service was (36%), which is the highest percentage of those who have service of (15-25).The accountant category got a percentage of (34%), which is the highest percentage in the job title of the research sample.

Research Test
Regarding the statistical analysis of the responses of the sample members, the Chi-Square Test was used to determine the compatibility of the internal control components in the banks listed in the Iraq Stock Exchange with the internal control components of the COSO framework as shown in Table (3).It was found that there is compatibility in all components of internal control in banks with the internal control components of the COSO framework, as the p-value of all components was less than 0.001> according to the table below.To know the importance of applying the internal control components of the COS framework during the period of the Covid-19 pandemic, the Chi-Square test was used and the p-value of all components was less than 0.001>.This indicates the importance of applying the internal control system of the COSO framework with all its components during the period of the Covid-19 pandemic, according to the table below.The findings of the statistical analysis of the opinions of the research sample revealed that all of the internal control procedures in the banks listed on the Iraq Stock Exchange are in accordance with the COSO framework's internal control system components.The findings also highlighted the significance of implementing these procedures during the Covid-19 pandemic.Information and communication are the most crucial elements, followed in order by risk assessment, control activities, a control environment, and monitoring.this means that, in contrast to the findings of (Hamdan, 2019) and (Salman, 2021), information and communication are the most essential component, while monitoring are the least important component (Hamdan, 2019) and (Salman, 2021) .The Covid 19 epidemic has forced people in charge of monitoring and audits to adapt new working practices that allow them to conduct their duties remotely and to take full advantage of chances for digital transformation, cloud computing, and technological techniques to complete their tasks.In light of the Covid 19 epidemic, it follows that the information and communication component is one of the most crucial.The study advises that, in order to achieve an effective control system, it is necessary to adopt the COSO framework when designing the internal control system's structure, which will help to increase the efficiency and effectiveness of the internal control elements.This will help to make the internal control system in banks more integrated and harmonious and will help to increase the efficiency and effectiveness of the internal control elements.Moreover, there is

Table 1 :
Demographic information of respondents

Table 2 :
Internal control components compatibility

Table 3 :
The importance of applying the internal control system according to the COSO framework during the Covid-19 pandemicThe Friedman test was used to compare the importance of the application of the internal control system components of the COSO framework.It was found that the most important component during the Covid-19 pandemic period is information and communication (3.98), followed by risk evaluation (3.08), control activities (2.92), control environment (2.86), and finally Monitoring (2.16).

Table 4 :
Arranging the importance of the internal control components of the COSO framework during the Covid-19 pandemic