Next Article in Journal
Extending Approximate Bayesian Computation to Non-Linear Regression Models: The Case of Composite Distributions
Previous Article in Journal
The Asymmetric Effects of Geopolitical Risks on Vietnam’s Exports
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Risks
Volume 13
Issue 11
10.3390/risks13110219
risks-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Determinants of Internal Control System Effectiveness: Evidence from Greek Listed Companies

by
Vasileios Giannopoulos
1,*,
Antonios Lymperopoulos
1,
Spyridon Kariofyllas
1 and
Charalampos Kariofyllas
2
1
Department of Accounting and Finance, University of the Peloponnese, 24 100 Kalamata, Greece
2
Department of Management Science and Technology, University of the Peloponnese, 22 131 Tripoli, Greece
*
Author to whom correspondence should be addressed.
Risks 2025, 13(11), 219; https://doi.org/10.3390/risks13110219
Submission received: 4 September 2025 / Revised: 14 October 2025 / Accepted: 23 October 2025 / Published: 5 November 2025
Browse Figures
Versions Notes

Abstract

This paper examines the interrelationship between Corporate Governance (CG), Internal Control System (ICS), and Organizational Performance (OP), with a particular focus on the effectiveness of the ICS in relation to the quality of its components. Drawing on recent literature and empirical evidence, the study demonstrates that strong governance frameworks—characterized by board independence, effective audit committees, and proactive risk management—are closely linked to robust internal control environments. Together, these mechanisms enhance transparency, reduce risks, and foster stakeholder trust. The analysis further highlights that governance and internal control are evolving beyond compliance, increasingly serving as strategic levers for creating sustainable value. The findings underscore important implications for practitioners and policymakers. Organizations are encouraged to strengthen internal controls, invest in audit and risk management capacity, and embed ethical and sustainability considerations into governance structures. Regulators, in turn, should support frameworks that promote both accountability and innovation. Overall, the study contributes to a deeper understanding of how governance and control mechanisms can secure organizational resilience and drive long-term performance in a rapidly changing business environment.

1. Introduction

According to the principles of Corporate Governance (CG) of the Organization for Economic Co-operation and Development (OECD), CG involves a set of relationships between a company’s management, its shareholders, employees, and other stakeholders, and aims to create, sustain, and develop strong and competitive companies (Hellenic Corporate Governance Code—HCGC 2021).
The importance of CG for the credibility of listed companies trading on regulated markets is widely recognized. Good CG practices strengthen the confidence of shareholders in companies that have invested or intend to invest, as well as the credibility of the markets in which these companies operate (Directorate of Studies of the Hellenic Capital Market Commission 2019). Additionally, the adoption of CG best practices was intended to guide the operation of the Board of Directors (BoD) and ensure that decisions would protect the interests of shareholders and other stakeholders (Cullinan et al. 2016).
In accordance with the new legislative framework of CG in Greece, listed companies are required to adopt and implement an effective Internal Control System (ICS) that continuously covers all their activities.
The relationship between corporate governance, internal control, and organizational outcomes has been extensively examined in recent years, reflecting growing recognition of the interdependence between governance quality, control mechanisms, and performance. A recurring theme in the literature is that effective governance frameworks, reinforced by robust internal controls, enhance decision-making, improve the quality of financial reporting, and foster stakeholder trust.
Several studies emphasize the synergy between corporate governance and internal control systems. Z. Xu (2025) demonstrate that strong governance structures, coupled with effective internal control, contribute to superior Mergers and Acquisitions (M&A) outcomes, highlighting the strategic value of these mechanisms in complex transactions. Similarly, Al Astal et al. (2024) propose a strategic framework aligning risk management, board accountability, and control systems, underscoring their centrality in governance architectures. X. Xu (2024) complements this perspective by adopting an audit-centric view, showing that control maturity serves as a reliable predictor of governance robustness and compliance.
The literature also identifies the crucial role of audit committees and internal auditing in advancing governance and sustainability. Olteanu Burca et al. (2024) argue that active audit committee engagement improves Environmental, Social, and Governance (ESG) reporting and fosters stakeholder trust, while Pangastuti (2023) highlights the role of risk-based and ethics-driven audits in enforcing governance standards. Lenz and Chesshire (2023) extend this debate by reframing internal audit as “governance gardening,” a forward-looking and proactive process that cultivates ethical cultures and strategic foresight, rather than merely reactive compliance.
A growing body of research focuses on the impact of governance and control mechanisms on the quality of financial reporting. Akbar and Choiriah (2025) find that governance quality, internal control systems, and human resource competence jointly enhance reporting reliability, with internal control serving as a mediating variable. Hakimi et al. (2023) similarly conclude that integrated governance frameworks significantly reduce misstatements and increase financial credibility. These findings align with Djamshidovna (2025), who emphasize that auditing and internal controls not only enhance governance but also improve organizational performance and foster stakeholder confidence.
Beyond reporting quality, internal control and governance mechanisms are also closely linked to an enterprise’s financial performance. Hossain et al. (2025) demonstrate that internal audit effectiveness and board independence reduce non-performing loans in emerging economies, highlighting the role of governance in risk management. Alshaiti (2023) notes that information systems enhance the effectiveness of internal controls, thereby improving decision accuracy and overall firm performance. Likewise, Aguilera et al. (2023) highlight that in Taiwanese parastatals, maturity control supports ethical governance and curbs political interference.
Taken together, the literature underscores that internal control and governance mechanisms are mutually reinforcing, shaping not only organizational performance but also ethical accountability and stakeholder trust. However, the evolving emphasis on ESG, digital tools, and proactive audit practices suggests a paradigm shift: governance and control are increasingly seen not just as compliance safeguards but as strategic levers for sustainable value creation.
The purpose of this paper is to examine the effectiveness of the ICS in relation to the quality of its constituent elements, namely (a) Controls and Procedures (CP), (b) Internal Audit (IA), (c) Risk Management (RM) and (d) Compliance, based on the provisions of the new CG legislative framework in listed companies on the Athens Stock Exchange (ATHEX). For the identification and analysis of the factors that affect the quality of the constituent elements of the ICS, have been taken into account not only the provisions of the above legislation, but also the results of research from the international literature and articles, best practices such as the International Professional Practices Framework of the Institute of Internal Auditors (IIA’s IPPF) and the ICS framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), to make the research more complete.
The contribution of our research is significant, both in the scientific and business communities, because it is the first to examine the ICS of Greek listed companies as a whole, based on the new legislative framework of CG in Greece, in combination with those mentioned above, internationally recognized standards, and the results of domestic and international research. Also, the contribution of the work lies in studying the degree of compliance of Greek listed companies with the new CG framework and, by extension, the effectiveness of their ICS in protecting them from risks.
In continuation of this work, Section 2 presents recent developments in CG in Greece, and Section 3 provides an analysis of the literature review. In Section 4, we present the research methodology, which includes our empirical survey sample, data collection, and the proposed regression model. Section 5 presents the descriptive statistics of the survey, and Section 6 provides the empirical results. Finally, Section 7 presents the conclusion and outlines the expected future outcomes.

2. Legislative Framework of Corporate Governance in Greece

The new legislative framework of CG in Greece (Law 4706/2020—hereafter the Law—in application of Directive (EU) 2017/828 of the European Parliament and of the Council, measures for the implementation of Regulation (EU) 2017/1131 and the Decision 1/891/30.9.2020 of the Hellenic Capital Market Commission (HCMC) that followed as a result of the previous Law as provided for in Art. 14, para. 4 thereof), as well as Law 4548/2018—Law reform of Sociétés Anonymes (SAs) in Greece, form a more demanding framework than ever for SAs, especially for listed ones.
In particular, Art. 13, para. Article 1 of the Law provides that listed companies should adopt and implement a Corporate Governance System (CGS) in accordance with Articles 1–24 of the Law, taking into account the size, nature, scope, and complexity of their activities. The CGS should include at least the following: (a) an adequate and effective ICS, including RM and Compliance systems, (b) adequate and effective procedures to prevent, detect and remedy conflicts of interest situations, (c) adequate and effective communication mechanisms with shareholders to facilitate the exercise of their rights and active engagement shareholder and (d) remuneration policy, which contributes to the business strategy, long-term interests and sustainability of the company.
The previous CG framework in Greece, Law 3016/2002, was a significant policy measure aimed at enhancing the governance of listed companies on the ATHEX. This Law introduced provisions that further clarified the obligations and duties of the members of the Board of Directors (BoD), reorganized and rationalized the board’s structure and composition, and introduced the concept of an independent board member, along with the conditions of its independence. At the same time, they established the obligation to formulate and publish the remuneration policy for the members of the BoD, the Internal Rules of Procedure, and the obligations related to the European Union (EU), shareholder service, and corporate announcements. In addition, this Law introduced provisions on transparency and accountability regarding the use of funds raised in cases of share capital increase (Directorate of Studies of the HCMC, 2019).
Today, in Greece, the CG framework for companies with securities listed on a regulated market consists of, on one hand, the adoption of compulsory legal rules and, on the other hand, the application of CG principles, along with the adoption of best practices and recommendations through self-regulation. Specifically, it includes the Law, the decisions of the HCMC issued by delegation of the previous Law, specific provisions of Law 4548/2018 on public limited companies and authorities, as well as best practices and recommendations for self-regulation, which are incorporated into the present CG code (HCGC 2021).
The HCGC, as a self-regulatory text, is adopted based on the specific characteristics of the companies, their shareholding composition, and the criteria they choose, where appropriate. Moreover, the HCGC is applied based on the ‘Comply or Explain’ principle, does not replicate legislative provisions as its own, nor does it interpret the legislation. The primary objective of the HCGC is to create an accessible and understandable reference guide that codifies high-level requirements and corporate governance standards in a single text (HCGC 2021).
Lastly, the decision No.1/891/30.9.2020 of the BoD of the HCMC determines, as provided by Article 14, paragraph 4 of the Law, the time, the procedure, the periodicity, and any other specific issue necessary for the implementation of the evaluation of the ICS, as well as the characteristics concerning the persons who carry it out. In particular, the evaluation process of the ICS shall be carried out based on best international practices, to ensure the provisions of the ICS related to the above decision of the HCMC.

3. Literature Review

3.1. Internal Control System

The term “Internal Control” (IC) was first defined by the American Institute of Accountants in 1949. The Institute further refined this definition in 1958 and 1972. The definition offered was: “IC comprises the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies” (Heier et al. 2005).
Effective IC is one of the essential enablers for entities to grow with confidence and integrity in a multi-stakeholder world filled with volatility, uncertainty, disruption, and complexity. IC goes beyond statutory compliance requirements; it helps entities build trust, confidence, and a positive reputation in achieving strategic business outcomes. Entities’ operating models are being challenged. The need to be responsive to customer needs within shorter timeframes, combined with advances in technology and data, has given rise to innovative cultures and transformation initiatives (2022, IC and the Transformation of Entities, ACCA, IIA, IMA).
According to the Law the ICS is a subset of the CGS of a listed company and define as the set of IC mechanisms (controls) and procedures, including RM, IA and Compliance, which covers on an ongoing basis every activity of the company and contributes to its safe and effective operation (Law 4706/2020, Art. 2, para. 7). In addition, according to COSO framework, the ICS is a set of procedures, which are influenced by the BoD, the senior executive management and the rest of the staff of an organization, which are designed to provide reasonable assurance regarding the achievement of business objectives in the following categories: (a) Effectiveness and efficiency of business operations, (b) Reliability of financial reporting and (c) Compliance with Laws and regulations.
According to the COSO framework (COSO 2013), the effectiveness of an ICS depends on five interrelated components: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring Activities.
The COSO framework also has 17 principles. Generally, for internal controls to be adequate, these principles must be present, functioning, and integrated. Table 1 describes the COSO framework.
The Federation of European RM Associations and the European Confederation of IIA have published a three-line defense position paper to enhance understanding of CG, RM, and control by clarifying roles and duties. In 2020, IIA refined ‘The Three Lines’, which can be briefly described as follows.
The Three Lines Model enables organizations to identify structures and processes that best support the achievement of objectives and facilitate effective governance and risk management. The model applies to all organizations and is optimized by: (a) Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances, (b) Focusing on the contribution RM makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value, (c) Clearly understanding the roles and responsibilities represented in the model and the relationships among them and (d) Implementing measures to ensure activities and objectives are aligned with the prioritized interests of stakeholders.
Management’s responsibility to achieve organizational objectives encompasses both first- and second-line roles. First-line roles are most directly aligned with delivering products and/or services to the organization’s clients and include roles within support functions. Second-line roles assist with managing risk.
Internal Audit (IA—third line role) provides independent and objective assurance and advice on the adequacy and effectiveness of governance and RM. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It reports its findings to management and the governing body to promote and facilitate continuous improvement. In doing so, it may consider assurance from other internal and external providers.
Above these three lines is the organization’s governing body. The governing body typically sets the direction of the organization by defining the vision, mission, values, and organizational appetite for risk. It then delegates responsibility for achieving the organization’s objectives to management, along with the necessary resources and support. The governing body receives reports from management on planned, actual, and expected outcomes, as well as reports on risk and its management.
In Greece, research for the ICS is limited. Our study identifies articles published in foreign journals after searching well-known online search engines and scientific networks (such as ResearchGate, Google Scholar, SSRN, Elsevier, Springer, etc.), as well as three dissertations from the National Archive of Doctoral Dissertations. These studies exploring the ICS are mainly based on the COSO framework and concern specific business sectors (such as the Hotel sector). At the same time, they refer to an earlier legislative framework (such as Law 3016/2002). Moreover, the current literature related to the present proceedings primarily concerns the CG and the quality of individual components of the ICS, with a focus on the IA and the RM. At the same time, no studies have been found on the quality of Compliance in enterprises, especially outside the banking sector.
In his thesis, Koutoupis (2009) explored the impact of the CG on the ICS and the activities of the IA on Greek listed companies, and through which the urgent need to adopt optimal international standards in combination with the regulatory framework was extracted, both in CG and in the management of business risks, ICSs, and their procedures.
Drogalas (2010) investigated, in his dissertation, the application and contribution of ICS to companies in the hotel industry operating in Greece, distinguishing between companies that apply ICS and those that do not. In addition, when selecting companies to participate in the survey, the criteria used included turnover, profit and loss account, total assets, total equity, and number of employees. The processed data were collected using two methodological approaches: one for data extracted from financial statements and the other for data collected through questionnaires. The conclusions were the following: (1) the contribution of the ICS, as long as it remains and is applied to the hotel business, increases over time, (2) the ICS of the hotel businesses, while operating at a reasonably satisfactory level, presents sectors with room for improvement, and (3) the added value that comes from the ICS is great.
Koutoupis and Pappa (2018) depict and evaluate the existing structure of CG, highlighting the connection between CG and the functioning of IA and management practices. For the conducted research, a descriptive research analysis was adopted using a quantitative approach with a sample of listed companies on the ATHEX for the year 2016. The methodological research tool was based on the COSO Integrated Framework (COSO 2013). The paper concludes that CG leads to administrative excellence and effective governance due to IA processes, RM, Controls and Procedures, Information and Communication, and Monitoring activities.
In the international literature, we found several articles on the ICS and its interactions with its components or with the CGS in general.
Rae et al. (2017) examined the relationship between COSO components and how the monitoring function of organizations is affected by them. They point out an association between the control environment and three dimensions of information and communication. In addition, two dimensions of information and communication are associated with RM. Finally, an indirect association between control environment and RM is also indicated through the associations among the three dimensions of information and communication.
Lai et al. (2017) examine the correlation between internal control weaknesses and firm performance, as outlined in the COSO framework. The authors utilized secondary data on firms active in the U.S. stock market from 2004 to 2007. According to the findings, the control environment, information technology, accounting policies, procedures, and documentation, along with control design, significantly impact a firm’s performance.
According to the ACCA, IIA, and IMA (2022) report on IC and the transformation of entities, the results indicate that to support business transformation and increase enterprise value, IC must continually transform to remain fit for purpose in a digital and disruptive environment. This transformation requires training and upskilling.

