Analysis of Manager and Teacher Opinions on the Management of School Risks in the Framework of the Internal Control Risk Management Model 1

In order for the educational processes in schools to be carried out as designed, all internal and external elements of the school should be in harmony and cooperation. In order to achieve this harmony, it is necessary to determine the situation of the school correctly and to manage the risks defined as uncertainty and opportunities for the future. The most important condition for making the right interventions are against risks are to develop measures by taking advantage of the experiences of people who are exposed to risks and who are most affected by these risks. In this way, the effectiveness and efficiency of the school can be increased. In this study conducted in this context, the opinions of school administrators and teachers on the measures that can be taken for risks that are considered to be of high importance in schools were examined. The study groups of the study consist of school administrators and teachers working in public high schools affiliated to the Ministry of National Education in Niğde city center. According to the results of the research carried out in qualitative design, regular inspections and risk analyzes of schools are among the measures that can be taken against risks with high scores, that the administrators appointed on the basis of merit are open to communication, fair, competent and impartial, and school staff create a corporate culture based on love, respect and mutual trust and the recommendations to respect disciplinary rules come to the fore.

Introduction each decision made in the institution to take precautions against these risks and determine whether the resulting return is adequate against the risk assumed (Tüzün, 2002).
For organizations, taking risks related to any future situation similar to the personal life, minimizing the size of the losses and maximizing the benefits; these events depend on early detection and preparation of the most appropriate actions (Derici et al., 2007). In this respect, Crouhy et al. (2000) argues that risk is a key to successful management. Therefore, it is necessary to make choices and make decisions in order to cope with the uncertainties that create profit and loss. In this regard, risk is not a destiny, but a choice. The actions we take with courage actually depend on how free we are in our choices. In other words, risk perception is a process with socio-psychological aspect (Bakkal, et al., 2016).
The source of the risks is future unknown events and uncertainties in the area of activity in which the organization operates. Therefore, organizations that focus on different risks according to their needs in their areas of operation need an effective risk management system to minimize the loss of uncertainties. Deciding which risks can be avoided, which ones prevented, and which risks can be undertaken is the most critical process in risk management. Necessary measures must be taken to avoid any potential future risks being negatively affected and these risks must be managed well and turned into opportunities. Otherwise, crises that occur as a result of risks will have many adverse effects. Risk management for organizations and businesses is seen as the most important way of eliminating the negative effects that are thought to hinder future strategies. Bolgün & Akçay (2009) states that organizations are required to take initiatives that may have different consequences in order to maintain their competitive edge. The likelihood of these results being realized also determines the risks that may arise during the execution of the organization's activities. Determining and managing factors that may disrupt the operations and services of the institutions and undermine their credibility is essential for achieving their fundamental strategies. This approach and understanding have introduced the concept of "Risk Management" (Fıkırkoca, 2003;FERMA, 2014). Risk management involves the planning, management and control processes of the necessary measures to ensure that organizations continue to operate efficiently, maintain the organization's ability to earn by ensuring the assets and resources of the organization, and to undertake the necessary measures to overcome unexpected losses at the least cost (Emhan, 2009).
Establishing an effective risk management system in the organization is one of the most important factors for making the right decisions. In this context, risk management is defined as the process of taking advantage of opportunities that will increase the success of the organization by identifying and eliminating the risks that may prevent the organization from achieving its goal or reducing them to an acceptable level (Kızılboğa, 2012). In other words, risk management can be defined as the process of preparing the organization and mitigating the effects of the shocks that result from risks. Risk management will play an active role to make the organization resistant to negative shocks, increase and protect its functional capabilities (WDR., 2014).
Risk management is performed in all organizations, whether or not it is noticed. Risk management in some organizations is handled more seriously and systematically implemented.
Instead of implementing risk management as a system, some organizations use a traditional perspective when making daily routine decisions. According to Arslan (2008), a good risk management is a systematic approach that involves identifying, assessing and managing all risks that may affect the organization and enhances confidence in achieving desired results, limits threats to an acceptable level, ensures decisions are made to take advantage of opportunities with the necessary information available, and helps increase stakeholders' trust in corporate management. The most challenging issue for managers in risk management is to make decisions about the risk level to be undertaken in the process of achieving the objectives. In order to make the risk level decisions that can be taken properly, the organization must have a risk management system installed and its processes implemented systematically.
If the risk can be accurately defined and measured, it can be manageable. Administration can prevent these risks through the controls it develops, and avoid risks by abandoning its purpose in that direction, can transfer risks using methods such as insurance etc., or reduce the residual risks to an acceptable level as a result of the controls. The administration is responsible for which of these methods will be used. It is not possible to avoid all risks and control all risks, and it is clear that all risks cannot be managed with the same methods. The traditional risk management approach of businesses involves identifying risks and taking the necessary measures to avoid them. Therefore, businesses are trying to reduce their potential loss size by setting limits for activities that may reveal risks (Keskin, 2006).
There will be a cost when the risks are not intervened, and there will be a cost for interventions to manage these risks. What is important here is that the cost to control the risks remains below the losses that may occur when the risks are realized. Otherwise, an undesirable situation occurs by exceeding the harm, benefits of interventions on behalf of risk management (Güleç & Gökmen, 2009). Risk management aims to ensure the risks and the extent to which the process should be undertaken in order to achieve the desired service or benefit level. Risk management is a tool used to achieve the desired risk-benefit balance (TUSIAD, 2008).
Risk management was previously used as a purely risk mitigation, but later on consensus was that it should be regarded as a strategic effort that completes and supports the activities of the organization (Özer, 2008). Risk management is based on the best available information, creates and maintains value; eliminates uncertainty by explaining it and is an integral part of decision making and organization processes; dynamic, repetitive and change-sensitive, systematic and has good time management; is designed specifically for the situation within the organization and ensures continuous development; transparent and inclusive, considers human and cultural factors (Crawford, 2012).
In summary, risk management is an integral part of making decisions for good management that enable informed decision making, and supports effective and efficient use of corporate resources and since it is a managing issue, all management functions are also applicable to risk management (Fıkırkoca, 2003). In light of these definitions, we can explain risk management as systematic management policies and procedures established in the processes of identifying, analyzing, assessing, struggling and monitoring risks.
All organizations may face risks such as inefficiency, deviation from objectives, waste, cheat and abuse while carrying out their activities. The public sector may be more likely to face the mentioned risks due to the fact that service areas in the public sector differ in structure with the private sector. Public education institutions are among these sectors with different risks. Moreover, the operating objectives of the educational sector are very large, irregular, ambiguous, blurred and sometimes conflicting, leading to problems in which indicators and performance targets cannot be measured directly (Fisher, 1993: 70). In order to address all of these problems arising from the structure of public institutions and organizations, and to ensure effective, efficient and economic use of assets, it was understood that the risk management practices implemented in the private sector must be created in public institutions as well. Five independent professional organizations in the United States came together to form COSO (Committee of Sponsoring Organization) in 1985. The internal control model designed by COSO in 1992 was adopted as a risk management model in all public institutions in our country by implementing the necessary legal regulations.
Today, COSO's internal control model, designed and developed worldwide, is used in a wide range of industries as a professional management model that envisages the creation of an appropriate organizational environment to fulfill the objectives of public institutions and private organizations, identifying and assessing risks that prevent the organization from achieving its goals, deciding on how to respond to the risks assessed, providing information and communication between the units related to the control activities implemented, and continuous monitoring of control actions.
Internal control consisting of many interrelated elements is created by interacting with employees at each level of the organization. Internal control is a chain of movements that has penetrated the activities carried out in the organization, not a single activity, situation or event (Saltık, 2007: 5). It is integrated with planning, organization, directing and auditing (control) from the functions of internal control management theories, a self-regulating system during the execution of operations, and an interactive management tool created in line with the business workflows and used by the management (Tuan, 2009). The internal control model developed by COSO consists of the main components such as "control environment", "risk assessment", "control activities", "information and communication", and "monitoring".
