internal control


Upload: putri-permata-sari

Post on 06-Dec-2015


DESCRIPTION

COSO - Internal Control Integrated Framework

TRANSCRIPT

Page 1: Internal Control


INTERNAL CONTROL

RANGGA, QILA, PUTRI, DEYE, DITA

Page 2: Internal Control

AUDIT INTERNAL – FEB UI 2015 2

Outline

• The Role of Internal Audit in Assessment (Control)
• Internal Control Components: COSO
• Internal Control Components: ERM
• Internal Control Components: CoCo

Page 3: Internal Control

Control

Definition for external auditors: “Internal control is a process affected by an activity’s BOD, management or other personnel, designed to provide reasonable assurance regarding the achievement of objectives”.

Definition for internal auditors: “Control is the employment of all the means devised in an enterprise to promote, direct, restrain, govern, and check upon its various activities for the purpose of seeing that enterprise objectives are met”.

Control: a suitable system of internal check should eliminate the need for a detailed audit

•Control, the internal auditor’s “open sesame”

•The Purpose of control: to achieve objectives

•The bridge between auditor and client

Page 4: Internal Control

The Importance of Control to the Internal Auditor

[Diagram: Objectives; Control by Internal Auditor; Operating System; Control System]

Page 5: Internal Control

International Standards for the Professional Practice of Internal Auditing (Standards)

Page 6: Internal Control

Internal Control Framework: The COSO Standard

Page 7: Internal Control


Importance of Internal Controls

Internal and external auditors have many different objectives. Most references to auditors apply to internal auditors, who have a major responsibility to understand and assess COSO internal controls.

Internal control extends beyond just accounting and financial matters and includes all enterprise processes.

Page 8: Internal Control

Internal controls are processes that are designed to provide reasonable assurance for:

• Reliable financial and operational information
• Compliance with policies, procedures, plans, laws, rules, and regulations
• Safeguarding of assets
• Integrity and ethical values
• Achievement of an established mission, objectives and goals for enterprise operations and programs
• Operational efficiency

Page 9: Internal Control

Internal Control Standards: Background

AICPA’s first codified standards: Statement on Auditing Standards (SAS No. 1)

Modified to add administrative and accounting controls to the basic internal control definition

The overlapping relationships of the two types of internal control were then further clarified in pre-1988 AICPA standards

Page 10: Internal Control

Foreign Corrupt Practices Act 1977

A federal United States law aimed at preventing the bribery of foreign government officials in an effort to obtain or retain business.

It was an important first step for helping enterprises to think about the need for effective internal controls, even though there were no guidelines or standards over the FCPA’s systems documentation requirements.

Page 11: Internal Control


The FCPA required that SEC-regulated enterprises must:

Make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuers.

Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:

Transactions are executed in accordance with management’s general or specific authorization.

Transactions are recorded as necessary both to permit the preparation of financial statements in conformity with generally accepted accounting principles (GAAP) or any other criteria applicable to such statements, and also to maintain accountability for assets.

Access to assets is permitted only in accordance with management’s general or specific authorization.

The recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken with respect to any differences.

Page 12: Internal Control

FCPA Facts

The FCPA record-keeping requirements applied to all public corporations registered with the SEC.

It contained provisions requiring the maintenance of accurate books and records as well as systems of internal accounting control.

The FCPA required that companies maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are authorized and recorded to permit preparation of financial statements in conformity with GAAP.

Page 13: Internal Control

Events Leading to the Treadway Commission

In the late 1970s, external auditors only reported that an enterprise’s financial statements were “fairly presented”; there was no mention of the adequacy of the internal control procedures supporting those audited financial statements.

In 1974, the AICPA formed a high-level Commission on Auditor’s Responsibilities (the Cohen Commission), which recommended in 1978 that a statement on the condition of an enterprise’s internal controls should be required along with its financial statements.

FEI involvement: In the late 1970s, the FEI endorsed the Cohen Commission’s internal controls recommendations and agreed that corporations should report on the status of their internal accounting controls.

Page 14: Internal Control

SAS No. 55

Began with the expectation gap of SAS No. 1

The AICPA released a series of new SASs between 1980 and 1985: “guidance for the terminology to be used in internal accounting control reports”.

SAS No. 55: control environment, accounting system, control procedures

Page 15: Internal Control

Treadway Committee Report

The National Commission on Fraudulent Financial Reporting (Treadway Commission) had the objectives of identifying the causal factors that allowed fraudulent financial reporting and making recommendations to reduce their incidence.

The Treadway Commission’s final report was issued in 1987*: recommendations to management, boards of directors, the public accounting profession, and others

Although it issued no standards, the Treadway report was important in raising the level of concern and attention regarding reporting on internal control.

