INTERNAL CONTROL: AN ANALYSIS OF THE PERCEPTION OF THE PURCHASING CENTER OF A STATE GOVERNMENT ACCORDING TO THE COSO FRAMEWORK

The internal control systems in public agencies are fundamental instruments for the management of work environments, processes, and risks to which these structures are exposed. Thus, the present work aimed to evaluate the perception of the public servants of the Purchasing Center of a state government regarding the level of adherence to the components of internal control based on the COSO ERM framework. The research was characterized as a case study, in which data collection took place through the application of a questionnaire, structured to the components of COSO ERM, along with a sample of public servants from the Purchase Center, as well as a semi-structured interview with the executive director and participant observation was used to have a more critical view of the perception of those observed. The main results showed a uniform perception of the participants regarding the governance and culture component while the differences found were directed to the performance component, both results report the absence of well-defined governance structures and the inconsistency of information between the public servants. Despite this, the internal control practices carried out in the Purchasing Center, according to the perception of the interviewed groups, present higher levels of adherence to the components of strategy and definition of objectives and review, a result that evidenced the commitment of the Purchasing Center with the strategic planning and monitoring of its activities.

The unstable environment generated by fraud and corruption scandals poses challenges for public administration in managing their organizations. The reflection of this scenario is seen through the strengthening of instruments that promote transparency and accountability in public management.
In this way, internal control frameworks arise, consisting of conceptual control structures that propose methodologies for making risk management systems more effective. Control instruments have been adopted in the public sphere, because, according to Fernandes et al. (2017), the Brazilian State is undergoing an incremental process of implementation of a new management model, proposed in the Management Reform, which uses concepts derived from the private sector together with the public administration.
Among the frameworks proposed internationally, the model of the Committee Of Sponsoring Organizations of the Treadway Commission (COSO) stands out. COSO was developed after several corporate scandals in the United States. These scandals gave rise to the Sarbanex-Oxley Act of 2002, which established governance requirements to be adopted by institutions, including the adoption of an adequate internal control system.
Although the Sarbanes-Oxley Act does not define which model or reference of internal control system should be adopted, according to Dantas et al. (2010), COSO has been, for years, the prevailing practice among public and private organizations. As a consequence of its capacity for organizational flexibility, the model has become internationally used in all management environments.
In the governmental environment, public procurement, according to Cabral et al (2015), is characterized as one of the most regulated processes in Brazil. At the federal level, procurement processes are governed by Law No. 8.666/93, known as the Bidding Law, which defines public purchases as any and all acquisitions of goods, or provision of services contracted by the public administration.
Úbed, Alsua and Carrasco (2015) explain that public procurement acts as an essential tool for the development and improvement of public organizations. However, public procurement processes are constantly exposed to possible failures, which may be of a procedural, legal or financial nature. Despite this finding, there are still few consistent data and information on the operationalization of governance and risk management factors linked to public procurement processes (TERRA, 2016). Therefore, the present study was motivated by the need to understand the perception of levels of internal control that permeate public procurement processes. Studies of this nature have been carried out in federal agencies, that is why the present research innovates by exploring the level of internal control in a State Government, a smaller structure than the agencies of the Federal Public Administration, more specifically exploring the operationalized public procurement processes in the observed state.
For the study of internal control structures, we chose to use the COSO ERM assessment framework, which is the most recent version of the COSO models and because it presents differentials in its approach to risk interpretation, definition of objectives and components for all levels of the organization, in addition to being a model recognized by important public organizations, such as the Federal Audit Court (TCU -Tribunal de Contas da União) (COSO, 2017).
Thinking at the local level, the State Purchasing Center is the entity responsible for operating the bidding processes, thus being an economically important instrument for the State. The activities performed in its environment move large volumes of public resources, which results in the need for robust levels of internal control to help manage risks and guarantee public assets. With this, the present research proposes to answer the following Matos, G. B., Silva, M. D. O. P. & Almeida, K. K. N Internal Control:  problem: What is the perception of the servers and the board of the Purchasing Center of a state government regarding the level of adherence to the internal control components of the COSO ERM framework?
Thus, considering the strengthening of governance structures, risk management and the strengthening of a culture of accountability aimed at the local scope of a state government, the present study is ahead of those carried out previously.

