Developing an Internal Control Model for the Social Security Organization of Iran with a Risk Management Approach

This study aimed to develop an internal control model for the Iranian Social Security Organization with a risk management approach. This exploratory study is applied in terms of objective


Introduction
Nowadays, issues such as the new corporate management system, risk management, and internal control are so profoundly intertwined with organizational excellence and better operations that neglecting them will indeed mark the end of business success.Nowadays, the world faces many challenges arising from the knowledge-based economy, the staggering intensification of changes in various fields, rising customer expectations and competition in various aspects, the global economy's exacerbating vulnerability, and many other emerging phenomena.Business sustainability in such a turbulent environment certainly requires an effective management system, better risk management, the risk in achieving strategic goals and establishing adequate internal control for reasonable assurance of achieving said goals (Khodamipour et al., 2015).The growing size and complexity of enterprises in today's advanced world, the pressures arising from the shortage of resources, the intensifying competition, and the numerous internal or external financial and administrative business risks that threaten organizational objectives and policies have focused governance bodies on effective control of resources and activities as important issues.Internal controls can be essential a significant factor in optimal organizational management.Good internal controls while strengthening effective and efficient control systems is a clear and necessary issue, and its weakness could result in significant losses (Shirvani & Fathi, 2019).Therefore, it is considered essential for every organization to establish an internal control system (Moeller, M. 2011).At the same time, identifying and managing risks in organizational planning is unavoidable for managers to make and monitor decisions.Organizations are under intense pressure to identify all the business risks they face (e.g., social, environmental, financial, and operational) and explain how to manage them reasonably.Therefore, organizational risk management has grown due to the recognition of its advantages over supervision-light approaches (Mahama et al., Z.2023).Meanwhile, internal controls help risk management in different ways.Given the critical role of risk management in businesses, including identifying potentially important events, responding adequately to existing risks, and creating reasonable assurance of achieving organizational goals, implementing risk management requires the proper foundation to ensure the achievement of set goals.This platform facilitates risk management (Bierstaker et al., 2022).Analyzing successful businesses' operational, legal, and financial reporting environments suggests that an extensive internal control network pervades all aspects of businesses.Despite differences, the proximity of internal control goals with risk management suggests that implementing risk management based on internal controls can guarantee successful management toward achieving the set objectives (Naderi et al., 2018).
In this regard, some researchers (Khulkhachieva et al., 2022) showed that the developed risk-based internal control model helps to identify organizational problems in risk management to ensure efficient and continuous operation.Hanh & Huy (2021) significantly correlated with corporate internal controls and risk management functions.Bakar et al. (2020) also showed that internal control components are vital to risk management.Moreover, Vakilifard et al. (2013) showed that potential weaknesses of internal control systems increase the systematic corporate risk index.Fenderski & Safarigharayeli's findings (2018) suggest that internal controls effectively reduce the risk of falling stock prices of companies.The literature regarding the factors affecting internal controls and their effect on risk management indicates that there have yet to be comprehensive studies.Therefore, to fill the research gap, this study aims to formulate an internal control model for risk management in the Social Security Organization of Iran.Given the lack of research in the Social Security Organization regarding important internal control factors and their effect on risk management, a model was designed to better introduce internal controls to the Social Security Organization for risk management.It was the result of the opinions of various experts and presents a comprehensive perspective regarding internal controls and the required mechanisms to ensure its efficacy for risk management in the Social Security Organization, allowing the target population to discover its needs and strive to succeed in this field.To this end, all the important factors in the Social Security Organization's risk management and internal controls were examined by reviewing the literature and extracting the measurement indicators of risk management and internal controls in the Social Security Organization.Then, interviews were held with experts to identify the causal factors and components of risk management and factors affecting internal controls in the Social Security Organization.Next, a qualitative questionnaire was designed to model structural equations, and the final model was implemented after collecting and analyzing data from experts to confirm the model.
There is a clear need for an internal control system in the organization (Belina et al., D. V. 2022).Proper design and implementation of the internal control system will improve the accuracy and efficiency of information systems and the organization's reporting quality to comply with the relevant rules.Therefore, it is crucial to design and implement internal controls for organizations properly.By designing and implementing a suitable internal control system, managers should ensure with reasonable certainty that the predicted goals are achieved, all activities are appropriately implemented, any financial violations, fraud, and misuse of resources and assets are prevented, and to ensure accountability for activities (Esmailikia & Soleimanizadeh, 2018).Moreover, sound internal control can lead to adopting the correct and risky management decisions, increasing the likelihood of failure.At the same time, the pressures of lacking resources, intensifying competition, and various risks in all areas threaten organizational objectives and policies internally and externally.All these factors have caused management to focus on numerous problems, making direct control and personal risk management practically impossible.The indirect control of organizational operations and the senior management's avoidance of all business activities have led management to consider establishing an effective internal control system as an integral part of the efficient management system to fulfill its stewardship duties (Zabihzadeh et al., 2020).
Since most of the Social Security Organization's activities are focused on finance, an internal control system is essential for financial monitoring and risk management.Hence, various models have been designed and introduced for internal controls with specific weaknesses and strengths.The most important reasons for poor internal control systems in the Social Security Organization are the system's traditional and outdated nature.The model proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is the most important and well-known internal control system regarding comprehensiveness, effectiveness, and widespread adoption (Moeller, M. 2011).This study aimed to develop an internal control model for risk management in the Social Security Organization.Therefore, the main research question is, what is the optimal internal control model for risk management in the Social Security Organization?Identifying the factors affecting internal controls and their potential impact on risk management could be essential for the Social Security Organization since identifying these factors can stop the waste of resources and reduce violations of ethical and legal norms in administration, finance, and organizational risk management.
Thus, the following will present the theoretical background, including existing views on the risk management impact of internal controls, followed by the literature review to state the primary research objective.The following section will present the research methodology and findings; the last section will present the research conclusions and recommendations.