Control environment component composed of sub-components such as ethical values and integrity, mission, organizational structure, adequacy and performance of personnel and delegation of authority. The control environment is a component that defines the infrastructure, rules and culture requirements that need to be established for the organization to function properly.
Risk assessment component composed of sub-components such as planning, scheduling, risk identification and assessment. Risk assessment is a component that defines the conditions for determining and assessing the risks that may prevent the organization's short-and long-term plans and the achievement of the objectives set in this plan. Monitoring component composed of sub-components such as assessment of internal control and internal audit. Monitoring is a component that aims to determine whether the procedures and controls are properly designed in the organization, whether there are errors or disruptions in the operation, and whether all elements work effectively and sufficiently to complement each other.
Internal control is a multi-dimensional model that aims to ensure that the activities undertaken by the organizations are effective, efficient and economic, to create reliable reports in the organization, and to carry out activities in line with the legislation in the environment in which the organization is located. Today, an internal control system based on the COSO model is adopted and implemented in many countries of the world, including the European Union.
Persons who implement and operate internal control are those who work in the organization.
For this reason, the responsibility for the successful establishment and maintenance of internal control lies with the managers and employees at all levels. According to Gönülaçar (2007), internal control should be regarded as an essential element of the system used in the regulation and direction of managerial activities rather than a separate system in the organization.
In recent years, the importance of risk management has been better understood so that businesses and public and educational institutions can best respond to the risks they face, even though their structures, sizes and sectors are different. Furthermore, organizations are becoming more aware of the risks they face, the rating and how they should manage them. These risks are not only limited to financial risks, but also involve all types of risks such as legal, ethical, educational, social and environmental risks (Erdoğan, 2009).
According to Root (1998), risk assessment is a systematic process that involves identifying the risks that may arise in order to achieve the objectives and targets of the organization, the probability of occurrence of these risks by taking into account and the analysis of the results that will be caused, and this assessment is the basis for managing the risks. Risk management is a process in which senior management, interim managers and all level employees play an active role in the organization. Managing the risks identified in the organization with the same approach is called "Corporate Risk Management". Corporate risk management is the risk management processes that cover the entire organization and envisages and manages risks as a whole. Risk management consists of successive processes such as identifying the risks that may hinder the targets, assessing the identified risks, responding to the assessed risks, and monitoring and reviewing these responses, starting with the determination of the corporate objectives at the strategic planning stage.
Risks that may prevent the organization from achieving its objectives are identified in the risk management process. Management against these risks determines the organization's risk acceptance level (risk appetite). Risks are assessed and analyzed in accordance with the level of acceptability, and precaution-control is performed against risks. Responses to risks may be accepting risk, controlling and mitigating risk, transferring risk or avoid risk in a manner that is proportional to the importance of risk. Accordingly, considering the risk assessment of the institution based on the risk acceptance level of the institution, the responses to the risks should be determined, the threats that may arise should be reduced and opportunities should be considered. Measures to be taken by performing a benefit cost analysis should not cost higher than the consequences of the risks and should be proportionate to the risk (Hubbard, 2003). The purpose of responding to risks is to reduce the likelihood of the risk to occur and its impact if it occurs and to achieve the planned goals faster.
Once the risks are identified and assessed, the stage of dealing with the risks should begin.
Management should decide whether to accept risks identified in the organization, try to reduce control procedures and risks, transfer them out of the organization, or avoid them (Dinapoli, 2007). In this sense, risk avoidance, risk mitigation, risk taking and sharing are among the techniques used for risk management.
If the risks are accepted as they are, the activities of the institution regarding risky transactions are continued. No action is taken against risk. Transfer of risks means assigning the risks under the responsibility of the institution to other institutions or persons by means of insurance, tender etc. In the event of risk avoidance, the company does not perform operations in this direction by abandoning risky transactions. Each technique to be used depends on the situation. In order to determine which technique can be used at which risk, management must calculate loss probability, size of loss and how to compensate if loss occurs. No decision should be made without considering all possibilities for benefit and loss (Saka, 2006). Regarding the uncontrolled risks, managers must decide whether to accept or eliminate risks; reduce the level of corporate activities. Furthermore, decisions must be made in line with the answers to such questions as "Which risks have priority?
What happens if I accept the risk? Can we reduce costs when I transfer the risk? Can we achieve our goals if we avoid risks or postpone activity? Is the size of the risk taken proportional to the size of the opportunity?" in regards to how risks should be answered. COSO (2004) states that there is always some risk due to lack of resources and limitations in the internal control system. Likewise, it is important to make sure that responses to certain risks are not too much. The company will suffer from insufficient controls as well as excessive controls against risks. In addition to some adverse effects due to risks, different opportunities may be encountered in the organization. Predetermined strategies must be found to take advantage of these opportunities that will contribute to the organization's goal. These strategies make the organization prepared for opportunities and take advantage of these opportunities while managing risks. Taking a certain amount of additional risk at a reasonable additional cost may be considered as a managerial choice where the benefit from the opportunities encountered is considered important.
According to the internal control, control activities are policies, procedures and measures that are established and implemented by the institution management in order to reduce the impact and probability of the risks that may affect the organization's ability to achieve its goals. Choosing well in control actions depends on performing the risk assessment processes correctly. Management activities must be carried out in accordance with risk management principles and must plan and discipline controls against risks to ensure reasonable assurance. Control activities are implemented for both subunit functions and management level of the organization. Each control action may have a different purpose, and these actions can be implemented at the entire organization level, as well as at a process, function or unit level (Reduce, 1999). It is important that control activities are consistent, comprehensible, applicable, reasonable and comprehensive for the purposes as planned. Since it is important that these controls are as easy to implement as they are designed, they must be established considering the institutional capacity (Koçak Şen, 2008).
Organizations may use a variety of control activities to cope with the risks that may hinder or slow down operations. Some of the controls designed against risks are to prevent the consequences of risks before they occur (preventive controls), some to guide them to achieve a certain result (directive controls), some to identify the consequences of the risks (identifying controls), some to correct the consequences of the risks (corrective controls) (Sawyer et al., 2003). While control activities are commonly classified under these four headings, they can also be identified under different headings, if deemed necessary based on the organization's structure, area of activity and nature of risks. None of these control activities can provide solutions to all risks of the organization on its own. For some risks, a single control activity may be sufficient, while for some, the combination of various control activities may be required, and in some cases a control activity may be replaced with other control activity.
The COSO internal control model, which is the most widely adopted and used international risk management model, has also been adopted as a risk management model in Turkey with the law number 5018. Since 2003, the company has been striving to put in place the internal control system by adopting legislation in many areas so that all public institutions can effectively manage the risks they may be exposed to. In this context, the administrations, that need to carry out strategic plan preparation and implementation activities and risk management activities simultaneously, must consider the risk management cycle (identify -evaluate -answer -report -review) in all stages that begin with the determination of the objectives of the organization in the preparation stages for strategic planning and are concluded by ascertaining whether these objectives are met as foreseen (COSO, 2002;KİKR, 2014). Furthermore, analyzing various possibilities that may pose risks through risk management tools helps to keep corporate risks within the limits that can be managed substantially in strategic planning processes (Tunç, 2014).
In the literature review, although some researches were found on the risks and internal control that may occur in educational institutions, no studies have been conducted to determine the risks according to the internal control model and what measures can be taken against these risks. When studies on school risks are examined, it is observed that the majority of these studies were conducted in relation to the violent behavior and bad habits of students, while others examined the risk management processes of higher education institutions (Çalışkan Maya, 2008;Ersöz, 2012;Tekşen, 2014;Maya, 2019).
As mentioned in the previous sections, it is inevitable that if problems arising from schools, which are the implementation workshops of the education system, are not solved in time, it can grow even further and lead to many new issues related to it. In this study, based on the risk management approach, which argues that growing and chronic problems cannot be overcome by superficial measures, and that the most effective way of dealing with problems should be prevented before these problems occur, the answer for the sentence of "What are the administrator's and teachers' opinions regarding the measures (control) that can be taken for the risks that are considered high in school?" was sought.