Page 16: Internal Control


COSO Internal Control Framework

Page 17: Internal Control

COSO Internal Control Framework

5 Professional Organizations:

• IIA
• AICPA
• FEI
• AAA
• IMA

Formed a committee: COSO

Internal Control–Integrated Framework, in September 1992

Page 18: Internal Control

A common framework:

• Definition of internal control

• Procedures for how to evaluate controls

Page 19: Internal Control

According to COSO

Internal control is a process, influenced by the BOD, management, and other personnel in the company, that is designed to provide reasonable assurance regarding the achievement of the company's objectives, covering:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Page 20: Internal Control

COSO Internal Control Framework

The core of the COSO Internal Control Framework is that a company must always consider each internal control in relation to the other related internal controls.

Page 21: Internal Control

Control Environment

The foundation of the internal control structure

Influences all three objectives and all units

Reflects the overall attitude, awareness, and behavior of the BOD, management, and other parties regarding the importance of internal control within the company

The company's history and culture play an important role in shaping the internal control environment.

Page 22: Internal Control

Components of Control Environment

INTEGRITY AND ETHICAL VALUES

• In order to build integrity and ethical values, a strong internal audit function should be a major component of the COSO control environment.

COMMITMENT TO COMPETENCE

• By placing the proper people in appropriate jobs and giving adequate training when required, an enterprise is satisfying this important COSO control environment component.

BOARD OF DIRECTORS AND AUDIT COMMITTEE

• An active and independent board can set high-level policies and review overall enterprise conduct.

Page 23: Internal Control

Components of Control Environment

MANAGEMENT’S PHILOSOPHY AND OPERATING STYLE

• No one set of styles and philosophies is best for all enterprises, but these factors are important when considering the other components of internal control in an enterprise.

ORGANIZATIONAL STRUCTURE

• How business functions are managed and organized. Every enterprise or entity needs an effective plan of organization.

ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY

• Each person in the enterprise must have a good understanding of the enterprise’s overall objectives and how individual actions interrelate to achieve those objectives.

Page 24: Internal Control

Components of Control Environment

HUMAN RESOURCES POLICIES AND PRACTICES

• Effective human resource policies and procedures are a critical component in the overall control environment.

Page 25: Internal Control

Risk Assessment

COSO describes risk assessment as a three-step process:

• Estimate the significance of the risk.
• Assess the likelihood or frequency of the risk occurring.
• Consider how the risk should be managed and assess what actions must be taken.

Page 26: Internal Control

Risk Assessment

The COSO internal controls framework suggests that risks should be considered from three perspectives:

• Risks due to external factors
• Risks due to internal factors
• Specific activity-level risks

Page 27: Internal Control

Control Activities

Control activities are the policies and procedures that help ensure that actions identified to address risks are carried out

Control activities exist at all levels within an enterprise

Essential part of building and then establishing effective internal controls in an enterprise

Page 28: Internal Control

Control Activities

Some of the COSO-recommended internal control activities for an enterprise:

• Top-level reviews
• Direct functional or activity management
• Information processing
• Physical controls
• Performance indicators
• Segregation of duties

Page 29: Internal Control

Information and Communication

RELATIONSHIP OF INFORMATION AND INTERNAL CONTROL

An enterprise needs information at all levels

Strategic and Integrated Systems

Quality of Information

THE COMMUNICATIONS ASPECT OF INTERNAL CONTROL

Communication must take place on a broad level

Communications: Internal Components

External Communications

Page 30: Internal Control

Monitoring

ONGOING MONITORING ACTIVITIES

Operating management normal functions

Communications from external parties

Enterprise structure and supervisory activities

Physical inventories and asset reconciliation

SEPARATE INTERNAL CONTROL EVALUATION

Performed by direct line management through self-assessment reviews.

Benchmarking

A monitoring process should be in place to assess the effectiveness of established internal control components and to take corrective action when appropriate.

Page 31: Internal Control

Monitoring

Reporting internal control deficiencies:

Findings on internal control deficiencies usually should be reported not only to the individual responsible for the function or activity involved, who is in the position to take corrective action, but also to at least one level of management above the directly responsible person. This process enables that individual to provide needed support or oversight for taking corrective action, and to communicate with others in the enterprise whose activities may be affected.

Page 32: Internal Control


Other Dimensions of the COSO Internal Controls Framework

Top of the framework cube covers three dimensions of all internal controls:

1. Reliability of financial reporting

2. Compliance with applicable laws and regulations

3. Effectiveness and efficiency of operations

Page 33: Internal Control


Internal Audit CBOK Needs

COSO internal control is different from an internal audit CBOK perspective. This framework is becoming the worldwide standard for building and evaluating all levels of internal controls.