Literature Review
In recent years, internal controls have become increasingly important due to their essential role in improving financial reporting quality and financial statement reliability.Legislators and professional organizations have also started to pay attention to and evaluate internal controls.Based on the internal guidelines and monitoring of the publishers listed on the Tehran Stock Exchange and Farabourse, the board of directors must implement the appropriate and effective internal control system to achieve the goals and protect the organizations' assets.The provisions of this guideline require management to evaluate the organization's internal control system at a minimum interval of one year and submit an internal control report to investors and shareholders.Independent auditors should also report and comment on the adequacy and effectiveness of internal controls (Nikjo et al., 2021).Adequate organizational internal controls will mean managers will make better use of accounting and financial reports in decision-making and reasonably ensure the exact and regular implementation of financial and administrative procedures in the organization.An efficient internal control system makes accounting reports more credible (Arjomandnejad, 2016).This idea for the internal control framework is based on control, meaning that any deficiency, inefficiency, and poor performance in achieving objectives is an integral component of the control system.However, environmental changes, including rapid technological and IT breakthroughs, have imposed an environment of competition on businesses and various operational and financial risks.To withstand various risks, businesses should establish effective risk management, and managing, controlling, and reducing risks requires an effective internal control system (Woods et al., 2008).Risk management is a dynamic and recurring process for identifying and analyzing risks toward achieving organizational goals.Generally, there may be a need to revise internal controls in the risk management department to investigate new risks or risks previously considered uncontrollable in appropriate ways.Moreover, in the new framework, inherent risk and fraud risk (manipulation) are more important in risk management, including risk identification, analysis, and response (Sarraf et al., 2015).
After a string of business scandals and failures, such as Enron in 2001 and WorldCom in 2002, there was a demand for more advanced risk management and corporate governance systems.To address the need for principles-based guidance to assist businesses in designing and implementing an enterprise-wide risk management approach, COSO published the report titled "Enterprise Risk Management-Integrated Framework (ERM)."This report was published in 2004 in association with Price Waterhouse Coopers.This developed framework considers internal control an integral part of enterprise risk management.This framework was developed based on internal control concepts and focused on enterprise risk management (COSO, 2004).Enterprise risk management is broader than internal control.In other words, organizational risk management explains internal control and directly focuses on risk.While internal control is integral to enterprise risk management, enterprise risk management is part of the governance process (Moeller, 2011).
Risk management works with a holistic approach to optimal performance control.Implementing a risk management system will improve organizational performance and its status in accordance with the growth of active industries and competitors (Hosseini et al., 2014).Risk management considers four management objectives: macro-level strategic goals, operational efficacy and efficiency, reporting reliability, and compliance with rules and regulations.Gelinas & Dull (2008) and Merna & Al-Thani (2008) believe the risk management process should be dynamic and regularly reviewed.Risk management is a way to mitigate any risks that could harm the organization as it tries to achieve its goals, and it enables the organization to manage common operating risks properly.In other words, risk management refers to risk assessment and implementing appropriate strategies.Risk management helps organizations to achieve their vision while avoiding risks and surprises in the process (Panter, 2012).Organizations are constantly seeking ways of dealing with operating uncertainties.Here, risk management has been introduced as an effective tool for managers.In fact, risk management is risk assessment and devising risk identification strategies.Risk identification and management is a novel approach to strengthening and improving organizational efficacy (Babaei & Vazir Zanjani, 2005).Meanwhile, management will be responsible for corporate risk management.Therefore, the management needs assistance in evaluating projects, monitoring services, and proposing solutions, and the internal control system could help managers address their needs (Staciokas & Rupsys, 2005).
