The Internal Control Systems Integrated into the Various Profiles of Governance, Audit, Risk and Compliance

It is necessary to distinguish internal controls from external ones: the former are the responsibility of the appropriate bodies and business functions belonging to the organization of the companies, while the latter are exercised by subjects who fall outside the company and its functional structure (audit company, Consob, Bank of Italy, etc.). In recent decades several scandals have hit large enterprises, including Italian ones, and have increased interest in the issue of corporate governance and in the inefficiencies present in internal corporate controls (Munroa & Stewart 2011). Enhancing the effectiveness of controls, in particular the internal ones, has become a need increasingly felt by international and national legislators. Internal controls are an essential tool to achieve business goals (operating constantly in terms of efficiency and effectiveness), and at the same time to avoid wastage of resources, to safeguard corporate assets, to produce reliable accounting and management information, to observe the strategies, the policies and the corporate procedures and, especially, to ensure compliance with laws and regulations. This work discusses, in the Italian context, the role of the board of directors and the board of statutory auditors within the System of Internal Control and Risk Management (SCIGR) (Jaggi, Allini, Manes Rossi, & Caldarelli, 2016). Moreover, the study extends the analysis to other corporate figures that are well defined and in constant evolution, including the head of internal audit, the activity of compliance, the supervisory body ex D.Lgs. 231/2001 and the manager in charge of drafting corporate accounting documents.

responding appropriately to risks, it enables organizations to take advantage of the opportunity and generate value for stakeholders in the course of time (Kaplan, Donnell, & Arel 2008; Prawitt, Smith, & Wood, 2008).
In Italy, the topic of internal controls has been the subject of multiple interventions, starting from the separation between control of legality and accounting control in listed companies, with law 216/1974. However, the expression "Internal Control System" emerged for the first time in 1998 (Draghi law) for companies with listed shares. It was followed, with D.Lgs. 231/2001, by the introduction of the discipline of the administrative liability of companies, thus enhancing the extra-corporate meaning of internal controls, as tools for the prevention of certain criminal offenses (Barontini, & Bozzi, 2011). The instrument is then composed, for listed companies, of additional normative and regulated blocks, up to the intervention of the committee for internal control in the accounting audit, of which art. 19, D.Lgs. 27 January 2010, n. 39, and the changes relating to the Compliance Committee 231. However, only with the Code of Corporate Governance for listed companies is there a precise definition of internal control; a definition borrowed from the international framework (Corporate Governance Committee, 2015): a significant contribution is provided, moreover, by the special framework of the supervised areas, from the banking sector to the insurance sector. The code specifies, firstly, that the internal control system is also a system of risk management, highlighting appropriately and consistently within the guidelines of the community the primary object of the procedures and organizational structures of monitoring. The clarification is not merely lexical but expresses the need that the control system be neither an "a latere" nor an "ex post" organizational procedure, but a coordinated and homogeneous element of the entire organizational structure of the company. The system is emancipated from a so-called sanctioning conception to act instead as an element of the running of the undertaking consistent with the corporate objectives and as an instrument for the implementation of the principle of proper management, from the point of view of informative and procedural completeness that manifests itself in the taking of informed decisions (Montalenti, 2013). A strategic role in the definition of the internal control system belongs to risk analysis; the current conception of controls revolves, in fact, around the concept of corporate risks, their identification, assessment and monitoring. To function optimally, however, the internal control system must be integrated into the organizational structure; all the staff, from the employees up to senior administration, are responsible, in different measure, for the activities of which the system is composed (Parmeggiani, 2009). Only an integrated system allows ensuring the adequacy of the control modes with respect to the needs arising from the risks to be guarded against, and such functionality depends on the ability to choose between alternative checks on the basis of homogeneous criteria for recognition and measurement which allow comparability and selection. This assumes that the different subjects making up the system are mutually coordinated and interdependent, as indicated by the same Code of Corporate Governance. In fact, there are many actors involved in the network of internal controls: the board of directors, the control and risks committee, the person in charge of the internal audit function, the board of statutory auditors, the manager in charge of drafting corporate accounting documents (Acero, & Alcade, 2014; Brown, Beekesc, & Verhoeven 2011), the supervisory board ex D.Lgs. 231/2001, the compliance officer and many others by reason of the scale and nature of the undertaking. The central problem consists precisely of identifying effective rules for coordination between organs and functions, issues closely linked to the theme of overlapping. However, one should be aware both of the need for a rationalization and simplification of the institutions and of the need to locate systematic principles around which to implement the coordination of different elements that have grown, sometimes dramatically, and in the greater confusion of roles and functions (Fortunato, 2015). On the other hand, studies on the subject of internal control confirm that limited attention has so far been dedicated to these issues in business areas other than those of listed companies, for which, on the contrary, the generally smaller sizes and less pervasive external controls should move the focus precisely onto the internal constituent of the control (Bierstaker, & Thibodeau, 2006; Prawitt, Smith, & Wood, 2008).
In Italy, for listed companies, law 58/1998, art. 149, paragraph 1, letter c, explicitly includes the internal control system among the subjects of the vigilance on the part of the board of statutory auditors. By contrast, the Civil Code, in art. 2403, which specifies the duties of the same component of governance, does not mention the internal control system (Allegrini, Greco, 2013). Still, it can be observed that in the Civil Code the specific reference to the monitoring of the internal control system is not present in the general rules on the board of directors; the only trace in this respect refers to the monistic model, among the tasks of the audit committee on management appointed within the scope of the board of directors. However, it is a disparity of adjustment which does not find justification, since the alternative administration models, dualistic and monistic, arise as unsorted models, applicable to any type of enterprise (Montalenti, 2011). The aforementioned literature rightly considers that we should reach the conclusion that the binding nature of the internal control system must be recognized in terms of the adequacy of the organizational structure of the company, assessed in relation to the size of the undertaking and not on the basis of the administrative systems adopted. It can be said that there is no internal control system equal to another. Both the architecture and the operation of each system depend always and in any case on the characteristics of the structure in which it is inserted (Baglioni, & Colombo, 2013). The organizational model, sector of activity and size are only some of the elements to which the control must, from time to time, comply so as to assume different configurations in the various contexts.
