As a somewhat different view, Exhibit 3.2 shows COSO internal control as a pyramid,
with the control environment as its foundation. Here, the information and communication
component is not shown as an individual layer in the model but as a side component that encompasses
the Risk Assessment and Control Activities layers. This view was more common when the COSO
internal control framework was first drafted, but the Exhibit 3.1 version is much more common today.
This view does not really describe the components separated entity by entity, as shown on the right-hand
side of Exhibit 3.1.
Although not the typical view of the COSO internal controls framework, this concept is
important. Just as a strong foundation is necessary for a multistory building, the control environment
provides the foundation for the other components of internal control. An enterprise that is building a
strong internal control structure should give special attention to laying solid foundation bricks. Of
course, internal auditors should also keep this concept in mind when assessing internal controls.
Internal audit is a key part of this foundation, but the other components are essential as well.
Evaluating the COSO internal control environment does not just require a series of “do the
debits equal the credits?” types of rules or measures; it points to the need for strong overall policies
that are fundamental but may still differ from one enterprise to another. For example, there is no set of rules
defining what is meant by tone at the top; each executive’s message may be different. However,
the CEO and other key managers should adequately communicate these important enterprise
messages, usually following the CEO’s lead.
Exhibit 3.1 shows the next level above the control foundation as risk assessment. An
enterprise’s ability to achieve its objectives can be at risk due to a variety of internal and external
factors. Understanding and managing the risk environment is a basic element of the internal control
foundation, and an enterprise should have a process in place to evaluate the potential risks that may
impact attainment of its objectives. The risk assessment component focuses on internal control
within an enterprise and has a much narrower focus than the COSO ERM framework discussed in
Chapter 6.
3. Consider how the risk should be managed and assess what action must be taken
This COSO risk assessment process places responsibility on management to assess whether a
risk is significant and, if so, to take appropriate actions. COSO internal controls also emphasizes that
risk analysis is not a theoretical process; often it is critical to an entity’s overall success. As part of its
overall assessment of internal control, management should take steps to assess both the risks that may
impact the overall enterprise and those pertaining to various enterprise activities or entities. A variety
of risks, caused by either internal or external sources, may affect the overall enterprise. The COSO
internal controls framework suggests that risk should be considered from three perspectives:
1. Enterprise risks due to external factors. These risks include technological developments that can
affect the nature and timing of new product research and development or lead to changes in
procurement processes. Other external factor risks include changing customer needs or expectations,
pricing, warranties, or service activities. New legislation or regulations can force changes in operating
policies or strategies, and catastrophes, such as the World Trade Center terrorist attack, can lead to
changes in operations and highlight the need for contingency planning.
2. Enterprise risks due to internal factors. As internal auditors often highlight in their ongoing
reviews, there can be many types of enterprise-level risk. For example, a disruption in an enterprise’s
IT server or storage management processing facility can adversely affect overall operations. Also, the
quality of personnel hired, as well as their training or motivation, can influence the level of control
consciousness within the entity. In addition, the extent of employee access to assets can
contribute to misappropriation of resources. Although now better remedied by SOx, the COSO
internal controls report also cited the risk of an unassertive or ineffective board or audit committee
that can provide opportunities for indiscretions.
3. Specific activity-level risks. Besides being viewed at an enterprise-wide level, risk should also be
considered for each significant business unit and key activity. These activity-level concerns contribute to
the enterprise-wide risks and should be identified on an ongoing basis and considered in the various
planning processes throughout the enterprise. Where no such risk-assessment process exists in an
enterprise, internal auditors should consider this lack of a formal process as part of an overall internal
controls assessment.
All too often, management may have processes in place that give the appearance of risk
assessments but lack substance. For example, a new product authorization approval form may
include a selection box for the requester to describe the risk associated with the proposed product.
Local management may consistently describe them as “low,” with no further analysis until there is
some type of massive failure. When performing reviews in these areas, internal auditors should review
this analysis and discuss the reasoning behind these types of low risk assessments.
There has been much misunderstanding and confusion regarding the risk assessment element
of COSO internal controls because of the similarly named COSO ERM framework. The risk
assessment component of the framework covers risk assessment within an individual enterprise.
The COSO ERM framework covers the entire entity and beyond. These are two separate issues; one is
not a replacement for the other.
The next layer up in the Exhibit 3.1 COSO internal control framework is called control
activities. This layer also appears as a separate horizontal layer above risk assessment in Exhibit 3.2,
but is encompassed there by the information and communication component. Control activities are the
policies and procedures that help ensure that actions identified to address risks are carried out,
following a wide range of control activity sub-processes. Control activities exist at all levels within
an enterprise and, in many cases, may overlap one another. The concept of control activities is an
essential part of building and establishing effective internal controls in an enterprise. The COSO
internal controls framework identifies a series of these activities by type of process. From an internal
audit perspective, together they should be helpful in building effective overall internal control.
(i) TYPES OF CONTROL ACTIVITIES. Internal controls are generally classified as manual,
IT, or management controls, and they are also described in terms of whether they are preventive,
corrective, or detective control activities. While no one set of internal control definitions is correct for
all situations, COSO internal controls suggests a way to classify these control activities in an
enterprise. Although it certainly is not an all-inclusive list, the following points represent some of the
COSO-recommended internal control activities for an enterprise:
Top-level reviews. Management and internal auditors, at various levels, should review the
results of their performance, contrasting those results with budgets, competitive statistics, and
other benchmark measurements. Management actions to follow up on the results of these top-level
reviews and to take corrective action represent a control activity.
Direct functional or activity management. Managers at various levels should review the
operational reports from their control systems and take corrective action as appropriate. Many
management systems have been built to produce exception reports covering these control
activities. The control activity here is the management process of following up on these
reported events and taking appropriate corrective action.
Information processing. IT systems contain many controls where systems internally check
for compliance in certain areas and then report any internal control exceptions. Those
reported exception items should receive corrective action by automated systems procedures,
by operational personnel, or by management. Other control activities include controls over the
development of new systems or over access to data and program files.
Physical controls. An enterprise should have appropriate control over its physical assets,
including fixtures, inventories, and negotiable securities. An active program of periodic
physical inventories represents a major control activity here, and internal auditors can play a
major role in monitoring compliance.
Performance indicators. Management should relate sets of data, both operational and
financial, to one another and take appropriate analytical, investigative, or corrective actions.
This process represents an important enterprise control activity that can also satisfy financial
and operational reporting requirements.
Segregation of duties. Duties should be segregated among different people to reduce the risk
of error or inappropriate actions. This basic internal control procedure should be on almost
every internal auditor’s radar screen.
These control activities are included in the COSO internal controls report but represent only
a small number of the many control activities performed in the normal course of business; these and
others keep an enterprise on track toward achieving its many objectives. Control activities usually
involve both a policy establishing what should be done and procedures to effect those policies. While
these internal control activities sometimes may be communicated only orally, according to COSO
internal controls, no matter how they are communicated, they should be implemented
“thoughtfully, conscientiously, and consistently.” This is a strong message for internal auditors
reviewing internal control activities. Even though an enterprise may have a published policy covering
a given area, there should be established internal control procedures to support that policy. Procedures
are of little use unless there is a sharp focus on the condition to which they are directed. All too often,
an enterprise may establish a control violations exception report as part of an IT system, yet reported
control violations receive little more than a cursory review by the report recipients. However,
depending on the types of conditions reported, those exceptions should receive appropriate follow-up
actions.
Control activities should be closely related to the risks identified in the COSO internal
controls risk assessment component. Internal control is a process, and appropriate control activities
should be installed to address identified risks. Control activities should not be installed just
because they seem to be the right thing to do if there are no significant risks in the area where
the control activities would be installed. Sometimes control activities in place once served some
control-risk concern, although the concerns have largely gone away. A control activity procedure
should not be discarded just because there have not been control violation incidents in recent years,
but management needs to periodically reevaluate the relative risk. All internal control activities should
contribute to the overall control structure. Internal auditors should keep this concept in mind as they
review internal controls and make recommendations.
(iii) CONTROLS OVER INFORMATION SYSTEMS. The COSO internal controls framework
emphasizes that control procedures are needed over all significant IT or information systems: financial,
operational, and compliance related. COSO internal controls breaks down information system
controls into the well-recognized general and application controls. General controls apply to much of
the information systems function to help ensure adequate control procedures over all applications. A
physical security lock on the door to the IT server center is such a general control for all applications
running on servers within that facility.
The term application controls refers to controls over specific IT processes; an example is a control in a weekly payroll IT
program that prevents any employee from being paid for over 80 hours in a given week. The COSO
internal controls framework highlights a series of IT control areas for evaluating the overall adequacy
of internal controls. General controls include all centralized server center or data storage management
controls, including job scheduling, database management, and business continuity planning. These
controls typically are the responsibility of specialists in centralized computer server or storage
management centers. However, with newer, more modern systems connected to one another through
telecommunications and network links, these controls can be distributed across a large web of server-
based systems.
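As an added example (not from the COSO framework or from the book this page draws on), the following Python models the application controls just described: the 80-hour weekly payroll limit as a preventive control, a self-approval check as the segregation-of-duties control listed earlier, and the resulting exception records as a detective control whose follow-up is itself checked, addressing the cursory-review problem noted above. The timesheet fields, the sample entries and the 14-day follow-up window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_WEEKLY_HOURS = 80          # hard limit the page gives for the payroll application control
FOLLOW_UP_DEADLINE_DAYS = 14   # assumed policy: an exception must be resolved within 14 days


@dataclass
class Timesheet:               # constructed record layout, not a real payroll schema
    employee: str
    approver: str
    hours: float
    week_ending: date


@dataclass
class ControlException:        # one row of the "control violations exception report"
    employee: str
    rule: str
    raised_on: date
    resolved_on: Optional[date] = None


def run_payroll(timesheets):
    """Preventive controls: an offending entry is withheld and an exception is raised."""
    paid, exceptions = [], []
    for ts in timesheets:
        if ts.hours > MAX_WEEKLY_HOURS:
            exceptions.append(ControlException(ts.employee, "HOURS_OVER_80", ts.week_ending))
        elif ts.approver == ts.employee:   # segregation of duties: no self-approval
            exceptions.append(ControlException(ts.employee, "SELF_APPROVED", ts.week_ending))
        else:
            paid.append(ts)
    return paid, exceptions


def overdue_exceptions(exceptions, today):
    """Detective control over the report itself: exceptions still open past the deadline."""
    limit = timedelta(days=FOLLOW_UP_DEADLINE_DAYS)
    return [e for e in exceptions if e.resolved_on is None and today - e.raised_on > limit]


# Constructed sample input: one week of timesheets for three employees.
SAMPLE = [
    Timesheet("alice", "bob", 38.0, date(2024, 3, 8)),
    Timesheet("carol", "bob", 92.5, date(2024, 3, 8)),   # exceeds the 80-hour limit
    Timesheet("dave", "dave", 40.0, date(2024, 3, 8)),   # approved his own timesheet
]


def demo(today=date(2024, 4, 1)):
    """Runs the sample; the reviewer closed the self-approval case but not the overtime one."""
    paid, exc = run_payroll(SAMPLE)
    exc[1].resolved_on = date(2024, 3, 12)
    return {
        "paid": [t.employee for t in paid],
        "raised": [(e.employee, e.rule) for e in exc],
        "overdue": [e.employee for e in overdue_exceptions(exc, today)],
    }
```

The `overdue` list is what an internal auditor would ask for when the exception report is suspected of getting only a cursory review: entries the preventive control caught but nobody acted on.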
The COSO internal controls framework document concludes with a discussion of the need to
consider the impact of evolving technologies when evaluating information systems control
activities. Due to the rapid introduction of new technologies, what is new today will soon be replaced
by something else. COSO internal controls has not introduced anything new with regard to IT
controls but highlights their importance in the overall internal control environment.
(d) Communications and Information
Exhibit 3.1, the model of the COSO internal controls framework, describes its components as layers,
one on top of another, starting with the internal control environment as the foundation. The pyramid
model in Exhibit 3.2 describes the information and communication component not as a horizontal layer
but as a side element that crosses other components. Information and communications are related but
distinct components of the internal control framework. Appropriate information, supported by IT systems,
must be communicated up and down the enterprise in a manner and time frame that allows people to carry
out their responsibilities. In addition to formal and informal communication systems, enterprises must
have effective procedures in place to communicate with internal and external parties. These
information and communication flows in the enterprise must be understood for any internal control
evaluation, such as for a SOx Section 404 evaluation.
ii) THE CONTROL ENVIRONMENT FROM THE COSO PERSPECTIVE
Exhibit 3.2 shows COSO internal control as a pyramid, with the control
environment as its foundation. Here, the information and communication component is not
shown as an individual layer but as a side component that spans the Risk
Assessment and Control Activities layers. This view was more common when the COSO
internal control framework was first designed, but the Exhibit 3.1 version is far more common
today. An enterprise that is building a strong internal control structure
should give special attention to laying solid foundation
bricks. Of course, internal auditors should also keep this concept in mind when assessing internal
controls.
3. Consider how the risk should be managed and assess what action must be
taken.
In this COSO risk assessment process, responsibility lies with management to assess
whether a risk is significant and, if so, to take appropriate internal control action.
COSO also emphasizes that the risk analysis process is not theoretical; it is often
critical to the overall success of the entity. As part of its overall
assessment of internal control, management should take steps to assess
both the risks that may impact the enterprise as a whole and those relating
to the various enterprise activities or entities. A variety of risks, caused
by either internal or external sources, can affect the enterprise
as a whole. The COSO internal control framework suggests that risk
should be considered from three perspectives:
The next layer up in the Exhibit 3.1 COSO internal control framework is called control activities. This
layer also appears as a separate horizontal layer above control activities in Exhibit
3.2, but it is encompassed there by the information and communication component. Control activities are
the policies and procedures that help ensure that the actions identified
to address risks are carried out. Control activities exist at all levels within an
enterprise and, in many cases, may overlap one another. The concept
of control activities is an important part of building and establishing
effective internal control in an enterprise. The COSO internal control framework
identifies a series of activities by type of process. From an internal audit
perspective, together they should help in building effective overall
internal control.
♣ Top-level reviews. Management and internal auditors, at various levels, should review
the results of their performance, contrasting those results with budgets, competitive statistics, and
other benchmark measurements. Management actions to follow up on the results of these
reviews and to take corrective action represent a control activity.
♣ Physical controls. An enterprise should have appropriate control over its physical assets, including
fixtures, inventories, and negotiable securities. An active program of periodic physical inventories
is a major control activity here, and internal auditors can play a
major role in monitoring compliance.
♣ Performance indicators. Management should relate sets of data, both operational and
financial, to one another and take appropriate analytical, investigative, or
corrective actions. This process is an important enterprise control activity
that can also satisfy financial and operational reporting requirements.
♣ Segregation of duties. Duties should be segregated among different people to
reduce the risk of error. This basic internal control procedure should
be on every internal auditor’s radar screen.
These control activities are included in the COSO internal control report, but they
represent only a small number of the many control activities carried out in the course
of achieving the enterprise’s objectives. Control activities usually involve both a
policy establishing what should be done and procedures to put that
policy into effect. While these internal control activities may sometimes be
communicated only orally, according to COSO internal control, no matter
how they are communicated, they must be implemented seriously,
conscientiously, and consistently. This is a strong message for internal auditors who
review internal control activities. Although an enterprise may have a published policy
covering a given area, there must be established internal control procedures
to support that policy. Procedures are rarely of use unless there is a sharp focus
on the conditions to which they are directed.
Application controls refer to specific IT processes. The COSO internal control framework
highlights a series of IT control areas for evaluating the overall adequacy of internal
control. General controls cover all centralized server or data center
storage management controls, including job scheduling, database
management, and business continuity planning. These controls are typically the responsibility
of specialists in centralized computer server or storage management centers. However,
with newer, more modern systems connected to one another through telecommunications
and network links, these controls can be distributed across a large web of server-based
systems.
The COSO internal control framework document concludes with the
need to consider the impact of developing technologies when evaluating
information systems control activities. Due to the rapid introduction of new technologies,
what is new today will soon be replaced by something else. COSO internal control
has not introduced anything new regarding IT controls but
highlights their importance in the overall internal control environment.