Group 5 Members:
● Zahra Nurhanisa (1906358625)
● Amartya Krisna Permana (1906358562)
● Ricky Adya Prima (1906286286)
● Kevin Hizkia Simatupang (1906358581)
● Muhammad Rana Evan F. (1906286191)
● Athena Adriane (1906358272)
Answers:
1. Review the observations of your team members on the control environment of the
Group [as documented in Exhibit 5] and state your other observations, if any.
PRINCIPLE 1 - INEFFECTIVE
Demonstrated a commitment to integrity and ethical values
● TM failed to communicate to its staff the core values, vision and mission of TM.
● Code of conduct and employee handbook were not readily available to staff.
● More evaluation on standards of conduct should be conducted, for example, conduct
when using social media platforms.
● Lack of whistle-blowing system or policy.
● Lack of supplier’s code of conduct.
PRINCIPLE 2 - INEFFECTIVE
Board exercised oversight responsibility over internal control
● Lack of independent non-executive director.
● Roles of chairman and CEO were not separated. Potential conflict of interest arising
out of Richard Namkong’s shareholding in distributor of TM.
● Lack of risk management policies.
PRINCIPLE 3 - INEFFECTIVE
Management established structures, authorities, and responsibilities
● Lack of clear reporting lines for incidents. Employees were unclear of reporting
processes.
● Lack of limitations in accessing TM’s accounts.
PRINCIPLE 4 - INEFFECTIVE
Demonstrated commitment to competence
● Lack of policies for business processes.
● Lack of policies on conflict of interest.
● Lack of a nomination committee.
PRINCIPLE 5 - INEFFECTIVE
Enforced Accountability
● Verbal warning was inadequate to reflect the severity of the misconduct.
● No consistent disciplinary policies.
2. Analyze the:
2.1. risk assessment
Principle, Point of Focus, Design Effectiveness, Description
TM should consider various types of fraud, as well as assess the incentives and pressures,
opportunities, attitudes and rationalizations that may lead to fraudulent activities. Further, the
lack of a protocol function for reporting fraud and the lack of fraud awareness training mean
that employees do not have the necessary tools to identify and report potential fraudulent
activities.
TM should also establish risk management to evaluate internal and external changes and
their impact on objectives and risks. Without a formal assessment of risk, including analyses
and mitigation planning, there may be increased risk of activities occurring.
In this case, the control activities template shown in Exhibit 2 is a pro forma review tool.
Evaluating the control activities with the review tool is a procedure for assessing the
effectiveness of the control risk activities that have been designed and are currently being
practised.
The review focuses first on the classification by principle, then on the point of focus. Both are
guidelines on whether each component, operating individually or in an integrated manner, was
effectively designed and implemented. The parts being assessed are the control, the description
of current controls, the control unit/location, the point of focus in place/addressed, the control’s
operating effectiveness, the effectiveness of the control’s design, whether there is any deficiency,
the deficiency description, the severity of the deficiency and, lastly, comments on the assessment.
As a note, internal control deficiencies were shortcomings in components and principles that
might reduce the likelihood an entity would achieve its control objectives. A major deficiency
existed when components with its relevant principles were absent or non-functioning/not
operating together, so much that they had trouble achieving their objectives.
These are components of control activities that are being assessed of their compliance to
principles. The classifications are:
Principle 10: The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.
● Integrated with risk assessment (which has been assessed before as part of controlling
risk): according to the IT department, there has been an incident because of the lack
of a policy to address the risks in relation to its online platforms.
● Considered entity-specific factors: GC does have specific factors such as the theft problem,
the supplier problem, etc., as GC designs, manufactures, markets and distributes its
products mostly with T.M. However, there is no specific policy set for the two
companies’ online work, which led to the unauthorized sale incident.
● Determined relevant business processes, evaluated a mix of control activity types: no
written policies for correcting performance that had deviated from their goals.
● Considered at what level activities were applied, addressed segregation of duties:
although the top management still oversaw performance, as they were able to tell
that the firm had deviated from its goals, there seems to be no actual way for them to put
their input into the firm’s daily operation. Their director is also the CEO of T.M.,
which means fewer views come into their operation.
Principle 11: The organization selects and develops general control activities over technology
to support the achievement of objectives.
● Determined dependency between the use of tech in business processes and tech
general controls: management seems to be insensitive to how the business process
is linked with their tech, especially online security.
● Established relevant technology infrastructure control activities: the firm does have
technology available to help with their product processing.
● Established relevant security management process control activities: the firm has no
actual policy to restrict tech access, as proven by the incident.
● Established relevant technology acquisition, development and maintenance process
control activities: it seems that after the initial tech structure was set up to help with sales
and inventory regulation, there have been no significant updates to the structure.
Principle 12: The organization deploys control activities through policies that establish what
is expected and procedures that put policies into action.