On an organizational level, however, three levels can be distinguished in which the system of internal control can be divided:

• The first level requires special skills in business and associated risks; it identifies, assesses, manages and monitors the risks of competence in relation to which it identifies and implements specific actions of treatment. This level represents the so-called permanent checks;
• The second level oversees the process of identification, assessment, management and control of the risks of the operation, ensuring coherence with respect to the business objectives, and responds to the criteria of segregation which allow an effective monitoring. This level is constituted of periodic inspections by the compliance function, of risk management, which by their nature are independent and autonomous;
• The third control level refers to the typical activities of the internal audit, which lends an assurance and a general assessment on the correct operation of the whole system of internal control.
Apart from the figure of the manager in charge of drafting accounting and corporate documents, who is responsible by law for providing adequate administrative and accounting procedures for laying out the documents for financial reporting, there are no general specifications applicable to all the issuers regardless of their sector, on the subject of risk management (Bauer, Günster, & Otten 2004). On the contrary, certain sector regulations provide for the establishment of suitable structures or business roles dedicated to risk management, such as the chief risk officer, the compliance function, a risk committee, made up of managers charged with assisting the social organs in the process of risk assessment. In the comments in the Code of Corporate Governance of art. 7, it is considered that it is up to each issuer to establish whichever organizational structure is more suitable, in relation to the characteristics of the company, to allow an effective presidium on risks.

The Board of Directors and the Board of Auditors
The Corporate Governance Code, the rules of which have now become indispensable in the context of the discipline on the corporate governance of listed companies, has greatly impacted the current configuration of the control tasks attributed to the administrative bodies. In self-regulation, the role of the latter in the context of the system of internal control and risk management is described in a detailed way. In particular, the Code observes the activities carried out by the non-executive component of the same, which monitors the management of the company set up by the bodies with delegated powers, i.e. by the so-called executive directors; in addition, it dedicates an entire article to the figure of the independent director. In the main legislation it is with the company law reform of 2003 that there is a clear-cut demarcation of duties, on the one hand, for managing directors and on the other for the board as a plenum. Moreover, the provisions in the Consolidated Law on Finance have also helped to shape the new animus of the board, the controller of the asset management activity. In fact, the introduction of the figure of the administrator elected by the minority and of independence requirements also for one or more components of the administrative body are a way to protect the interests of the whole of the social structure, and in particular of minority shareholdings (art. 147-ter, paragraph 3).
The Consolidated Law on Finance and the Corporate Governance Code give absolutely peculiar powers concerning internal controls to the board of auditors. As regards its functions provided for by law, article 149 D.Lgs. 58/1998 (letter c) states that it is the duty of the board of auditors of a listed company to monitor the adequacy of the organizational structure of the company for the aspects within its competence, of the internal control system, of the system of administrative and accounting procedures, and the reliability of the latter in representing the facts of management. With regard to the adequacy of the organizational structure, the verifications of the college will focus on the consistency of the attitude of corporate structures in the light of the dimensional characteristics of the company, of its territorial distribution and market areas in which it operates (Bebchuk, Cohen, & Ferrell 2009). It becomes clear how the concept of organizational adequacy not only settles on a static-structural profile but necessarily on a dynamic-functional one, imposing the periodicity of the underlying assets, the care, the design and the practical implementation of an adequate organizational structure and internal control system (Sfameni, 2009).

Organizational Aspects, Activities and Information Flows with the Different Parties Involved in the Process of Internal Control
The board of directors, since it is a component of strategic supervision, primarily has the task of defining the line of direction of the system of controls, in coherence with the risk profile of the issuer determined by the latter. This assessment is made periodically, but the occurrence of unforeseen events in the course of the company lifetime may require extraordinary reexamination, aimed at verifying the effectiveness of controls in relation to particular situations. The composition of the board is an instrument for the implementation of good corporate governance of the company; its diversification is an instrument for checking the correct operation of the various components. From different sources and from the overall context it emerges that the role of the independent members should not be underestimated; indeed, today it seems to respond above all to the marked monitoring needs and internal controls of the business organization and to the need to ensure a more varied composition of the board (Adams, Hermalin, & Weisbach, 2010). In addition to providing a monitoring activity on the activities of the executive component, the independent directors may develop a more articulated board debate and help to ensure the substantial and procedural fairness of particularly delicate operations. It is believed that the presence of administrators qualified as independent directors on boards of directors is the most appropriate solution to ensure the composition of the interests of all the shareholders, both majority and minority (Ciampaglia, 2009). In addition, their preponderance within the committees through which the board of directors is articulated allows better pondering of the decisions that concern the profiles of the internal management of the company, to guarantee the interests of investors. The activity of the board also involves identifying from among its members those specific figures who can support it in the exercise of those functions. Among these is, firstly, the administrator in charge of the system of internal control and risk management, obliged to identify the main business risks and bring them to the attention of the board. An organizational procedure that can increase the efficiency and effectiveness of the work of the board is represented by the establishment, within the board, of specific committees with consultative and advisory functions (Stella Richter, 2002). These committees play an investigative role, which takes place in the formulation of proposals, recommendations and opinions, in order to enable the board to take its own decisions with greater knowledge of the facts. The Corporate Governance Code recommends the establishment of a nomination committee (article 5), a remuneration committee (article 6) and a control and risk committee (article 7), also defining their composition and responsibilities.