Method
In this study, an individual or situational approach was adopted and phenomenology design was used from qualitative research designs. Qualitative research aims to understand the causes of human behavior. In the phenomenology design, the researcher studies the world of the participant and identifies the reactions and perceptions of the participants (Fraenkel et al., 2012). In this way, it is aimed to reveal and interpret individual perceptions or perspectives regarding a particular phenomenon (Yıldırım & Şimşek, 2013). Furthermore, the analysis conducted in the phenomenological design aim to conceptualize data and to reveal themes that can define facts.

Participants
The universe of the study is composed of all school administrators and teachers who work in public high schools under the Ministry of National Education in the city center of Niğde in the 2017-2018 school years. The study group was determined by the maximum variation sampling, one of the purposive sampling methods, among the administrators and teachers working in these schools. The purposeful sampling allows the study of situations that are thought to be rich in information. In this regard, the sampling method is useful in many cases for explaining and exploring facts and events.
The maximum variation sampling is to create a relatively small sample and to maximize the variety of individuals who can take part in the problems studied in this sample (Creswell, 2006;Yıldırım & Şimşek, 2013). The reason for taking a purposeful sampling is to get the opinions of administrators and teachers working in different school types on managing risks and to show how schools can be better managed.
For this purpose, variation is taken according to the task, seniority and school type. Within the scope of the study, a total of 22 voluntary participants; 3 school principals, 8 vice principals and 11 teachers working in 6 different school types (high school) were interviewed. 6 of the participants were in Anatolian High School (1 male principal, 2 male vice principals, 1 male -2 female teacher), 2 of them in Science High School (1 male vice principal, 1 male teacher) and 5 of them in Anatolian Imam Hatip High School (1 male principal, 1 male vice principal, 1 male -2 female teacher), 5 of them in Vocational Technical Anatolian High School (1 male principal, 1 female vice principal, 2 male -1 female teacher), 2 of them from Fine Arts High School (1 female vice principal, 1 female teacher) and Regarding the school administrators and teachers in the working group; 6 have 1-10 years, 9 have 11-20 years and 7 have more than 21 years of professional seniority.