Sutarto & Murtaqi (2022) sought to see whether risk management and internal control are correlated with goal achievement and the degree of correlation.The results showed that risk management and internal control have a moderate and robust correlation with goal achievement.Risk management and internal control also have a strong correlation with goal achievement.Khulkhachieva et al. (2022) presented a risk-based internal control model to correctly identify the risk factors affecting an agricultural organization's output and financial results.The results showed that the developed risk-based internal control model helps to identify organizational problems in risk management to ensure the efficient and continuous operation of the agricultural organization.Valinia et al. (2022) investigated the effect of poor internal controls on stock return fluctuations, realized profit management, and corporate risk.The results indicated that the weak internal control structure significantly impacts the stock return fluctuations of investigated companies.Additionally, companies with a poor internal control structure intervene further in actual activities (natural profit management) and face greater financial risk.
Hanh & Huy (2021) investigated the relationship between internal control, internal audit, and risk management in Vietnamese companies.The results showed that internal control helps to protect company assets, ensure information reliability, and improve organizational efficacy.The results also showed a positive correlation between internal audit and internal control with good governance.Furthermore, the results showed a significant correlation between corporate internal controls and risk management functions.
Ghafari Ghaziani et al. (2021) presented the internal control weakness model based on the accounting quality index control criteria.The results showed a significant correlation between the disclosure of risk components and the weakness of internal controls.However, there was no significant correlation between corporate governance structure (independence of the board of directors, institutional ownership) and the weakness of internal controls.There was also no significant correlation between operational risk and poor internal controls.2020) used the multiple linear regression model to test whether internal control components affect risk management and which internal control components are the main determinants of risk management.The results showed that internal control components, especially business structure, business philosophy, and allocation of power and responsibility, are vital components of risk management.This suggests that organizations should consider the role of internal controls in risk management.
Lisnawati & Apollo's study (2020) investigated the relationship between implementing internal control, regulations, and fraud with risk management.The research models somewhat support the hypotheses that a positive and statistically significant correlation exists between internal control, regulation, risk management, and fraud.Thabit et al. (2019) investigated the effectiveness of internal controls on organizational risk management based on COSO recommendations.The results showed that by strengthening the role of the internal auditor and raising independence and objectivity, internal auditors are essential to improving organizational risk management and internal controls.Fendereski and Safarigharayeli (2018) studied the correlation between internal control efficacy and the risk of falling stock prices.The research findings suggest that internal control effectively reduced the risk of falling company stock prices.While filling the research gap, these findings can be helpful in the decision-making of investors, capital market legislators, and audit market regulators.2018) concluded that internal control influences financial reporting and risk management indicators, which is particularly important.In addition, it can positively affect shareholder rights regarding corporate governance and improve shareholder satisfaction.Vakilifard et al. (2012) investigated the correlation between weak internal controls and systematic risk.The results showed that potential weaknesses of internal control systems increase the systematic corporate risk indicator.