3.2. Controls and Procedures

Control mechanisms are actions (generally described in policies, procedures, and standards) that help management mitigate risks to ensure the achievement of its set goals. Control mechanisms can be of a nature: (a) preventive, (b) detective, and (c) corrective of risks, and can be carried out at all levels of the organization (COSO Integrated Framework 2013).
The IA activity must assist the organization in maintaining adequate controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (IPPF 2130-Control 2017). The IA activity must assess the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the: (a) achievement of the objectives of the organization, (b) reliability and integrity of financial and operational information, (c) effectiveness and efficiency of operations and programs, (d) safeguarding of assets and (e) compliance with laws, regulations, policies, procedures, and contracts (IPPF 2130.A1 2017).
Koutoupis and Pappa (2018) investigated the association between IA and the ICS in their study, concluding that all elements of the ICS are essential. Still, a combination of them leads to administrative excellence and effective governance. The environmental control element is the foundation of the ICS, fostering an ethical climate (tone at the top) within the organization and providing policies, procedures, discipline, structure, and integrity. Additionally, the organization inevitably faces various levels of risk. The managers of the organization that performs an effective risk assessment mechanism focus on identifying specific risk-based factors (internal and external) and defining and monitoring stable preventive actions. In addition, the flow of adequate information, at all levels of management regarding internal controls, facilitates communication and ensures effective decision-making.
According to ACCA (2022), IC should have the following objectives:
(a)
Efficient business conduct: Controls should be in place to ensure that processes flow smoothly and operations are free from disruptions. This mitigates against the risk of inefficiencies and threats to the creation of value in the organization.
(b)
Safeguarding assets: Controls should be in place to ensure that assets are deployed for their proper purposes and are not vulnerable to misuse or theft.
(c)
Preventing and detecting fraud and other unlawful acts: Even small businesses with simple organizational structures may fall victim to these violations. However, as organizations increase in size and complexity, the nature of fraudulent practices becomes more diverse, and controls must be capable of addressing these evolving threats.
(d)
Completeness and accuracy of financial records: An organization cannot produce accurate financial statements if its financial records are unreliable.
(e)
Timely preparation of financial statements: Organizations should be able to fulfill their legal obligations to submit their account accurately and on time. They also have a duty to their shareholders to produce meaningful statements. Internal controls may also be applied to management accounting processes, which are necessary for effective strategic planning, decision-making, and monitoring of organizational performance.
According to the above, the first research hypothesis can be developed as follows:
H1: 
The quality of the Controls and Procedures has a positive effect on the effectiveness of the Internal Control System.

3.3. Risk Management

Risk is defined as “the probability that events will occur that will affect the achievement of the strategy and business goals.” The risks considered in this definition include those related to all business objectives, including Compliance. Compliance risks are the risks associated with possible violations of applicable laws, regulations, contractual terms, standards, or internal policies, when such violations could lead to direct or indirect financial liability, civil or criminal sanctions, regulatory sanctions, or other negative consequences for the organization or its staff (COSO-ERM Framework 2020).
According to the IPPF Standard 2120—Risk Management (IPPF 2019), the internal audit activity must evaluate the effectiveness and contribute to the improvement of RM processes.
Determining whether RM processes are effective is a judgment resulting from the internal auditor’s assessment that: (a) Organizational objectives support and align with the organization’s mission, (b) Significant risks are identified and assessed, (c) Appropriate risk responses are selected that align risks with the organization’s risk appetite, (d) Relevant risk information is captured and communicated promptly across the organization, enabling staff, management, and the board to carry out their responsibilities.
According to Fourie and Ackerman (2013), numerous changes to laws and to business conditions have increased the levels of accountability and responsibility for the entity’s well-being required from the BoD. This translates into pressure that extends from the BoD to the audit committee and to management. Management is necessary to design, implement, and maintain internal controls to manage the risks faced by the business, highlighting the importance of management’s accountability role. IC, therefore, plays an essential role in any organization. For them, however, without a balancing authority, management’s controls could be biased and weak, thus allowing personal gain and other non-business interests to take root. Internal Auditors play a key balancing role in this area, independently assessing the efficiency and effectiveness of the IC implemented by management.
The need to integrate the IC and RM was analyzed by Pang and Li (2013). They stated that to ensure the effectiveness and efficiency of company operations, reliable financial reporting, adherence to the Law, and a sound internal system are required. Additionally, they further argued that IC is only a function of management, which helps to control the pre- and post-business objectives. Meanwhile, RM has undergone all aspects of the management process, including pre- and post-control, and full consideration is given when risk occurs during the process. Moreover, RM has more objectives to be achieved than IC. They finally argued that internal control and RM should be organically integrated, as this will help achieve the best effects.
Ahmad et al. (2015) examine the level of RM and IC disclosures among Malaysian listed companies. From the findings, it has been observed that most publicly listed companies in Malaysia communicate their RM and IC to shareholders and stakeholders, reflecting a high level of compliance among these companies. The second objective of this study is to investigate the relationship between board characteristics and RM and IC among publicly listed companies in Malaysia. The results reveal a significant and positive relationship between independent non-executive directors and the BoD, on one hand, and financial literacy and RM disclosure levels, on the other. However, female directors had a weak and insignificant relationship with the RM and IC disclosure level.
Drogalas et al. (2017) aim to analyze specific factors related to effective RM. For the survey, primary data were selected using questionnaires distributed to the employees of the listed firms on the ATHEX. Multiple regression analysis was conducted to examine the relationship between effective RM, risk-based IA, internal auditors’ involvement in RM, and top management support. The paper’s findings demonstrate that the above factors contribute positively to effective RM.
Building on the above, the following research hypothesis is developed:
H2: 
The quality of Risk Management has a positive effect on the effectiveness of the Internal Control System.

3.4. Internal Audit

Research in the field of IA has focused mainly on measuring its quality and effectiveness through the creation of indicators like the IAFQ—Internal Audit Function Quality (Prawitt et al. 2009; Johl et al. 2013; Regoliosi and d’Eri 2014; Jiang et al. 2017; Vadasi 2018). Additionally, academic research has explored various approaches to measuring the effectiveness of IA and defining the concept of “Internal Audit Quality”. Due to the intangible nature of the IA function, it is difficult for an organization to evaluate the quality of IA and measure the contribution of audit services to a company (Regoliosi and d’Eri 2014).
Karagiorgos et al. (2011) investigated the effectiveness of IA using questionnaires from 52 large hotels in Greece. The effectiveness assessment criteria were selected in accordance with the COSO framework. According to the results, all components of the ICS received a high score, with the Control Environment receiving the highest (4.03/5) and the monitoring receiving the lowest (3.70/5). Overall, the results underscore the pivotal role of all components of the ICS in the success of Greek hotels.
The implementation of new rules and regulations concerning IA, the evolution of new technologies, the economic crisis, and the need for more intensive and continuous auditing by companies have resulted in many changes, not only in the process of IA but also in the role of internal auditors and the general scope of IA (Bekiaris et al. 2013).
Drogalas et al. (2015) investigated the factors influencing the effectiveness of IA in the Greek business environment. Research has shown that the main factors influencing the effectiveness of IA are the suitability of the IA team, the independence of the IA, and the support of senior management. Furthermore, the results of this work indicate that the independence of the IA is the foundation of its effectiveness.
Vadasi (2018), in her thesis, examined a two-way interaction of IA with CG, based on the Agency Theory (Jensen and Meckling 1976), on which a significant number of studies on the size, role, and specific characteristics of the IA are based (Cohen et al. 2002; Paape et al. 2003; Goodwin-Stewart and Kent 2006; Christopher et al. 2009; Sarens and Abdolmohammadi 2011; Regoliosi and d’Eri 2014). In this thesis, demographic characteristics, along with corporate data on activity, company, and the operation of the IA, were collected through a questionnaire and used as data. Based on the international literature, the IPPF, and the previous regulatory framework (Law 3016/2002, Law 3693/2008, HCCG (2013), Law 4449/2017), a quality measurement indicator for the operation of the IA was developed.
Oussii and Taktak (2018) investigate the association between internal audit function (IAF) characteristics and the quality of internal control. The study’s findings reveal that internal control quality is significantly and positively associated with IAF competence, the level of internal audit quality control assurance, the follow-up process, and the audit committee’s involvement in reviewing the internal audit program and results.
Chang et al. (2019) examine the association between IAF quality and internal control deficiencies in operations and compliance. The results suggest that a larger internal audit team can enhance internal audit performance for both operations and compliance. In contrast, internal auditor competence is positively associated with the effectiveness of internal control over compliance, but not operations.
According to the above, the third research hypothesis could be as follows:
H3: 
The quality of the Internal Audit has a positive effect on the effectiveness of the Internal Control System.