In its function of supervision over the internal control system, according to the wording of the provision, the board of statutory auditors is involved not only in the simple monitoring of the efficiency of controls, but is also invested with a supervisory role of last instance in the subject. It is not limited to a mere examination of the functioning of the system but also elaborates a judgment on its overall design, stability and effectiveness (Parmeggiani, 2009). The Corporate Governance Code, in fact, highlights the role of the board of statutory auditors with reference to different activities falling hazard an opinion on the general opportuneness underlying the adoption of a certain organizational model, but merely to ascertain the rational preparation of the said model in relation to the strategic objectives and the risk factors planned by senior management. Therefore, the college must be preliminarily able to understand fully the structure that the management, following indications of the senior administration, imparts to the system of controls. This involves a full knowledge of the distribution of roles, the areas of intervention, the instruments of intervention and information channels provided, and any internal codes designed to regulate this type of activity. It should be noted that, for the board of statutory auditors, independence is a requirement that must characterize all the components, unlike the administrative body, where only some members are expressly required to have this qualification. To safeguard the independence of the board of statutory auditors, the regulations of listed companies provide for a series of situations that, if present, prevent the office of statutory auditor from being validly assumed or, if they arise later, involve the forfeiture of the office. This independence is also underlined by the Code of Conduct at art. 8, dedicated to statutory auditors. The new discipline of auditing (article 16, paragraph 1, letter a of D.Lgs. n. 39/2010) foresees that in public interest entities the supervision of a) the financial reporting process; b) the effectiveness of internal control systems, internal audit and risk management; c) audit of the accounts; d) the independence of the statutory auditor, is carried out by the "Committee for Internal Control in the Audit" (art. 19, paragraph 1, D.Lgs. 39/2010) and that this Committee is identified with the supervisory board. This introduction of a new committee has raised the question of possible overlapping within the structure of internal controls, in particular with the control and risks committee. However, the role and functions of the latter distinguish it in a clear manner from the committee for internal control and auditing. Recently, the legislature, with the law of stability 2012 (law 12 November 2011, n. 183), art. 14, paragraph 12, has amended art. 6, D.Lgs. 8 June 2001, n. 231, by inserting paragraph 4-bis under which "in companies with share capital the board of statutory auditors and the supervisory committee and the committee of management control can carry out the functions of the supervisory body...". It seems, therefore, that the choice of whether or not to give the functions of the board of supervision to the board of statutory auditors is at the discretion of the administrative body. The hypothesis of a coincidence of the oversight board and the board of statutory auditors, albeit advanced by some interpreters, including authoritative ones, is altogether opposed by the majority of the literature and rarely to be found in Italian enterprises (Pesenato & Barcovi, 2012).

Relations and Interaction Modes
The Corporate Governance Code recommends that companies entrust the chief administrator with certain operational tasks of undoubted importance, such as the identification of the main corporate risks (with regard to the characteristics of the activities carried out by the issuer and its subsidiaries), to be submitted periodically to the board of directors, and the design, implementation and management of the system of internal control and management of risks (running of the lines defined by the European Board itself), constantly checking the adequacy and effectiveness as well as the adaptation of the system itself to the dynamics of the operating conditions and the legislative landscape (Montalenti, 2011). These monitoring activities are of primary importance as they are designed to ensure that the operational management of the firm takes place efficiently and properly, hence to assess the way in which the managerial decisions that make up the corporate governance comply with directives coming from hierarchically superior levels (Parmeggiani, 2009). In support of the administrator, especially in the delicate task of constant verification of the adequacy and effectiveness of the SCIGR, there is the internal audit. In fact, the administrator can ask the head of internal audit to conduct checks on specific operational areas and on compliance with the internal rules and procedures in the execution of business operations. What emerges from these interactions is the subject of contextual communication to the president of the board of directors, the chairman of the control and risks committee and the president of the board of statutory auditors. In addition, the audit plan, prepared by the head of the internal audit, must be approved by the board, after consulting the board of statutory auditors and the chief executive officer responsible for the SCIGR, at least on a yearly basis. Still on an annual basis, the board of directors performs an assessment of the adequacy of the system. This is expressed in the annual report on corporate governance together with the terms of coordination of the various factors involved in the network of internal controls (Alipour, 2013). Therefore the control and risks committee, whose institution, as said, is strongly recommended by the Self Governance Code, plays an important role. This committee, together with the director proposed, is called upon to evaluate, having heard the statutory auditor and the board of statutory auditors, the proper application of accounting principles and, in the case of groups, their homogeneity in the drafting of the consolidated financial statements. The Committee examines the reports with the Internal Audit and ensures the autonomy, adequacy, effectiveness and efficiency of this internal presidium. In addition, after simultaneous communication to the president of the board of statutory auditors, it can ask the person responsible for the internal auditors to check on specific operational areas. Finally, the same committee reports at least every six months on its activities to the board of directors and supports, through appropriate preliminary activities, assessments and decisions of the board of directors concerning the management of risks arising from the injurious facts of which the board of directors has become aware (Corporate Governance Committee, 2015).
Referring to the recent praxis (more precisely to the "Norms of Conduct of the Statutory Auditors for Listed Companies", prepared by the National Board of Certified Public Accountants), at the beginning of the appointment and during the same, the board identifies the administrator or administrators in charge of the SCIGR, the control and risk committee and the persons responsible for the internal control system, the head of the internal audit function, as well as other bodies and divisions to which are assigned specific tasks in the area of internal control and risk management. Inside the board of statutory auditors the figure of the president stands out, to whom belong the functions of coordinating the work of this body and connecting with other corporate entities involved in the governance of the system of controls (Enriques, & Volpin, 2007). The Corporate Governance Code recommends a regular exchange of information between the board and the organs and the functions that in the context of the issuer carry out important duties regarding internal controls. In particular, the board of statutory auditors acquires information on any reports or periodic reports regarding the internal control, addressed to the board of directors, administrators responsible to the control and risks committee, the statutory auditor or comptroller, or to the supervisory board or managers of business functions. It also acquires information related to possible irregularities encountered in the control procedures, as well as to the risks identified and procedures defined for the management and containment of the same. More specifically, the board of statutory auditors, through the interaction with the person in charge of the internal audit, is aware of the audit plan prepared and then of the activity carried out by the same as well as the reports issued, and the results of the checks carried out at the request of the same college. The board of statutory auditors can establish the terms and procedures for the exchange of important information by agreeing a program of meetings during the year with the internal auditors (Leong, Paramasivam, Sundarasen, & Rajagopalan, 2015). The possibility of attributing the functions of the supervisory body to the board of statutory auditors has been stated; wherever the choice is to maintain a distinction between the two bodies, the college has to obtain the information relating to the organizational model adopted by the company from the supervisory body. The statutory auditors may establish terms and procedures for the exchange of relevant information by agreeing a possible program of meetings during the course of the year with the supervisory board. It should also be added that the college exchanges timely information with the statutory auditor or legal audit firm, for the purpose of performing the supervisory function (art. 150, paragraph 3, of D.Lgs. 58/1998). Moreover, as the committee for internal control and auditing, it receives from the statutory auditor or comptroller a report on fundamental issues arising in the course of legal review and, in particular, on significant deficiencies found in the internal control system in relation to the financial reporting process (D.Lgs. 39/2010, art. 19, paragraph 3).

