
INTERNAL CONTROL
RANGGA, QILA, PUTRI, DEYE, DITA

Outline
The Role of Internal Audit in the Assessment (of Controls)
Components of Internal Control: COSO
Components of Internal Control: ERM
Components of Internal Control: CoCo

AUDIT INTERNAL FEB UI 2015

Control
Definition for the external auditor: Internal control is a process affected
by an activity's BOD, management or other personnel, designed to provide
reasonable assurance regarding the achievement of objectives.
Definition for the internal auditor: Control is the employment of all the
means devised in an enterprise to promote, direct, restrain, govern, and
check upon its various activities for the purpose of seeing that enterprise
objectives are met.
Control: a suitable system of internal check should eliminate the
need for a detailed audit.

Control, the internal auditor's "open sesame"


The Purpose of control: to achieve objectives
The bridge between auditor and client


The Importance of Control to the Internal Auditor
[Diagram: Operating System; Control System; Control by Internal Auditor; Objectives]


International Standards for the Professional Practice of Internal Auditing (Standards)


Internal Control Framework: The COSO Standard

Importance of Internal Controls
Internal and external auditors have many different objectives.
Most references to auditors apply to internal auditors, who have
a major responsibility to understand and assess COSO internal
controls.

Internal control extends beyond just accounting and financial
matters and includes all enterprise processes.


Internal controls are processes that are designed
to provide reasonable assurance for:
Reliable financial and operational information
Compliance with policies and procedures, plans, laws, rules, and regulations
Safeguarding of assets
Integrity and ethical values
Achievement of an established mission, objectives and goals for enterprise operations and programs
Operational efficiency

Internal Control Standards: Background
AICPA's first codified standards: Statement on
Auditing Standards (SAS No. 1)

Modified to add administrative and accounting
controls to the basic internal control definition

The overlapping relationships of the two types of
internal control were then further clarified in pre-1988 AICPA standards


Foreign Corrupt Practices Act 1977
A federal United States law aimed at preventing the
bribery of foreign government officials in an effort to
obtain or retain business.

It was an important first step for helping enterprises to
think about the need for effective internal controls, even
though there were no guidelines or standards over the
FCPA's systems documentation requirements.


The FCPA required that SEC-regulated enterprises must:

Make and keep books, records, and accounts, which, in reasonable
detail, accurately and fairly reflect the transactions and dispositions
of the assets of the issuers.
Devise and maintain a system of internal accounting controls sufficient
to provide reasonable assurances that:
  Transactions are executed in accordance with management's general
  or specific authorization.
  Transactions are recorded as necessary both to permit the preparation
  of financial statements in conformity with generally accepted
  accounting principles (GAAP) or any other criteria applicable to such
  statements, and also to maintain accountability for assets.
  Access to assets is permitted only in accordance with management's
  general or specific authorization.
  The recorded accountability for assets is compared with the existing
  assets at reasonable intervals, and appropriate action is taken with
  respect to any differences.

FCPA Facts
The FCPA record-keeping requirements applied to
all public corporations registered with the SEC.
It contained provisions requiring the maintenance
of accurate books and records as well as systems
of internal accounting control.
The FCPA required that companies maintain a
system of internal accounting controls sufficient to
provide reasonable assurances that
transactions are authorized and recorded to permit
preparation of financial statements in conformity
with GAAP.


Events Leading to the Treadway Commission
In the late 1970s, external auditors only reported
that an enterprise's financial statements were
fairly presented; there was no mention of the
adequacy of the internal control
procedures supporting those audited financial
statements.
In 1974, the AICPA formed a high-level
Commission on Auditors' Responsibilities (the Cohen
Commission), which recommended in 1978 that a
statement on the condition of an enterprise's
internal controls should be required along with
their financial statements.
FEI involvement: In the late 1970s, the FEI
endorsed the Cohen Commission's internal
controls recommendations and agreed that
corporations should report on the status of their
internal accounting controls.