INTERNAL CONTROL IN PUBLIC ADMINISTRATION
A major milestone in Brazilian public administration consists of the implementation of managerialism, marked by the adoption of the values of efficiency and quality in the provision of public services, opening space for greater participation of individuals and civil society organizations in the reconstruction of the State.
According to Sano (2003), the State's improvements, integrated to the new public management, required essential mechanisms for the development of an administration focused on results, with defined objectives and goals. Some of these instruments would enable greater transparency for citizens and the emergence of new concepts such as accountability and risk management.
The discussion about internal controls in Brazil began with the publication of the Accounting Code of the Union, in 1922, in which the performance of the control was established from the perspective of observing and validating the information regarding its legality and formality, as well as how to meet the inspection bodies (Calixto & Velázques, 2005).
According to the Brazilian Accounting Standards Applied to the Public Sector, internal control is a set of resources, methods and procedures adopted by public sector entities in order to contribute to greater operational efficiency. within public and private organizations (Brasil, 2008).
Control is an activity inherent to the State, highlighted in art. 74 of the 1988 Federal Constitution, which provides for internal control systems and their purposes, as well as in Law number 4.320/64, which divides control in public administration into two areas of action, with internal control exercised by each public entity according to its structures and the external control that is exercised by the Legislative Power. The internal control system is carried out in several ways, whose responsability for its maintenance is of everyone integrates the organization. In the execution of this system, it is necessary to pay attention to the guidelines and technical regulations aimed at verifying the legality of the acts and the behavior of the agents, notwithstanding their position or function (Castro, 2014).
There are several benefits arising from an internal control system, such as strengthening the guarantee of process efficiency, allocation of resources, reduction of fraud, waste and risk prevention, in addition to being a decision-making instrument used by the manager (Júnior, 2018).
According to Carvalho Neto and Papariello (2012), internal control must be carried out on a continuous basis, requiring the commitment of the entire institution, through an effective structure with well-defined rules and a committed staff, in order to establish standardized structures that follow internal control assessment models.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is one such internal control assessment model. It proposes to standardize the definitions of controls, defining principles, components, objectives and objects in an integrated way. The COSO model is considered suitable for evaluating internal controls, insofar as it is configured in a flexible methodology, in order to guarantee an efficient execution of the achievement of Matos, G. B., Silva, M. D. O. P. & Almeida, K. K. N Internal Control:  objectives and goals, taking into account the variables that permeate the entire flow of processes (COSO, 2013).
The first framework presented by COSO was launched in 1992, called Internal Control -Integrated Framework, popularly known as COSO I, addressing the structure of an entity's internal control systems. The second framework, Enterprise Risk Management -Integrated Framework or COSO II, sought to expand the scope of internal controls by focusing on risk management incorporated into the existing components of COSO I.
In 2017, the most recent model was launched, the Integrating with Strategy and Performance -COSO ERM, which sought to highlight the importance of considering risks in the process and in establishing strategies to improve the performance of internal controls.
As shown in Figure 1, COSO ERM differs from the others by incorporating contemporary concepts in the development of risk management application, also presenting principles organized into 5 components: i) governance and culture, ii) strategy and definition of objectives, iii) performance, iv) review, v) information, communication and dissemination. The governance and culture component is composed of five principles that establish which values and behaviors should be adopted to strengthen and consolidate the organization's structures. However, the components of strategy and definition of objectives and performance structure the risk management in the organization, in which the risk appetite, the classification of these risks and the possible solutions that can be taken will be defined.
The review and information, disclosure and communication components characterize the organization of actions that will assess the need for changes in internal flows seeking to improve risk management.
Despite the modifications of the COSO models, their structures do not replace each other but complement each other. The evolution of these methodologies demonstrates their flexibility in adapting to different contexts. COSO I focuses on the evaluation of internal controls, COSO II emphasizes risk management and COSO ERM brings the integration of new concepts of strategy and performance into management.