The Internal Auditing and the Compliance
The pursuit of the objectives of efficiency and cost-effectiveness of the internal control system as a whole requires a mode that allows a homogeneous identification and evaluation of the controls in the various areas of business application, useful not only for the ex post identification of systems characterized by gaps or inefficiencies, but also for the planning of ex ante control modes that meet the minimum requirements necessary. These considerations are of particular importance to the internal auditing function, which is typically called to provide an overall assurance (Cortesi, Fossati, Spertini, Tettamanzi, 2009) on the design and operation of the internal control system through independent evaluations. The IIA itself (Institute of Internal Auditors, 1999) defines internal auditing as: "An independent and objective activity of assurance and consultancy aimed at improving the efficiency and effectiveness of the organization. It assists the organization in the pursuit of its objectives through a systematic professional approach that generates added value in order to evaluate and improve the control processes, risk management and corporate governance". In the Italian context, the decision to implement the internal audit is not yet a legal requirement. Common regulation involving joint-stock companies is almost absolutely silent in this regard. The same law 58/1998 dedicates only fleeting references to internal auditing (article 150, paragraph 4). Ample space, conversely, is reserved for internal auditing as part of secondary legislation and self governance. Precisely the Governance Code recognizes the internal audit function as having a peak role in the context of the system of internal control and risk management (Gasparri, 2013).
In the context of risk management the activity of compliance has been, already for several years, subject to the attention of banks, insurance companies and large multinational groups. For the world of financial institutions, in particular, there are provisions that make the existence of a specific compliance function compulsory. For non-financial institutions, the presence of the function in question is not mandatory, but the progressive widening of the scope of application of the D.Lgs. 231/2001 on the administrative liability of legal persons constitutes an element which should increase the attention of enterprises toward the establishment of the activity of compliance. However, the spread of this institution among Italian companies for the management of the risk of non-compliance is still limited to large firms.

Organizational Aspects, Activities and Information Flows with the Different Parties Involved in the Process of Internal Control
The attribute "internal" has the task of classifying the objective for which this type of audit is implemented. In other words, the internal audit is such because it is performed for internal purposes, which are to inform and document in a systematic way the senior management on the status and operation of the system of checks that have been activated to cope with the specific risks of the company. We can highlight a fundamental classification of the internal audit function, in which, according to the aims pursued, we distinguish two levels: a) a review of compliance; b) a review of adequacy (Troina, 2010). The compliance review is essentially aimed at verifying the consistency of the controls actually activated with those institutionally budgeted. This audit is resolved, in fact, in a series of operations for the mere establishment of their existence and correspondence, and in this audit level the internal auditor is not required to go into the merits of the controls. This function has a considerable importance, since it has the task of informing senior management whether the control actions laid down therein in the individual business subsets are respected or not. The second type, the audit of adequacy, allows the internal auditor to express his professional judgment also with respect to the substance of the controls. The appointment of the internal auditor is formalized in a mandate that must be approved by the board of directors. It is also the same board that approves all decisions relating to the appointment, the revocation of the appointment and remuneration of the person in charge of the internal audit. Firstly, the role of the person in charge of the internal audit function is defined, who is responsible for verifying that the system of internal control and risk management is always working and adequate (Corporate Governance Code). In particular, with the purpose of verifying the operation and the suitability of the system, the manager prepares an audit plan based on a structured process of analysis and prioritization of the principal risks, which must be approved by the board of directors; in this plan the verification of the reliability of information systems is expressly required, including systems of accounting recognition (Corporate Governance Code application criteria 7.C.5 letter a, g). Generally, an assignment of internal auditing has four main stages, i.e. preliminary analysis, detailed analysis of the process, verification and reporting (Cortesi, Fossati, Spertini, & Tettamanzi, 2009). The preliminary analysis consists in the study of the activity that is the object of the analysis; a study supported by the collection of data and general information. Important in this phase is the support provided by the auditors to management in the identification, quantification and ranking by importance of the strategic and business risks on the basis of which the audit plan is elaborated. The second phase is the natural continuation of the first; the deepening of the knowledge level allows identification of the most significant areas and allows the auditors to program the verifications. The verification activity follows where, in the course of this work, the findings are analyzed between what was detected in the planning and what was actually carried out, the effectiveness is verified with respect to the business procedures and any faults are sought. The evidence generated by this phase is the product of the work of the auditor. The aim is to assess the adequacy and effectiveness of the controls that preside over the risks relating to the processes to be audited, to identify any important risks and formulate recommendations for the improvement of the effectiveness and the efficiency of the processes to be audited (Arena, & Azzone, 2009). Finally there is the reporting, i.e. the synthesis step of the work, regarding the criticalities detected and plans of action identified. Given the nature of the functions assigned, the Corporate Governance Code recommends that the internal audit be provided with a distinct independence, either by granting independent powers in the preparation of audit plans and in the activation of individual interventions, or by providing for an organizational position that foresees its autonomy. The organizational structure of the company must then place the function under discussion in such a position as to allow the activity to be free of interference in the execution of the work and in the communication of the results. The function of the internal audit, in any case, as a whole or for segments of operation, can be entrusted to a subject external to the issuer, provided he is equipped with the appropriate requirements of professionalism, independence and organization (Institute of Internal Auditors, 2009; Sarens, & De Beelde, 2006).