SAS No. 55
Began with the expectation gap of SAS No. 1.
The AICPA released a series of new SASs
between 1980 and 1985, providing guidance for the
terminology to be used in internal accounting
control reports.
SAS No. 55: control environment, accounting
system, control procedures

Treadway Committee Report
The National Commission on Fraudulent Financial
Reporting (Treadway Commission) had the objectives of
identifying the causal factors that allowed fraudulent financial
reporting and making recommendations to reduce their
incidence.
The Treadway Commission's final report was issued in
1987, with recommendations to management, boards of
directors, the public accounting profession, and others.

Although it issued no standards, the Treadway
report was important in raising the level of
concern and attention regarding reporting on
internal control.

COSO Internal Control Framework

COSO Internal Control Framework
5 professional organizations (IIA, AICPA, FEI, AAA, IMA) formed a committee: COSO
Internal Control Integrated Framework (in September 1992)

A common framework:
A definition of internal control
A procedure for evaluating controls

According to COSO
Internal control is a process, influenced by the BOD,
management, and other personnel in the company, that is
designed to provide reasonable assurance regarding the
achievement of the company's objectives, covering:

Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

COSO Internal Control Framework
The core of the COSO Internal Control Framework is that
a company must always consider each internal control
in relation to other, related internal controls.

Control Environment
The foundation of the internal control structure
Reflects the overall attitude, awareness, and behavior of
the BOD, management, and other parties regarding the
importance of internal control within the company

Influences all three objectives and all units
A company's history and culture play an important role in
shaping the internal control environment.

Components of Control Environment
INTEGRITY AND ETHICAL VALUES

In order to build integrity and ethical
values, a strong internal audit function
should be a major component of the
COSO control environment.

COMMITMENT TO COMPETENCE

By placing the proper people in appropriate
jobs and giving adequate training when
required, an enterprise is satisfying this
important COSO control environment component.

BOARD OF DIRECTORS AND AUDIT COMMITTEE

An active and independent board can set
high-level policies and review overall
enterprise conduct.

Components of Control Environment
MANAGEMENT'S PHILOSOPHY AND OPERATING STYLE

No one set of styles and philosophies is best for all enterprises,
but these factors are important when considering the
other components of internal control in an enterprise.

ORGANIZATIONAL STRUCTURE

How business functions are managed and organized. Every
enterprise or entity needs an effective plan of organization.

ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY

Each person in the enterprise must have a good
understanding of the enterprise's overall objectives and
how individual actions interrelate to achieve those objectives.

Components of Control Environment
HUMAN RESOURCES POLICIES AND PRACTICES

Effective human resource
policies and procedures are a
critical component in the
overall control environment.

Risk Assessment
COSO describes risk assessment as
a three-step process:
Estimate the significance of the risk.
Assess the likelihood or frequency of the risk
occurring.
Consider how the risk should be managed
and assess what actions must be taken.

Risk Assessment
The COSO internal controls
framework suggests that risks
should be considered from three
perspectives:
Risks due to external factors
Risks due to internal factors
Specific activity-level risks

Control Activities
Control activities are the policies and procedures that help
ensure that actions identified to address risks are carried out

Control activities exist at all levels within an enterprise

Essential part of building and then establishing effective
internal controls in an enterprise

Control Activities

Some of the COSO-recommended internal control activities for an enterprise:


Top-level reviews
Direct functional or activity management
Information processing
Physical controls
Performance indicators
Segregation of duties

Information and Communication
RELATIONSHIP OF INFORMATION AND INTERNAL CONTROL

An enterprise needs information at all levels
Strategic and Integrated Systems
Quality of Information

THE COMMUNICATIONS ASPECT OF INTERNAL CONTROL

Communication must take place on a broad level
Communications: Internal Components
External Communications

Monitoring

A monitoring process should be in place to assess the
effectiveness of established internal control
components and to take corrective action when
appropriate.