Data Collection Tools
In order to collect data within the scope of the research, the high-score risks that arise from the implementation of the "School Internal Risks Assessment Scale", which was previously developed by the same researchers, independently from this research, were discussed. In this study, "Interview Form for Measures (Controls) to be Taken Against Internal Risks" was developed regarding the risks assessed as high risk at the scale mentioned above. Interviews were made with school administrators and teachers through this semi-structured interview form. This form contains 10 open-ended questions. These questions, which constitute the interview form, aim to determine the measures (controls) to be taken against the risks assessed by school administrators and teachers with highscores in the school internal risks assessment scale.
There are 47 items consisting of five-point grading to determine school risks of school administrators and teachers in the school internal risks assessment scale developed by the same researchers (Ak & Şahin, 2021). As a result of the implementation of this scale, 10 of the 47 risks were assessed by the participants with a higher score than other risks. The Interview Form has been developed regarding the measures to be taken for these high-score risks, and it is aimed to determine what measures (controls) can be taken in schools against the risks assessed as high-score with the 10 interview questions in this form.
With the interview form prepared, a pre-trial application was made for 2 school administrators and 1 teacher, and no changes were made to this form according to their answers. Afterwards, separate and face-to-face interviews were conducted with 11 school administrators and 11 teachers working at the schools covered by the study and voluntarily participating in the study. During the interviews with the participants, permission was requested to record the audio and take notes during the interview, and the meetings of the participants who deemed appropriate were recorded. During the interviews, repeated inquiries were conducted to ensure the saturation of the collected data.
Additional explanations were made in a way that the participants would understand when the interview questions were not understood.

Data Analysis
In this study, the descriptive analysis (Yıldırım & Şimşek, 2013) approach used for research in which the conceptual structure of the research was clearly stated in advance was adopted. The analysis and interpretations of qualitative data collected as part of the research are described below.
With the research problem, as a result of the application of the internal risk assessment scale developed by the same researchers before (Ak ve Şahin, 2019), it was tried to put forward the opinions about what measures can be taken by the administrators and teachers against the risks with high risk scores and how these risks should be managed. In this context, the interview form prepared for the views of the participants included P1, P2, ... for principals, Vp1, Vp2, ... for vice principals and "T1, T2, ..." for the teachers. Afterwards, the transcripts of the interviews with the administrators and teachers were written and recorded on the computer. In order to prevent data losses that may occur during this transfer process, the records of the four interviews that the researcher has identified randomly were given to another specialist for review. During the review conducted by the specialist, it was reported that there was no difference between the records and transcripts. The data obtained from the interview form were thoroughly examined and coded with an inductive approach, adhering to the essence of the statements. Then the codes were combined to examine the similarity and differences, and common aspects of similar codes were found and categorized according to the following themes. The themes specified for the controls (measures) suggested by the participants against risks consist of the types of controls (measures) defined in the literature as identifying controls, preventive controls, directive controls and corrective controls. Some of the controls designed against risks are to prevent the consequences of risks before they occur (preventive controls), some to guide them to achieve a certain result (directive controls), some to identify the consequences of the risks (identifying controls), some to correct the consequences of the risks (corrective controls) (Sawyer et al., 2003). Although some controls (measures) fall within the scope of two or more control types, they are categorized under that control type, whichever is more dominant.
The audio recordings collected during the interviews were made into text by the researcher and analyzed. For the analysis performed, the data were first encoded and then the findings were interpreted by classifying them according to themes, categories and sub-categories. In order to obtain reliable results in qualitative research, the coding and thematization that different individuals have performed with the same data must be consistent. These encoding and thematization procedures by more than one person enable the assessment of the reliability of the research (Weber, 1990). In this context, the breakdown of the interviews collected as part of the research was made according to the themes determined by the coding key. Assistance was obtained from a specialist to ensure consistency between encoders. The transcripts of the 3 randomly determined interview forms, which correspond to 25 percent of all interview forms (Gay, 1987), were individually encoded by the researcher and the specialist. Miles and Huberman's (1994) formula (reliability = agreement / consensus + disagreement) was applied and the coefficient percentage of reliability was calculated as 88.25 according to the calculations. According to this formula that ensures internal consistency, there must be at least 80% consensus among encoders (Gay, 1987;Miles & Huberman, 1994). Since reliability was achieved according to this result, the research continued.
In order to ensure credibility in qualitative studies, some of the participants were read the transcripts of the interviews in order to obtain participant approval, and the participants were asked to Educational Policy Analysis and Strategic Research, V16, N2, 2021 © 2021 INASED 220 state whether the records and what the participants wanted to say corresponded to each other. In addition, it has been observed that some of the participants expressed multiple views on the same question. Since it is possible to express qualitative data in numbers at a certain level, frequencies related to codes and themes were calculated. Participants' views were given in their original form, taking care to present the statements directly to the reader without adding the researcher's own views and comments, thus external validity was tried to be achieved. The results of the research were shared with 2 administrators and 2 teachers who were consulted with them as part of the research and the approval of the participants was obtained. Internal validity was tried to be increased by consulting specialists' views during both the approval of the participants and the preparation of the questions.

Findings
The views of school administrators and teachers gathered with semi-structured interview forms on how to check high-risk situations in schools and what measures to take against these risks were analyzed using qualitative research methods.
The analysis of the findings of the participants' views on what the measures (controls) to be taken for the risks that are considered high in importance are given below.
1. The participants' views on the measures to be taken against the risk of "Failure to apply disciplinary provisions for students who do not obey the rules" are presented in Table 1. Applying disciplinary rules equally to every student without discriminating 1 2 3 Not leaving students unattended 1 1 2 Ignoring some negative minor behaviors of students 1 1 Total 8 11 19 Directive Controls Announcement and good explanation of school rules 2 4 6 Directing students to projects, social activities and community service that will fill their free time 2 3 5 Determining the school rules with the students 1 2 3 Providing effective information and guidance to students and parents "School and discipline rules should be posted on boards, and should be well explained to students by teachers and administrators." (P2) "…Teachers and administrators should show a common attitude towards students who break discipline and discipline should not be compromised." (Vp2) "If one teacher or administrator turns a blind eye what the other one cares and encourages it to discipline, contradictory practices occur, and brazen students use this situation…" (T6) "…the deterrence of applicable disciplinary penalties and the power of sanction should be increased..." (Vp4), "…students who constantly violate the rules should also be dismissed from the school and directed to the open education system. Because these kids set bad example for other students at school and lead them to indiscipline." (T9), In summary, participants argue that this risk can be solved through communication, effective guidance and a common determined attitude. Some participants suggest that every adverse behavior should not be sentenced disciplinary punishment and minor undisciplined actions may be ignored, while some participants argue that legal provisions should be applied without compromise, otherwise the risk will increase.

