The financial management and control system is extremely important for every enterprise, regardless of the economic field in which it operates. It gives certainty that the enterprise will achieve the goals for which it was created and set for itself. For public sector enterprises, this activity is regulated by the Law on Financial Management and Control in the Public Sector and the additional instructions of the Ministry of Finance approved by order N ЗMF 184/06.03.2020 including: Methodological guidelines on the elements of the elements of financial management and control, Guidelines for Ex-ante Compliance Checks in Public Sector Organizations, Guidelines for Risk Management in Public Sector Organizations, Guidelines for Ex-post Performance Assessments in Public Sector Organizations.
Article 2 of the law regulates this obligation:
” Art. 2. (1) The provisions of the law are applied in public sector organizations .
(2) Pursuant to this law, organizations from the public sector are:
1. budgetary organizations within the meaning of the Law on Public Finances, as well as municipal enterprises within the meaning of the Law on Municipal Property;
5. organizations disposing of funds guaranteed by the Republic of Bulgaria;
6. the organizations disposing of funds under ZMF funds and programs from the European Union;
7. the state enterprises under Art. 62, para. 3 of the Commercial Law;
8. commercial companies, including medical facilities, with more than 50 percent state and/or municipal participation in the capital;
9. commercial companies whose capital is wholly owned by the companies under item 8.
With this law, the State guarantees the protection and efficient management of public funds. The construction of such a system is in the interest of every single enterprise owner, regardless of the economic activity of development. That is why my advice to every entrepreneur, manager of an enterprise in the private sector, manager to familiarize themselves with this law. The fact that it applies to public sector enterprises is irrelevant. However, the interest of ownership implies that every enterprise, regardless of whether it is private or state-owned, must build such a system depending on its size and activity.
The law as a whole steps on the five elements of COSO, introducing them through Art. 10:
Art. 10. (1) The heads of the organizations under Art. 2 implement financial management and control through the following interconnected elements:
1. control environment;
2. risk management;
3. control activities;
4. information and communication;
5. monitoring.
Let’s look at these five elements in their essence and how they are filled with meaning and substance when the management of an enterprise purposefully works for it. The formal attitude to the construction of such systems leads to poor management of the company’s resources. There are not rare cases in which the answer to the question “Do you have a built-in SFUK in the enterprise” is “We have some. We’ve put it there in a folder,” but with this answer there is only one conclusion: There are some written rules that only their creator knows about, but the contractors in the chain have no idea of their existence, and in practice they are not in effect. The creation of proforma regulatory documents cannot guarantee the fulfillment of the objectives for which the enterprise was created.
SFUK means not only written rules for work in the enterprise. SFUK means covering the enterprise’s activity with internal regulations that are accessible to everyone and are not in some dusty folder. This ensures knowledge, understanding and implementation by employees.
What does control environment mean? This is the first element of COSO and I would say the most important. It starts from the personal example of the management, from his will and skills to impose in the enterprise ethical norms of behavior, compliance with laws, effective and efficient management of resources, an environment of mutual respect with employees, etc. This first principle is imposed in the enterprise with a written code of ethics, with written rules for hiring employees, with rules for maintaining the qualifications of employees, written (informal) job descriptions, rules for staff attestation, written structure of the enterprise and relationships between individual units, rights delegation rules, and more. We cannot expect an enterprise to cope and achieve its goals if there is management laxity, neglect of problems, bad treatment of staff, which will lead to turnover, etc. In a word, as the people said “a ladder sweeps from top to bottom” and for things to happen in the right way we must first start with the leadership.
The second element is “Risk Management” . What does it mean to manage risk? Every business is characterized by its business processes, the environment in which it operates, its size, the legal basis on which it stands and, above all, the goals it sets for itself. The business risks to which each enterprise is exposed, according to the source, are divided into external and internal, which are generally considered as “inherent” risks. External risks are the result of external factors determined in the environment in which the business operates – political events, legislative changes, natural phenomena, etc.. Different businesses have different, inherent risks that are built into them due to all their specifics. The goals that a school sets for itself and the goals that a construction company has are different, and hence the inherent risks that could prevent the achievement of these goals are different. Management’s role is to regularly review these risks and to consider and implement such control actions as will minimize these risks. In general, we could systematize some types of risks valid for any enterprise. We will list some of them without going into details related to their manifestation in different business sectors.
