
SIA B_INTERNAL CONTROL REVIEW: THE PRACTICAL APPROACH

Group 5 Members:
● Zahra Nurhanisa (1906358625)
● Amartya Krisna Permana (1906358562)
● Ricky Adya Prima (1906286286)
● Kevin Hizkia Simatupang (1906358581)
● Muhammad Rana Evan F. (1906286191)
● Athena Adriane (1906358272)

Answers:
1. Review the observations of your team members on the control environment of the
Group [as documented in Exhibit 5] and state your other observations, if any.
PRINCIPLE 1 - INEFFECTIVE
Demonstrated a commitment to integrity and ethical values
● TM failed to communicate its core values, vision and mission to its staff.
● The code of conduct and employee handbook were not readily available to staff.
● Standards of conduct should be evaluated more broadly, for example to cover conduct
on social media platforms.
● Lack of a whistle-blowing system or policy.
● Lack of a supplier code of conduct.

PRINCIPLE 2 - INEFFECTIVE
Board exercised oversight responsibility over internal control
● Lack of an independent non-executive director.
● The roles of chairman and CEO were not separated.
● Potential conflict of interest arising from Richard Namkong's shareholding in a
distributor of TM.
● Lack of risk management policies.

PRINCIPLE 3 - INEFFECTIVE
Management established structures, authorities, and responsibilities
● Lack of clear reporting lines for incidents; employees were unclear about the reporting
process.
● Lack of limitations on access to TM's accounts.

PRINCIPLE 4 - INEFFECTIVE
Demonstrated commitment to competence
● Lack of policies for business processes.
● Lack of a policy on conflicts of interest.
● Lack of a nomination committee.

PRINCIPLE 5 - INEFFECTIVE
Enforced accountability
● A verbal warning was inadequate to reflect the severity of the misconduct.
● No consistent disciplinary policies.
2. Analyze the:
2.1. risk assessment
Principle | Point of focus | Design effectiveness | Description
(Rating key: E = effective, I = ineffective, - = not yet rated; TBO = information still to be obtained)

P6. Specified suitable objectives
  - Specified suitable objectives
      Reflected management's choices | - | TBO
      Considered tolerance for risk | (no rating recorded) |
      Included operations and financial performance goals | E |
      Formed a basis for committing of resources | I | Lack of resources to hold regular staff trainings
  - External financial reporting objectives
      Complied with applicable accounting standards | I | Recorded expenses not when they were incurred
      Considered materiality | I | TM does not require its employees to submit original receipts for reimbursement
      Reflected entity activities | (no rating recorded) |
  - External non-financial reporting objectives
      Complied with externally established standards and frameworks | I | Lack of a supplier code of conduct or signed contract
      Considered the required level of precision | - | TBO
  - Internal reporting objectives
      Reflected entity activities | (no rating recorded) |
      Reflected management's choices | - | TBO
      Considered the required level of precision | - | TBO
  - Compliance objectives
      Reflected external laws and regulations | I | Lack of a supplier code of conduct or signed contract
      Considered tolerances for risk | I | Lack of a policy to address the risks in its online platforms

P7. Identified and analyzed risks
      Included entity, subsidiary, division, operating unit and functional levels | - | Information to be obtained
      Analyzed internal and external factors | I | TM had not conducted any risk analyses or made any contingency plans
      Involved appropriate level of management | E |
      Estimated significance of risks identified | I | Inadequate penalty to reflect the severity of misconduct
      Determined how to respond to risks | I | Lack of risk management policies or procedures

P8. Assessed fraud risk
      Considered various types of fraud | - | TBO
      Assessed incentives and pressures | - | TBO
      Assessed opportunities | I | Lack of a whistle-blowing policy; lack of risk management policies and procedures
      Assessed attitudes and rationalizations | - |

P9. Identified and analyzed significant change
      Assessed changes in the external environment | E | TM viewed that the conventional way of distribution had become too costly and unpopular
      Assessed changes in the business model | - | TBO
      Assessed changes in leadership | - | TBO

Overall effectiveness of the component | Comment
      Design effectiveness | Ineffective

TM should consider the various types of fraud, and assess the incentives and pressures,
opportunities, attitudes and rationalizations that may lead to fraudulent activity. Further, the
lack of a formal channel for reporting fraud and the lack of fraud awareness training mean
that employees do not have the tools they need to identify and report potentially fraudulent
activity.