ONGOING MONITORING ACTIVITIES

Operating management normal functions
Communications from external parties
Enterprise structure and supervisory activities
Physical inventories and asset reconciliation

SEPARATE INTERNAL CONTROL EVALUATION

Performed by direct line management through self-assessment reviews.
Benchmarking

Monitoring
Reporting internal control deficiencies:
Findings on internal control deficiencies usually should be
reported not only to the individual responsible for the
function or activity involved, who is in the position to take
corrective action, but also to at least one level of
management above the directly responsible person. This
process enables that individual to provide needed support
or oversight for taking corrective action, and to
communicate with others in the enterprise whose
activities may be affected.

Other Dimensions of the COSO Internal Controls Framework
Top of the framework cube covers three dimensions of all
internal controls:
1. Reliability of financial reporting
2. Compliance with applicable laws and regulations
3. Effectiveness and efficiency of operations


Internal Audit CBOK Needs
COSO internal control is different from an internal audit
CBOK perspective. This framework is becoming the
worldwide standard for building and evaluating all levels
of internal controls.


Risk Management: COSO ERM

Companies need to identify all the business risks they face

However, in the past there was no consistent
definition of what is meant by risk

Until the Committee of Sponsoring Organizations (COSO)
created the COSO Enterprise Risk Management
Integrated Framework (COSO ERM)
COSO ERM helps companies and internal audit
consider and assess risk at all levels,
whether in an individual area or globally


Risk Management Fundamentals
A company must provide added value to its
stakeholders by carrying out business activities.
But every activity is subject to uncertainty/risk.

Risk management is a concept related to insurance, in which
individuals or companies use insurance mechanisms to provide
protection from risk.


Effective Risk Management Process


(1). Identifying Risks

Look at the potential risks in each area of operations, then
identify which risks could have a major impact


(2). Assessing Risks

The aim is to determine which potential risks
management should be concerned about first


Tools
Risk Assessment Analysis Map

Risk Scoring Schedule


(3). Determining Risk Priorities


(4). Risk Monitoring

Environmental conditions will change continually, which means
risks will change as well

Risk identification not continuous exercise


Once these risks have been identified, the enterprise
needs to monitor them and make ongoing adjustments as
needed.


COSO ERM: Enterprise Risk Management

COSO Enterprise Risk Management is a framework to
help enterprises to have a consistent definition of their
risks.

COSO contracted with PricewaterhouseCoopers (PwC) to
develop this risk framework.
The COSO ERM framework was published in
September 2004.


Enterprise risk management is a process, effected by an entity's
board of directors, management and other personnel,
applied in a strategy setting and across the enterprise,
designed to identify potential events that may affect the entity,
and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity
objectives.

Key Point in COSO ERM Framework Definition


COSO ERM Key Elements


Risk Component: Internal Environment
This level defines the basis for all other
components in an enterprise's ERM model,
influencing how strategies and
objectives should be established, how risk-related
business activities are structured, and how risks are
identified and acted on.
Its elements:
Risk management philosophy
Risk appetite
Board of directors attitude
Integrity and ethical values
Commitment to competence
Organizational structure
Assignment of authority and responsibility
Human resource standards


Risk Component: Objective Setting
COSO ERM emphasizes that the mission statement
is a crucial element in setting objectives


Risk Component

Risk Component: Event Identification
A company needs to clearly define the significant risks of
an event and then monitor them in order to take the
necessary actions

Approaches based on COSO ERM:


Risk Component: Risk Assessment
Allows the company to consider what effect an event
with risk potential has on the achievement of the
company's objectives

2 perspectives in assessing risk


Risk Component: Risk Response
There must be a review of the estimated risk likelihoods
and potential impacts, with a view to developing
an appropriate risk response strategy

4 basic ways to respond to risk:


Risk Component: Control Activities
The rules and procedures needed to ensure action
on the identified risk responses
The components of control activities must be closely
related to the risk response strategies and actions
previously discussed
Control activities usually include these internal control
areas:
1. Separation of duties
2. Audit trails
3. Security and integrity
4. Documentation