Compliance is the structure responsible for safeguarding against the risk of non-compliance, and also has a fundamental role in protecting the company from reputational risk. The risk of non-compliance, in fact, can be defined as the risk of weakening of the business model, the reputation and the financial situation of a company resulting from failure to comply with laws and regulations, to respect policy and internal standards and to meet the expectations of key stakeholders such as customers, employees and society in general (Laurenti, Orlandi, & Panebianco, 2010). Briefly, the system of corporate compliance is to be understood as a tool that helps businesses to promote and consolidate their ethical principles, and to avoid incurring judicial or administrative sanctions, significant financial losses or reputational damage as a result of violations of mandatory rules (laws or regulations) or of self-regulation. Compliance becomes, in this way, the most effective means to protect against reputational risk. It is necessary to highlight that, in order to carry out fully the task for which internal supervision is predisposed, it is not enough to limit the activity to a mere ex post monitoring of regulatory risk and non-compliance; it becomes crucial to recognize the figure of the compliance officer, an autonomous and independent function, naturally integrated with other business procedures and structures (Floreani & Altieri, 2013). The compliance controls are, therefore, to be inserted in the wider scenario of the system of monitoring of business risks. To ensure that these checks can be carried out optimally and that the compliance function operates effectively, it is essential to coordinate with other areas of the company, and in particular with the functions that safeguard the system of internal controls and risk management, ensuring a precise definition of the spheres of action and responsibility of each of these functions, in order to avoid overlap and redundancy in control activities.
The process of compliance can be schematically divided into the following four sub-processes: a) identification and implementation of the legislation; b) risk assessment; c) implementation of the rules and procedures defined as necessary in order to rebalance misalignments internal to the company due to non-compliance with local regulations; development of the skills and professionalism necessary to ensure effective enforcement of such rules, by means of an adequate process of communication and training; d) monitoring and reporting (Altieri & Floreani, 2013). An absolutely fundamental aspect for all risks of non-compliance is prevention, especially where the violation of the regulation involves exposure to important criminal penalties and reputational damage or severe administrative sanctions, as happens, for example, for the so-called administrative liability of companies. Think of the internal change initiatives, which are becoming more frequent and crucial for the survival of companies in a competitive environment. It should be noted that, in order for the function to operate effectively, it is essential not only that it is independent with respect to the other business areas of operation but also that it is equipped with resources that are qualitatively and quantitatively adequate to the tasks to be performed (Stewart & Subramaniam, 2010).
The set of rules, regulations and procedures (in relation to which businesses operate for the maintenance of compliance and for the implementation of corrective or preventive actions) is composite and varies in relation to the specific operating sector of each firm, its sphere of activity and its characteristics. Generally, the main regulations that fall within the scope of the risk of non-compliance for all companies include: the administrative liability of legal persons under D.Lgs. 231/2001; the rules on money laundering and countering the financing of terrorism; the rules on health and safety on work sites; the legislation on environmental damage and pollution; the privacy and protection of personal data; the IT security legislation; for listed companies, Law 262/2005, provisions for the protection of savings and discipline of financial markets; the US federal Sarbanes-Oxley Act (SOX), for companies listed on the US stock exchanges and for the subsidiaries of companies listed in the United States.

Relations and Interaction Modes
The audit plan describes the operations, activities and systems subject to verification, the frequency of the same and the necessary resources; it must also include a system of reporting and follow-up. During the development of the auditing, the auditor is in contact with a considerable mass of data and facts, correct and irregular as they are found. In themselves they would be of very limited use if they were not assessed in a general synthesis in the context of internal controls: the auditing report. The follow-up phase, that is, the phase following the report, consists in ascertaining whether or not the recommendations have been implemented by the responsible sectors (Mauro & Stoppa, 1989). It is the responsibility of the head of the internal audit function to prepare periodic reports containing adequate information on its activities and on the way in which risk management is carried out, as well as on the respect for the plans defined for the containment of risks. These reports will also contain an assessment regarding the suitability of the system of internal control and risk management. In addition, in the case of events of particular importance, the timely provision of additional reports relating to these events is required, again from the person responsible for the internal audit (Corporate Governance Code, application criteria 7.C.5, letter d and c).
The internal audit plays a crucial role in the construction of the structure of internal controls in listed joint stock companies (Malaguzzi, 2007). This function acts as a technical aid to activities that the law entrusts to the administrative body and to the control organ with regard to the task of evaluating and monitoring the adequacy of assets. By virtue of this, a rapport is built between the internal audit and the components of corporate governance that is marked by well-defined reporting lines (Giansante, 2012). These relations may have a different nature and can occur with different frequency according to the administration and control model selected by the company. Special attention should be given to the information flows generated by the function of internal audit: the results of the checks carried out should be made known at the same time to the presidents of the board of administration, of the board of statutory auditors and of the control and risks committee, and to the administrator in charge of the internal control and risk management system, without prejudice to the fact that the latter can receive advance information in relation to the work carried out. The frequency and content of the communication activities are defined in consultation with the board, taking into account the importance of the information to be communicated and the urgency of the related measures that are the responsibility of the organ of government (Giansante, 2012).