Observing the methodology of COSO ERM in the context of the public sector, specifically focused on its performance within the public procurement activities carried out by the Purchasing Center, it appears that the search for innovation in the provision of public services and in the maintenance of the quality and speed of processes, allied to the development of evaluation technologies by the external control bodies, made it adapt to internal control mechanisms that strengthen its structures and change over time to accompany its needs regarding the implementation of preventive and risks, among others. Studies on the application of internal control frameworks in the governmental area seem to be scarce. Menezes, Libonati and Neves (2015) analyzed the degree of similarity between the elements of the internal control system of the Federal University of Pernambuco (UFPE) and the components of COSO II. They found that in the view of the surveyed university servers, the components of the COSO approach, with the greatest similarity to the entity's internal control elements, are "control environment", "objective setting" and "event identification", respectively presenting between 40% and 70% of presence in respondents' answers. While the components "risk assessment", "response to risks", "control activities", "information and communication" and "monitoring", respectively, presenting between 33% and 38% of presence in the respondents' answers, present dissimilarities. The study also verified conceptual differences between the University's internal controls and the internal control structure proposed by the COSO model. Wanderley et. al (2015) used content analysis of data and information extracted from documentary research and semi-structured interviews, to observe the levels of theoretical and practical harmonization of the acquisition department of the Brazilian Navy, based on the COSO I model. The results showed that the theoretical guidelines, that is, the regulations that define what must be performed by the department's employees, superficially approach the conceptual bases of COSO, through specifically the components of "control environment" and "control activities". However, in terms of practice, there were differences among the servers regarding their knowledge and skills, in addition to the adoption of inconsistent goals and objectives by the agency and non-punctual control procedures. With that, the authors came to the conclusion that divergences such as these can harm the sustainability of an internal control system within the body.
The case study proposed by Gattringer and Marinho (2018) in order to measure the level of internal control operation, according to the COSO I methodology, in the Municipalities of Santa Catarina, showed that schooling, length of service in the body and in the function impact the efficiency of internal control in municipalities. It was also observed that the five components of COSO are satisfactorily preserved by the municipalities, however, the research revealed the need to improve the components "control environment" and "information and communication". It was evidenced that, despite the small difference between the adaptation to the COSO components, the internal control systems effectively contribute to the operational efficiency of Santa Catarina's municipalities.
The research by Sousa, Souto and Nicolau (2017) identified how public and private organizations implement the concept, dimensions of internal control and challenges, based on the COSO I model. The results showed that in both segments, public and private, there is a tendency for organizations to be neither efficient nor effective in their internal control systems, with the greatest difficulties in absorbing and institutionalizing the components of "risk management", "control activities", "control environment" and "information systems and communication". Braga et al. (2018), in a technical report on the application of the COSO I model as a paradigmatic reference for the evaluation of administrative contracts of a public administration entity in the state of Rio de Janeiro, found that the application of the model in contract management made it possible to map gaps and good practices, promoting the improvement of processes, pointing out solutions and favoring the improvement of accountability.
In a study on the perception of employees of a federal agency regarding the adherence of its internal control system to the COSO II methodology, Soares and Junior (2019), found that the components of the model and its principles have a medium level of adherence in internal control of the autarchy, with the exception of the principle focused on integrity and ethical values, which had a high level of adherence, thus demonstrating which are the principles most adopted by the body. Chagas et. al (2019), in a diagnosis of the internal control structures in the Brazilian Navy, through the COSO I approach, realized that the components that add the most within military organizations are monitoring, risk assessment and the control environment and that, in addition, organizations, in general, have shown good levels of internal control.
The studies on the levels of internal control carried out in the Brazilian public sphere, mentioned in this brief review, mostly showed considerable gaps in terms of adherence to internal control systems. No agency was able to fully meet the structures of COSO methodologies, moreover, most studies sought to study and understand agencies at the federal level. With that, the present study explores the lack of work in state and municipal administrations.