2.
The participants' views on the measures to be taken against the risk of "Disruption of audit tasks by administrators" are given in Table 2. When Table 2 is examined, it is seen that the participant views are grouped under the types of preventive, directive and identifying controls, and preventive and directive controls are predominant among the control types. Views of some participants regarding this risk are as follows: "If the administrators are trained on the management and audit tasks they will perform based on merit, the risk of disrupting the audit assignment is eliminated...." (T11) "In order to avoid disruptions in school, school administrators should be better trained in relations with people and legislation than other staff …" (Vp5) "The work done by the administrators and whether the class audits are done correctly should be checked by inspectors. …" (T3) "…in addition, audit tasks should be performed in an appropriate and understanding manner without being turned into a repressive element. Saying the right rule with the wrong style can reduce the acceptance level of that rule.…" (T2) In summary, participants of this risk claim that this risk can be controlled by the fair, equal and consistent behavior of the school administrators appointed on a merit basis and by the awarenessraising education programs offered at the school. Some participants also suggested that periodic auditing of administrators would reduce this risk.
3. The participants' views on the measures to be taken against the risk of "Not taking measures to be taken by determining risks that prevent the institution from achieving its objectives" are given in Table 3.

4.
The participants' views on the measures to be taken against the risk of "Failure to determine and implement principles that will prevent ideological, political and the union groupings among staff" are given in Table 4. Organizing social events that involve all staff in the school to increase the sense of belonging and strengthen communication 2 3 5 Receiving the views of the staff in administrative matters and assignments 1 3 4 To take the principle decisions to avoid political and discriminatory rhetoric during school meetings 1 1 Rewarding those who devote more and contribute to achieving the school's objectives 1 1 Total 8 10 18 When Table 4 is examined, it is seen that the views of administrators and teachers are collected under preventive and directive control types. Some of the views on this risk are as follows: "...conflicts and groupings do not occur if all staff, regardless of their political views and ideological perspectives, refrains from expressing their views in educational institutions. Otherwise, these groupings will be reflected on the students and reduce the quality of education..." (P3) "...those who do politics at school must not be allowed and punished..." (T4) "...in order to prevent such groupings at school, especially the administrators must be impartial and fair, the staff and events must be prejudiced, and the assignments must be transparent." "All education unions should be given equal opportunities to express their views, be open to criticism and no one should be excluded..." (Vp3) "...we should not use discriminatory attitudes and expressions especially in the presence of students." (T7) In summary, most participants stated that this risk can be controlled if all staff in educational institutions avoids discriminatory attitudes and statements, regardless of their political views and ideological point of view, and emphasized that the administrators must approach staff and events without prejudice, impartiality and fairness. A few participants argue that political and union activities should not be allowed in school.

5.
The participants' views on the measures to be taken against the risk of "The risk that the quality of the undergraduate and formation education teachers receive is not sufficient for the coursesubject they will teach" are given in Table 5. Making changes to the education system with long-term rather than immediate planning 2 3 5 Completing all the courses by teachers of their own branch 3 3 To pay attention to pedagogical formation in universities and to increase the duration of applied education 1 1 2 When Table 5 is examined, it is seen that participant views are collected under four basic control types and preventive controls and directive controls are predominant among them. In this regard, the views of the participants are as follows; "The Ministry should not appoint from different branches." (T5) "Great importance should be given to the pedagogical formation courses of prospective teachers at universities. Because it is much more different to know a subject and to explain it in a way that others can understand. This is where the art of teaching comes into play…" (P3) "…although some teachers disagree, I think teacher performance should be measured periodically and those who need education should be determined." (T11) "…course audits should be conducted to identify inadequate teachers. These teachers should be provided with in-service training activities by the Ministry…" (Vp6) "…changes to the education system should be planned for a long time period and should not be done suddenly." (T4) "It is very difficult to intervene against this risk in the Ministry of National Education. This is because even if it is insufficient, the course is distributed among the branch teachers. Students do not receive the necessary training because some of the courses that are left vacant are filled with paid teachers who do not own a branch…" (P1) Most participants argue that in order to struggle with the risk that the quality of the undergraduate and formation education received by the teachers is not sufficient for the course and subject they will teach, reviewing and updating the training provided by universities and that should not be appointed by the Ministry from different branches. Some participants stated that teachers who fail to qualify despite the training programs should be assigned to the administrative paperwork.
6. The participants' views on the measures to be taken against the risk of "Reflecting the problems experienced by teachers with personal-psychological problems to the classroom" are given in Table 6. When Table 6 is examined, it is seen that participant views are collected under four basic control types and preventive controls and directive controls are predominant among them. In this regard, the views of the participants are as follows; "…a warm and social environment should be created for incoming teachers by administrators and teachers and a support should be provided to struggle with stress and personal problems." (T1) "…it is important to keep in mind that teachers are social modals for students and personal rights that are adequate to meet their social needs must be provided…" (T10) "…it is against the philosophy of education to turn your back on people's problems by saying Most participants in relation to the risk of "Reflecting the problems experienced by teachers with personal-psychological problems to the classroom" have stated that it is necessary to direct the teacher with problems to an specialist to get professional help and that organizing hot and interactive social, athletic and cultural programs for teachers at school that can struggle stress and personal problems has an impact on preventing this risk. Some participants stated that teachers who have serious problems should be prevented from entering the course and their duties should be changed or discharged.

7.
The participants' views on the measures to be taken against the risk of "Teacher's inability to develop a respectable relationship with the students" are given in Table 7. Building a corporate culture based on love, respect and understanding 2 3 5 Not being discriminated in classroom by the teacher, abstaining from behaviors and words that will humiliate students 2 1 3 Knowing the rights and limits of the parties well 1 1 Not reflecting the teacher's personal life and problems on the students 1 1 Attention to teacher-student relationships in private courses and classrooms 1 1 When Table 7 is examined, it is seen that participant views are collected under four basic control types and preventive controls and directive controls are predominant among them. In this regard, the views of the participants are as follows; "…teacher student relationships should be raised on a regular basis in all meetings and courses should be accompanied with activities to prevent this problem…" (T7) "…because some trainings are based on family, the administrators must provide feedback from students, teachers and parents, and make an effort to solve problems by taking care of the students who have problems with domestic relationship…" (P3) "Students may not be able to adjust the distance in relationships with teachers at age.
However, teachers should manage the teacher-student relationship and make sure that the relationships are in line with the legislation and practices." (T10) "…the administrators should be an informed observer of the attitudes and behaviors of all teachers and students. When a relationship that is contrary to the principles is observed or reported, the necessary steps should be taken to resolve this situation with an appropriate approach…" (Vp3) Many of the participants in this risk claim that this risk can be resolved by establishing principles about how teacher-student relations should be at school, in order to achieve it without compromising discipline, and they also suggest that training programs on communication and classroom management should be organized at school and various activities in the classroom should be conducted. Some participants have suggested that disciplinary sanctions could be imposed on students who act contrary.