Research Methodology
This study aimed to provide an internal control model for risk management in the Social Security organization and presented a new model, making it an exploratory study.Exploratory research aims to identify unfamiliar phenomena and expand knowledge by theorization.Given its exploratory nature, qualitative methods such as observation and interview were used for data collection.Thus, this qualitative study identifies the primary risk management indicators in the Social Security Organization by examining the literature, and the qualitative stage will follow.In this case, the study will be qualitativequantitative.The combined use of the qualitative and quantitative methods makes this a mixed-method study that characteristically uses the mixed exploratory design.The researcher selected the mixed-method research strategy (mixed method strategy and action research strategy) since, in this strategy, the researcher collects qualitative and quantitative information to explain, examine, and understand a phenomenon.Combining these two types of information provides a better understanding of the problem than merely focusing on one data type.The mixed methods strategy includes The explanatory mixed method design, the exploratory mixed method design, the embedded mixed method design, and the pluralistic mixed method design.The researcher employed the exploratory mixed method design and can also combine the qualitative exploratory data and the quantitative data.
The expansion of insurance and welfare coverage and social security increases life expectancy, improves the conditions and quality of life, and generally improves different (socio-economical) aspects of life.The Social Security Organization of Iran is the largest institution regarding the population covered.Social security is essential to the development of all countries.It is, therefore, essential to identify the factors affecting internal controls in the social security organization and their potential impact on risk management.Therefore, this study selected the social security organization as the statistical population.The statistical population comprised 2000 Social Security Organization financial department employees.The Cochran formula was used to set the size of the research sample.Since there were a total of 2000 participants in the statistical population, the sample size based on the Cochran formula should be 322 as a minimum.A total of 340 questionnaires were distributed and collected from the sample members.The random sampling method was used to determine the sample members.The data was collected through interviews and questionnaires.First, the factors affecting internal controls in the social security organization were obtained from interviews.After identifying the important factors of internal controls, the researcher-made questionnaire for each factor was designed with suitable items after consulting the supervisor and other experts based on the main research questions using the 5-point Likert scale.To evaluate the content and face validity, the questionnaire was delivered to several experts and professors to present their views and recommendations for its improvement.The questionnaire's reliability was also investigated using Cronbach's Alpha at the beginning after the preliminary implementation and collection of the first questionnaires.