Risk Component: Information and Communication

Information and Communication Flows in ERM Components


Risk Component: Monitoring
Needed to determine whether all the ERM components
in use are working effectively

The COSO ERM Application Framework document
suggests that monitoring include the following activities:
1. Implementation of ongoing management reporting
mechanism
2. Periodic risk-related alert reporting processes
3. Current and periodic status reporting of risk-related
findings and recommendations from
internal and external audit reports
4. Updated risk-related information


Other Dimensions of COSO ERM: Enterprise Risk Objectives


Entity-Level Risks


Putting It All Together

1. COSO ERM is an important tool for managing and
understanding SOx Section 404 internal controls
2. Give greater consideration to risk when
understanding and evaluating internal controls
3. COSO ERM is an important tool for understanding
the multiple risks that companies face today
4. Internal auditors must establish COSO ERM as an
internal audit CBOK requirement and carry out internal
audits in line with the ERM process


Auditing Risk and COSO ERM Processes
Internal audit must review the enterprise-wide ERM
process using some of these tools:
Process flowcharting
Reviews of risk and control materials
Benchmarking
Questionnaires
Internal audit must set several high-level review
objectives for the effectiveness of COSO ERM in
their company


Risk Management and COSO ERM in Perspective
The risk-related emphasis of the new AS 5 auditing
standards as well as an increasing recognition of risk
issues in professional literature have increased
professional interest in and attention toward
enterprise risk management.

The three-dimensional ERM framework helps to
place risk and internal control issues in a better
perspective when evaluating SOx compliance.


CoCo Model

CoCo
The Canadian Institute of Chartered Accountants Criteria
of Control Committee (CoCo) developed an internal
control model similar to COSO.
The Canadians have a model that they consider easier to
understand and easier to use as guidance
for internal audit activities.


Advantages of CoCo


The CoCo Model


Purpose
Commitment
Capability
Monitoring and Learning


The CoCo Model: Purpose
1. Objectives must be stated and communicated to all stakeholders.
2. Significant risks, both internal and external to the organization, that
relate to the achievement of objectives must be identified and assessed.
3. Policies designed to support the achievement of the organization's
objectives and the management of risk must be established, communicated, and
practiced so that employees understand what is expected of them and
the freedom they need to act.
4. Plans to guide the achievement of the organization's objectives must be
prepared and communicated.
5. Objectives and related plans must include performance targets and
indicators.


The CoCo Model: Commitment
1. Ethical values, including integrity, must be formally established and
communicated to all stakeholders in the organization.
2. HR management policies and practices must be consistent
with ethics and values and with the achievement of objectives.
3. Authority, responsibility, and accountability must be clearly
defined and consistent with the organization's objectives
so that decisions and actions are carried out
correctly by employees.
4. An atmosphere of high trust must be maintained and supported
by the flow of information between employees and their performance
in supporting the achievement of the organization's objectives.


The CoCo Model: Capability
1. Employees must have sufficient knowledge, skills, and tools
to support the achievement of the organization's objectives.
2. Communication processes must support the organization's values and
the achievement of its established objectives.
3. Sufficient and relevant information must be identified and
communicated in a timely manner so that employees can
perform their duties well.
4. The objectives and activities of different parts of an
organization must be coordinated.
5. Control activities must be designed as an integral whole
of the organization, taking into account
objectives, risks, and the interrelationships among control components.


The CoCo Model: Monitoring and Learning
1. The internal and external environments must be monitored to obtain
information so that the organization's objectives and controls remain current.
2. Performance must be monitored against the established targets and
indicators.
3. The assumptions used in setting objectives and systems must be
reviewed periodically.
4. Information needs must be reassessed continually as
objectives change or as reporting indicates
deviations.
5. Follow-up procedures must be established and performed to ensure
that appropriate changes and actions take place.
6. Management periodically assesses the effectiveness of controls and
then communicates the appropriate actions to take.