3.5. Compliance

Compliance is the new CG. The Compliance function is the means by which firms adapt behavior to legal, regulatory, and social norms. Formerly, this might have been conceived as a typical governance matter to be handled at the discretion of the board of directors. Compliance, however, does not fit traditional models of CG. It does not come from the BoD, state corporate Law, or federal securities Law. Compliance amounts to an internal governance structure imposed upon the firm from the outside, by enforcement agents. This insight has important implications, both practical and theoretical, for corporate Law and CG. Compliance establishes internal mechanisms to prevent and detect violations of Law and regulation. Compliance officers thus build and administer programs to prevent money laundering, bribery, and fraud. However, the scope of compliance extends beyond the enforcement of Law and regulation. Compliance officers also administer corporate “ethics” policies on a wide variety of subjects. Other soft standards, such as “reputation risk,” also fall within the ambit of the contemporary compliance function (Griffith 2016).
Although the most extensive statutory, regulatory, and non-regulatory guidance on Compliance & Ethics (C&E) programs has emanated from the U.S., many other countries have issued various forms of requirements for and guidance on C&E programs. In some instances, guidance on C&E programs outside the U.S. is limited in application to specific areas of the Law, such as bribery and corruption or antitrust/competition. In others, it is broader, as in the U.S., and applicable to many areas of the Law. Much of the guidance issued globally mirrors many of the concepts and elements described in the USSG.
A sampling of guidance from outside the U.S. reveals a broadly consistent picture of what regulators expect from C&E programs. For example, the United Kingdom’s Ministry of Justice has provided guidance on the Bribery Act 2010, outlining procedures that commercial organizations can implement to minimize the risk of bribery. Those procedures are summarized into the following six principles, which closely align with the USSG: (a) Proportionate procedures, (b) Top-level commitment, (c) Risk assessment, (d) Due diligence, (e) Communication (including training), and (f) Monitoring and review.
Guidance has also been issued by the International Organization for Standardization (ISO) in the form of the ISO 37001 Anti-bribery Management Systems standard. Beyond bribery, ISO has also issued guidance on compliance management systems more broadly, in the form of ISO 19600:2014. Most recently, ISO/DIS 37301 was proposed in 2020 to replace ISO 19600. A variety of other legal and regulatory developments, which do not directly reference C&E programs, nonetheless affect them. For example, the 2019 EU regulations, which aim to provide new protections for whistleblowers, support a critical element of an effective C&E program. Similarly, data protection and privacy laws commonly differ from one country to another, but frequently have direct or indirect effects on C&E programs.
COSO defines IC in Integrated Framework (2013) and Enterprise Risk Management—Integrating with Strategy and Performance (2017) as follows: “A process, effected by an entity’s BoD, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”. As this definition clearly points out, IC is not solely about accounting and financial matters. Compliance with laws and regulations is one of the three fundamental objectives of an organization’s system of IC (COSO ERM Framework 2020). Thus, the last research hypothesis of our study is:
H4: 
The quality of Compliance has a positive effect on the effectiveness of the Internal Control System.
Although the literature on internal control systems (ICS), corporate governance (CG), and related functions (internal audit, risk management, compliance) is abundant, much of it remains descriptive and fragmented. Two recurring strengths in the literature are (1) robust conceptual grounding in COSO/IPPF frameworks and (2) repeated empirical confirmation that audit committees and internal audit matter for reporting quality. However, closer inspection reveals several systematic weaknesses that constrain cumulative knowledge and policy relevance.
First, many empirical studies use single-country or single-sector samples (e.g., the hotel sector or country-specific theses), which limits their external validity. Second, a substantial share of prior research relies on cross-sectional self-report surveys, which are predominantly completed by internal auditors or audit managers, raising concerns about common-method and perspective bias. Third, measurement practices are inconsistent: some studies build short scales without reporting full psychometric validation, or they omit reliability and distributional diagnostics, which weakens confidence in construct validity (an issue directly mirrored by the weak RMQ alpha and CPQ kurtosis we observe). Fourth, the literature frequently focuses on the presence/structure of functions (existence of IA/RM/Compliance) rather than on operational characteristics that drive effectiveness—e.g., staffing adequacy, segregation of duties, continuity, and integration with strategy. Finally, longitudinal and objective-outcome studies (linking ICS measures to restatements, loss events, or financial performance) are scarce, which limits the ability to make causal inferences. Table 2 presents a summary of key empirical studies.
This study addresses these gaps by: (a) explicitly mapping Greek regulatory requirements (Law 4706/2020 and HCGC 2021) to the COSO/IPPF constructs, (b) measuring operational features of the ICS (including IA staffing levels and independence), and (c) transparently reporting scale reliability and distributional diagnostics (and discussing their implications). While still cross-sectional, the study strengthens internal validity by using complementary estimators (GLMM and Ridge) and by documenting sample composition (notably the high share of internal-audit respondents), thus enabling more guarded, context-aware inferences and more precise directions for future longitudinal and multi-stakeholder research.
Figure 1 illustrates the interconnection of the IPPF and COSO components, along with the adaptations of Greek legislation and their connection to the variables of this research. Appendix A and Appendix B provide a detailed presentation of the above interconnections.

4. Research Methodology

4.1. Sample

For the conduct of our empirical research, only private listed companies on the ATHEX’s Main Market were selected, and those from the financial sector were excluded, as the CGS they apply is strictly regulated (Regoliosi and d’Eri 2014; Vadasi et al. 2021). Additionally, we exclude companies in the public sector and listed non-convertible corporate bonds from this empirical research. In particular, our sample is analyzed as shown in Table 3.
The empirical survey targeted all private companies listed on the Athens Stock Exchange (ATHEX) Main Market, excluding entities in the financial sector due to their distinct regulatory framework and stricter governance obligations. The initial research population consisted of 121 eligible firms, after excluding eight suspended entities and 28 financial, bond-listed, or public-sector companies. Of these, 118 questionnaires were successfully distributed via email, and 51 responses were received, corresponding to a response rate of 43.2%. Following screening for completeness and validity, two responses were excluded due to missing or inconsistent data, resulting in a final sample of 49 valid observations.
The relatively high response rate for corporate governance research in Greece reflects the growing importance of internal control compliance and awareness among listed firms. Nevertheless, certain limitations should be acknowledged. Non-participation may be linked to factors such as a lack of dedicated internal audit staff, time constraints, or sensitivity surrounding internal control disclosures. To assess the risk of non-response bias, early and late respondents were compared on key firm characteristics (sector, size, and ICS effectiveness). No statistically significant differences were observed (p > 0.10), suggesting that late responses did not differ systematically from early ones, and that non-response bias is unlikely to affect the findings materially.
Exclusions were made to enhance the homogeneity and comparability of the sample. Financial institutions and public-sector firms were excluded due to their specific regulatory supervision (e.g., the Bank of Greece, the Hellenic Accounting and Auditing Oversight Board) and mandatory adherence to sectoral internal control frameworks. Similarly, companies under suspension were excluded because their governance and reporting mechanisms were not active at the time of data collection. These criteria ensured that the analysis focused exclusively on private listed companies operating under Law 4706/2020, thereby enhancing the study’s internal validity and relevance to the Greek corporate governance environment.

4.2. Data Collection

The methodology of our empirical research is based on both published and unpublished data. The published data were extracted from the official websites of the listed companies, the ATHEX website, and the companies’ internet publications (e.g., financial information pages). In contrast, the unpublished ones were drawn from an empirical survey conducted from 29 April 2022 to 13 July 2022. A questionnaire was sent to the official email of each listed company or to the email of executives using a “Google Forms” questionnaire form, and anonymous responses were received.
In our research, we follow the methodological steps of previous studies (Vadasi 2018; Van Der Nest et al. 2017; Drogalas et al. 2015, 2017; Karagiorgos et al. 2011; Paape et al. 2003). We send questionnaires to Chief Audit Executives, Chief Compliance Officers, Chief Risk Officers, and Internal Auditors. Questionnaire-based research is considered the most appropriate method for searching for information that is not publicly available, as it facilitates the rapid collection of data. Responses are usually anonymous, which encourages transparency and honesty (Karagiorgos et al. 2011; Drogalas and Siopi 2017; Koutoupis and Pappa 2018).
The questions in our empirical research questionnaire are considered the most relevant and essential to the study’s subject, based on research hypotheses, current Greek legislation, international standards, and international literature/articles. The questionnaire is structured as follows:
  • A section of 3 questions for the characteristics of the listed company.
  • A section of 7 questions for the demographic characteristics of the respondent executive.
  • A section of 6 questions for the attributes of the BoD of the listed company.
  • A section of 47 questions for the ICS of the listed company is analyzed as follows: 5 questions for the effectiveness of the Internal Control System (ICS), 9 questions for the quality of Controls and Procedures (CP), 12 questions for the quality of Internal Audit (IA), 10 questions for the quality of Compliance, 11 questions for the quality of RM.
The questions on the questionnaire are in multiple-choice, short-answer (qualitative or quantitative), and Likert scale formats (ranging from 1: Not at all to 5: Absolutely). To create the variables used in the functions presented below, questions were formulated in Likert scale format (ranging from 1: Not at all to 5: Absolutely). Specifically, 5 questions were used to calculate the “Internal Control System Effectiveness” (ICSE) variable, 3 questions were used to calculate the “Controls and Procedures Quality” (CPQ) variable, 3 questions were used to calculate the “Risk Management Quality” (RMQ) variable, 5 questions were used to calculate the “Internal Audit Quality” (IAQ) variable. Finally, 4 questions were used to calculate the “Compliance Quality” (CQ) variable. Table 4 presents the questions per variable.

4.3. Variables and Models

Based on the definition of the CG legislation in Greece and taking into consideration all the above-mentioned literature review, the constituent elements of the ICS are the following: (a) Controls and Procedures (CP), (b) Risk Management (RM), (c) Internal Audit (IA), and (d) Compliance. Therefore, these are the fundamental pillars for implementing and operating an Internal Control System (ICS) within an entity.
To assess the determinants of Internal Control System effectiveness (ICSE), we employed a Generalized Linear Mixed Model (GLMM), an Ordinary Least Squares (OLS) Ridge Regression, and a Partial Least Squares Regression (PLS). These models were selected to ensure robustness and address potential issues of multicollinearity, non-normality, and small sample size. The GLMM framework allows for the inclusion of both fixed and random effects, enabling control for unobserved heterogeneity across respondents. In contrast, Ridge Regression introduces a penalization term that stabilizes coefficient estimates in the presence of correlated predictors. Finally, PLS is more appropriate for latent variables with small sample sizes.
In particular, the proposed model is the following:
I C S E i = β 0 + β 1 C P Q i + β 2 R M Q i + β 3 I A Q i + β 4 C Q i + γ 1 M u l t i i + γ 2 S i z e i + γ 3 G e n d e r i + γ 4 A g e i + u i + ε i
where ICSE: Internal Control System Effectiveness, CPQ: Controls and Procedures Quality, RMQ: Risk Management Quality, IAQ: Internal Audit Quality, CQ: Compliance Quality, and βi are the coefficients, as random effects we use the dummy variable “Multi” which takes the value 0 if the company operates only within Greece and the value 1 if it operates internationally, the variable “Size” which takes values from 1 to 4 depending on the number of employees working in the company, the variable “Gender” which takes the value 0 if the respondent is male and the value 1 if they are female, and the variable “Age” which takes values from 1 to 4 depending on the age category of the respondent. The term ui denotes random effects capturing unobserved firm-level variance, and εi is the residual error term.
Each composite index (ICSE, CPQ, RMQ, IAQ, and CQ) was constructed as the arithmetic mean of the items derived from corresponding Likert-scale questions (1 = Not at all, 5 = Absolutely). This approach aligns with the standard practice in governance and internal control research (e.g., Vadasi 2018; Drogalas et al. 2017).
Table 5 presents an explanation of the variables, dimensions, indicators, and reference sources.
The combination of GLMM, Ridge Regression, and PLS provides complementary analytical strengths. The GLMM accounts for random variation across respondents, improving estimation efficiency under non-normal conditions, while Ridge Regression mitigates multicollinearity arising from potential correlations among IC components. Collectively, these techniques enhance the robustness and interpretability of the estimated effects of IC determinants on overall system effectiveness.

5. Descriptive Statistics

Table 6 presents general information about the participating companies and respondents, including their operating sector, number of employees, and the respondent’s position within the company.
According to Table 6, most companies participating in the survey engage in both industrial and commercial activities, at a rate of 57.40%. A significant rate of 20.41% affects businesses in the service sector, while companies in the construction and technology/telecommunications industries are impacted at rates of 10.20% each. The rest deals with the fuel/energy sector. Regarding company employees, the 44.90% figure refers to companies with more than 251 staff, while the 28.57% percentage pertains to companies that employ between 101 and 250 employees. Cumulatively, 73.47%. This is followed by the rate of 20.41% concerning businesses with up to 50 employees. The rest is about companies with staff between 51 and 100. This result can be explained, as the sample consisted of listed companies on the ATHEX. Regarding the respondent’s position in the company, most (65.31%) are Heads of Internal Audit, and 26.35% are Internal Auditors. In total, 91.84% of the respondents are involved in IA activities.
This result is connected to the following findings, which concern the independence or coexistence of the IA unit, the RM unit, and the Compliance unit in the listed companies, as well as their staffing arrangements. In particular, these results are presented in Table 7.
Regarding the results of the survey in Table 7, the IA unit accounts for the majority (85.71%) of the sample, as an independent activity, as stipulated in the provisions of the Law and the IPPF. The listed companies on ATHEX comply with the Greek CG framework and the IPPF standards. On the contrary, RM operates as an independent unit in only 38.78% of the sample and in 36.73% of the total, co-existing with other units such as Compliance (20.41% of the sample), IA (20.41%), and other organizational units, i.e., the Finance Division (4.08%). In two cases (4.08%), respondents mentioned that the RM functions as a risk committee made up of company executives. In one case, the role of the RM unit is played by the Information Security unit. The results of Compliance are similar, with 36.73% of the responses indicating that it is a purely independent unit. A significant percentage of 28.57% states that the Compliance unit is not independent, while 20.41% commented that Compliance co-exists with RM. In one case (2.04%), it was stated that Compliance co-exists with IA, and similarly, in another case, it was noted that Compliance co-exists with Legal Services. Lastly, 10.20% of the sample responded that Compliance does not exist at all.
It is found that most of the sample consists of IA, RM, and Compliance units, which indicates that Greek listed companies broadly apply the new CG legislation and international best practices. Clearly, a well-organized ICS means that, in addition to the IA, Compliance and RM should exist and operate independently of each other. Moreover, Compliance and RM in the 3 lines role model are part of the second line of roles and should work closely together, especially on compliance and fraud RM. However, units of the second and third line of roles (IA) should not co-exist, because this catalyzes the independence of IA and thus decisively weakens the effectiveness of the ICS. Additionally, according to Greek CG legislation, IA must be an independent unit. At the same time, RM and Compliance are referred to as committees or units or services or the staff to which these responsibilities have been assigned (HCMC, Dec. 1/891/30.9/2020), without stating that they must be independent of each other, but only of the business sectors they audit (Law 4706/2020, Art.4, para.3).
According to Figure 2, in the majority of companies in our sample (59.18%), the IA unit consists of a single member (more details about the members of the IA are presented in Appendix B, Table A3). However, considering the results of Table 4 regarding the number of employees at each company, we find that 22 out of 49 companies employ over 251 employees, and 14 companies employ between 101 and 250 employees. Taking into account these results and the provision of the Law (Art. 16, para. 1), which states that the number of IA members is proportional to the size of the company and the number of employees, it is found that IA units of the responding companies do not have the appropriate number of members. This fact raises questions about the effectiveness of IA and the ICS of these companies in general. As a result, the majority of companies in our sample need to increase the number of internal auditors to enhance their effectiveness. Sarens and Abdolmohammadi (2011) reached the same conclusion: a high ratio of auditors to the total number of employees in the organization appears to be a crucial indicator.
In Appendix B, Table A4, we present the results of the research on the characteristics of the BoD and compliance with the Law. The results show that listed companies comply with the CG legislative framework and Law 4548/2018 (the Law reform of SA) and have the appropriate structure. In particular, the BoD has between 3 and 15 members (column “a”) in all cases, and the proportion of independent non-executive members is at least 1/3 of the BoD members. In any case, greater than 2 (columns “d”, “a*1/3”, “e”, “d–e”) and the proportion by gender is at least 25% (columns “b”, “f”, “b–g”).