The participants' views on the measures to be taken against the risk of "Existence of broken windows and doors, balconies and ladders without guardrails, open lift space, phosseptic pit
and similar dangers both in and around the school" are given in Table 8. Keeping a careful and effective watch for teachers 2 1 3 Giving separate budgets to schools dealing with these risks 1 1 Total 7 3 10

Directive Controls
Taking precautions to report the danger by using adequate signs 2 4 6 Providing training for students on the protection and use of school property 3 2 5 Establishing an early warning system by providing training to all staff and students and preparing posters 1 1 2 Total 6 7 13 Identifying Controls Early detection of problems by creating school security teams and conducting continuous audits and checks 2 2 4 Collaborating with different institutions to identify and solve problems 1 1 Total 3 2 5 Corrective Controls Getting paid for by those who intentionally abuse and broke school properties and implementing disciplinary actions 1 1 2 Total 1 1 2 When Table 8 is examined, it is seen that participant views are collected under four basic control types and preventive controls and directive controls are predominant among them. In this regard, the views of the participants are as follows; "Nothing is more important than human life. Therefore, you should not be lax about security issues…" (T8) "…lists of places to check at school should be prepared and these places should be checked constantly... (Vp1) "…teachers must be careful on watches and maintain an effective watch." (Vp6) "Some students are intentionally damaging items at school. In this way, if anyone abuses or breaks the items, the cost must be taken from them and disciplinary actions must be taken. Otherwise, no one pays attention to their use…" (T4) "…as such problems can cause significant harm, action must be taken immediately and, if necessary, cooperate with different institutions and solutions must be searched." (Vp8) Most participants on how to cope with the security risks that may occur in schools stated that occupational health and safety principles and standards should be complied with and students should be given training on the protection and use of school property. Some participants also argue that it is necessary to collect the cost and disciplinary actions from those who deliberately abuse and break school items; otherwise the risk would likely arise.

9.
The participants' views on the measures to be taken against the risk of "Failure to enforce adequate precautions to prevent abuse of students at school and at student lodgings" are given in Table 9. Table 9. The measures to be taken against the risk of "Failure to enforce adequate precautions to prevent abuse of students at school and student lodgings" THEME CATEGORY F Control Type Controls (Measures) Administrator Teacher Total

Preventive Controls
Elimination of environments and places that can pose risks 3 2 5 Increasing the deterrent effect of abuses, and imposing the most severe penalties on abusers 2 2 4 Full implementation of instructions 1 1 2 Not being assigned to tasks with potential exploitation those who has suspicious behavior and who have previously been processed 2 2 Assigning female teachers for girls and male teachers for boys at the student lodging 1 1 At least four same-level students staying together in the dormitory 1 1 Reducing the capacity of the lodging 1 1 Total 9 7 16 Directive Controls Providing awareness training on abuse to all teachers and students 4 3 7 Informing students and teachers on watch 3 3 Emphasizing the issue of abuse in courses regarding the subject 2 2 Continuous communication with students 2 2 Guiding students on moral and ethical values 1 1 2 Conducting questionnaires by guidance teachers on how students can express themselves freely, identify the student and acquaintance the school 1 1 2 When Table 9 is examined, it is seen that participant views are collected under four basic control types and preventive controls and directive controls are predominant among them. In this regard, the views of the participants are as follows; "…awareness-raising training for all teachers and students should be provided by specialists on how to handle abuse types and abuses." (T6) "…the lodging instructions should be fully implemented and audited, the teachers on watch and students must be informed, and the environments and places that may pose a risk must be removed..." (Vp3) "The camera system must be installed and kept in record without leaving no blind spots in school and lodging buildings." (P2) "…security camera records should be monitored continuously by different administrators..." "These types of situations are very serious. As long as the abused person does not say it, it is very difficult to detect it. Therefore, the school should take precautions by constantly communicating with students and their parents." (Vp7) "The staff with suspicious behavior should not be relied on a task that is likely to be abused.
Furthermore, persons who have previously complained about these issues and who have been investigated should not be assigned..." (P1) Most participants on how to cope with this risk that may occur in schools and lodgings argue that the risk should be provided to all teachers and students with awareness training on abuse, and also that the buildings should be equipped with a camera system to remove environments and places that may pose a risk in schools and lodgings. Some participants stated that abuses should be imposed in the most severe way to abusers by increasing the deterrent effect of abuses.

10.
The participants' views on the measures to be taken against the risk of "Lack of controls on student meals given at school" are given in Table 10. When Table 10 is examined, it is seen that participant views are collected regarding four basic control types. In this regard, the views of the participants are as follows; "The caterers should monitor daily meal samples to be stored according to the time specified in the legislation, whether the meals are prepared in a healthy environment, whether or not the food presentations have been performed properly and whether such items have occurred." (Vp2) "…Staff should be trained in human health, food controls and hygiene in order to avoid the use of spoiled foods, pay attention to cleanliness, and other aspects…" (Vp3) "…students throw away most of the food when they do not like it. In this respect, it is also possible to check the discarded meals, to see if they will be pleased with that dish. In addition, student requests can be obtained regarding the foods that are best liked to avoid waste. " (T9) "…a staff should definitely stand by his side during the delivery of food and check for adequate and equal distribution of food portions." (Vp5) Most participants stress that this risk can be controlled by purchasing supplies from reliable places with a team and providing training to the staff in the areas of human health, food controls and hygiene. They also stated that the food must be kept regarding their expiry dates and storage conditions, and daily food samples must be taken and kept according to the duration specified in the legislation. Some participants say that if the caterers fail to meet standards, the sanctions mentioned in the contract must be activated immediately.