Research Stages
There are five stages to this study: Stage One: Obtaining the primary indicators from the theoretical background (studying written sources) First, all written sources, including relevant articles, books, and theses, were studied to discover the scientific boundaries and reach theoretical adequacy.Thus, all existing risk management and internal control models in the Social Security Organization were studied, and risk management and internal control measurement indicators in the Social Security Organization were obtained.
Stage Two: Conducting interviews to identify the critical risk management factors in the Social Security Organization.
Since this study was conducted at the organizational level, experts were selected for interviews.Then, the list of primary criteria obtained with the literature review is used as a guide for interviewing experts, which continues until the answers from interviews converge.Then, the structural equation method in PLS is used to analyze interviews and obtain the risk management model's critical factors in the Social Security Organization based on expert opinion.

Stage Three: Classifying and Identifying Model Components
To identify the model's components, after formulating a questionnaire and evaluating its validity and reliability, data is collected from the statistical population using the snowball sampling method, which is a non-probability method with random selection.Snowball sampling is suitable when the members of a population or group cannot be easily identified.This method is also used for identifying experts in specific fields.Then, exploratory factor analysis is used to analyze the data and classification and identify the model's components.The conceptual model is presented at this stage.

Stage Four: Determining the intensity of correlation between model criteria and components
In this stage, the correlation intensity between the conceptual model's components and criteria was determined using the data from stage three and the structural equation concepts.Then, the collected data was analyzed, and the resulting output produced the final risk management and internal control model in the Social Security Organization.
Stage Five: Ranking the risk management and internal control indicators in the Social Security Organization by applying structural equation modeling A qualitative questionnaire is designed to model structural equations, and the final model is implemented after collecting and analyzing data from experts to confirm the model.

Data Analyses
This study first examined the written sources, including relevant articles, books, and theses, to examine all the important factors in risk management and internal controls in the Social Security Organization and obtain measures of risk management and internal control in the Social Security Organization.Since this study was conducted at the organizational level, experts were selected for interviews using snowball sampling.First, an expert manager with sufficient education and experience was selected, interviewed, and then asked to introduce other individuals with knowledge on the subject.To further enhance the study, there was an attempt to interview knowledgeable and experienced individuals with personal experience.This process continued until the theoretical saturation of data, and finally, data collection ended after interviewing 18 people.At the beginning of the interviews, the study's overall purpose was mentioned while stressing that the interviews would only be used for research purposes while keeping the identity of the individuals confidential in research reports and published articles.After interviews with experts, risk management and factors affecting internal controls in the Social Security Organization were identified.The demographic information of interviewees is as follows: This study investigated the proposed internal control model for risk management in the Social Security Organization.The descriptive statistics of research variables are as follows:

Reliability of Research Variables
According to Table (3), Cronbach's alpha of all constructs is above 0.70, which is the threshold for accepting Cronbach's alpha and suggests that the model is reliable.The results also show that each construct's composite reliability for the excellent model fit is 0.7.According to these values, this relationship is established for all constructs.Table (3) also shows that the average variance extracted for checking the convergent validity of all constructs is more significant than 0.5, suggesting a good construct fit.

Divergent Validity
Finally, divergent validity is the third index for analyzing the fit of measurement models in PLS.There are two methods of evaluating divergent validity in PLS: Developing an Internal Control Model for the Social Security… A) The Fornell & Larcker Criterion As this Table obtained from Fornell & Larcker (1981) shows, the root mean variance of research variables located in the main diagonal entries of the matrix is more significant than their correlation arranged in the lower-left entries of the main diagonal.Therefore, this model's constructs interact more significantly with their criteria than others.In other words, the model has a reasonable divergent Validity.In this model, the highest value is 0.833, and the lowest is 0.387.

B) The Mutual Factor Loadings Method
Factor loadings are obtained by measuring the correlation of a construct's criteria with that structure.Values equal to or greater than 0.4 indicate that the variance between the construct and its criteria is greater than the variance of its measurement error, and the reliability of that model is acceptable.However, some authors, such as Rivard & Huff (1988), have stated 0.5 as the measure of factor loadings.1), for factor loadings of variables to remain in the model, they must be greater than 0.5; otherwise, they will be excluded from the model.However, no variable was removed from this model.In other words, the results and expert interviews showed that the internal control factors of the Social Security Organization include the income bank system, the legal obligations system, compensation, the financial bookkeeping system, the movable and immovable property system, the financial management system, and check issuance requirements.Among these, the financial bookkeeping system has the highest factorial loading.According to interviewees, these are the main factors affecting the Social Security Organization's internal controls, which significantly impact this organization's internal controls.
According to Figure (1), the financial bookkeeping system (0.871), the income bank system (0.864), the financial management system (0.860), the movable and immovable property system (0.834), check issuance requirements (0.812), compensation (0.791), and the legal obligations system (0.798) respectively have the highest impact factor on internal controls, and consequently on risk management in the Social Security Organization.