In listed companies it is the control and risks committee that acts as a link and a filter between the internal auditor and the board of directors (Paletta, 2008). In order to ensure an effective relationship between the two bodies, it is clear that there must be frequent contact, in such a way as to make sufficiently clear the purpose and the needs of the audit work carried out by the function and expected by senior management. According to practice, the person responsible for internal auditing sends reports to the control and risks committee; the latter expresses its evaluations and then provides broad communication to the organ of government. The process also runs in the opposite direction: the administrative body, through the internal committee, communicates the priorities of intervention and the objectives to be pursued to the internal auditing presidium. The support that the internal audit function provides to the board of statutory auditors (since it is also the committee for internal control and auditing) is also evident, since it oversees the conformity of the work of the different company sectors, performing investigations to seek out any irregularities and verifying their removal (Seol, Sarkis, & Lefley, 2011). The head of the internal auditing function is by his nature a source of privileged information about the correct operation of the system of internal control and, to this purpose, the Corporate Governance Code indicates that the board of statutory auditors may require the person responsible for internal control to carry out verifications on specific operational areas or business operations.
Finally, it must be considered that the internal audit constitutes a valuable support for the accomplishment of the task of external auditing. Although the internal auditor and the external ones have different areas of responsibility, specific types of audits carried out by the internal audit, above all the accounting audits, are often of considerable help to the work of the external auditor for the purposes of carrying out the duties of the audit of the budget, since the two parties will exchange information about the scope of coverage, the manner of conducting the audit and its findings. The internal audit function of the company may be important for the purposes of the audit if the nature of the responsibilities of this function and the activities carried out by it are related to the financial information of the company (D.Lgs. 27 January 2010, n. 39, article 19). In these cases the external auditor may provide for using the work of the internal auditors in order to change the nature or the timing of the review procedures to be performed, namely to reduce their extension (Assirevi, 2015). To be able to assess the importance of the internal audit department, the external auditor must first understand its nature and positioning within the organization, as well as the object of the activity carried out.
Faced with growing complexity, the compliance officer should certainly articulate his work into specialized units, able to manage the challenges posed by the various rules with substantial skills and qualifications. An important contribution will be made by the achievement of a shared corporate vision within which the risks of non-compliance are perceived not as standalone risks, but as links in a chain. It is necessary to launch the compliance functions and integrate them into the heart of the organizational and value-creation models. This implies conferring a role that is not only formal but substantial, as the driving force of the corporate team towards normative and regulatory compatibility and sustainability (Bebchuk, Cohen, & Ferrell, 2009). The composition of the activity in question can be specified independently and individually by each company, which can choose to entrust responsibility for the control of conformity to a single corporate entity, rather than to a plurality of internal resources operating in different areas of the organization. More precisely, the company may opt for the constitution of a specific function dedicated to it or, alternatively, if it deems it appropriate, it may allocate the competences of the conformity check to subjects or pre-existing functions within the company. The possibility of attributing assessment tasks to control bodies outside the company should not be excluded. It should be specified that the adequacy and effectiveness of the function of conformity is subject to periodic review by the head of the internal audit (Soh & Bennie, 2011). For this reason, in order to guarantee the impartiality of these verifications, it would seem necessary to rule out the possibility of entrusting the function of conformity to the internal audit function.

The Supervisory Board Pursuant to Legislative Decree 231/2001 and Manager in Charge of Preparing Accounting and Corporate Documents
The control functions analyzed in the preceding paragraphs intersect with the tasks of the supervisory body ex D.Lgs. 231/2001. The argument is, moreover, closely connected to the theme of organizational arrangements. In fact, in principle, the provision of Model 231 is, technically, a burden: the penalty for failure to adopt it, on the basis of the special law, might be imposed ex post, as an administrative sanction, in the case of commission of the offense in the interest of the company. The expansion of responsibilities aims to involve, in the punishment of certain criminal offenses, the entities that have benefited from the commission of the offense. The legislator intervened recently on the subject with the stability law 2012 (law 12 November 2011, n. 183), which in art. 14, paragraph 12, amended art. 6 of the Italian D.Lgs. 8 June 2001, n. 231, by inserting paragraph 4-bis, under which "in companies with share capital the board of statutory auditors and the supervisory committee and the committee of management control can carry out the functions of the supervisory body...".
Art. 14 of law 262/2005 introduced into Italian law, with art. 154-bis of law 58/1998, the figure of the manager responsible for preparing corporate accounting documents. Finally, D.Lgs. 29 December 2006, n. 303 amended and supplemented the rules laid down by article 154-bis of law 58/1998 to make them clearer and more consistent with the rapid timing required by the financial reporting of listed companies. The responsible officer is a mandatory figure for listed issuers, to whom are attributed organizational tasks (provision of adequate administrative and accounting procedures for the formation of the budget) and certification tasks (on the adequacy of the procedures and on the fairness of the formation of the financial statements). He is in charge of producing the corporate accounting reports to be submitted to the administrative body. The activity of the responsible officer also pursues an internal purpose of guarantee, since his role is intended to enable the board of directors to take decisions for the purposes of the formation of the budgets and of other financial and accounting documents and communications with the guarantee that the basic data are already filtered and suitably screened (Gasparri, 2013).

Organizational Aspects, Activities and Information Flows with the Different Parties Involved in the Process of Internal Control
The supervisory board is responsible for internal control of a more limited scope, covering corporate decision, execution and control of the several sensitive activities identified, in order to eliminate or limit the risk of the commission, in the company's interest or to its advantage, of a typical crime. Instead, the board of statutory auditors is assigned a role of control over the management of the company, whose work of contrasting illegality is to safeguard diverse interests connected, in turn, to the members of the company, to the creditors and to the different stakeholders, up to the context of the general public interest and the protection of savings. The practice of awarding the task of surveillance to the internal auditing function seems to find favor on the part of the literature. This would be made possible by the fact that this function is often placed, in the organogram, reporting directly to the company's top executive and, therefore, could be sufficiently distinct and independent (Valensise, 2009). According to the aforementioned literature, it seems reasonable to agree with the more restrictive view that the autonomy and independence of the supervisory board (if this function is attributed to business structures) might be said to be guaranteed where regulations and/or policies internal to the companies establish that the recipient of the information flows and the activity reports of the supervisory board is only the corporate body (board of directors or management board) and not also the executive delegates and/or managers.