● Established policies and procedures to support deployment of management’s
directives: the business seems to be unstructured and this results in high turnover.
● Established responsibility and accountability for executing policies and procedures:
once again, the firm is low in policies and thus there are no specific
accountability control activities, aside from the senior officer and finance manager
who manage and check supporting documents for finance process level control.
● Performed in a timely manner: no policies specifying when a problem should
immediately be assessed.
● Took corrective action: no responsible personnel to help with investigating their
control activities, as the control activities are usually done only when problems arise.
● Performed using competent personnel: no competent personnel to make sure the
control activities are done correctly, even auditing, which is done by departments that
only do random checks.
● Reassessed policies and procedures: no formal policy for checking the activities’
relevance.
The assessment is closed by evaluating the overall effectiveness of the control activities
component, both the design effectiveness and operating effectiveness. This helps
when taking corrective action: when conducting a control activity, matters identified for
follow-up should be investigated and, if appropriate, corrective action taken. Management
should also periodically reassess policies and procedures and related control activities for
continued relevance and effectiveness, unrelated to being responsive to significant changes in
the entity’s risks or objectives. Significant changes would be evaluated through the risk
assessment process.
For example, from the paper, a list of companies in Hong Kong are required to evaluate their
internal control systems at least annually. However, in the case of GC, there was no
follow-up action, even after the privacy breach incident drew quite a harsh response from their
customers on the internet. Therefore, their control activities can objectively be deemed less
effective than needed. Information that could help us give them more specific recommendations
is how the company’s top managers usually relay their input on the various situations the
firm is currently facing to lower levels of management.
Principle 14. Communicated Internally. This principle looks at whether the company has a
good communication channel within the company. The first point of focus is
communicating internal control information, which doesn’t happen in TM, because the staff
don’t receive training about internal control; worse, TM expected its staff to
understand TM’s mission and vision on their own. TM hoped that its employees would learn
it from the employee handbook, which is not accessible through the internet and hasn’t been
updated for 3 years. There is also a lack of communication with the board of directors,
of separate communication lines, and of a selected relevant method of communication. This is
further shown by a case from Buzz, where Rex found out about it but didn’t know where or
to whom to report the matter, so he resolved it on a gossip page. This is bad, because if there is
no communication channel the problem won’t reach the eyes of the manager or senior
manager to be addressed. By going to the gossip page, it might just be another passing gossip
and won’t be further processed.
Principle 15. Communicated Externally. This checks whether the company has a relevant
channel to external parties and how it sends a message to an external party. The first
point of focus is communicating to external parties, which is lacking in TM’s structures.
This is shown by the case of a junior staff member who stole three boxes of “Super Hero” sixth
generation toy gun prototypes; the company didn’t report this theft to the police because they
didn’t want it to become a news headline. Simply put, they don’t know how to handle the
press.
2.4. monitoring activities of the Group (other components).
Principle 16: The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present and
functioning.
● Considered a mix of ongoing and separate evaluations: neither secretary collects
records, making it difficult for the company to record separate evaluations. This will
also have an impact on continuous evaluation
● Considered rate of changes: companies are less able to apply the use of technology
and innovation amid the increasing trend of online games
● Established baseline understanding: they do not understand the essence of gun games
that are fun and safe to use for children
● Used knowledgeable personnel: the company does not enter the serial number data
from the purchase data so that there is a difference in recording between the
managers, they will ignore it. This is the right step, which is needed by the right
company to generate high objectivity
● Integrated with business processes: there are transactions that are not recorded at the
applicable time so that they have the potential to interfere with business performance
● Adjusted scope and frequency: they do not have a data privacy policy that threatens
harm to their consumers mainly related to security
● Objectively evaluated: Sometimes they ignore objectivity in order to get a good result
rather than conforming to reality
Principle 17: The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including senior
management and the board of directors, as appropriate.
● Assessed results: they do not have a policy regarding application online in producing
accurate data
● Communicated deficiencies: the low performance control environment which results
in the level of operational effectiveness and design inefficiencies being judged from
ethical values, responsibility of internal control, management structures, competence,
and accountability.
● Monitored corrective actions: the absence of a whistleblowing policy has resulted in a
potentially large deficiency in monitoring
You were to use the table in Exhibit 2 as the template to analyze the design effectiveness of
each of the other components. You were also to note any questions or additional information
that you needed for your assessment.
3. Last Question: In your view, were there major deficiencies in the Group’s entity-
level? How would your team proceed to further test such controls’ reliability? What
mitigating actions would you suggest?
There were several deficiencies in the entity-level of the company, such as:
1. The company doesn’t have an independent non-executive director and there is no regular
director meeting
2. They didn’t have an internal audit function
3. They didn’t have a good policy about risk
What is going on in the company is so bad. Therefore, they need to restructure some
systems. We suggest that the company add a better system, such as an internal control team, to
make the company perform better.