Page 34: Internal Control


Risk Management: COSO ERM

Page 35: Internal Control

Companies need to identify all the business risks they face

However, in the past there was no consistent definition of what is meant by risk

Until the Committee of Sponsoring Organizations (COSO) created COSO Enterprise Risk Management – Integrated Format (COSO – ERM)

COSO ERM helps companies and internal audit consider and assess risk at all levels, whether in individual areas or globally

Page 36: Internal Control

Risk Management Fundamentals

Companies must provide added value to their stakeholders by carrying out business activities.

However, every activity is subject to uncertainty/risk

Risk management is a concept related to insurance, in which individuals or companies use insurance mechanisms to provide protection from risk

Page 37: Internal Control

Effective Risk Management Process

•Identifying risks

•Quantitative or qualitative assessment of risks

•Determining risk priorities and response plans

•Risk monitoring

Page 38: Internal Control

(1). Identifying Risks

Look at the potential risks in each operating area, then identify which risks could have a major impact

Can identify the population of all risks, at both the individual unit level and the company level

Assign key people from each unit as risk assessors

Use an organization chart that covers all corporate-level and operating units

Page 39: Internal Control

(2). Assessing Risks

The goal is to determine which potential risks management should be concerned about first

Likelihood

Significance

Page 40: Internal Control

Tools

• Risk Assessment Analysis Map
• Risk Scoring Schedule

Page 41: Internal Control

(3). Determining risk priorities

Page 42: Internal Control

(4). Risk Monitoring

Environmental conditions will change continuously, which means risks will also change

Risk identification not continuous exercise

Once these risks have been identified, the enterprise needs to monitor them and make ongoing adjustments as needed.

Page 43: Internal Control

COSO ERM: Enterprise Risk Management

COSO Enterprise Risk Management is a framework to help enterprises to have a consistent definition of their risks.

COSO contracted with PricewaterhouseCoopers (PwC) to develop this risk framework. The COSO ERM framework was published in September 2004.

Page 44: Internal Control

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Page 45: Internal Control

Key Points in COSO ERM Framework Definition

ERM is a process.

• A process is a set of actions designed to achieve a result.

ERM process is implemented by people in the enterprise.

ERM is applied through the setting of strategies across the overall enterprise.

• Produce in-house or outsource?

ERM should be applied across the entire enterprise using a portfolio type of approach that blends a mix of high- and low-risk activities.

Page 46: Internal Control

Key Points in COSO ERM Framework Definition

Concept of risk appetite must be considered.

• Risk appetite is the amount of risk, on a broad level, that an enterprise and its individual managers are willing to accept in their pursuit of value.

ERM provides reasonable but not positive assurance on objective achievements.

ERM is designed to help achieve objectives.

• It describes, for example, how an enterprise’s compliance with regulations impacts all levels of internal controls, control environment, and how that compliance is important for all entities or units of the enterprise.

Page 47: Internal Control


COSO ERM Key Elements

Page 48: Internal Control

Risk Component – Internal Environment

This level defines the basis for all other components in an enterprise’s ERM model, influencing how strategies and objectives should be established, how risk-related business activities are structured, and how risks are identified and acted on.

Its elements:

• Risk management philosophy
• Risk appetite
• Board of directors attitude
• Integrity and ethical values
• Commitment to competence
• Organizational structure
• Assignment of authority and responsibility
• Human resource standards

Page 49: Internal Control

Risk Component – Objective Setting

COSO ERM emphasizes that the mission statement is a crucial element in determining objectives

Mission Statement

Define any related objective

Page 50: Internal Control


Risk Component

Page 51: Internal Control

Risk Component – Event Identification

A company needs to clearly define the significant risks of events and then monitor them in order to take the necessary actions

Approaches based on COSO ERM:

• Event inventories
• Facilitated workshops
• Interviews, questionnaires, surveys
• Process flow analysis

Page 52: Internal Control

Risk Component – Risk Assessment

Allows the company to consider what effect events with risk potential have on the achievement of the company's objectives

2 perspectives in assessing risk

Likelihood of the risk occurring

Potential impact

Page 53: Internal Control

Risk Component – Risk Response

There must be a review of the estimated risk likelihoods and potential impacts, with a view to developing appropriate risk response strategies

4 basic ways to respond to risk:

• Avoidance
• Reduction
• Sharing
• Acceptance

Page 54: Internal Control

Risk Component – Control Activities

The policies and procedures needed to ensure action on identified risk responses

The components of control activities must be closely related to the risk response strategies and actions previously discussed

Control activities usually include these internal control areas:

1. Separation of duties
2. Audit trails
3. Security and integrity
4. Documentation

Page 55: Internal Control

Risk Component – Information and Communication

Information and Communication Flows in ERM Components

Page 56: Internal Control

Risk Component – Monitoring

Needed to determine whether all the ERM components in use are working effectively