6. Empirical Results

Table 8 presents the descriptive statistics of the survey on factors contributing to Internal Control System Effectiveness (ICSE), including the mean, median, standard deviation, skewness, and kurtosis. Skewness (γ1) measures the degree of asymmetry in a probability distribution, where values close to zero indicate approximate symmetry, positive values suggest a longer right tail, and negative values indicate a longer left tail. Kurtosis (γ2) assesses the weight of the distributional tails relative to the normal distribution, with a reference value of 3 denoting mesokurtosis (normal distribution), values greater than 3 indicating leptokurtosis (heavy tails and sharper peak), and values less than 3 indicating platykurtosis (light tails and flatter peak). The results suggest that, overall, respondents perceive their organizations as largely adopting practices that strengthen ICSE (ICSE_ave mean = 3.96/5.00). The highest mean score is associated with the item “The Internal Audit Unit monitors the ICS and provides objective assurance regarding its effective operation (ICSE_3)” (mean = 4.20/5.00).
In contrast, the lowest mean score corresponds to “The Risk Management Unit effectively implements risk assessment, risk response, and risk monitoring procedures (ICSE_5)” (mean = 3.84/5.00). All items exhibit negative skewness, indicating that the distributions are skewed to the left, with relatively longer or heavier left tails and a concentration of responses at the higher end of the scale. Kurtosis values range from 1.62 to 3.81, with the composite ICSE_ave displaying a kurtosis of 3.085, a value close to the standard benchmark of 3. This indicates a mesokurtic distribution, implying that the overall ICSE_ave has tail thickness and peak sharpness broadly consistent with those of a normal distribution.
Table 9 reports the descriptive statistics for the quality factors of Controls and Procedures (CPQ). Overall, respondents evaluate the quality of controls and procedures in their organizations as relatively high (CPQ_ave mean = 4.01/5.00). The highest mean score is associated with the item “To what extent do you consider that the Internal Audit Unit effectively supervises risk management procedures and controls, thereby contributing to their improvement? (CPQ_3)” (mean = 4.20/5.00). In contrast, the lowest mean score corresponds to the item “To what extent do you consider that controls and procedures help limit risks to levels acceptable to the company? (CPQ_2)” (mean = 3.90/5.00). All items exhibit negative skewness, indicating that the distributions are left-skewed, with relatively longer or heavier left tails and a concentration of responses toward higher values on the scale. Kurtosis values are consistently high, with the aggregate CPQ_ave reaching 7.07, substantially above the reference value of 3. This result indicates a leptokurtic distribution, characterized by heavier tails and a sharper central peak compared to the normal distribution, thereby reflecting the presence of more extreme observations (outliers).
Table 10 reports the descriptive statistics for the quality factors of Risk Management (RMQ). Overall, respondents evaluate the quality of Risk Management in their organizations as moderate to high (RMQ_ave mean = 3.76/5.00). The highest mean score is associated with the item “To what extent do you assess that the size, complexity, and nature of your company’s activities affect the quality of the Risk Management work? (RMQ_2)” (mean = 3.90/5.00). In contrast, the lowest mean score corresponds to the item “How effective do you assess the oversight of Risk Management to be? (RMQ_1)” (mean = 3.65/5.00). All items exhibit negative skewness, indicating that the distributions are left-skewed, with relatively longer or heavier left tails and a concentration of responses toward higher values on the scale. Kurtosis value of CPQ_ave is consistently high (6.069), substantially above the reference value of 3. This result indicates a leptokurtic distribution, characterized by heavier tails and a sharper central peak compared to the normal distribution, thereby reflecting the presence of more extreme observations (outliers).
Table 11 presents the descriptive statistics of the survey regarding the factors contributing to Internal Audit Quality (IAQ), including the mean, median, standard deviation, skewness, and kurtosis. Overall, the findings indicate that respondents perceive the quality of Internal Audit in their organizations as relatively high (IAQ_ave mean = 3.99/5.00). The highest mean score is observed for the item “To what extent do you consider that Internal Audit has access to the required sources of information? (IAQ_2)” (mean = 4.41/5.00). In contrast, the lowest mean score is associated with “To what extent do you believe Internal Audit will become more effective as a result of the mandatory external evaluation of the ICS (HCMC Dec. No 1/891/30.09.2020)? (IAQ_5)” (mean = 3.71/5.00). All items exhibit negative skewness, suggesting left-skewed distributions, characterized by longer or heavier left tails and a concentration of responses toward the higher end of the scale. Kurtosis values range from 0.31 to 5.09, while the composite IAQ_ave exhibits a kurtosis of 1.834, which is below the mesokurtic benchmark of 3. This result indicates a platykurtic distribution, characterized by lighter tails and a flatter peak relative to the normal distribution, implying a lower frequency of extreme values.
Table 12 reports the descriptive statistics for the factors of Compliance Quality (CQ). Overall, respondents evaluate the quality of Compliance in their organizations as moderate to high (CQ_ave mean = 3.74/5.00). The highest mean score is associated with the item “To what extent do you estimate that Compliance has access to the required sources of information? (CQ_2)” (mean = 3.96/5.00). In contrast, the lowest mean score corresponds to the item “How effective do you think Compliance supervision is? (CQ_1)” (mean = 3.55/5.00). All items exhibit negative skewness, indicating that the distributions are left-skewed, with relatively longer or heavier left tails and a concentration of responses toward higher values on the scale. Kurtosis value of CQ_ave is consistently high (4.984), substantially above the reference value of 3. This result indicates a leptokurtic distribution, characterized by heavier tails and a sharper central peak compared to the normal distribution, thereby reflecting the presence of more extreme observations (outliers).
Before we began the reliability analysis, we used Harman’s Single Factor Test to detect Common Method Bias, a type of systematic error that occurs when the same measurement method is used for all variables. We found that a single factor in the unrotated solution accounts for 44.58% of the total variance, which is below 50%. Therefore, we do not detect a Common Method Bias problem in our variables.
Table 13 presents the results of the reliability analysis for the examined variables. Cronbach’s alpha is a widely used measure of internal consistency, reflecting the extent to which a set of items collectively assesses the same underlying construct. It is derived from the inter-item correlations and provides an index of scale reliability. Higher alpha values indicate stronger internal consistency, with a commonly accepted threshold of 0.70 or above denoting adequate reliability (Tavakol and Dennick 2011). As shown in Table 14, satisfactory levels of reliability are achieved for the variables ICSE, CPQ, IAQ, and CQ, with ICSE demonstrating excellent reliability and CPQ reaching a reasonable level. In contrast, the RMQ variable exhibits weak reliability (Cronbach’s alpha = 0.520). Nonetheless, the overall results allow for the application of Principal Component Analysis (PCA) across the five categories of variables.
Table 14 reports the values of the Kaiser–Meyer–Olkin (KMO) measure and Bartlett’s test of sphericity, together with the number of components and the corresponding Eigenvalues for each variable. The KMO statistic assesses the adequacy of the sampling procedure, that is, whether the partial correlations among variables are sufficiently small to justify the application of factor analysis. As suggested by Kaiser (1974), a minimum threshold of 0.50 is required for acceptability, with values between 0.70 and 0.80 regarded as satisfactory, and values exceeding 0.90 considered excellent. Bartlett’s test of sphericity examines the null hypothesis that the correlation matrix is an identity matrix, implying that the variables are unrelated and therefore unsuitable for factor extraction. A significance value of less than 0.05 provides evidence that the data are suitable for factor analysis. As indicated in Table 15, the KMO values range from 0.536 to 0.846. Accordingly, the measure demonstrates an excellent level of sampling adequacy for ICSE (0.846), whereas the values for CPQ, RMQ, IAQ, and CQ fall within the minimally acceptable range. In addition, the significance level of Bartlett’s test is less than 0.001 across all variables, further supporting the appropriateness of applying factor analysis to the present dataset.
Table 15 presents the correlation analysis using both Pearson’s (r) and Spearman’s (ρ) coefficients, which revealed strong, positive, and statistically significant associations among the core components of the internal control framework. ICSE displayed high correlations with IAQ (r = 0.563), CPQ (r = 0.571), CQ (r = 0.541), and RMQ (r = 0.394), underscoring the interdependent nature of these dimensions in shaping overall system effectiveness. Similarly, the high correlations among IAQ, CPQ, CQ, and RMQ (ranging from 0.59 to 0.80) confirm that these subsystems operate in close alignment, consistent with the integrated structure of COSO-based internal control systems.
The strong association between Compliance (CQ) and Risk Management (RMQ) (r = 0.703) suggests that these two functions are particularly intertwined, reflecting their joint role in ensuring regulatory adherence and risk mitigation within Greek listed firms. Although these high inter-variable correlations point to possible multicollinearity, the use of Ridge Regression mitigates this concern in subsequent analyses.
Control variables exhibited limited influence: firm size and international activity were moderately correlated (r = 0.651), but showed weak associations with IC dimensions. In contrast, the age and gender of respondents had negligible effects. These findings suggest that organizational structures and governance mechanisms, rather than demographic factors, primarily influence the perceived effectiveness of internal control.
Subsequently, a Generalized Linear Mixed Model (GLMM) was estimated. In this specification, Internal Control System Effectiveness (ICSE) was introduced as the dependent variable, while Controls and Procedures Quality (CPQ), Risk Management Quality (RMQ), Internal Audit Quality (IAQ), and Compliance Quality (CQ) were included as fixed effects. The variables Multi, Size, Gender, and Age were incorporated as random effects to account for unobserved heterogeneity. The results of the GLMM are presented in Table 16.
The findings indicate that CPQ exerts a positive and statistically significant effect on ICSE at the 1% significance level (β = 0.439, p = 0.008). This result suggests that higher Quality in Controls and Procedures significantly enhances the effectiveness of the Internal Control System, thereby supporting Hypothesis H1. This result aligns with the findings of previous research (Koutoupis and Pappa 2018).
Similarly, IAQ demonstrates a positive and statistically significant effect on ICSE at the 10% level (β = 0.431, p = 0.089), confirming Hypothesis H3 and highlighting the role of Internal Audit Quality in strengthening ICS effectiveness. This result is consistent with the existing literature (Oussii and Taktak 2018; Chang et al. 2019).
In addition, CQ is found to exert a positive and statistically significant influence at the 10% level (β = 0.299, p = 0.086), thus confirming Hypothesis H4 and underscoring the contribution of Compliance Quality to ICSE. This result is consistent with the results of previous studies (Griffith 2016).
In contrast, the effect of RMQ on ICSE is not statistically significant (β = −0.079, p = 0.706), indicating that Risk Management Quality does not exert a measurable impact on the effectiveness of the Internal Control System. Consequently, Hypothesis H2 is rejected. This result contrasts with similar findings from previous studies (Fourie and Ackerman 2013; Pang and Li 2013), which confirmed the existence of a positive and statistically significant relationship between RMQ and ICSE.
Figure 3 illustrates the correlations between the independent and dependent variables, along with the degree of statistical significance for each variable. The greater the statistical significance, the wider the line connecting the independent and dependent variables.
Moreover, the random effect covariances were found to be statistically insignificant, indicating that the variability of random intercepts and slopes does not covary across groups. In other words, differences in baseline levels do not appear to be systematically related to differences in the predictor effects. This result suggests that modeling covariance among random effects (Internationalization, Size, Gender, and Age) does not add explanatory power and that the random effects may be considered essentially independent of each other.
The application of OLS Ridge Regression further supports the findings. As shown in Table 17, the model was trained on 37 cases and validated on 12 additional cases. It explains 59.3% of the variance in ICSE_ave within the training set and 48.9% in the holdout sample, indicating good predictive power and generalization. Among the predictors, CPQ emerges as the strongest, followed by CQ and IAQ, while RMQ contributes little and is effectively shrunk to zero. By penalizing significant coefficients, ridge regression reduced overfitting and minimized the impact of weaker predictors.
In Table 18, the Partial Least Squares (PLS) regression analysis was conducted to examine the relationship between ICSE_ave (the dependent variable) and four predictors—CPQ_ave, IAQ_ave, CQ_ave, and RMQ_ave. Cross-validation identified the optimal model with two latent components, explaining approximately 59% of the variance in ICSE_ave (R2 = 0.5895). The root mean square error (RMSE) of 0.50 indicates a satisfactory level of predictive accuracy given the sample size (n = 49). Among the predictors, CPQ_ave emerged as the dominant factor, exhibiting the most significant coefficient (0.40) and the highest Variable Importance in Projection (VIP = 1.56), surpassing the conventional threshold of 1.0. Thereby, the Hypothesis H1 is supported. The evidence for the IAQ_ave coefficient (0.12) is positive but weaker (VIP = 0.76). So the Hypothesis H3 is somehow confirmed. The remaining variables—CQ_ave and RMQ_ave—had VIP values much below 1, indicating comparatively lower contributions to the model. So the Hypotheses H2 and H4 are rejected.
The scatter plot of actual versus predicted ICSE values (Figure 4) demonstrates a strong positive alignment along the 45-degree reference line, indicating that the Partial Least Squares (PLS) regression model achieves a satisfactory level of predictive accuracy. Most data points cluster closely around the diagonal, suggesting that the model captures the underlying pattern in the observed data reasonably well. A few moderate deviations are visible, reflecting some unexplained variability, which is expected given the relatively small sample size. Overall, the plot visually confirms the model’s goodness of fit, which is consistent with the R2 value of approximately 0.59, indicating that the PLS model explains about 59% of the variance in ICSE.
Bootstrap resampling (1000 iterations) provided additional evidence regarding the stability of the regression coefficients. The 95% bootstrap confidence interval for CPQ_ave (0.21 to 0.60) did not include zero, confirming its statistically robust and positive association with ICSE_ave. In contrast, the intervals for IAQ_ave, CQ_ave, and RMQ_ave all encompassed zero, suggesting that their effects were weaker and less reliable. Overall, the PLS findings highlight the central role of CPQ_ave in predicting ICSE_ave, while IAQ_ave has a marginal influence, and other predictors appear to exert uncertain influences. These results underscore the importance of focusing on CPQ-related dimensions when seeking to enhance ICSE_ave outcomes.