Discussion and Conclusion
In discussions with school administrators and teachers on what precautions (controls) should be taken against risks that are highly rated in terms of impact and probability as a result of the assessments made on internal risks identified in schools, in response to the risk of "Disruption of audit tasks by administrators", the risk of "Not taking measures to be taken by determining risks that prevent the institution from achieving its objectives" and the risk of "Failure to determine and succeed in his organization. In internal control, the administrator's support for the controls as a leader and the clarity of their attitude and behavior increases the efficiency of the organization (Kulak, 2009). Therefore, the administrator should clearly show the value and positive attitude he/she gives to the internal control system and the controls.
In some studies conducted by participants on issues similar to those with high risk scores; it is stated that the behavior of "reflection of ideological opinion in class by teachers" is on the list of unethical behaviors and rarely seen in teachers (Gözütok, 1999). The research conducted by Cemaloğlu (2007) revealed that the participants stated that the role of school administrators as a training leader by establishing a healthy communication would be effective in solving problems, but the current school administrators performed their leadership roles at a low level. Similarly, according to Bakioğlu and Tokmak (2009), one of the main objectives of educational institutions is to exchange the cultural values that sustain society. In this respect, the administrative approach adopted by school administrators has a particular significance. School administrators are the ones who can understand the problems arising from the conflicts in educational institutions and eliminate these problems through appropriate methods. In this context, the role and tasks of school administrators that will harmonize the differences of the values in school are very important.
Participants stated that the administrators and teachers should demonstrate common, decisive and fair attitudes regarding the risks of "Applying disciplinary provisions for students who do not obey the rules" and that the disciplinary rules should be applied equally to all without discrimination. In terms of disciplinary rules at school, most participants argue that the fact that the different disciplinary understanding of administrators and teachers is affects students negatively. Some teachers state that the difference in disciplinary understanding has adversely affected students' personality development, while others state that students' behavior is inconsistent and that they are trying to abuse it.
The research conducted by Pehlivan & Demirtaş (2019) shows that school administrators gather their views on the method used in disciplinary issues in three main themes: preventive, supportive and corrective disciplinary approaches. In the research, it was determined that the views on the "preventive disciplinary approach" are predominant, and that administrators use the most approach to collaborate with teachers to solve problems in order to achieve discipline and to inform parents about negative behaviors. In this context, the disciplinary problems in schools are related to the quality of life of the school, and the opportunities offered to the students have an impact on the way students perceive schools and the quality of life affect student behaviors. In this regard, administrators and teachers should strive to improve the school and increase their students' loyalty to the school.
Against the risk of "Teacher's inability to develop a respectable relationship with the students", which is considered high-risk at school, participants stated that the principles on how teacher-student relationships should be established at school and that these principles should be applied without compromising discipline. They also state that training programs on communication and classroom management should be organized at school and various activities should be held in the courses. In the event of the risk that "The quality of the undergraduate and formation education teachers receive is not sufficient for the course-subject they will teach", the participants state that the training given to prospective teachers at universities should be reviewed and updated and that the Ministry of National Education should not appoint students from different branches for the current courses.
Teachers who are role models for their students will benefit their students as long as they adopt behavioral principles related to their professions and provide their educational competencies.
According to Gedikoğlu (2005) in many universities which have all the necessary qualifications and have initiated infrastructure with the standards, unqualified education is conducted in mass form, and the quality of education is not given any importance. Furthermore, there are very serious problems in the field of teacher training in our country and the living standards and professional development opportunities that teachers deserve are not ensured. Honigsfeld & Schiering (2004) stated that it would be useful for the lecturers to be more effective in learning-teaching processes through various information and seminar activities.
According to Burnside (1996;cited in Gözütok, 1999), suggests that the vast majority of teachers, who are noble-minded and reputable, work long-term in difficult conditions to ensure that their students are successful. However, there are also teachers who cannot depend on a little bit of basic ethics. By neglecting their duties, these people push themselves to disgraceful misbehavior.
Thus, they hurt vulnerable and innocent students, embarrass their colleagues and become a source of disgrace for their institutions.
Ethical values and integrity are the first standard of the control environment, which is the primary component of internal control and serves as the ground for providing other components. In other words, the absence of ethical values in an organization or the fact that the staff do not abide by those values, indicates that the organization is not functioning healthy and the ground is intact. As a matter of fact, these ethical values need to be internalized by staff rather than just on paper, and it needs to be sustained in practice, in order to make the organizational culture.
Many of the participants stated that teachers with personal-psychological problems should be directed to a specialist to get professional help in order to avoid the risk of "Reflecting the problems experienced by teachers with personal-psychological problems to the classroom". They also emphasize the view that it is necessary to organize warm and interactive social, athletic and cultural programs for teachers that can deal with stress and personal problems.
Because the most fundamental element of education is human, the most important of risks are human resources related. Other risks such as money, time, data, energy, reputation, morale and loss of products can be more easily compensated against human resource risks. Therefore, human life is more valuable than anything (Boone, 2004 Kaya et al., 2014). The more books people read, the wider their horizon become. A person with a wider horizon also makes sense of life easier, better evaluates the events that come out and is less affected by adverse situations (Arı & Demir, 2013). This could lead to a more meaningful life. Sarı & Şahin (2013) state that the teachers with high hopes and strong psychology believe that they are more qualified to make plans and achieve strategies by providing the necessary motivation in the process of reaching the objective. In this respect, it can be said that teachers with these qualifications can be effective in planning by making accurate assessments for themselves and their professions and also determine the correct strategies in the professional elections.
Participants stated that school staff should be given training on human health, food audits and hygiene, and the principles and standards regarding occupational health and safety should be applied against the high-risk physical safety risks in the school.
According to Güven & Dönmez (2002), achieving the desired level of education and achieving educational objectives in schools depends on ensuring a safe education environment where students, teachers and school staff can feel free. The concept of safe school is expressed in the form of an environment in which education is freely provided without the concern of all school stakeholders to suffer physical and psychological harm (California Department of Education, 1989; as cited in Dönmez & Özer, 2009).
Similar to the opinions and suggestions of the participants, the study by Akyol (2015) requires that schools become more secure by cooperating between school administrators, teachers, families, students and other relevant institutions, establishing written school security policies and determining duties and responsibilities, establishing security plans in schools, checking the entrance and exit of visitors in schools, and taking physical security measures in schools. It can also be said to ensure students, parents, teachers, and school administrators are connected constantly in order to protect against the security risks that can occur in the school, to be taught awareness-raising training by specialists at specific intervals about security risks, and to share the examples of good practices.
"Monitoring", one of the main components of internal control, is a process that involves auditing in accordance with the standards that specify whether the internal control system contributes to the organization's objectives and determining the weaknesses. In other words, the monitoring process aims to determine and evaluate such as, whether the activities carried out to achieve the targets specified by the company management are carried out in line with the objectives, whether the necessary controls are determined according to the risk management, whether the designated controls are implemented, and whether the communication methods performed within and outside the institution are adequate. The task of inspection among the standards of the monitoring component and performed by different actors is one of the factors that will directly affect the proper functioning of the institution's activities. Participants state that all teachers and students should be provided with awareness training on abuse and also the buildings should be equipped with a camera system to remove environments and places that may pose a risk in schools and lodgings, in order to prevent the students from being abused.
According to Koçtürk (2018), children who are suffering from child abuse and neglect are affected throughout their lives, and medical, psychological and behavioral disorders such as mental problems, depression, stress, drug addiction, suicide attempt and self-injury can occur. Considering that children who continue their education spend most of their time at school, great responsibilities are being assigned to the school staff to prevent the abuse and neglect of children. School environments can be protective in terms of children being subjected to abuse and neglect, but sometimes they can also be risk factors. Protecting the children's healthy life rights protects them from being victims and also prevents them from becoming criminals in the future (Kır, 2013). School administrators, teachers and psychological counselors are critical in both preventing and determining the child abuse and intervening in this problem. In this respect, it is very important to provide compulsory prevention training for children and parents at all levels of education with the support of the Ministry of National Education (Koçtürk, 2018). Furthermore, school administrators, teachers and psychological counselors should be constantly available when students encounter any security problems at school (violence, abuse, bullying, etc.). In order to ensure this environment, students are advised to be informed in a sincere and natural manner, and to provide training to administrators, teachers and students for extraordinary situations in schools (Akyol, 2015).
In order for schools to achieve success both in terms of management and in terms of education, certain standards for school activities must be achieved and these standards must be developed and made sustainable. An effective organizational culture should be established to ensure sustainability. According to Barutçugil (2011) culture is a combination of different disciplines such as history, technology, ideology and ecology. It is the result of the use of similar symbols by people from the same date, speaking the same language, and living in certain geography. Organizational culture is a system of beliefs, premises, values, meanings and symbols (Schein, 2004) created over time by the organization's staff and especially its founder, manager or leader, and adopted by the members of the group. Staff or members embrace their values, attitudes and assumptions, integrate with the objectives of the organization, and socialize and reshape the organizational culture (Tüm & Reyhanoğlu, 2015).
It is understood from the definitions that the culture that is created or created in society and organizations is not a single-layered, single-dimensional structure, and that the very different elements associated with each other interact in different dimensions. Accordingly, a corporate culture must be established to develop a risk-based perspective for all activities to be undertaken in the corporate culture that will be established in order to identify, assess and manage risks in schools, and to manage risks in a way that will lead to the best results.
Internal control was designed as five main components to create a risk management-based corporate culture by taking into account the relationships of all elements in different dimensions. The control environment in particular serves as the infrastructure for the creation of this culture. In the COSO model, the control environment is based on principles such as the adoption of honesty and ethical values, the execution of the management's independent supervision function, the identification of powers and responsibilities in the organization structure, the human resources policies adopted by qualified staff, and the responsibility of the staff in the controls. The main factors that influence the establishment of a control environment are its culture, history and management philosophy. An effective internal control system can be achieved through the organizational culture that will be created by internalizing ethical behaviors such as honesty, transparency, justice, communication and accountability among the staff. A proper functioning of the internal control system cannot be mentioned unless the staff of the institution complies with the ethical rules.
Any rules and regulations in social areas shall not be applied to dry exchange rates as written on paper. The culture of the organization, which consists of the social fabric of the organization to which these amendments will be implemented, interpersonal relations, past practices and similar issues, is the greatest factor in the success or failure of these new regulations. Even the most ideal changes may not succeed because of the negative attitudes of the organization's staff. Accordingly, the staff adopt ethical rules, act according to transparency and accountability in the business and services performed, set objective performance criteria in the organization and determine performance assessments based on these criteria, determine assignments and transfer of powers based on merit and expertise, and utilize internal and external communication effectively, share resource allocation and expenditures according to the priorities in strategic objectives, and manage risk-oriented the internal control management model, which incorporates risk-based control, can be said to have many benefits for schools.