And while the “Risk Management” element depends on the management to the extent that it is able to identify the risks and give a correct assessment of their impact on the business, if certain events occur or certain facts are present, then the control activities are entirely in the hands of the management . Control activities are structured and enforced in the enterprise in response to identified and assessed risks. These two elements of COSO are inextricably linked to each other, as no control can exist in isolation. Sometimes in enterprises there are such controls that do not lead to anything, but only increase the administrative burden. Control activities in enterprises can be conditionally divided into two types:
In my opinion, preventive controls are extremely important because they prevent certain wrongdoing from happening.
Here I am tempted to tell something that I was terribly impressed by. Some time ago I was in the Rila Monastery and in the museum I saw the “chest” in which the monks kept the money of the monastery. The chest has five locks, the keys of which were kept by five monks. In order to open the chest, all five had to be there. That’s called control!
Control activities in the enterprise can be carried out by specially appointed employees, as is the requirement in the public sector regarding the appointment of financial controllers, but they can also be embedded in information systems. The volume and types of control activities in enterprises vary, as they themselves are different, in terms of types, size, automation, etc.
The fourth element “Information and communication” ensures the knowledge of management and control systems in enterprises. The company’s management must ensure that its employees are familiar with the company’s internal regulations. On the one hand, management must be aware of what is happening in the enterprise, the execution of tasks, the various projects, contracts, etc. The way of organizing this bottom-up awareness process happens in different companies in a different way:
In turn, the management’s management decisions must reach the personnel they lead in a timely and reliable manner. The practice existing in some enterprises of “verbal orders” and subsequent “rejection” of them is bad and only leads to misunderstandings. Good governance is directly related to well-written internal regulations and tasks for implementation are put in writing, to an appropriate employee, with reasonable deadlines.
The last element “Monitoring” is the supervision of the management and control system. This last fifth element ensures the proper functioning of the system. In principle, there is no system that is super perfect, so that there is no need for corrections and checks that it functions in the predetermined way. Business changes, circumstances change, and people are not always conscientious enough and do everything as written in the rules. Some managers think that it is enough to order certain actions, but this is not the case. It is important to have a follow-up check that these orders are being executed as intended and that there is no need to make any adjustments to the orders themselves. As the saying goes “verification is the highest form of trust”. In companies with internal auditing, this activity is usually performed by internal auditors who report directly to top management.
As we have already mentioned several times, the management and control systems must be designed so that they are accessible and known by the employees in the respective enterprise. Apart from the public sector enterprises, for which, on the basis of the Law on Financial Management and Control in the Public Sector, the State as the owner of these enterprises imputes to them the obligation to build such systems, the other type of enterprises that have the obligation to build such systems are audit enterprises. For them, this obligation arises from professional standards to which their activity is subject. Independent auditors, for example, on the basis of IASQ1 and IASQ2, must build a system for the quality of audit services. These two standards are also based on the five elements of COSO, but they give policy and procedure requirements to auditors that are specific to their activity and adopting and implementing them will lead to quality management of the audit activity.
This article is not intended to address individual standards related to individual occupations or business processes. Here we could also mention the many ISO standards, the implementation of which leads to the improvement of the management of various processes in enterprises.
Designing management and control systems in enterprises is a complex and long process. Very often in enterprises there are no specially appointed people who are only engaged in “legislative” activity. That is why it is good to seek external consultants to help with structuring and systematization. You will find what we can help you with at:
https://www.ada-soft.bg/bg/mproducts/forbudget/sfuk
In addition, as we said, the preliminary control is extremely important. It’s good to be automated to get instant information about contracts, budgets, etc. necessary when issuing an opinion.
https://www.ada-soft.bg/bg/mproducts/forbudget/finansov-kontrolior
In conclusion, I would like to say that in the end only enterprises remain on the “market” that have adequate management and control systems, whose management understands their meaning and regularly improves them.