7. Conclusions

This study has examined the effectiveness of Internal Control Systems (ICS) in Greek listed companies within the framework of the new corporate governance legislation. By operationalizing ICS effectiveness through its four core dimensions—Controls and Procedures Quality (CPQ), Risk Management Quality (RMQ), Internal Audit Quality (IAQ), and Compliance Quality (CQ)—and applying a Generalized Linear Mixed Model (GLMM), a Ridge Regression, and a PLS Regression, the research provides robust empirical evidence regarding their relative impact.
The findings confirm that CPQ, IAQ, and CQ exert positive and statistically significant effects on ICS effectiveness, with controls and procedures emerging as the most influential determinants. When using the PLS Regression, the substantial impact of CPQ and a marginal positive effect of IAQ are confirmed. These results are consistent with the existing literature (Koutoupis and Pappa 2018; Oussii and Taktak 2018; Chang et al. 2019; Griffith 2016) and underscore the central role of strong operational controls, a reliable audit function, and a culture of compliance in enhancing accountability, transparency, and resilience. By contrast, RMQ did not demonstrate a significant effect, suggesting that risk management practices may not yet be sufficiently integrated or mature within the governance structures of Greek listed firms.
In addition, the finding of a substantial impact of CPQ reinforces the Greek regulatory framework. Specifically, in accordance with Law 4706/2020, CPQ constitutes an integral component of the Internal Control System (ICS), contributing to its secure and efficient operation. Furthermore, according to HCMC Decision 1/891/2020, an ICS is deemed effective only when it adequately implements CPQ. Likewise, the finding of a marginally positive effect of IAQ aligns with the provisions of Greek legislation mandating the establishment of an independent Internal Audit (IA) unit in listed companies, responsible for monitoring and enhancing the firm’s operations and policies related to the ICS. The results also substantiate the regulatory requirements for effective supervision of the IA function by the Audit Committee. Additionally, they support the legal provision granting the IA unrestricted access to all organizational units and any information necessary for the performance of its duties, utilizing appropriate audit methodologies and tools. Conversely, the findings related to RMQ and CQ do not corroborate the expectations set by the Greek regulatory framework, as their effects are not statistically significant. This lack of significance suggests that these dimensions do not currently contribute to confirming the effectiveness of the ICS in Greek listed firms, contrary to what the regulatory standards would imply.
Overall, the analysis reinforces the argument that ICS and corporate governance are not static compliance mechanisms but dynamic, interdependent processes that enable organizations to navigate complexity, safeguard stakeholder trust, and support sustainable value creation.
The results of this study have important implications for corporate leaders, regulators, and policymakers. Implementing adequate controls and procedures at all levels of a listed company positively contributes to achieving the goals set by its management. Thus, the Boards of Directors should adopt more effective methods, including appropriate controls to identify risks, limit them to acceptable levels, and protect the company’s assets.
The Boards of Directors of Greek listed companies, through their committees, should continue to effectively supervise Internal Audit without interfering with its independence, ensure the necessary resources for its operation, and adopt advanced auditing tools to enhance their contribution to ICS effectiveness. Additionally, the IA function of the Greek listed companies could be more effective through improvements to the Control Environment (e.g., ethical tone, organizational structure, accountability, and values among all employees). Moreover, regulators should strengthen the supervision and accountability of independent external evaluators of ICS (HCMC 1/891/2020), as the survey results indicate that companies have not yet recognized the significant contribution of evaluations to the effectiveness of IA.
The results of this study indicate that Compliance in Greek-listed companies is mainly dependent on the availability of required information. Thus, Compliance officers should establish control mechanisms to prevent and detect violations of Laws and regulations, thereby preventing money laundering, bribery, and fraud. Moreover, compliance should be embedded in corporate strategy rather than treated as a reactive obligation. This entails continuous monitoring, ethical training programs, and active oversight at the board level.
Additionally, the insignificant role of RMQ highlights a gap between regulatory expectations and actual practice. Firms should integrate enterprise risk management (ERM) into strategic planning, linking risk assessment with decision-making and performance evaluation. Policymakers should refine the legislative framework by providing clear implementation guidelines, offering incentives for innovation in governance practices, and enforcing accountability through periodic ICS evaluations. Finally, both executives and auditors should receive continuous training on emerging risks, digital transformation, and ESG (Environmental, Social, and Governance) integration to align ICS with international best practices.
A noteworthy practical implication of our findings is that the majority of firms in the sample maintain internal audit (IA) units staffed by a single individual. While this arrangement may satisfy the minimum legislative requirement for establishing an IA function, it raises significant concerns about independence, audit coverage, and adequacy of resources. A one-person IA unit is structurally vulnerable to conflicts of interest, lacks the capacity for adequate segregation of duties, and cannot ensure sufficient breadth of audit testing across complex business processes. Moreover, such units are constrained in their ability to develop specialized expertise, apply advanced audit methodologies, or maintain continuity during periods of absence. Policymakers and regulators should therefore consider issuing more detailed guidance on proportional staffing of IA functions, linking the number of auditors to company size, complexity, and risk exposure. Strengthening this dimension would substantially improve the robustness of internal controls in Greek listed companies.
While this study advances understanding of ICS effectiveness in Greece, it also opens several avenues for further investigation. Cross-country analyses, particularly within the EU, can shed light on how institutional, cultural, and regulatory environments impact the effectiveness of ICS. Future research could explore differences across industries, particularly comparing regulated sectors (e.g., banking, energy) with less-regulated industries. Tracking ICS practices over time would reveal how reforms, digital tools, and crises (such as financial downturns or geopolitical shocks) influence governance effectiveness. Further studies should investigate how ESG initiatives, sustainability reporting, and digital technologies (e.g., AI-driven auditing, blockchain) impact ICS and governance outcomes. Qualitative approaches could investigate how board dynamics, organizational culture, and leadership styles mediate the relationship between ICS components and corporate performance.
From a methodological standpoint, two crucial issues emerged in the statistical analysis. First, the Risk Management Quality (RMQ) variable exhibited weak reliability (Cronbach’s alpha = 0.520), which may reflect the limited number of items (three) used to capture the construct as well as the heterogeneity of risk management practices across firms. This result indicates that future research should refine the RMQ scale, potentially incorporating additional items to capture dimensions such as integration with strategy, monitoring effectiveness, and board oversight. Second, the Controls and Procedures Quality (CPQ) variable exhibited a very high kurtosis value (7.07), indicating a leptokurtic distribution with strong clustering of responses and the potential presence of outliers. This distributional irregularity may be linked to standard practices across firms that produce highly homogeneous responses. Both issues highlight limitations of the dataset, which may affect the generalizability of findings and should be interpreted with caution.
Finally, the study is subject to several methodological constraints that should be acknowledged. The sample size, although relatively high in terms of response rate (43%), remains small in absolute terms, which may limit statistical power. In addition, the majority of respondents (over 90%) were internal auditors or audit managers, which creates the possibility of perceptual bias in favor of internal audit perspectives and reduces the representativeness of other governance functions, such as compliance or risk management. Non-response bias may also be present, as companies with weaker internal control environments may have been less inclined to participate.
In summary, this study emphasizes the importance of having robust internal control and governance mechanisms to achieve organizational resilience and sustainable growth. Strengthening ICS in practice and policy will not only enhance the credibility of Greek listed companies but also contribute to a more robust and transparent capital market environment.

Author Contributions

Conceptualization, V.G., A.L., S.K. and C.K.; Methodology, V.G., A.L., S.K. and C.K.; Software, V.G.; Validation, V.G. and A.L.; Formal analysis, V.G.; Resources, V.G.; Writing—original draft, V.G., A.L., S.K. and C.K.; Writing—review & editing, V.G., A.L., S.K. and C.K.; Visualization, V.G., A.L., S.K. and C.K.; Supervision, V.G.; Project administration, V.G. All authors have contributed equally to the writing and development of this paper. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki, but approval from the Institutional Ethics Committee is not required.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
CGCorporate Governance
ICSInternal Control Systems
OPOrganizational Performance
LDLinear dichroism
ESGEnvironmental, Social, and Governance
OECDOrganization for Economic Co-operation and Development
HCGCHellenic Corporate Governance Code
BoDBoard of Directors
M&AMergers and Acquisitions
CPControls and Procedures
IAInternal Audit
RMRisk Management
ATHEXAthens Stock Exchange
IPPFInternational Professional Practices Framework
IIAInstitute of Internal Auditors
COSOCommittee of Sponsoring Organizations
HCMCHellenic Capital Market Commission
SASociétés Anonymes
CGSCorporate Governance System
C&ECompliance & Ethics
ISOInternational Organization for Standardization
ERMEnterprise Risk Management
ICSEInternal Control System Effectiveness
CPQControls and Procedures Quality
RMQRisk Management Quality
IAQInternal Audit Quality
CQCompliance Quality

Appendix A

Table A1. Regulatory Overview Matrix.
Table A1. Regulatory Overview Matrix.
REGULATORY OVERVIEW MATRIX
CONSTRUCTSQUALITY FACTORS PER CONSTRUCTCG FRAMEWORK IN GREECECOSOIIA’s IPPF
LAW 4706/2020HCMC DECISION
1/891/2020		HCGC (2021)
DEPENDENTInternal Control System Effectiveness (ICSE)The Board of Directors shall ensure the effectiveness and independence of the functions constituting the ICS by providing the necessary resources and powers (ICSE_1).Article 4N/APart C, 6.2N/AN/A
Controls and procedures work effectively against risks, ensuring the achievement of management’s objectives (ICSE_2).N/AControl ActivitiesN/AControl Activities2130—Control
The Internal Audit Unit of the ICS provides objective assurance for the effective operation of the ICS (ICSF_3).Article 16N/AN/AN/AAdd Value
The Compliance Unit implements a practical ethics and compliance program to prevent fraud and corruption risks, and to avoid fines or criminal sanctions (ICSE_4).Article 13Monitoring (Compliance)N/ACompliance objectivesN/A
The Risk Management Unit effectively implements risk assessment, risk response, and risk monitoring procedures (ICSE_5).N/ARisk ManagementPart C, 6.10Risk AssessmentN/A
INDEPENDENTSControls and Procedures Quality (CPQ)How much do you estimate that controls and procedures secure the company’s assets? (CPQ_1)N/A 2130-ControlPart C, 6.10Operations ObjectivesN/A
How much do you estimate that controls and procedures help to limit risks to levels acceptable to the company? (CPQ_2)N/AN/AN/AControl ActivitiesN/A
How much do you estimate that the Internal Audit Unit effectively supervises the risk management procedures and controls, contributing to their improvement? (CPQ_3)2120—Risk Management N/AN/AN/A2130—Control
Risk Management Quality (RMQ)How effective do you assess the oversight of Risk Management to be? (RMQ_1)Article 4Risk Management N/AN/AN/A
To what extent do you assess that the size, complexity, and nature of your company’s activities affect the quality of the Risk Management work? (RMQ_2)N/A Risk Management N/ARisk AssessmentN/A
To what extent do you assess that the PESTEL factors (P: Political, E: Economical, S: Social, T: Technological, E: Environmental, L: Legal) of the company’s country (ies) of activity affect the quality of the Risk Management work? (RMQ_3)N/AN/AN/ARisk AssessmentN/A
Internal Audit Quality (IAQ)How effective do you think IA supervision is? (IAQ_1)Article 4Monitoring (IA Unit) Part C, 6.5N/A1000—Purpose, Authority, and Responsibility
To what extent do you estimate that IA has access to the required sources of information? (IAQ_2)Article 15Monitoring (IA Unit)N/AN/A1000—Purpose, Authority, and Responsibility
How much do you estimate that IA uses effective tools and techniques for conducting audits? (IAQ_3)N/AMonitoring (IA Unit)N/AN/A1220—Due Professional Care
How much do you estimate that the control environment (Company Organizational Structure, Board of Directors, Corporate Responsibility, Human Resources) of your company affects the effectiveness of IA? (IAQ_4)Article 4 Control EnvironmentPart C, 6.9Control EnvironmentControl Environment
How much more effective do you think IA will become, due to the mandatory external evaluation of the ICS (HCMC Dec. No 1/891/30.09.2020)? (IAQ_5)Article 4Monitoring (IA Unit)Ν/AΝ/AΝ/A
Compliance Quality (CQ)How effective do you think Compliance supervision is? (CQ_1)Article 4Monitoring (Compliance) Ν/A Principle 1
(COSO ERM 2020)		Ν/A
To what extent do you estimate that Compliance has access to the required sources of information? (CQ_2)Article 13Monitoring (Compliance)N/APrinciple 18
(COSO ERM 2020)		N/A
How much do you think the size, complexity, and nature of your company’s activities affect the quality of Compliance’s work? (CQ_3)Article 13N/AN/APrinciple 15
(COSO ERM 2020)		N/A
How much do you estimate that the PESTEL factors (P: Political, E: Economic, S: Social, T: Technological, E: Environmental, L: Legal) of the company’s country (es) of activity affect the quality of Compliance’s work? (CQ_4)N/AN/AN/APrinciple 6
(COSO ERM 2020)		N/A
Table A2. Risk Management Components—The 20 principles.
Table A2. Risk Management Components—The 20 principles.
COMPONENTGovernance &
Culture		Strategy &
Objective-
Setting		PerformanceReview & RevisionInformation,
Communication & Reporting
PRINCIPLES1. Exercises Board Risk Oversight6. Analyzes Business Context10. Identifies Risk15. Assesses Substantial Change18. Leverages Information and Technology
2. Establishes Operating Structures7. Defines Risk Appetite11. Assesses Severity of Risk16. Reviews Risk and Performance19. Communicates Risk Information
3. Defines Desired Culture8. Evaluates Alternative Strategies12. Prioritizes Risks17. Pursues improvement in Enterprise Risk Management 20. Reports on Risk, Culture, and Performance
4. Demonstrates Commitment to Core Values9. Formulates Business Objectives13. Implements Risk Responses
5. Attracts, Develops, and Retains Capable Individuals 14. Develops Portfolio View