Suggestions
 Educational institutions must systematically determine the risks regarding their purposes and objectives each year, classify these according to their level of importance, review them from time to time and make an action plan for the measures that can be taken against the risks.
 Administrators should pay attention to the management of social relations in the institution, establish principles that hinder ideological, political and union groupings among school staff, and motivate staff in a continuous integration direction.
 Administrators should adopt modern audit principles and conduct guidance-based audits so that teachers and staff can improve themselves.
 School staff must be consulted before school decisions are made, and all duties shared at school must be treated with impartiality and fairness.
 School disciplinary rules must be appropriate and applicable, and disclosed to students and their parents by identifying persistent averse student behaviors, and all managers and teachers must act in line with the disciplinary rules.
 Teachers should not only be regarded as individuals who convey the best information, but also be exemplified by their behavior and life, as the profession must balance theory and practice.
 Teachers with personal-psychological problems should be directed to the doctor to prevent them from reflecting these problems on the classroom and the students.
 Written school safety procedures and policies with duties and responsibilities must be established and implemented in order to ensure school safety.
 In order for physical and psychological risks such as safety, violence, and abuse to be reported in schools to be immediately communicated, the communication environment must be ensured that the school staff can be reached by the students, and awareness must be raised by organizing training sessions on abuse, mistreatment and neglect.
 Academic studies may be conducted on the causes of the risks that may occur in schools and the social, physical and psychological aspects of these risks.
 Quantitative and qualitative research may be conducted on measures that may be taken against risks that may occur in educational institutions and the study group may be diversified and expanded according to the opinions of different level education managers, teachers, parents, and students.