In its supervisory function, the supervisory board records internal control by means of questionnaires, verifies through walk-throughs that internal control is implemented, judges internal control according to its reliability and the identified risk of the company, points out (in the letter to management) the weaknesses and shortcomings, and proposes adjustments to the procedures in place (Pesenato, 2008). This vigilance extends to the entire corporate structure, including the social organs, and concerns only the adequacy of the model in a perspective of prevention of criminal offenses (Fung, 2014). This activity is aimed at preventing and/or avoiding the adverse effects arising from the establishment of the commission, to the advantage of the body, of one of the offenses covered by the reference standard.
Every company should adopt its organizational model and code of ethics and appoint its own supervisory body. However, in practice, it often occurs that, within business groups, the parent company adopts its organizational model, structured on the basis of its own business reality, as a function of the mapping of its activities at risk of commission of the offenses provided for by D.Lgs. 231/2001. Then, following the guidelines drawn from this model, each company of the group adapts its own model, which often does not respond to the purpose for which it is adopted. This mode of operation is acceptable only for the general and objectively shareable aspects, such as the rules of the ethical code of conduct, which need to be adopted by each company and applied regardless of the corporate structure or the relevant sector. For the construction of the model proper, it is necessary that each company is responsible for the drafting of its own made-to-measure model. A standardized model cannot be effectively adopted even when it is perfect for a similar reality. The companies in the group should have full autonomy in the formation and application of the model that best meets the company size and its operational requirements.
The peculiarity of this figure is that it is located at the highest levels of the organizational structure, equipped with great autonomy of action and management and at the same time having certain powers and responsibilities. The functions of the responsible officer in practice amount to the investiture of a super employee whose link in the chain is fundamental for the functioning of the complex and structured corporate mechanism (Khansalar, Dasht-Bayaz, & Maboodi, 2015). This activity, which relates to the creation of an efficient system of detection and representation of accounting facts and collection of information, monitored and also coordinated with the precise activities of internal auditors, falls within the overall definition of the organizational, administrative and accounting structure of the company. It therefore constitutes a task that belongs to the area of management of the company and that invests the regulatory sphere of competence of the delegated bodies, with the consequence that the functions pertaining to the latter should be coordinated with those of the responsible officer. The indicated procedures also involve the coordination of the manager with the control bodies, essentially in the shape of accounting information flows (Gasparri, 2013).
The responsible manager, together with the delegated administrative bodies, is responsible for drafting a report which certifies: a) the adequacy and effective application of the administrative and accounting procedures for the formation of the budgets and other financial communications; b) the conformity of accounting documents to international accounting standards; c) the correspondence of accounting documents to the findings of the books and records; d) the suitability of the financial reports in presenting a true and fair view of the financial position, results and cash flows of the companies included in the consolidation; e) the fact that the management report includes a reliable analysis of the operational results as well as of the situation of the company and the companies included in the consolidation, together with a description of the principal risks and uncertainties (Gasparri, 2013). It is further contemplated that the acts and communications of the company (provided that they have the twofold characteristic of being addressed to the market and of having as their sole object annual or interim accounting information, including data sheets) are always accompanied by a written declaration by the responsible officer, with which he attests to their correspondence to the documented results, books and accounting records (art. 154-bis, paragraph 2, law 58/1998). It is pointed out that such certification tasks do not result in an audit activity on documents prepared by other corporate bodies, as occurs for example for the statutory auditor or audit firm, but are substantiated in claims made by one of the subjects which contributes, in apical position, to their processing (Benvenuto, 2012).

Relations and Interaction Modes
As noted, the supervisory body in D.Lgs. no. 231/2001 is only sketched in a few key references, mainly on the basis of the objective assigned to it: the task of supervising the functioning and observance of the models and of caring for their updating. The regulation says nothing about how to coordinate the supervisory board with the different subjects having the task of vigilance, such as the board of statutory auditors, the auditor or audit firm, the internal audit, the responsible officer, etc. It is clear, then, that there may be an overlap of the different actors in the management of the same areas of risk and in carrying out checks on the same entity transactions (Pesenato & Barbacovi, 2012). For a consistent and effective performance of all its activities, the supervisory board should, in general, facilitate the flow of information on the part of the whole corporate structure, as well as set out in detail in the model a carefully coordinated flow of information with the corporate bodies, primarily the board of directors and the board of statutory auditors (if the latter does not itself perform the functions of the supervisory body).
With reference to the manager responsible for preparing corporate accounting documents, considering that corporate crimes are an area of risk pursuant to D.Lgs. no. 231/2001 and that the administrative and accounting procedures prepared pursuant to law 262/2005 represent a safeguard in the face of this risk, the supervisory board evaluates the adequacy of these procedures in relation to the model. To ensure constant alignment between the activities carried out, with respect for substantial reciprocal autonomy and different purposes, it is appropriate to provide, in the model or in the regulation of the body, for periodic meetings between the supervisory board and the manager in charge, as well as for the participation of the latter in the meetings of the supervisory board for the relevant matters. The competencies of the supervisory board, while being restricted to the context of supervision, necessarily intertwine with the work of the supervisory bodies and with the internal audit, which seems, therefore, to assume a liaison function between the supervisory board itself and the operational functions of the company, up to the board of directors. What we must avoid is the risk of duplication of the verification activities, which has as a consequence an obvious organizational and operational stress on the company (Allini, Manes Rossi, & Hussainey, 2016).