Appendix B

Table A3. Staffing of IA, RM, and Compliance units.
Table A3. Staffing of IA, RM, and Compliance units.
How Many Members Does the IA Consist of in Your Company? FrequencyRates
1 member2959.18%
2 members510.21%
3 members510.21%
4 members12.04%
5 members24.08%
6 members12.04%
8 members12.04%
17 members12.04%
18 members24.08%
20 members12.04%
37 members12.04%
TOTAL49100.00%
Table A4. Board of Directors members’ characteristics.
Table A4. Board of Directors members’ characteristics.
SURVEY RESULTSCOMPLIANCE AUDIT WITH LAW 4706/2020
Resp.
No.
(Firms)		How Many Members Does the BoD of Your Company Consist of?
(a)		How Many Members of the BoD Are Women?
(b)		How Many Members of the BoD Are Executive?
(c)		Number of Independent Non-Executive Members of the BoD
(d)		Independent Non-Executive MembersRepresentation by Gender
Min. Members/FirmMin. Members/Firm
At least 1/3 of Total Members (in Any Case, >2 Members)
(a)*1/3		Decimals Round to the Nearest Whole Number
(e)		Compliance
Audit
# ≥ 0: Comply
# < 0: Non-Compliant
(d)–(e)		Representation 25% by Gender on the BoD
(f)		Decimals Round to the Previous Whole Number
(g)		Compliance Audit
# ≥ 0: Comply
# < 0: Non-compliant
(b)–(g)
151231.67211.2510
271242.33221.7510
372232.33211.7511
4103433.33302.5021
5112243.67402.7520
6113373.67432.7521
7112643.67402.7520
872322.33201.7511
9112243.67402.7520
1071222.33201.7510
111536105.00553.7530
1271322.33201.7510
13134154.33413.2531
1475322.33201.7514
1561122.00201.5010
1692333.00302.2520
1792433.00302.2520
18113343.67402.7521
19103233.33302.5021
2092433.00302.2520
2151221.67201.2510
22102333.33302.5020
2383442.67312.0021
24123474.00433.0030
25103743.33312.5021
2672332.33211.7511
2772432.33211.7511
2861322.00201.5010
2993533.00302.2521
30102233.33302.5020
3171322.33201.7510
3282432.67302.0020
3362242.00221.5011
3492333.00302.2520
35155555.00503.7532
3682332.67302.0020
3751221.67201.2510
3871232.33211.7510
3951321.67201.2510
4071322.33201.7510
4151121.67201.2510
42153865.00513.7530
4362322.00201.5011
4492333.00302.2520
4573222.33201.7512
46113343.67402.7521
47123544.00403.0030
4871132.33211.7510
4971432.33211.7510

References

  1. Archival Sources

    Law 4706/2020, Corporate governance of Sociétés Anonymes, modern capital market, incorporation into Greek Law of Directive (EU) 2017/828 of the European Parliament and of the Council, measures for the implementation of Regulation (EU) 2017/1131 and other provisions (Government Gazette A’ 136/17.07.2020).1/891/30.9.2020,
    Decision of the BoD of the HCMC, “Specializations of Article 14 para. 3 approx. i and para. 4, Evaluation of the Internal Control System (ICS) and the Implementation of the provisions on Corporate Governance of Law 4706/2020” (Government Gazette B’4556/15.10.2020).
    Law 4548/2018, Reform of the Law of Sociétés Anonymes (Government Gazette A’ 104/13.06.2018).
    Law 3016/2002, Hellenic Capital Market Commission, “On corporate governance, payroll issues and other provisions” (Government Gazette 110/17.05.2002).