Structural Equation Modeling
This section presents the structural equation modeling.First, the model's fit is examined, followed by examining the model with significance numbers (rejecting or confirming the hypotheses).Finally, the model is put in the path coefficient and coefficient of determination mode.

Model Fit
The PLS examines the model fitness criterion using the goodness of fit index.After evaluating the fit of the measurement and structural sections, the researcher can use this index to control the overall fit of the research model.Wetzels et al. (2009)  As this Figure shows, the 95% confidence interval requires the significant numbers to be greater than 1.96 to confirm the central hypothesis.As the model's significance values show, the effect of internal control on risk management is confirmed for this variable.As mentioned earlier, this study mainly aimed to investigate the efficacy of internal control on risk management.Table 5 shows the results of examining the main objective.According to the results, the significance level was 0.001, and the p-value was 7.462.Thus, the correlation between internal controls and risk management is confirmed.The coefficient of determination of 0.150 indicates that the independent variable determines 15% of the changes in the dependent variable.The path coefficient of 0.387 indicates a positive and good influence, meaning that one unit of increase in internal control results in a 0.387 increase in risk management.

Conclusion
The results of expert interviews showed that the income bank system, legal obligations system, compensation, financial accounting system, movable and immovable property system, financial management system, and check issuance requirements were significant factors in internal controls and can be used as causal factors and components for identifying and explaining risk management in the Social Security Organization.The results indicate that the financial bookkeeping system, the income bank system, the financial management system, the movable and immovable property system, check issuance requirements, compensation, and the legal obligations system, respectively, have the most significant impact on internal controls and, consequently, on risk management in the Social Security Organization.Internal controls are the procedures and policies used to identify the risks in achieving organizational goals.Internal controls are effective in all organizational functions and an integral part of organizational management, which provides reasonable assurance about the organization achieving its objectives.Given their awareness of the difficulty of achieving the organization's primary objectives and minimizing unexpected events without an effective internal control system, the managers of the Social Security Organization are always trying to determine the best internal controls, which will increase efficiency, reduce possible financial violations and risk of asset loss, and provide reasonable assurance regarding the reliability of financial statements and compliance with laws and regulations.The results shown in Figure ( 1) present the factors influencing the efficacy of internal controls that also have the most significant effect on risk management in the Social Security Organization.By order of effect, these factors include controls related to the financial bookkeeping system (such as checking and controlling bank balances for issuing checks and checking and controlling issued checks), the income bank system (such as checking the discrepancy in income statements (recording possible discrepancies and controlling the amounts recorded in financial books regarding insurance premium and commission by telegraphed receivables), the financial management system (such as checking and controlling the transfer of revolving funds to units, checking and controlling the number of employees, skills, and motivations), the movable and immovable property system (such as constant control and review of property inventory (location and recipient), control and follow-up of cash discrepancies between the bookkeeping system and the movable property system), check issuance requirements (such as the presence of supporting documents for payment and issuance of checks, issuance of checks by the highest authority in the department), compensation (checks and controls regarding the non-payment of allowances and benefits to employees, continuous review and control of salaries, and employee benefits based on regulations with the compensation system), and the legal obligations system (such as examining the use of new banking services regarding the payment of pensions, matching the costs stated in the legal obligations system with the bookkeeping system).