By virtue of the provisions of art. 5, D.Lgs. 231/2001, about the criteria for attributing responsibility to the institutions, it is believed that the accounting manager is particularly involved in the practical application of the rules and procedures foreseen in the field of administrative liability. He is the subject who, in some cases even before the administrators, has control of certain procedures and manages information relevant to the commission of the crimes foreseen by articles 25-ter and 25-sexies of D.Lgs. 231/2001. It should be highlighted that the responsible officer is located, together with the entire corporate management, in a top position with respect to which D.Lgs. 231/2001 operates if these subjects have committed the aforementioned offenses in the interests and for the benefit of the institution. It is clear that the responsible officer cannot be excluded, given the functions and powers attributed to him, from control by the supervisory board (Di Pietra, Grambovas, Raonic, & Riccaboni, 2008). For this reason, as said, there should be coordination and close collaboration with the supervisory body, which leads to participation in regular meetings convened by the body for the matters pertaining to the responsible officer. Organizational models should include among the activities at risk all those relating to the operating area of the responsible officer, evaluating the soundness of the procedures provided for the prevention of offenses arising from activities carried out by the responsible officer. The relationship between the board of statutory auditors and the responsible officer must be able to be expressed through the exercise of any power of inspection and information on the part of the board regarding the officer and, possibly, by means of a regular dialog between the two, whenever this proves necessary.

Conclusions
One should note the different wording provided respectively by art. 150 of law 58/1998, which concerns listed companies, and by art. 2403 of the civil code, which concerns unlisted ones. We have examined the regulatory data, distinguishing between the two regulations and recognizing a literal difference. No provision is made for the establishment of a compulsory system of internal controls for unlisted joint stock companies. As previously reported, for the majority of commentators this difference is unjustified; legislative action would be appropriate that takes into account the internal control system also for corporations that do not resort to the risk capital market. We would also emphasize, as already discussed, that the issuer has the task of coordinating the different actors in internal control to avoid a confusion of roles and to encourage, instead, synergies that will lead to a strengthening of the system (Dubis, Jain, Manchanda, & Thakkar, 2010; Gillan, 2006).
The coexistence of different bodies charged with control could give rise, paradoxically, to dangerous flaws in the efficiency and completeness of checks where the subject actually obliged wrongly considered its own supervisory activity to be the competence of others. A feeling of empowerment might even be considered probable if responsibility were divided and shared by too many subjects (Pesenato & Barbacovi, 2012). The various components must therefore be integrated within the system of controls to avoid this; otherwise, they end up safeguarding themselves, in this way coming up against inefficient overlapping and unnecessary duplication of activities. It is difficult to identify the relationships and duties belonging to each body, just as it is difficult to determine the content, the frequency and the type of information flows between the various subjects, all to the detriment of the impact and effectiveness of the checks. The Corporate Governance Code makes a significant contribution in this area by providing a first solution to the problems of overlapping and coordination that the grid of checks imposes. However, a substantial regulatory intervention in the area of internal controls would be advantageous, perhaps taking reference from self-regulation. The deficiency is really unjustified for listed companies, for which the discipline is quite scanty, and still more for unlisted joint stock companies, for which it is almost completely absent (Jan & Sangmi, 2016).
Considering the individual figures, and reflecting in particular on the safeguard provided by the internal audit, we can say that this institution is the hub around which the whole system of internal controls of the company rotates. However, the internal audit function needs to be well set up, to have the political recognition that it deserves and to be autonomous with respect to all operational areas subject to its control. In addition, it must have a structure which is appropriate to the conduct of delicate tasks, besides being technically equipped with all the necessary skills for a global control of the management. The compulsory introduction of a specific compliance function is not foreseen for companies, although this institution is spreading in a progressive manner. However, the joint stock companies, mostly large-sized, which have established this function or which deem it profitable to set it up, are left to themselves in defining the functional and organizational management of the activities in question, except for the possibility of referring to the special provisions (banking and insurance) or to international ones.
The literature has also discussed the opportunity to match the supervisory board with the board of auditors, and the nature of the relations between them (James, 2003). Surely it has to be considered that the board of auditors cannot ignore the effective implementation of Modello 231, in view of the concrete impossibility of separating the supervisory activity on the model itself from the larger supervision over the organizational, administrative and accounting structure for which the board is responsible. While the supervisory board is entitled to a more restricted control role (supervising the business processes of decision, execution and control of the several sensitive activities identified, in order to eliminate or limit the risk of the commission, in the company's interest or to its advantage, of a typical crime), the board of auditors is assigned a supervisory role over the wider management of the company, which operates to contrast lawlessness and is aimed at safeguarding multiple interests referring, from time to time, to the business partners, to creditors and to different stakeholders, up to the context of the general public and the protection of savings. The option to recognize the functions of the supervisory board does not seem very convincing in the literature.
In conclusion, the difficulties in the definition of the boundaries between the different roles and distinct activity plans will increase if we consider the task of certification awarded to the responsible officer. The fundamental operating task entrusted to the responsible officer, as specified, is the definition of adequate administrative and accounting procedures for the formation of the financial statements, the consolidated balance sheet and other financial communications (Perini, Rossi, & Rovetta, 2008). This activity forms part of the overall definition of the organizational, administrative and accounting structure of the company. It is therefore a task that belongs to the area of management of the company and falls within the exclusive competence of the administrators. These activities do not seem to exhaust the tasks under the responsibility of the responsible officer. He is also required to draft a report which certifies: the adequacy and effective application of the administrative and accounting procedures for the formation of the budgets and other financial communications; the compliance of financial reports with international accounting standards; the correspondence of accounting records to the books and accounting records; the suitability of the accounts in providing a true and fair view of the financial position, results and cash flows of the companies included in the consolidation (Montrone, 2000).
The certification required of the responsible officer is the final declaration of the work he brought into being. The issue of a certificate with the above content implies, therefore, the conduct of an upstream activity and does not end in the preparation of the administrative and accounting procedures. The problem becomes, at this point, what the nature is of the activity that constitutes the basis of the certification. This activity does not qualify as a control activity on documents predisposed by others, as mentioned; rather, these are statements made by one of the entities which contribute at the forefront to their processing. For this reason, it would be appropriate to limit the competences, in the field of procedures, of the officer responsible for drafting corporate accounting documents to the provision of adequate administrative and accounting procedures for the formation of the budgets, as part of the literature points out (Montalenti, 2013). At the same time, verification of the effective respect of the administrative and accounting procedures, today allocated to the responsible officer, would instead be attributed, in the context of control over compliance with internal procedures in the broad sense, to the person responsible for internal control (head of internal audit).