The COSO ERM Application Framework document suggests that monitoring include the following activities:

1. Implementation of ongoing management reporting mechanism
2. Periodic risk-related alert reporting processes
3. Current and periodic status reporting of risk-related findings and recommendations from internal and external audit reports
4. Updated risk-related information

Page 57: Internal Control

Other Dimensions of COSO ERM: Enterprise Risk Objectives

Operations Risk Management Objectives

• Identification of risks in each enterprise unit
• Requires detailed data collection and analysis

Reporting Risk Management Objectives

• Reliability of the company's internal and external financial and non-financial reports
• Accuracy of reporting

Legal & Regulatory Compliance Risk Objectives

• All companies must follow industry and government regulatory standards
• Suggests considering compliance-related risk for each risk component

Page 58: Internal Control

Entity-Level Risks

Risks Encompassing the Entire Organization

• Multiple risks at the business unit level must be raised to entity-level risks
• Major and minor risks can affect the entire company

Business Unit-Level Risks

• Responsibility for risk often starts from management to each division, to survey the operating objectives of every business

Page 59: Internal Control

Putting It All Together

1. COSO ERM is an important tool for managing and understanding SOx Section 404 internal controls

2. Gives greater consideration to risk when understanding and evaluating internal controls

3. COSO ERM is an important tool for understanding the multiple risks that companies face today

4. Internal auditors must establish COSO ERM as an internal audit CBOK requirement and carry out internal audits in accordance with the ERM process

Page 60: Internal Control

Auditing Risk and COSO ERM Processes

Internal audit must review the enterprise-wide ERM process using some of these tools:

Process flowcharting

Reviews of risk and control materials

Benchmarking

Questionnaires

Internal audit must set several high-level review objectives for the effectiveness of COSO ERM in their company

Page 61: Internal Control

Risk Management and COSO ERM in Perspective

Risk-related emphasis of the new AS 5 auditing standards as well as an increasing recognition of risk issues in professional literature has increased professional interest in and attention toward enterprise risk management

The three-dimensional ERM framework helps to place risk and internal control issues in a better perspective when evaluating SOx compliance

Page 62: Internal Control


CoCo Model

Page 63: Internal Control

CoCo

The Canadian Institute of Chartered Accountants Criteria of Control Committee (CoCo) developed an internal control model similar to COSO

Canadians have a model that they consider easier to understand and easier to use as guidance for internal audit activities.

Page 64: Internal Control

Advantages of CoCo

Prevents the risk of non-achievement by the organization

Page 65: Internal Control

The CoCo Model

Purpose

Commitment

Capability

Monitoring and Learning

Page 66: Internal Control

The CoCo Model: Purpose

1. Objectives must be stated and communicated to all stakeholders

2. Significant risks, both from inside and outside the organization, related to the achievement of objectives must be identified and assessed.

3. Policies designed to support the achievement of the organization's objectives and the management of risk must be established, communicated and practiced so that employees understand what is expected and the freedom needed to act.

4. Plans to guide the achievement of the organization's objectives must be prepared and communicated.

5. Objectives and related plans must include performance targets and indicators.

Page 67: Internal Control

The CoCo Model: Commitment

1. Ethical values, including integrity, must be formally established and communicated to all stakeholders in the organization.

2. HR management policies and practices must be consistent with ethics and values and with the achievement of objectives.

3. Authority, responsibility and accountability must be clearly defined and consistent with the organization's objectives so that decisions and actions are carried out correctly by employees.

4. An atmosphere of high trust must be maintained and supported by the information that flows between employees and their performance in supporting the achievement of the organization's objectives.

Page 68: Internal Control

The CoCo Model: Capability

1. Employees must have sufficient knowledge, skills and tools to support the achievement of the organization's objectives.

2. Communication processes must support the organization's values and its achievement of the established objectives.

3. Sufficient and relevant information must be identified and communicated at the right time so that employees can carry out their duties well.

4. The objectives and activities of different parts of an organization must be coordinated.

5. Control activities must be designed as an integral whole of an organization, taking into account objectives, risks and the interrelationships among control components.

Page 69: Internal Control

The CoCo Model: Monitoring and Learning

1. The internal and external environments must be monitored to obtain information so that the organization's objectives and controls remain current.

2. Performance must be monitored against the established targets and indicators.

3. The assumptions used in setting objectives and systems must be reviewed periodically.

4. The information needed must be reviewed continually in line with changes in objectives or reporting that indicates deviations.

5. Follow-up procedures must be established and performed to ensure that appropriate changes and actions are carried out.

6. Management periodically assesses the effectiveness of controls and then communicates what is appropriate to be done.