TM should also establish a risk management process to evaluate internal and external changes
and their impact on objectives and risks. Without a formal risk assessment, including analysis
and mitigation planning, undesirable activities are more likely to occur and to go unaddressed.

2.2. control activities:


Control activities are policies and procedures: the actions people take, directly or through the
application of technology, to implement the policies and help ensure that management's risk
responses are carried out. Policies reflect management's statement of what should be done to
effect control. Such statements may be documented, explicitly stated in communications, or
implied through management's actions and decisions. Procedures consist of the actions that
implement a policy.

In this case the review tool shown in Exhibit 2 is a pro forma template. Evaluating the control
activities with this tool is a procedure for assessing the effectiveness of the control activities
that were designed and are currently being practised.

The review is organised first by principle, then by point of focus. Both serve as guidelines for
judging whether each component, operating individually or in an integrated manner, was
effectively designed and implemented. The items assessed are: the control, the description of
current controls, the control unit/location, whether the point of focus is in place/addressed,
control operating effectiveness, the effectiveness of the control's design, whether there is a
deficiency, the deficiency description, the severity of the deficiency and, lastly, comments on
the assessment.

As a note, internal control deficiencies are shortcomings in components and principles that
may reduce the likelihood that an entity achieves its control objectives. A major deficiency
exists when a component and its relevant principles are absent or not functioning, or when the
components do not operate together, to the extent that the entity cannot achieve its objectives.

These are the points of focus of the control activities component, assessed for compliance with
the principles. The classifications are:
Principle 10: The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.

● Integrated with risk assessment (already assessed as part of the risk assessment component
above): according to the IT department, there was an incident caused by the lack of a
policy to address the risks of its online platforms.
● Considered entity-specific factors: GC does have specific risk factors (theft, supplier
problems, etc.), since GC designs, manufactures, markets and distributes its products mostly
through TM; however, there is no specific policy between the two companies governing
online work, which led to the unauthorized sale incident.
● Determined relevant business processes and evaluated a mix of control activity types: there
are no written policies for correcting performance that has deviated from goals.
● Considered at what level activities are applied and addressed segregation of duties:
although top management still oversaw performance, as they were able to tell that the firm
had deviated from its goals, there seems to be no actual mechanism for feeding their input
into the firm's daily operations. Their director is also the CEO of TM, which narrows the
range of perspectives brought to the operation.

Principle 11: The organization selects and develops general control activities over technology
to support the achievement of objectives.
● Determined the dependency between the use of technology in business processes and
technology general controls: management seems insensitive to how the business processes
depend on their technology, especially online security.
● Established relevant technology infrastructure control activities: the firm does have
technology available to support its product processing.
● Established relevant security management process control activities: the firm has no actual
policy restricting access to its technology, as the incident demonstrated.
● Established relevant technology acquisition, development and maintenance process control
activities: after the initial technology structure was set up to support sales and inventory
control, there appear to have been no significant updates to it.

Principle 12: The organization deploys control activities through policies that establish what
is expected and procedures that put policies into action.
● Established policies and procedures to support deployment of management's directives:
the business seems unstructured, and this results in high turnover.
● Established responsibility and accountability for executing policies and procedures: as
stated above, the firm has few policies and thus no specific accountability control
activities, apart from the senior officer and finance manager who manage and check
supporting documents as a process-level control over finance.
● Performed in a timely manner: no policy specifies when a problem should be assessed
immediately.
● Took corrective action: no personnel are responsible for investigating the control
activities, as control activities are usually performed only when a problem arises.
● Performed using competent personnel: no competent personnel ensure that control
activities are carried out correctly, including auditing, which is done by departments that
only perform random checks.
● Reassessed policies and procedures: no formal policy for checking that activities remain
relevant.

The assessment closes by evaluating the overall effectiveness of the control activities
component, both design effectiveness and operating effectiveness. This supports corrective
action: matters identified for follow-up when conducting a control activity should be
investigated and, if appropriate, corrected. Management should also periodically reassess
policies and procedures and the related control activities for continued relevance and
effectiveness, independently of any response to significant changes in the entity's risks or
objectives. Significant changes are evaluated through the risk assessment process.