  2. Published Sources

  3. Aguilera, Chen Tien, Tien Waheed Niroula, and Chung Kwang Zhang. 2023. Influence of internal control systems on governance among parastatals in Taiwan. Journal of Public Policy & Governance 11: 105–23. [Google Scholar] [CrossRef]
  4. Ahmad, Raja Adzrin Raja, Norhidayah Abdullah, Nur Erma Suryani Mohd Jamel, and Normah Omar. 2015. Board Characteristics and Risk Management and Internal Control Disclosure Level: Evidence from Malaysia. Procedia Economics and Finance 31: 601–610. [Google Scholar] [CrossRef]
  5. Akbar, Abitya, and Siti Choiriah. 2025. The effect of good corporate governance, internal control system, and human resource competence on financial reporting quality. Research Horizon 5: 183–94. [Google Scholar] [CrossRef]
  6. Al Astal, Ahmad Y.M., Ali Ateeq, Marwan Milhem, and Dalili I. Shafie. 2025. Corporate Governance and Internal Control Mechanisms: Developing a Strategic Framework. In Business Sustainability with Artificial Intelligence (AI): Challenges and Opportunities. Studies in Systems, Decision and Control. Edited by Esra AlDhaen, Ashley Braganza, Allam Hamdan and Weifeng Chen. Cham: Springer, vol. 566. [Google Scholar] [CrossRef]
  7. Alshaiti, Hani. 2023. Influences of internal control on enterprise performance: Does an information system make a difference? Journal of Risk and Financial Management 16: 518. [Google Scholar] [CrossRef]
  8. Association of Chartered Certified Accountants, The Internal Audit Foundation and The Institute of Management Accountants. 2022. Internal Control and the Transformation of Entities. Available online: https://www.accaglobal.com/gb/en/professional-insights/technology/transformation-of-internal-control.html (accessed on 15 October 2022).
  9. Bekiaris, Michalis, Thanasis Efthymiou, and G. Andreas Koutoupis. 2013. Economic crisis impact on corporate governance and internal audit: The case of Greece. Corporate Ownership and Control 11: 55–64. [Google Scholar] [CrossRef]
  10. Burca, Olteanu, Andreea Larisa, Badea Florea, Elena Claudia, and Madalina Preda. 2024. Role of audit committees and internal audit in the context of the evolution of ESG indicators. Polish Journal of Management Studies 29: 123–38. [Google Scholar] [CrossRef]
  11. Chang, Yu-Tzu, Hanchung Chen, Rainbow K. Cheng, and Wuchun Chi. 2019. The impact of internal audit attributes on the effectiveness of internal control over operations and compliance. Journal of Contemporary Accounting and Economics 15: 1–19. [Google Scholar] [CrossRef]
  12. Christopher, Joe, Gerrit Sarens, and Philomena Leung. 2009. A critical analysis of the independence of the internal audit function: Evidence from Australia. Accounting, Auditing & Accountability Journal 22: 200–20. [Google Scholar] [CrossRef]
  13. Cohen, Jeffrey., Krishnamoorthy Ganesh, and M. Arnold Wright. 2002. Corporate governance and the audit process. Contemporary Accounting Research 9: 573–94. [Google Scholar] [CrossRef]
  14. Cullinan, Charles P., Lois S. Mahoney, and Pamela Roush. 2016. Corporate social responsibility and shareholder support for corporate governance changes. Social Responsibility Journal 12: 687–705. [Google Scholar] [CrossRef]
  15. Djamshidovna, Akhmedova Latifa. 2025. Auditing and internal controls: Enhancing organizational governance and performance. Multidisciplinary Journal of Science and Technology 5: 542–46. [Google Scholar]
  16. Drogalas, George. 2010. Evaluation of the Implementation and Contribution of Internal Control Systems from the Point of View of Accounting and Finance in Hotel Businesses in Greece. Ph.D. thesis, University of Macedonia, Thessaloniki, Greece. [Google Scholar]
  17. Drogalas, George, and Stiliani Siopi. 2017. Risk Management and Internal Audit: Evidence from Greece. Risk Governance & Control: Financial Markets & Institutions 7: 104–10. [Google Scholar]
  18. Drogalas, George, Iordanis Eleftheriadis, Michail Pazarskis, and Evgenia Anagnostopoulou. 2017. Perceptions about effective risk management. The crucial role of internal audit and management. Evidence from Greece. Investment Management and Financial Innovations 14: 1–11. [Google Scholar] [CrossRef]
  19. Drogalas, George, Karagiorgos Theofanis, and Konstantinos Arampatzis. 2015. Factors associated with Internal Audit Effectiveness: Evidence from Greece. Journal of Accounting and Taxation 7: 113–22. [Google Scholar] [CrossRef]
  20. Fourie, Houdini, and Christo Ackerman. 2013. The impact of COSO control components on internal control effectiveness: An internal audit perspective. South African Journal of Accountability and Audit Research 14: 31–44. [Google Scholar] [CrossRef]
  21. Goodwin-Stewart, Jenny, and Pamela Kent. 2006. The use of internal audit by Australian companies. Managerial Auditing Journal 21: 81–101. [Google Scholar] [CrossRef]
  22. Griffith, Sean J. 2016. Corporate Governance in an Era of Compliance. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2766661 (accessed on 10 January 2025).
  23. Hakimi, Natalia, Salwa Zolkaflil, Khalid, and Nurliyana Haji. 2023. The role of internal audit, internal control systems, and corporate governance practices toward financial report quality. MAHSA International Journal of Business & Social Sciences 3: 24–36. [Google Scholar]
  24. Heier, Jan R., Michael T. Dugan, and David L. Sayers. 2005. A Century of Debate for Internal Controls and their Assessment: A Study of Reactive Evolution. Accounting History 10: 39–70. [Google Scholar] [CrossRef]
  25. Hellenic Corporate Governance Council. 2021. Hellenic Corporate Governance Code—HCGC. Available online: https://www.esed.org.gr/web/guest/code-listed (accessed on 10 October 2022).
  26. Hossain, Mohammad Kamal, Fazlur Rahman, Uttam Golder, and Humayun Kabir. 2025. Effectiveness of internal corporate governance mechanisms in controlling NPLs in an emerging economy. Schmalenbach Journal of Business Research 77: 560–80. [Google Scholar] [CrossRef]
  27. Jensen, Michael, and William Meckling. 1976. Theory of the firm: Managerial behavior, agency costs, and ownership structure. Journal of Financial Economics 3: 305–60. [Google Scholar] [CrossRef]
  28. Jiang, Like, Andre, Paul, Richard, and Chrystelle. 2017. An International Study of Internal Audit Function Quality. Accounting and Business Research 48: 1–57. [Google Scholar] [CrossRef]
  29. Johl, Shireenjit K., Satirenjit Kaur Johl, Nava Subramaniam, and Barry Cooper. 2013. Internal audit function, board quality and financial reporting quality: Evidence from Malaysia. Managerial Auditing Journal 28: 780–814. [Google Scholar] [CrossRef]
  30. Kaiser, Henry F. 1974. An index of factorial simplicity. Psychometrika 39: 31–36. [Google Scholar] [CrossRef]
  31. Karagiorgos, Theofanis, George Drogalas, and Nikolaos Giovanis. 2011. Evaluation of the Effectiveness of Internal Audit in Greek Hotel Business. International Journal of Economic Sciences and Applied Research 4: 19–34. [Google Scholar]
  32. Koutoupis, Andreas. 2009. The Effects of the Institutional Framework of Corporate Governance and Best Practices on the Development of Internal Audit Systems of Enterprises. The case of companies listed on the Athens Stock Exchange. Ph.D. thesis, Panteion University of Social and Political Sciences, Athens, Greece. [Google Scholar]
  33. Koutoupis, Andreas, and Evangelia Pappa. 2018. Corporate Governance and Internal Controls: A Case Study. Greece Journal of Governance and Regulation 7: 91–99. [Google Scholar] [CrossRef]
  34. Lai, Syou-Ching, Hungchih Li, Henghsiu Lin, and Frederick Wu. 2017. The influence of internal control weaknesses on firm performance. Journal of Accounting and Finance 17: 82–95. [Google Scholar]
  35. Lenz, Rainer, and John Chesshire. 2023. Rethinking internal audit: Governance needs gardening. EDPACS 68: 7–15. [Google Scholar] [CrossRef]
  36. Oussii, Ahmed Atef, and Neila Boulila Taktak. 2018. The impact of internal audit function characteristics on internal control quality. Managerial Auditing Journal 33: 450–69. [Google Scholar] [CrossRef]
  37. Paape, Leen, Scheffe Johan, and Pim Snoep. 2003. The relationship between the Internal Audit Function and Corporate Governance in the EU—A Survey. International Journal of Auditing 7: 247–62. [Google Scholar] [CrossRef]
  38. Pang, Yanhong, and Qing Li. 2013. Game Analysis of Internal Control and Risk Management. International Journal of Business and Management 8: 103–12. [Google Scholar] [CrossRef]
  39. Pangastuti, and Leli Agustina. 2023. The role of internal auditing in upholding corporate governance standards. Advances in Managerial Auditing Research 1: 45–60. [Google Scholar] [CrossRef]
  40. Prawitt, Douglas F., Jason L. Smith, and David A. Wood. 2009. Internal Audit Quality and Earnings Management. The Accounting Review 84: 1255–80. [Google Scholar] [CrossRef]
  41. Rae, Kirsten, John Stephen Sands, and Nava Subramaniam. 2017. Associations among the Five Components within COSO Internal Control-Integrated Framework as the Underpinning of Quality Corporate Governance. Australasian Accounting, Business and Finance Journal 11: 3. [Google Scholar] [CrossRef]
  42. Regoliosi, Carlo, and Alessandro d’Eri. 2014. “Good” corporate governance and the quality of internal auditing departments in Italian listed firms: An exploratory investigation in Italian listed firms. Journal of Management & Governance 18: 891–920. [Google Scholar]
  43. Sarens, Gerrit, and Mohammad J. Abdolmohammadi. 2011. Monitoring Effects of the Internal Audit Function: Agency Theory versus other Explanatory Variables. International Journal of Auditing 15: 1–20. [Google Scholar] [CrossRef]
  44. Tavakol, Mohsen, and Reg Dennick. 2011. Making Sense of Cronbach’s Alpha. International Journal of Medical Education 2: 53–55. [Google Scholar] [CrossRef] [PubMed]
  45. Vadasi, Christina. 2018. Internal Audit and the Quality of Accounting Reporting: Corporate Governance and Quality of Internal Audit in Listed Companies of the Athens Stock Exchange. Ph.D. thesis, University of the Aegean, Chios, Greece. [Google Scholar]
  46. Vadasi, Christina, Michalis Bekiaris, and Andreas Andrikopoulos. 2021. Internal Audit Function Quality and Corporate Governance: The Case of Greece. Multinational Finance Journal 25: 1–61. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3866954 (accessed on 18 February 2025).
  47. Van Der Nest, Daniel P., Louis Smidt, and Dave Lubbe. 2017. The use of generalised audit software by internal audit functions in a developing country: A maturity level assessment. Risk Governance and Control: Financial Markets & Institutions 7: 189–202. [Google Scholar] [CrossRef]
  48. Xu, Xiaotong. 2024. The impact of internal control on the quality of corporate governance from an audit perspective. Paper presented at the ICEMCI 2023, Beijing, China, 17–19 November 2023; Dordrecht: Atlantis Press, pp. 450–60. [Google Scholar] [CrossRef]
  49. Xu, Zhiyi. 2025. The relationship among corporate governance, internal control, and M&A performance. SHS Web of Conferences 218: 03031. [Google Scholar] [CrossRef]
Risks 13 00219 g001
Figure 1. A combination of Greek regulations and international standards with research variables.
Figure 1. A combination of Greek regulations and international standards with research variables.
Risks 13 00219 g001
Risks 13 00219 g002
Figure 2. Staffing of IA, RM, and Compliance units.
Figure 2. Staffing of IA, RM, and Compliance units.
Risks 13 00219 g002
Risks 13 00219 g003
Figure 3. Fixed Coefficients.
Figure 3. Fixed Coefficients.
Risks 13 00219 g003
Risks 13 00219 g004
Figure 4. Actual vs. Predicted Values of Internal Control System Effectiveness (ICSE) from the PLS Regression Model. Note. Each “×” mark represents an individual observation, where the horizontal position corresponds to the observed ICSE_ave value and the vertical position represents the model-predicted ICSE_ave. The yellow dashed line denotes the line of perfect prediction (the 45-degree identity line), where predicted values would exactly match the actual ones.
Figure 4. Actual vs. Predicted Values of Internal Control System Effectiveness (ICSE) from the PLS Regression Model. Note. Each “×” mark represents an individual observation, where the horizontal position corresponds to the observed ICSE_ave value and the vertical position represents the model-predicted ICSE_ave. The yellow dashed line denotes the line of perfect prediction (the 45-degree identity line), where predicted values would exactly match the actual ones.
Risks 13 00219 g004
Table 1. The COSO framework.
Table 1. The COSO framework.
COMPONENTControl
Environment		Risk
Assessment		Control
Activities		Information & CommunicationMonitoring
Activities
PRINCIPLES1. Demonstrates commitment to integrity and ethical values6. Specifies suitable objectives10. Selects and develops control activities13. Uses relevant information16. Conducts ongoing and/or separate evaluations
2. Exercises oversight responsibility7. Identifies and analyzes risk11. Selects and develops general controls over technology14. Communicates internally17. Evaluates and communicates deficiencies
3. Establishes structure, authority, and responsibility8. Assesses fraud risk12. Deploys through policies and procedures15. Communicates externally
4. Demonstrates commitment to competence9. Identifies and analyzes significant change
5 Enforces accountability
Table 2. Summary of Key Empirical Studies on Internal Control, Internal Audit, Risk Management, and Compliance.
Table 2. Summary of Key Empirical Studies on Internal Control, Internal Audit, Risk Management, and Compliance.
Study (Year) Context/SampleMethodsMain FindingsLimitationsThe Gap Addressed by the Current Study
Koutoupis (2009)Greek listed firms (doctoral thesis)Questionnaire, descriptive analysisCorporate governance is positively associated with internal audit activities and the adoption of ICS.Outdated regulatory context; focuses solely on IA; lacks psychometric validation.Updates the Greek context under Law 4706/2020 and assesses multiple ICS components
Drogalas (2010)Greek hotel sectorMixed methods: questionnaire and financial dataICS contributes added value and operational efficiency in hotelsSingle-sector focus; small sample; limited generalizabilityExtends analysis across ATHEX-listed sectors for broader representativeness
Karagiorgos et al. (2011)52 large Greek hotelsSurvey: COSO-based evaluationHigh overall ICS scores; the monitoring component is the weakestSector focus; descriptive approach; cross-sectional designExamines IA staffing adequacy and independence across listed companies
Prawitt et al. (2009)Various international contextsConstruct validation and empirical testingIAF quality linked to internal control effectivenessScale development requires replication; limited context detailAdopts IAQ measures and reports Cronbach’s alpha for transparency
Drogalas et al. (2015, 2017)Greek listed firms/employeesQuestionnaire; multiple regressionTop management support, risk-based IA, and IA involvement improve RM effectiveness.Cross-sectional design; self-reported measuresTests the joint effects of CPQ, RMQ, IAQ, and CQ using GLMM and Ridge Regression
Rae et al. (2017)Australian organizationsCOSO component analysisLinks between control environment, information flow, and RM monitoringDescriptive focus; lacks regulatory integrationIntegrates Greek Law 4706/2020 and HCGC 2021 within the COSO framework
Lai et al. (2017)U.S.-listed firmsSecondary data: regression on control weaknesses and performanceIC weaknesses negatively affect firm performanceHistorical dataset; limited to financial outcomesExamines perceived control quality and operational features (e.g., IA staffing)
Z. Xu (2025); Olteanu Burca et al. (2024)Multinational samplesRegression/mixed methodsStrong governance and controls linked to ESG and financial outcomesHeterogeneous measures and institutional settingsPositions Greek compliance and ICS quality in an international governance context
Note. The table summarizes representative empirical studies cited in the manuscript. It highlights methodological approaches, main findings, limitations, and the specific gaps addressed by the present study.
Table 3. ATHEX’s Main Market—Listed Companies on 29 April 2022.
Table 3. ATHEX’s Main Market—Listed Companies on 29 April 2022.
Total listed companies 157
Companies under suspension−8
Financial sector/corporate bonds/public sector −28
Research population=121
Unsent questionnaires −3
Sent questionnaires=118
Responses51
Invalid responses−2
Valid responses (sample)=49
Response rate % 43%
Table 4. Questions per variable.
Table 4. Questions per variable.
Internal Control System Effectiveness (ICSE):
