Internal Control
COSO - Internal Control Integrated Framework
INTERNAL CONTROL
RANGGA, QILA, PUTRI, DEYE, DITA
AUDIT INTERNAL – FEB UI 2015 2
Outline
• The role of internal audit in (control) assessment
• Components of internal control: COSO
• Components of internal control: ERM
• Components of internal control: CoCo
Control
Definition for the external auditor: "Internal control is a process, effected by an entity's board of directors, management or other personnel, designed to provide reasonable assurance regarding the achievement of objectives."
Definition for the internal auditor: "Control is the employment of all the means devised in an enterprise to promote, direct, restrain, govern, and check upon its various activities for the purpose of seeing that enterprise objectives are met."
Control as internal check: a suitable system of internal check should eliminate the need for a detailed audit.
•Control, the internal auditor’s “open sesame”
•The Purpose of control: to achieve objectives
•The bridge between auditor and client
The importance of control to the internal auditor
(Diagram: objectives, operating system, control system, and control by the internal auditor.)
International Standards for the Professional Practice of Internal Auditing (Standards)
Internal Control Framework: The COSO Standard
Importance of Internal Controls
Internal and external auditors have many different objectives. Most references to auditors here apply to internal auditors, who have a major responsibility to understand and assess COSO internal controls.
Internal control extends beyond accounting and financial matters and includes all enterprise processes.
Internal controls are processes that are designed to provide reasonable assurance for:
Reliable financial and operational information
Compliance with policies, procedures, plans, laws, rules, and regulations
Safeguarding of assets
Integrity and ethical values
Achievement of the established mission, objectives and goals for enterprise operations and programs
Operational efficiency
Internal Control Standards: Background
The AICPA's first codified standards were the Statements on Auditing Standards (SAS No. 1).
SAS No. 1 was later modified to add administrative and accounting controls to the basic internal control definition.
The overlapping relationships of the two types of internal control were then further clarified in pre-1988 AICPA standards.
Foreign Corrupt Practices Act 1977
A federal United States law aimed at preventing the bribery of foreign government officials in an effort to obtain or retain business.
It was an important first step in making enterprises think about the need for effective internal controls, even though there were no guidelines or standards for the FCPA's systems documentation requirements.
The FCPA required that SEC-regulated enterprises must:
Make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuers.
Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:
Transactions are executed in accordance with management’s general or specific authorization.
Transactions are recorded as necessary both to permit the preparation of financial statements in conformity with generally accepted accounting principles (GAAP) or any other criteria applicable to such statements, and also to maintain accountability for assets.
Access to assets is permitted only in accordance with management’s general or specific authorization.
The recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken with respect to any differences.
FCPA Facts
The FCPA record-keeping requirements applied to all public corporations registered with the SEC.
It contained provisions requiring the maintenance of accurate books and records as well as systems of internal accounting control.
The FCPA required that companies maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are authorized and recorded to permit preparation of financial statements in conformity with GAAP.
Events Leading to the Treadway Commission
In the late 1970s, external auditors only reported that an enterprise's financial statements were "fairly presented"; there was no mention of the adequacy of the internal control procedures supporting those audited financial statements.
In 1974, the AICPA formed a high-level Commission on Auditors' Responsibilities (the Cohen Commission), which recommended in 1978 that a statement on the condition of an enterprise's internal controls should be required along with its financial statements.
FEI involvement: in the late 1970s, the FEI endorsed the Cohen Commission's internal control recommendations and agreed that corporations should report on the status of their internal accounting controls.
SAS No. 55
It began with the expectation gap left by SAS No. 1.
The AICPA released a series of new SASs between 1980 and 1985, giving "guidance for the terminology to be used in internal accounting control reports".
SAS No. 55 defined three elements: control environment, accounting system, control procedures.
Treadway Commission Report
The National Commission on Fraudulent Financial Reporting (the Treadway Commission) had the objectives of identifying the causal factors that allowed fraudulent financial reporting and of making recommendations to reduce its incidence.
The Treadway Commission's final report was issued in 1987, with recommendations to management, boards of directors, the public accounting profession, and others.
Although it issued no standards, the Treadway report was important in raising the level of concern and attention regarding reporting on internal control.
COSO Internal Control Framework
Five professional organizations:
IIA
AICPA
FEI
AAA
IMA
These formed a committee: COSO (Committee of Sponsoring Organizations).
COSO issued Internal Control–Integrated Framework in September 1992.
A common framework providing:
A definition of internal control
Procedures for how to evaluate control
According to COSO:
Internal control is a process, effected by the board of directors, management, and other personnel in the enterprise, designed to provide reasonable assurance regarding the achievement of enterprise objectives in:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
COSO Internal Control Framework
The core of the COSO Internal Control Framework is that an enterprise must always consider each internal control in relation to the other internal controls it is connected with.
Control Environment
The foundation of the internal control structure.
It influences all three objectives and the whole of every unit.
It reflects the overall attitude, awareness, and behavior of the board of directors, management, and others regarding the importance of internal control within the enterprise.
The history and culture of the enterprise play an important role in shaping the internal control environment.
Components of Control Environment
INTEGRITY AND ETHICAL VALUES
• In order to build integrity and ethical values, a strong internal audit function should be a major component of the COSO control environment.
COMMITMENT TO COMPETENCE
• By placing the proper people in appropriate jobs and giving adequate training when required, an enterprise satisfies this important COSO control environment component.
BOARD OF DIRECTORS AND AUDIT COMMITTEE
• An active and independent board can set high-level policies and review overall enterprise conduct.
MANAGEMENT'S PHILOSOPHY AND OPERATING STYLE
• No one set of styles and philosophies is best for all enterprises, but these factors are important when considering the other components of internal control in an enterprise.
ORGANIZATIONAL STRUCTURE
• How business functions are managed and organized. Every enterprise or entity needs an effective plan of organization.
ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY
• Each person in the enterprise must have a good understanding of the enterprise's overall objectives and how individual actions interrelate to achieve those objectives.
HUMAN RESOURCES POLICIES AND PRACTICES
• Effective human resource policies and procedures are a critical component in the overall control environment.
Risk Assessment
COSO describes risk assessment as a three-step process:
• Estimate the significance of the risk.
• Assess the likelihood or frequency of the risk occurring.
• Consider how the risk should be managed and assess what actions must be taken.
The COSO internal control framework suggests that risks should be considered from three perspectives:
• Risks due to external factors
• Risks due to internal factors
• Specific activity-level risks
Control Activities
Control activities are the policies and procedures that help ensure that actions identified to address risks are carried out.
Control activities exist at all levels within an enterprise.
They are an essential part of building and then establishing effective internal controls in an enterprise.
Some of the COSO-recommended internal control activities for an enterprise:
Top-level reviews
Direct functional or activity management
Information processing
Physical controls
Performance indicators
Segregation of duties
Information and Communication
RELATIONSHIP OF INFORMATION AND INTERNAL CONTROL
An enterprise needs information at all levels
Strategic and integrated systems
Quality of information
THE COMMUNICATIONS ASPECT OF INTERNAL CONTROL
Communication must take place on a broad level
Communications: internal components
External communications
Monitoring
ONGOING MONITORING ACTIVITIES
Operating management's normal functions
Communications from external parties
Enterprise structure and supervisory activities
Physical inventories and asset reconciliation
SEPARATE INTERNAL CONTROL EVALUATIONS
Performed by direct line management through self-assessment reviews.
Benchmarking
A monitoring process should be in place to assess the effectiveness of established internal control components and to take corrective action when appropriate.
Monitoring: reporting internal control deficiencies
Findings on internal control deficiencies usually should be reported not only to the individual responsible for the function or activity involved, who is in a position to take corrective action, but also to at least one level of management above the directly responsible person. This enables that individual to provide needed support or oversight for taking corrective action, and to communicate with others in the enterprise whose activities may be affected.
Other Dimensions of the COSO Internal Controls Framework
The top of the framework cube shows the three objective categories that all internal controls serve:
1. Reliability of financial reporting
2. Compliance with applicable laws and regulations
3. Effectiveness and efficiency of operations
Internal Audit CBOK Needs
From an internal audit CBOK (common body of knowledge) perspective, COSO internal control is a distinct area of required knowledge: the framework is becoming the worldwide standard for building and evaluating internal controls at all levels.
Risk Management: COSO ERM
Enterprises need to identify all the business risks they face.
Historically, however, there was no consistent definition of what was meant by risk,
until the Committee of Sponsoring Organizations (COSO) produced COSO Enterprise Risk Management – Integrated Framework (COSO ERM).
COSO ERM helps the enterprise and internal audit to consider and assess risk at every level, whether in an individual area or globally.
Risk Management Fundamentals
An enterprise must add value for its stakeholders by carrying out business activities.
But every activity is subject to uncertainty, i.e. risk.
Risk management is a concept long associated with insurance, where an individual or enterprise uses an insurance mechanism to provide protection against risk.
Effective Risk Management Process
• Identify risks
• Assess risks quantitatively or qualitatively
• Set risk priorities and plan responses
• Monitor risks
(1) Identify Risks
Look at potential risks in each operating area, then identify which risks could have a major impact.
Identify the population of all risks, both at the individual unit level and at the enterprise level.
Assign key people from each unit as risk assessors, using an organization chart that covers all corporate-level and operating units.
(2) Assess Risks
The aim is to determine which potential risks management should worry about first, from two perspectives:
Likelihood
Significance
Tools: risk assessment analysis map; risk scoring schedule
(3) Set Risk Priorities
(4) Risk Monitoring
Environmental conditions change continually, so risks change too.
Risk identification is not a one-time exercise.
Once these risks have been identified, the enterprise needs to monitor them and make ongoing adjustments as needed.
COSO ERM: Enterprise Risk Management
COSO Enterprise Risk Management is a framework to help enterprises have a consistent definition of their risks.
COSO contracted with PricewaterhouseCoopers (PwC) to develop this risk framework. The COSO ERM framework was published in September 2004.
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Key Points in the COSO ERM Framework Definition
ERM is a process.
• A process is a set of actions designed to achieve a result.
The ERM process is implemented by people in the enterprise.
ERM is applied through the setting of strategies across the overall enterprise.
• For example: make in-house or outsource? ERM should be applied across the entire enterprise using a portfolio type of approach that blends a mix of high- and low-risk activities.
Key Points in the COSO ERM Framework Definition (continued)
The concept of risk appetite must be considered.
• Risk appetite is the amount of risk, on a broad level, that an enterprise and its individual managers are willing to accept in their pursuit of value.
ERM provides reasonable but not positive assurance on objective achievement.
ERM is designed to help achieve objectives.
• It describes, for example, how an enterprise's compliance with regulations impacts all levels of internal control and the control environment, and how that compliance is important for all entities or units of the enterprise.
COSO ERM Key Elements
Risk Component – Internal Environment
This level defines the basis for all other components in an enterprise's ERM model, influencing how strategies and objectives should be established, how risk-related business activities are structured, and how risks are identified and acted on.
Its elements:
• Risk management philosophy
• Risk appetite
• Board of directors' attitude
• Integrity and ethical values
• Commitment to competence
• Organizational structure
• Assignment of authority and responsibility
• Human resource standards
Risk Component – Objective Setting
COSO ERM stresses that the mission statement is a crucial element in setting objectives.
Mission statement: defines any related objectives
Risk Component
Risk Component – Event Identification
An enterprise needs to clearly define the significant risks arising from events and then monitor them in order to take any necessary actions.
Approaches based on COSO ERM:
Event inventories
Facilitated workshops
Interviews, questionnaires, surveys
Process flow analysis
Risk Component – Risk Assessment
Allows the enterprise to consider the effect that potentially risky events have on the achievement of enterprise objectives.
Two perspectives in assessing risk:
Likelihood of the risk occurring
Potential impact
Risk Component – Risk Response
There must be a review of estimated risk likelihoods and potential impacts, with a view to developing appropriate risk response strategies.
Four basic ways to respond to risk:
Avoidance
Reduction
Sharing
Acceptance
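Worked example (added here; it is not part of the original slides and not COSO's own material): the risk scoring schedule and risk map referred to in the four-step process above (identify, assess, prioritize, monitor) and the likelihood/impact assessment and four responses of the ERM components, in Python. The 1 to 5 scales, the risk appetite threshold, the "avoid" band, the insurable-risk list and the sample risk register are constructed assumptions, not values prescribed by COSO.

```python
"""Risk scoring schedule and risk map (added example; register and thresholds
are constructed assumptions, not COSO-prescribed values)."""
from dataclasses import dataclass

# Assumed ordinal scales for the two assessment perspectives.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
AVOID_BAND = 20  # assumed: a score of 20 or more is outside any appetite and is avoided


@dataclass(frozen=True)
class Risk:
    risk_id: str
    unit: str          # business unit owning the risk
    category: str      # used to spot risks recurring across units
    description: str
    likelihood: str    # key of LIKELIHOOD
    impact: str        # key of IMPACT

    @property
    def score(self) -> int:
        """Likelihood x impact: the cell the risk occupies on the risk map."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def suggest_response(score: int, appetite: int, shareable: bool) -> str:
    """Map a score to one of the four COSO ERM responses.
    Assumed rule: within appetite -> accept; top band -> avoid;
    otherwise share (insurance, contract) if transferable, else reduce."""
    if score <= appetite:
        return "accept"
    if score >= AVOID_BAND:
        return "avoid"
    return "share" if shareable else "reduce"


def scoring_schedule(risks, appetite, shareable_ids=frozenset()):
    """Rank risks highest score first (ties: higher impact, then id) so that
    management sees which risks to worry about first."""
    rows = [{
        "risk_id": r.risk_id,
        "unit": r.unit,
        "likelihood": LIKELIHOOD[r.likelihood],
        "impact": IMPACT[r.impact],
        "score": r.score,
        "response": suggest_response(r.score, appetite, r.risk_id in shareable_ids),
    } for r in risks]
    rows.sort(key=lambda row: (-row["score"], -row["impact"], row["risk_id"]))
    return rows


def risk_map(rows):
    """5x5 grid: risk_map[impact-1][likelihood-1] lists the risk ids in that cell."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for row in rows:
        grid[row["impact"] - 1][row["likelihood"] - 1].append(row["risk_id"])
    return grid


def entity_level_categories(risks, min_units=2):
    """Categories reported by several units: candidates to be raised from
    business-unit level to entity level."""
    units_by_category = {}
    for r in risks:
        units_by_category.setdefault(r.category, set()).add(r.unit)
    return {c for c, units in units_by_category.items() if len(units) >= min_units}


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("R1", "finance", "fraud", "payment fraud via unauthorized vendor changes", "likely", "major"),
    Risk("R2", "it", "cyber", "ransomware on file servers", "possible", "severe"),
    Risk("R3", "operations", "physical", "warehouse fire", "rare", "severe"),
    Risk("R4", "hr", "people", "loss of key staff", "possible", "minor"),
    Risk("R5", "sales", "legal", "product line with unresolved legal exposure", "likely", "severe"),
    Risk("R6", "sales", "cyber", "phishing theft of sales portal credentials", "likely", "moderate"),
]
INSURABLE = frozenset({"R2", "R3"})  # assumed: risks the enterprise can transfer


if __name__ == "__main__":
    schedule = scoring_schedule(SAMPLE_REGISTER, appetite=4, shareable_ids=INSURABLE)
    for row in schedule:
        print(f"{row['risk_id']} {row['unit']:<10} L={row['likelihood']} I={row['impact']} "
              f"score={row['score']:>2} -> {row['response']}")
    print("entity-level candidates:", sorted(entity_level_categories(SAMPLE_REGISTER)))
```

The schedule is the artifact management reviews; the map is the same data laid out by cell. Keeping the appetite and the avoid band as explicit parameters, rather than hard-coding "high/medium/low", makes the response rule auditable: a reviewer can see exactly why a risk was accepted.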
Risk Component – Control Activities
The policies and procedures needed to ensure action on the identified risk responses.
The control activities component must be closely linked with the risk response strategies and actions discussed above.
Control activities usually cover these internal control areas:
1. Separation of duties
2. Audit trails
3. Security and integrity
4. Documentation
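Worked example (added here; not from the original slides): a segregation-of-duties check, the first of the four control areas listed above and also one of the COSO control activities named earlier, written in Python. The roles, permissions, conflict rules, users and the approved-exception record are constructed assumptions. It shows the detective form (scan current assignments for conflicts), the preventive form (compute which role combinations should never be provisioned together) and the documentation side (approved exceptions recorded with their compensating control).

```python
"""Segregation-of-duties check over role assignments (added example; roles,
permissions, conflict rules and users are constructed)."""
from itertools import combinations

# Assumed role -> permission model.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "accounting": {"bank.reconcile", "ledger.read"},
    "it_admin":   {"user.create", "role.assign"},
    "auditor":    {"ledger.read", "log.read"},
}

# Conflicting duty pairs: holding both lets one person initiate and approve,
# or act and then hide the evidence.
SOD_RULES = [
    ("vendor.create", "payment.release", "create a vendor and pay it"),
    ("invoice.enter", "invoice.approve", "enter and approve the same invoice"),
    ("payment.release", "bank.reconcile", "release payments and reconcile the bank"),
    ("role.assign", "payment.release", "grant oneself payment rights"),
]


def effective_permissions(roles):
    """Union of the permissions of the given roles. An unknown role is an
    error rather than silently empty: a typo must not hide a conflict."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(user_roles):
    """Detective check: one finding per (user, rule) where the user's
    effective permissions contain both sides of the rule."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        perms = effective_permissions(roles)
        for a, b, reason in SOD_RULES:
            if a in perms and b in perms:
                findings.append((user, a, b, reason))
    return findings


def toxic_role_sets(max_size=2):
    """Preventive check: role combinations (including single roles) that
    violate a rule by construction, so provisioning can refuse them."""
    toxic = set()
    for size in range(1, max_size + 1):
        for combo in combinations(sorted(ROLE_PERMISSIONS), size):
            perms = effective_permissions(combo)
            if any(a in perms and b in perms for a, b, _ in SOD_RULES):
                toxic.add(combo)
    return toxic


def open_violations(findings, approved_exceptions):
    """Findings not covered by an approved exception. Small teams sometimes
    cannot split duties; the exception record documents the compensating
    control (e.g. independent review) and who approved it."""
    return [f for f in findings if (f[0], f[1], f[2]) not in approved_exceptions]


# Constructed sample assignments.
SAMPLE_USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_clerk", "ap_manager"],
    "carol": ["ap_manager", "accounting"],
    "dave":  ["it_admin", "ap_manager"],
    "erin":  ["auditor"],
}
APPROVED_EXCEPTIONS = {
    ("carol", "payment.release", "bank.reconcile"),  # compensating control: CFO monthly review
}


if __name__ == "__main__":
    findings = sod_violations(SAMPLE_USER_ROLES)
    for user, a, b, reason in open_violations(findings, APPROVED_EXCEPTIONS):
        print(f"SoD violation: {user} holds {a} and {b} ({reason})")
    print("toxic role combinations:", sorted(toxic_role_sets()))
```

Running the detective check on a schedule and the preventive check at provisioning time gives two independent lines of evidence; the exception list is what an auditor asks for when a conflict is knowingly tolerated.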
Risk Component –Information and Communication
Information and Communication Flows in ERM Components
Risk Component – Monitoring
Needed to determine whether all the ERM components in use are working effectively.
The COSO ERM Application Framework document suggests that monitoring include the following activities:
1. Implementation of ongoing management reporting mechanisms
2. Periodic risk-related alert reporting processes
3. Current and periodic status reporting of risk-related findings and recommendations from internal and external audit reports
4. Updated risk-related information
Other Dimensions of COSO ERM: Enterprise Risk Objectives
Operations risk management objectives: identify risks in every enterprise unit; requires detailed data gathering and analysis.
Reporting risk management objectives: reliability of the enterprise's internal and external financial and non-financial reports; accuracy of reporting.
Legal and regulatory compliance risk objectives: every enterprise must follow industry and government regulatory standards; COSO ERM suggests considering compliance-related risk for every risk component.
Entity-Level Risks
Risks encompassing the entire organization
• Multiple risks at the business unit level must be raised to entity-level risks.
• Major and minor risks can affect the whole enterprise.
Business Unit-Level Risks
• Responsibility for risk often starts with management asking each division to survey the operating objectives of all its businesses.
Putting It All Together
1. COSO ERM is an important tool for organizing and understanding SOX Section 404 internal controls.
2. It gives more consideration to risk when understanding and evaluating internal controls.
3. COSO ERM is an important tool for understanding the multiple risks enterprises face today.
4. Internal auditors should make COSO ERM an internal audit CBOK requirement and conduct internal audits in line with the ERM process.
Auditing Risk and COSO ERM Processes
Internal audit should review the enterprise-wide ERM process using these tools:
Process flowcharting
Reviews of risk and control materials
Benchmarking
Questionnaires
Internal audit should set several high-level review objectives for the effectiveness of COSO ERM in their enterprise.
Risk Management and COSO ERM in Perspective
The risk-related emphasis of the new AS 5 auditing standard, as well as increasing recognition of risk issues in the professional literature, has increased professional interest in and attention toward enterprise risk management.
The three-dimensional ERM framework helps to place risk and internal control issues in a better perspective when evaluating SOX compliance.
CoCo Model
CoCo
The Canadian Institute of Chartered Accountants' Criteria of Control Committee (CoCo) developed an internal control model similar to COSO.
The Canadians have a model that they consider easier to understand and easier to use as a guide for internal audit work.
Advantage of CoCo: it helps prevent the risk of the organization failing to achieve its objectives.
The CoCo Model
Purpose
Commitment
Capability
Monitoring and Learning
The CoCo Model: Purpose
1. Objectives should be established and communicated to all stakeholders.
2. The significant internal and external risks related to the achievement of objectives should be identified and assessed.
3. Policies designed to support the achievement of the organization's objectives and the management of its risks should be established, communicated and practised, so that employees understand what is expected of them and the scope of their freedom to act.
4. Plans to guide the achievement of the organization's objectives should be established and communicated.
5. Objectives and related plans should include measurable performance targets and indicators.
The CoCo Model: Commitment
1. Shared ethical values, including integrity, should be established formally and communicated to all stakeholders in the organization.
2. Human resource policies and practices should be consistent with the ethical values and with the achievement of objectives.
3. Authority, responsibility and accountability should be clearly defined and consistent with the organization's objectives, so that decisions and actions are taken by the appropriate people.
4. An atmosphere of mutual trust should be fostered and supported by the flow of information between employees and by their performance in support of the organization's objectives.
The CoCo Model: Capability
1. Employees should have the necessary knowledge, skills and tools to support the achievement of the organization's objectives.
2. Communication processes should support the organization's values and the achievement of its established objectives.
3. Sufficient and relevant information should be identified and communicated in a timely manner so that employees can perform their duties properly.
4. The objectives and activities of the different parts of the organization should be coordinated.
5. Control activities should be designed as an integral part of the organization, taking into account its objectives, its risks and the interrelationships among control components.
The CoCo Model: Monitoring and Learning
1. The internal and external environment should be monitored to obtain information so that the organization's objectives and controls stay up to date.
2. Performance should be monitored against the established targets and indicators.
3. The assumptions used in setting objectives and systems should be periodically reviewed.
4. Information needs should be continually reassessed as objectives change or as reporting reveals deviations.
5. Follow-up procedures should be established and performed to ensure that appropriate changes and actions are carried out.
6. Management should periodically assess the effectiveness of control and communicate the results appropriately.