For example, the paper notes that listed companies in Hong Kong are required to evaluate
their internal control system at least annually. GC, however, took no follow-up action, even
after the privacy breach incident drew a harsh response from customers online. Their control
activities can therefore objectively be deemed less effective than needed. Information that
would help us give more specific recommendations is how the company's top managers
usually relay their input on the situations the firm is facing to lower levels of management.

2.3. information and communication, and


Principle 13: Uses relevant information. This checks whether the company records and uses
relevant information for its operating purposes. One of the points of focus is the processing of
relevant data into information. TM has a knowledge team that gathers customer satisfaction
data by having customers rate their satisfaction from 1 to 5. This data is later processed into
meaningful information that tells TM its customer satisfaction level, which turns out to be
quite high at 99%. TM also considered the costs and benefits of employee training. However,
TM lacks a customer data privacy policy, on the grounds that it is cautious about disclosing
customers' personal data to marketing firms and that its employees conform to all applicable
law. TM still needs a definite rule for this kind of data, because it concerns the customer and
the customer's data: customers need to know what TM will do with it and how it will be kept
secure.

Principle 14: Communicates internally. This principle examines whether the company has
good communication channels within the company. The first point of focus is communicating
internal control information, and this does not happen at TM: staff do not receive training
about internal control, and worse, TM expected its staff to understand TM's mission and vision
on their own. TM hoped that employees would learn it from the employee handbook, which is
not accessible online and has not been updated for three years. There is also a lack of
communication with the board of directors, of separate communication lines, and of selecting
relevant methods of communication. This is further demonstrated by the Buzz case, where Rex
found out about the matter but did not know where or to whom to report it, so he aired it on a
gossip page. This is bad because, with no communication channel, the problem will not reach
a manager or senior manager to be addressed; on a gossip page it may be treated as just another
passing rumour and never followed up.

Principle 15: Communicates externally. This checks whether the company has relevant
channels to external parties and how it sends messages to them. The first point of focus is
communicating with external parties, and this is lacking in TM's structure. This is shown by
the case of a junior staff member who stole three boxes of "Super Hero" sixth-generation toy
gun prototypes: the company did not report the theft to the police because it did not want it
to become a news headline. Simply put, they do not know how to handle the press.
2.4. monitoring activities of the Group (other components).

Principle 16: The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present and
functioning.
● Considered a mix of ongoing and separate evaluations: neither secretary collects records,
making it difficult for the company to document separate evaluations. This also hampers
ongoing evaluation.
● Considered rate of change: the company is less able to apply technology and innovation
amid the growing trend of online games.
● Established baseline understanding: they do not understand the essence of gun games that
are fun and safe for children to use.
● Used knowledgeable personnel: the company does not enter serial number data from the
purchase data, so when recording differences arise between managers, they are ignored.
Knowledgeable personnel are needed for the company to produce objective records.
● Integrated with business processes: some transactions are not recorded at the applicable
time, which has the potential to interfere with business performance.
● Adjusted scope and frequency: they do not have a data privacy policy, which threatens
harm to their consumers, mainly related to security.
● Objectively evaluated: sometimes they ignore objectivity in order to obtain a good result
rather than conforming to reality.

Principle 17: The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including senior
management and the board of directors, as appropriate.
● Assessed results: they do not have a policy on online applications for producing accurate
data.
● Communicated deficiencies: the weak control environment, judged on ethical values,
responsibility for internal control, management structures, competence and accountability,
results in low operating effectiveness and design inefficiencies.
● Monitored corrective actions: the absence of a whistle-blowing policy results in a
potentially major deficiency in monitoring.

You were to use the table in Exhibit 2 as the template to analyze the design effectiveness of
each of the other components. You were also to note any questions or additional information
that you needed for your assessment.

3. Last Question: In your view, were there major deficiencies in the Group’s entity-
level? How would your team proceed to further test such controls’ reliability? What
mitigating actions would you suggest?

There were several deficiencies at the entity level of the company, such as:
1. The company does not have an independent non-executive director, and there are no
regular board meetings.
2. It has no internal audit function.
3. It has no adequate risk policy.

The company's situation is therefore serious, and some of its systems need to be restructured.
We suggest that the company put in place a stronger system, such as an internal control team,
so that it performs better.