Methodological Procedures
The present work is a case study, with participant observation, carried out in the board of the Purchasing Center of a state government, whose characteristics involve the researcher as a member of the investigated entity, with real participation in the object of study. Through participant observation, the researcher had access to internal documents and reports, which allowed the triangulation of data in order to assess the levels of perception of the servers and the board of the Purchasing Center in relation to the internal control components of the COSO ERM framework.
The survey was carried out in the eight departments of the Purchasing Center, which structure six managements, from April 26 to April 30, 2021, with these managements being divided into i) Executive Management of Specification and Standardization; ii) Price Registration Executive Management; iii) Executive Bidding Management; iv) Operational Management of Supplier Registration; v) Operational Management of Materials and Equipment Specifications and vi) Operational Management of Price Research, and two more sectors, the Sorting Sector and the Executive Board.
To make the answers more reliable, the questionnaire link was sent to the servers with the longest service in the Purchasing Center and, necessarily, to the managers, as they understand that the more experienced ones can have a better understanding of the internal control practices of the sector. Thus, the responses of 13 servers were analyzed, as shown in Table 1.

Data Collection and Analysis Instruments
To carry out the research, a questionnaire was applied to the servers and an interview was carried out with the board. The questionnaire was structured with sentences related to the components and principles of the COSO ERM model and the responses were collected by the Google Forms software.
The components of COSO ERM evaluated were: i) governance and culture; ii) strategy and definition of objectives; iii) performance; iv) review, and v) information, dissemination and communication. The sentences were analyzed based on three response options, which were: a. Non-existent level -featuring no adherence to the evaluated COSO ERM internal control component; B. Partial Level -characterizing partial adherence to the component; and c. Total Level -characterizing total adherence to the investigated component in the sentence.
Regarding the Executive Board of the Purchasing Center, an interview was carried out in person, based on the same questions presented to the servers. The semi-structured interview aimed to obtain an insight into the level of internal control present in the structuring of the Purchasing Center, this time from the point of view of the strategic planning of the Purchasing Center's senior management.
The answers obtained in the questionnaires were analyzed based on descriptive statistics, while the semi-structured interview was recorded, transcribed and analyzed based on content and description analysis. According to Bardin (2006), the content analysis process comprises information analysis techniques with the purpose of obtaining indicators that allow the deduction of knowledge from the messages. In the content of the interview, the components and principles of the COSO ERM argued in the answered questions were considered. Subsequently, the content was reviewed and described in order to obtain the levels of internal control, according to the vision of the director who holds a planning position.

State Government Purchasing Center
Within the scope of the Executive Branch of the investigated State, the Purchasing Center studied was implemented in 2006, with the function of commanding, coordinating and executing the control and guidance of activities related to government purchases. Thus, the Purchasing Center is characterized as a department integrated into the State Administration Department, which is a subordinate body to the State Government.
The Purchasing Center is structured by six managements and two sectors, one of the sectors being characterized as the Executive Board. The Executive Board of the Purchasing Center ) is headed by the executive (DECEC -Diretoria Executiva da Central de Compras director who counts on the assistance of a secretary and has the function of coordinating the subordinated sectors, receiving and carrying out the demands of the State Executive Power bodies and interacting with the other departments. Directly reporting to the Executive Board, there are the Executive Managements and the Screening Sector. It was thinking about the decentralization of functions within the board that the Triage Sector was implemented in 2020, responsible for controlling the initial procedural instruction of public procurement processes.
The Screening Sector carries out internal control practices through the application of checklists to safeguard public procurement processes essential for the results of any government's strategic planning and public policies.
In The Price Registration Executive Management (GEREP -Gerência Executiva de Registro de Preços) performs the function of opening bidding processes through the Price Registration System, receiving documents, evaluating them, in addition to controlling and using the Price Registration minutes already in force.
The last management that directly assists the Executive Board of the Purchasing Center is the Executive Bidding Management (GELIC -Diretoria Executiva da Central de Compras é a Gerência Executiva de Licitações), currently composed of the executive manager and 10 (ten) trading teams formed by an auctioneer and two servers from the support team, in addition to the support of an assistant secretary and an intern.
GELIC is responsible for carrying out the bidding processes, developing activities such as receiving the processes, preparing public notices, holding public and online sessions, judging price negotiations, as well as providing information to the TCE (Soares, 2019).
All managements and sectors of the Purchasing Center work to operationalize the public procurement processes related to the state Executive Branch. In this way, they are characterized as an important instrument in the maintenance of public services at the local level. The organizational structure of the Purchasing Center's managements and sectors is arranged as shown in Figure 2

Purchasing Center's Perception of Internal Control
When analyzing the components of the COSO ERM framework, according to the perception of the Purchasing Center servers, it was observed that the internal control practices adopted in the carried out processes, even if informal, are recognized by most servers, which directly reflects on the results found exposed in table 3.
None of the five components of the COSO ERM and their respective principles were considered as non-existent in the work environment and in the performance of their functions, according to the perception of the servers and the Board of Directors of the Purchasing Center. The components of Strategy and Definition of Objectives, Performance and Review were pointed out by the servers with full adherence, which demonstrates that the objectives and risk management practices are already in place in the Purchasing Center routine.
The perception of the board, through the interview, strengthens the perception of the servers. For the director, "the Purchasing Center is constantly seeking to improve its Internal Controls...". The content analysis of the interview showed that, in the perception of the board, the components of Strategy and Definition of Objectives and Review present total adherence, with the components of Governance and Culture, Performance and Information, Communication and Disclosure showing partial adherence. The partial adherence to the aforementioned components comprises the informality of the control structures, as well as for the servers, the Governance and Culture structures are not well structured in the Purchasing Center, also exposing the director in her speech "the lack of structuring of governance in the Purchasing Center is a consequence of the lack of normative instruments that institutionalize it…". This result is directly linked to the lack of autonomy of the public sectors in relation to the legislation that governs them.
Still between both perceptions, from the servers and the board, it was possible to observe divergences regarding the level of adherence to the Performance components. The difference between the strategic and planning views lies in the issue of accountability to senior management.
In the view of the servers, accountability is periodically held to the top management for the activities carried out by them, while in the director's perception this return from the servers is low, thus needing to be demanded by the top management, represented by her. In the interpretation of the question, the civil servants may have suppressed the fact that the rendering of accounts is only made through demanding, while for the top management this fact is more visible, since this demand is their responsibility. In addition, deadlines or periods for the return of activities carried out by the servers may not have been defined within the Purchasing Center, making the need for this greater for the director.
Despite this, the operational and planning vision being in tune with the other components of strategy and definition of objectives, review and information, communication and dissemination, confirms the finding that the objectives of the Purchasing Center are defined at all hierarchical levels. In addition, it suggests that the operational team is aligned with the strategies stipulated by the senior management of the Purchasing Center in order to achieve the expected objectives.
In parts, all the internal control practices used in the Purchasing Center are similar to the COSO ERM model, highlighting the review component which, in both perceptions, was the component that fully complied with the internal control structures proposed by COSO, thus concluding that, despite the differences noted, the Purchasing Center has considerable levels, that is, high levels of adherence to the internal control components of the COSO ERM framework. Matos, G. B., Silva, M. D. O. P. & Almeida, K. K. N Internal Control:

DISCUSSION OF RESULTS
In the evaluation of the results by component, there were total levels of adherence to three of these, being strategy and definition of objectives, performance and review. Adherence to these components reflects the existence of the dissemination of organizational pillars within the Purchasing Center, which has its objectives defined and in accordance with the general principles of the organizational environment. In addition, they call attention to the operationalization of the identification and treatment of risks.
In the director's view, the components strategy and definition of objectives and review showed high levels of adherence to the COSO ERM methodology. Adherence to these components reflects that senior management perceives the importance of risk management linked to the performance of activities carried out in the Purchasing Center.
Also, the joint analysis of both groups revealed a uniform perception regarding partial levels of adherence of the governance and culture and information, communication and dissemination components. This common perception reports the absence of well-defined governance structures that can cause the organizational internal control system to become misaligned. However, as an alternative to such results, it is suggested the standardization and formalization of these structures through operational procedures such as the development and review of policies, norms, manuals and internal regulations.
The results also showed divergences in the findings regarding the performance component. The disagreement regarding the periodicity of accountability can be justified by the fact that the top management is directly responsible for the collection of these actions, which allows it to add more relevance to this activity. This divergence could be dealt with with the implementation of an organizational calendar, in which it would be agreed between the operational and the planning sector when and how the accountability of the activities performed would be given, such an instrument would help the control of activities and the identification of possible risk events.
Also, the results found showed disagreement between the studies by Menezes et. al. (2015) and Wanderley et. al. (2015), who showed differences between the internal control systems of public bodies and the components proposed by the COSO model. The difference between the results is directly linked to the evolution and strengthening of internal control structures in the public sphere.
The strengthening of transparency and accountability structures within the Purchasing Center can provide elements that will assist in the performance of safer and more reliable processes, in addition to reducing information asymmetry. The investigated State has one of the best transparency indices in its management, therefore, with the strengthening of internal control in the Purchasing Center, processes that fail in the future can be avoided, which may harm the provision of public services or contribute to increasing the indices of economy in the bids.

CONCLUSION
The main objective of the present work was to evaluate the perception of the servers and the board of the Purchasing Center of a state government regarding the level of adherence to the internal control components of the COSO ERM framework. To achieve this objective, we sought to identify internal control practices in the operational perception, that is, of the servers, and in the planning perception, of the direction of the Purchasing Center, linked to the components and principles of the COSO ERM.
Based on the perception of the servers and of the board, it was possible to verify that the Purchasing Center has high levels of adherence to the components of internal control of Matos, G. B., Silva, M. D. O. P. & Almeida, K. K. N Internal Control:  COSO ERM, despite these good levels highlighted, it is also important to continue the construction of an accountability culture.
It is observed as the main limitations of this research, that there was not adhesion of all the servers of the Purchasing Center, since the selection of the investigated subjects was directly affected by the unavailability of some due to the pandemic context established by Covid-19. In addition, the data collection instrument used, the questionnaire, has restrictions when trying to assess individuals' perceptions.
In this sense, it is up to future research to identify the levels of adherence to the internal control components of the COSO model within the scope of other public sector entities, given that this is a study that is believed to present change as new normative instruments are approved, increasingly institutionalizing internal control in public administration. It is also recommended to carry out a similar study, but with a focus on risk management.