The Board of Directors shall ensure the effectiveness and independence of the functions constituting the ICS by providing the necessary resources and powers (ICSF_1).
Controls and procedures work effectively against risks, ensuring the achievement of management’s objectives (ICSF_2).
The Internal Audit Unit of the ICS provides objective assurance for the effective operation of the ICS (ICSF_3).
The Compliance Unit implements a practical ethics and compliance program to prevent fraud and corruption risks, and to avoid fines or criminal sanctions (ICSF_4).
The Risk Management Unit effectively implements risk assessment, risk response, and risk monitoring procedures (ICSF_5).
Controls and Procedures Quality (CPQ):
How much do you estimate that the controls and procedures secure the company’s assets? (CPQ_1)
How much do you estimate that controls and procedures help to limit risks to levels acceptable to the company? (CPQ_2)
How much do you estimate that the Internal Audit Unit effectively supervises the risk management procedures and controls, contributing to their improvement? (CPQ_3)
Risk Management Quality (RMQ):
How effective do you assess the oversight of Risk Management to be? (RMQ_1)
To what extent do you assess that the size, complexity, and nature of your company’s activities affect the quality of the Risk Management work? (RMQ_2)
To what extent do you assess that the PESTEL factors (P: Political, E: Economical, S: Social, T: Technological, E: Environmental, L: Legal) of the company’s country (ies) of activity affect the quality of the Risk Management work? (RMQ_3)
Internal Audit Quality (IAQ):
How effective do you think IA supervision is? (IAQ_1)
To what extent do you estimate that IA has access to the required sources of information? (IAQ_2)
How much do you estimate that IA uses effective tools and techniques for conducting audits? (IAQ_3)
How much do you estimate that the control environment (Company Organizational Structure, Board of Directors, Corporate Responsibility, Human Resources) of your company affects the effectiveness of IA? (IAQ_4)
How much more effective do you think IA will become, due to the mandatory external evaluation of the ICS (HCMC Dec. No 1/891/30.09.2020)? (IAQ_5)
Compliance Quality (CQ):
How effective do you think Compliance supervision is? (CQ_1)
To what extent do you estimate that Compliance has access to the required sources of information? (CQ_2)
How much do you think the size, complexity, and nature of your company’s activities affect the quality of Compliance’s work? (CQ_3)
How much do you estimate that the PESTEL factors (P: Political, E: Economic, S: Social, T: Technological, E: Environmental, L: Legal) of the company’s country (es) of activity affect the quality of Compliance’s work? (CQ_4)
Table 5. Variables, Dimensions, Indicators, and Reference Sources.
Table 5. Variables, Dimensions, Indicators, and Reference Sources.
VariableDimensionsIndicators/Items (Questionnaire Codes)Reference Sources
Internal Control System Effectiveness (ICSE)
Effectiveness of Internal Control SystemICSE_1: The Board of Directors ensures ICS effectiveness and independence; ICSE_2: Controls and procedures mitigate risks; ICSE_3: The Internal Audit Unit provides objective assurance; ICSE_4: The Compliance Unit implements practical ethics and anti-fraud programs; ICSE_5: The Risk Management Unit effectively assesses and monitors risksCOSO (2013); Law 4706/2020, Art. 4 & 13; HCMC Decision 1/891/30.9.2020; Institute of Internal Auditors [IIA], IPPF (2017); Vadasi (2018)
Controls and Procedures Quality (CPQ)Safeguarding of assets, risk limitation, and audit oversightCPQ_1: Controls secure company assets; CPQ_2: Controls limit risks to acceptable levels; CPQ_3: Internal Audit supervises controls and contributes to improvementCOSO (2013); IIA (Standard 2130, 2017); ACCA, IIA, & IMA (2022); Koutoupis and Pappa (2018)
Risk Management Quality (RMQ)Oversight, contextual influence, external environmentRMQ_1: Effectiveness of Risk Management oversight; RMQ_2: Impact of size, complexity, and nature of activities; RMQ_3: Influence of PESTEL factors on Risk Management qualityCOSO Enterprise Risk Management Framework (2020); IIA (Standard 2120, 2019); Fourie and Ackerman (2013); Drogalas et al. (2017)
Internal Audit Quality (IAQ)Supervision, access to information, tools and techniques, organizational environment, and regulatory enhancementIAQ_1: Effectiveness of Internal Audit supervision; IAQ_2: Access to required information sources; IAQ_3: Use of audit tools and techniques; IAQ_4: Effect of control environment on Internal Audit effectiveness; IAQ_5: Expected improvement from external ICS evaluationIIA (2019); Prawitt et al. (2009); Regoliosi and d’Eri (2014); Drogalas et al. (2015); HCMC Decision 1/891/30.9.2020
Compliance Quality (CQ)Oversight, access to information, organizational, and environmental influenceCQ_1: Effectiveness of Compliance supervision; CQ_2: Access to required information; CQ_3: Impact of company size and complexity; CQ_4: Effect of PESTEL factors on Compliance qualityCOSO (2013, 2017); International Organization for Standardization [ISO] (2014, 2020); Griffith (2016); UK Ministry of Justice (2010)
Control VariablesCompany characteristics, respondent profileMulti: Internationalization (domestic vs. international operations); Size: Number of employees; Gender: Respondent gender; Age: Respondent age categoryLaw 4706/2020, Art. 13 (proportionality principle); Organisation for Economic Co-operation and Development [OECD] (2021); Drogalas et al. (2017); Vadasi (2018)
Note: The variables were derived from the Greek Corporate Governance Law (Law 4706/2020), international internal control frameworks (COSO, IPPF), and prior empirical studies. Items were measured on a five-point Likert scale (1 = Not at all, 5 = Absolutely).
Table 6. General information about companies.
Table 6. General information about companies.
In which sector does your company operate?FrequencyRates
Industrial1632.65%
Commercial1224.49%
Construction510.20%
Fuels/Energy12.04%
Technology/Telecommunications510.21%
Services1020.41%
Total49100.00%
How many employees does your company employ?FrequencyRates
Up to 501020.41%
51–10036.12%
101–2501428.57%
More than 2512244.90%
Total49100.00%
Please select your position in the company.FrequencyRates
Head of Internal Audit3265.31%
Head of Compliance12.04%
Head of Risk Management24.08%
Internal Auditor1326.53%
Other (Response: IA Manager of 2 countries)12.04%
Total49100.00%
Table 7. Independence/coexistence of IA, RM, and Compliance units.
Table 7. Independence/coexistence of IA, RM, and Compliance units.
Is IA a purely independent organizational unit in your company?FrequencyRates
Yes4285.71%
No714.29%
TOTAL49100.00%
Is RM a purely independent organizational unit in your Company?FrequencyRates
Yes1938.78%
No (Co-exists with Compliance)1020.41%
No (Co-exists with Internal Audit)1020.41%
No (Co-exists with Compliance and Internal Audit)36.12%
No (Co-exists with Finance Division)24.08%
No (Co-exists with Information Security)12.04%
No (Risk Committee)24.08%
No (Risk Management does not exist at all)24.08%
TOTAL49100.00%
Is Compliance a purely independent organizational unit in your company?FrequencyRates
Yes1836.73%
No 1428.57%
No (Co-exists with RM)1020.41%
Νο (Compliance co-exists with Internal Audit)12.04%
No (Compliance co-exists with Legal Service)12.04%
Compliance does not exist at all510.21%
TOTAL49100.00%
Table 8. Factors of the Internal Control System Effectiveness.
Table 8. Factors of the Internal Control System Effectiveness.
Please Rate the Following Factors of Internal Control System Effectiveness (ICSE): NMeanMedianStd. DeviationSkewness (γ1)Kurtosis (γ2)
The Board of Directors shall ensure the effectiveness and independence of the functions constituting the ICS by providing the necessary resources and powers (ICSE_1).493.904.000.984−1.1561.620
Controls and procedures work effectively against risks, ensuring the achievement of management’s objectives (ICSE_2).493.964.000.889−1.5893.811
The Internal Audit Unit, in collaboration with the ICS, provides objective assurance of the ICS’s effective operation (ICSE_3).494.204.000.816−1.3593.496
The Compliance Unit implements an effective program of ethics and compliance to prevent risks of fraud and corruption, and to avoid fines or criminal sanctions (ICSE_4).493.924.001.057−1.2641.663
The Risk Management Unit effectively implements risk assessment, risk response, and risk monitoring procedures (ICSE_5).493.844.000.874−1.0341.623
ICSE_ave493.964.000.791−1.2553.085
Table 9. Factors of the Controls and Procedures Quality.
Table 9. Factors of the Controls and Procedures Quality.
Please Rate the Following Factors of Controls and Procedures Quality (CPQ): NMeanMedianStd. DeviationSkewness (γ1)Kurtosis (γ2)
How much do you estimate that the controls and procedures secure the company’s assets? (CPQ_1)493.9440.719−1.6615.766
How much do you estimate that controls and procedures help to limit risks to levels acceptable to the company? (CPQ_2)493.9040.895−1.4273.167
How much do you estimate that the Internal Audit Unit effectively supervises the risk management procedures and controls, contributing to their improvement? (CPQ_3)494.2040.735−1.6556.341
CPQ_ave494.014.000.690−1.9197.066
Table 10. Factors of Risk Management Quality.
Table 10. Factors of Risk Management Quality.
Please Rate the Factors of Risk Management Quality (RMQ): NMeanMedianStd. DeviationSkewness (γ1)Kurtosis (γ2)
How effective do you assess the oversight of Risk Management to be? (RMQ_1)493.6540.879−0.9700.968
To what extent do you assess that the size, complexity, and nature of your company’s activities affect the quality of the Risk Management work? (RMQ_2)493.9040.714−1.2784.667
To what extent do you assess that the PESTEL factors (P: Political, E: Economical, S: Social, T: Technological, E: Environmental, L: Legal) of the company’s country(ies) of activity affect the quality of the Risk Management work? (RMQ_3)493.7340.861−1.0832.570
RMQ_ave493.7640.649−1.5516.069
Table 11. Factors of Internal Audit Quality.
Table 11. Factors of Internal Audit Quality.
Please Rate the Factors of Internal Audit Quality (IAQ): NMeanMedianStd. DeviationSkewness (γ1)Kurtosis (γ2)
How effective do you think IA supervision is? (IAQ_1)493.844.000.874−1.0341.623
To what extent do you estimate that IA has access to the required sources of information? (IAQ_2)494.415.000.814−1.8625.091
How much do you estimate that IA uses effective tools and techniques for conducting audits? (IAQ_3)494.024.000.750−1.2714.346
How much do you estimate that the control environment (Company Organizational Structure, Board of Directors, Corporate Responsibility, Human Resources) of your company affects the effectiveness of IA? (IAQ_4)493.984.000.721−1.3585.086
How much more effective do you think IA will become, due to the mandatory external evaluation of the ICS (HCMC Dec. No 1/891/30.09.2020)? (IAQ_5)493.714.000.957−0.7210.310
IAQ_ave493.994.000.488−0.3811.834
Table 12. Factors of Compliance Quality.
Table 12. Factors of Compliance Quality.
Please Rate the Factors of Compliance Quality (CQ):NMeanMedianStd. DeviationSkewness (γ1)Kurtosis (γ2)
How effective do you think Compliance supervision is? (CQ_1) 493.554.001.062−1.0640.799
To what extent do you estimate that Compliance has access to the required sources of information? (CQ_2)493.964.001.079−1.5742.518
How much do you think the size, complexity, and nature of your company’s activities affect the quality of Compliance’s work? (CQ_3)493.734.000.93−1.5382.937
How much do you estimate that the PESTEL factors (P: Political, E: Economic, S: Social, T: Technological, E: Environmental, L: Legal) of the company’s country (ies) of activity affect the quality of the Compliance’s work? (CQ_4)493.734.000.995−1.0191.557
CQ_ave493.744.000.776−1.7034.984
Table 13. Reliability Test of Variables.
Table 13. Reliability Test of Variables.
Variable Cronbach’s Alpha Standardized ItemsF TestSig.
Internal Control System Effectiveness (ICSE)0.9062.9830.029
Controls and Procedures Quality (CPQ)0.8564.6520.014
Risk Management Quality (RMQ)0.5204.6090.003
Internal Audit Quality (IAQ)0.7625.4580.003
Compliance Quality (CQ) 0.7173.7520.031
Table 14. Principal Component Analysis.
Table 14. Principal Component Analysis.
Variable KMOBartlett’s Test (Sig.)No of
Components		Eigenvalue% of Variances
Internal Control System Effectiveness (ICSE)0.846161.51
(<0.001)		13.65073.01
Controls and Procedures Quality (CPQ)0.62380.43
(<0.001)		12.33777.92
Risk Management Quality (RMQ)0.53641.74
(<0.001)		11.94464.81
Internal Audit Quality (IAQ)0.60146.20
(<0.001)		21.25966.70
Compliance Quality (CQ) 0.53697.38
(<0.001)		21.25489.70
Table 15. Correlations Matrix.
Table 15. Correlations Matrix.
MultiSizeGenderAgeICSE_aveCPQ_aveIAQ_aveCQ_aveRMQ_ave
Multi10.562 **−0.052−0.145−0.004−0.1830.091−0.0620.062
Size0.651 **1−0.119−0.0290.111−0.0460.1420.0730.052
Gender−0.052−0.0911−0.446 **−0.025−0.0480.127−0.1010.058
Age−0.151−0.137−0.449 **1−0.042−0.052−0.2030.057−0.158
ICSE_ave0.0150.126−0.031−0.05610.571 **0.563 **0.541 **0.394 **
CPQ_ave−0.188−0.069−0.018−0.0490.695 **10.538 **0.371 **0.290 *
IAQ_ave0.0330.1170.100−0.1510.679 **0.689 **10.557 **0.531 **
CQ_ave−0.1190.0750.046−0.0990.639 **0.593 **0.657 **10.703 **
RMQ_ave−0.0300.0390.058−0.0980.578 **0.591 **0.686 **0.800 **1
Note: The table presents the Pearson correlation coefficients (lower diagonal) and the Spearman correlation coefficients (upper diagonal). **. Correlation is significant at the 0.01 level (2-tailed). *. Correlation is significant at the 0.05 level (2-tailed).
Table 16. Generalized Linear Mixed Model.
Table 16. Generalized Linear Mixed Model.
Fixed Effects a
SourceFdf1df2Sig.
Corrected Model16.2944440.000
CPQ_ave7.6411440.008
IAQ_ave3.0221440.089
CQ_ave3.0811440.086
RMQ_ave0.1441440.706
Fixed Coefficients a
Model TermCoefficientStd. ErrortSig.95% Confidence Interval
LowerUpper
Intercept−0.3600.6341−0.5680.573−1.6380.917
CPQ_ave0.4390.15872.7640.0080.1190.758
IAQ_ave0.4310.24821.7380.089−0.0690.932
CQ_ave0.2990.17031.7550.086−0.0440.642
RMQ_ave−0.0790.2091−0.3790.706−0.5010.342
Random Effect
Random Effect CovarianceEstimateStd. ErrorZSig.95% Confidence Interval
LowerUpper
Var(Multi)0.0080.0390.2010.8404.63 × 10−7130.232
Var(Size)1.234 × 10−12 b
Var(Gender)0.000 b
Var(Age)9.537 × 10−7 b
Note: Probability distribution: Normal, Link function: Identity, Covariance Structure: Variance components, a Target: ICSE_ave, b This parameter is redundant.
Table 17. Ridge Regression Coefficients.
Table 17. Ridge Regression Coefficients.
NPercentR2
SampleTraining3775.5%0.593
Holdout1224.5%0.489
Valid49100.0%
Alpha1.000
Standardizing Values cStandardized CoefficientsUnstandardized Coefficients
Coefficients aMeanStd. Dev.
Intercept b 3.919−0.437
CPQ_ave3.9910.7290.3350.460
IAQ_ave3.9460.4910.1740.354
CQ_ave3.7640.6850.2150.314
RMQ_ave3.7660.693−0.010−0.015
Notes: a Dependent Variable: ICSE_ave, b The intercept is not penalized during estimation, c Values used to standardize predictors for estimation. The dependent variable is not standardized.
Table 18. PLS Regression Coefficients.
Table 18. PLS Regression Coefficients.
Featureoriginal_coefboot_meanboot_std2.5%97.5%p_approx_two_sidedVIP
CPQ_ave 0.40140.39590.09970.2080.59500.00001.5567
IAQ_ave0.12120.12080.0895−0.0390.28560.12400.7647
CQ_ave0.04430.04510.0701−0.0980.18920.55200.3701
RMQ_ave0.02070.01990.0644−0.1120.16320.70800.3103
Training R2 (original ICSE_ave): 0.5895
Training RMSE (original ICSE_ave): 0.5018
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Giannopoulos, V.; Lymperopoulos, A.; Kariofyllas, S.; Kariofyllas, C. Determinants of Internal Control System Effectiveness: Evidence from Greek Listed Companies. Risks 2025, 13, 219. https://doi.org/10.3390/risks13110219

AMA Style

Giannopoulos V, Lymperopoulos A, Kariofyllas S, Kariofyllas C. Determinants of Internal Control System Effectiveness: Evidence from Greek Listed Companies. Risks. 2025; 13(11):219. https://doi.org/10.3390/risks13110219

Chicago/Turabian Style

Giannopoulos, Vasileios, Antonios Lymperopoulos, Spyridon Kariofyllas, and Charalampos Kariofyllas. 2025. "Determinants of Internal Control System Effectiveness: Evidence from Greek Listed Companies" Risks 13, no. 11: 219. https://doi.org/10.3390/risks13110219

APA Style

Giannopoulos, V., Lymperopoulos, A., Kariofyllas, S., & Kariofyllas, C. (2025). Determinants of Internal Control System Effectiveness: Evidence from Greek Listed Companies. Risks, 13(11), 219. https://doi.org/10.3390/risks13110219

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Article metric data becomes available approximately 24 hours after publication online.
Back to TopTop