Internal control is a coherent set of financial, operational, and other continuous control processes developed by senior managers to ensure the set objectives are achieved and implemented throughout the Social Security Organization.Therefore, an effective internal control system will improve efficiency and effectiveness and help maintain credibility and goodwill.Indeed, there are several possible functions for an effective internal control system, including achieving proper monitoring and accountability of managers, helping the decision-making process, and achieving effective organizational management, improving the mechanisms related to the proper management of operating risks, strengthening control structures and operations, including segregation of duties for observing the process for obtaining permits and approved rules, resolving discrepancies and reviewing operating performance, improving control measures to prevent, identify, and correct inadequacies in a timely manner, including mistakes, violations, and embezzlement, improving communication and proper and timely and reliable information transfer among all levels of the social security organization, improving the timely and reliable reporting and information system of the Social Security Organization to the relevant authorities, and finally, ensuring that the Social Security Organization observes the rules, regulations, requirements, guidelines, and communications at all levels.Therefore, the operating model explains that the internal control system is expected to influence the risk management approach of the social security organization.The results of this study are statistically consistent with studies by Valinia et al. (2022), Ghafari Ghaziani et al. (2021), Fendereski & Safarigharayeli (2018), Beyrami et al. (2018), Sotaro and Martaghi (2022), Hanh &Huy (2021), andThabit et al. (2019).
According to the results obtained from research objectives, to ensure the specified goals are achieved to some extent, managers in the Social Security Organization should pay attention to the proper execution of operations in all areas, preventing embezzlement, fraud, and misuse of resources and assets, risk management, and realizing operating accountability, making proper use of the funds to improve internal controls related to the income bank system, legal obligations system, compensation, financial accounting system, movable and immovable property system, financial management system, and check issuance requirements as factors influencing internal controls.
The results of the impact factor of the financial bookkeeping system showed that it has the most significant impact on internal controls as a component of internal controls.Given the effect of internal controls on risk management, it is recommended that managers of the Social Security Organization pay attention to controls regarding financial bookkeeping (checking and controlling account balance for check issuance, checking and controlling issued checks (to the order of sellers and the keeping of check bottoms), checking and controlling administrative costs based on transactional instructions, checking and controlling the non-use of unauthorized accounts, and checking the unknown balance of annual incomes to the current year's balance).This will improve the effectiveness of controls related to the financial bookkeeping system on internal controls, thereby increasing the effectiveness of internal controls on risk management.
Given the obtained results and the effectiveness of internal controls and effectiveness of internal controls on risk management, it is recommended that the managers of the Social Security Organization pay attention to the income banking system, the financial obligations system, compensation, the financial bookkeeping system, the movable and immovable property system, the financial management system, and check issuance requirements to improve the effectiveness of internal controls and their effect on risk management.Some conditions in scientific and applied research lie outside the researcher's control and authority.This study is no exception, and one of its most important limitations was the need for similar studies regarding the presentation and explanation of an operational model for internal controls in the Social Security Organization, which limited the researcher in comparing findings.Other limitations of this study were the inability to evaluate and consider the many factors affecting internal controls and the limited data collection period.
Mortazavi et al. (2021) identified the essential factors in establishing the internal control system in banks based on Iran's environmental characteristics.Out of the 119 indicators obtained as influential factors in establishing an internal control system in Iranian banks, the results showed that 113 indicators (the establishment of the control environment (26 indicators), the establishment of risk assessment (26 indicators), the establishment of control activities (27 indicators), the establishment of information and communication (21 indicators), and the monitoring activities (13 indicators) obtained the Delphi process consensus.The factor analysis showed that all 113 were significant.Bakar et al. ( Evaluation of Factor Loadings: The following Figure shows the analysis of factor loadings for each measurement model.

Figure 1 .
Figure 1.Measurement of Factor Loading (Research Measurement Model) Figure 2. The Model in the Significance Values Mode

Table 2 . The Mean and Standard Deviation of Internal Control and Risk Management Scores
Cronbach's alpha and the composite reliability test were used to assess construct validity (convergent and divergent validity) and the reliability of research variables.Table(3) presents the validity and reliability of research variables: