
“IMPORTANCE OF INTERNAL CONTROL”

GROUP 1

ANNISA AULIA RAHMA ATMARIANI 041811333052

ESA ANESTI PUTRI MUHARDINI 041811333054

RUHTITAH ZEN 041811333062

MELLYANTI FELICIA ARY 041811333073

WANDA ALVINA DAMAYANTI 041811333096

JUSTIKA FITRIANA 041811333223


5.1 KEY SOX ELEMENTS

• SOx introduced a series of totally changed processes for external auditing and gave new governance responsibilities to senior executives and board members.

Title I : Public Company Accounting Oversight Board (PCAOB)

• The PCAOB assumes responsibility for the external auditing practices that were formerly managed by AICPA members.

• The PCAOB releases rules to support SOx legislation, and as this book goes to press, there have been five new standards up through the very important AS5.

Title II : Auditor Independence

• Internal and external auditors are separate and independent resources.

• External auditors are responsible for assessing the fairness of an enterprise’s published financial reports.

• Internal auditors serve management in a wide variety of other areas.

Title III : Corporate Responsibility

• This is an area where internal auditors should have a greater level of interest and role.

• SOx introduced a wide range of governance rules covering corporate boards and their audit committees.
Title IV : Enhanced Financial Disclosure
• Designed to correct some financial reporting disclosure problems, to tighten up conflict-of-interest rules for corporate officers and directors, to mandate a management assessment of internal controls, to require senior officer codes of conduct, and other matters.
• SOx tightened up many rules and made these financial disclosure tactics difficult or illegal.
Title V : Analyst Conflicts of Interest
• Designed to rectify some securities analyst abuses.
• Rules of conduct have been established with legal punishments for violations. SOx has reformed and regulated the practices of securities analysts.
Titles VI through X : Fraud Accountability and White-Collar Crime
• The Organizational Sentencing Guidelines are a published list of corporate penalties for violations of certain federal laws. If an enterprise is found guilty, the punishment or sentencing could be shortened if there had been an ethics program in place that should normally reduce the possibility of such a violation. While the basic concepts of the sentencing guidelines are still in place, SOx modifies them to include the destruction or alteration of documents as offenses.
Title XI : Corporate Fraud Accountability
• The last SOx title covers corporate responsibilities for fraudulent financial reporting.
• Section 1105 also gives the SEC the authority to prohibit persons who have violated certain SOx rules from serving as corporate officers and directors.
5.2 PERFORMING SECTION 404 REVIEWS UNDER AS5
Section 404 mandates that an enterprise is responsible for reviewing, documenting, and testing its own internal accounting controls, with the results then being passed on to the enterprise’s external auditors, who are charged with reviewing and attesting to that work as part of their review of the reported financial statements. In 2007, Section 404 auditing rules changed with the release of AS5, a more risk-based audit approach that allows external auditors to better use the work of internal auditors in their assessments.
• Section 404 Internal Control Assessments Today
• Launching the Section 404 Compliance Review: Identifying Key Processes
• Launching the SOx Section 404 Compliance Review: Internal Audit’s Rules
• Launching the Section 404 Compliance Review: Organizing the Project
5.3 AS5 RULES AND INTERNAL AUDIT

AS5 is really a set of standards for the external auditors who review and certify published financial statements. These new rules are important for internal auditors and financial managers as well. AS5 introduces risk-based rules with an emphasis on the effectiveness of enterprise-level controls that are more oriented to enterprise facts and circumstances. AS5 has four broad objectives:
• Focus internal control audit on the most important matters
• Eliminate audit procedures that are unnecessary to achieve their intended benefits
• Make the audit clearly scalable to fit the size and the complexity of any enterprise
• Simplify the text of the standard
5.4 IMPACT OF THE SARBANES‐OXLEY ACT

• SOx is an important law, and every internal auditor should have a general understanding of its content as a CBOK requirement. Going beyond just this general understanding, SOx’s Section 404 on reviews of internal accounting controls should receive the most internal audit attention and understanding. Under Section 404, an enterprise is made responsible for reviewing, documenting, and testing its own internal accounting controls, with those review results then being passed on to the enterprise’s external auditors, who are charged with reviewing and attesting to that work as part of their review of the reported financial statements. When SOx first became law, Section 404 reviews were a major difficulty for many enterprises because external auditors were required to follow the very detailed AS2 set of financial accounting audit procedures.
6.1 INTRODUCTION TO COBIT

• COBIT (originally written as CobiT) is an acronym that is becoming increasingly recognized by many internal and external auditors and IT professionals. COBIT is an important internal control framework that can stand by itself, but it is also an important support tool for documenting and understanding both COSO and SOx internal controls. A general knowledge of COBIT should be an internal auditor CBOK requirement.
• COBIT’s five major areas of emphasis are arranged around the important core concept of IT governance:
• Strategic alignment
• Value delivery
• Risk Management
• Resource Management
• Performance measurement
• These five COBIT internal control concerns or areas of emphasis are the framework’s elements and
define IT governance. The COBIT framework is an effective tool for documenting IT and all other
internal controls.
6.2 COBIT FRAMEWORK

• COBIT provides an alternative approach to define and describe internal controls that has
more of an IT emphasis than even the newly revised COSO internal control framework.
• Management, users of IT, and internal auditors all need to understand these information-related processes and the controls that support them. Each of them is concerned about the effectiveness and efficiency of the enterprise’s IT resources, its IT processes, and its overall business requirements. COBIT’s five basic principles describe this cycle, with business requirements driving the demand for IT resources, and those resources initiating IT processes and enterprise information in a continuous circular manner.
6.3 PRINCIPLE 1 : MEETING STAKEHOLDER NEEDS
• An enterprise and its key management should recognize that their enterprise exists to create value for its stakeholders, whether they are investors, customers, employees, users, or others.
• Value Creation : realizing a wide range of benefits at optimal resource costs, risks, and resource utilization.
• When initiating a review following COBIT principles :
• The internal auditor should step back and develop an understanding of the financial, customer, internal, and enterprise needs of the enterprise.
• The identified IT and management needs should be formalized and converted into more established goals.
• The team implementing this process should cascade these established goals into COBIT’s enabler goals.
6.4 PRINCIPLE 2: COVERING THE ENTERPRISE END TO END
• COBIT states that it addresses the governance and management of information and
related technology from an enterprise-wide end-to-end perspective–not a very common
expression for most internal auditors. COBIT provides a holistic and systemic view on
governance and management of enterprise IT based on a number of enablers. We have
taken the term holistic from COBIT. It is one of those terms often used by academics but
not by internal auditors as they discuss the progress of their reviews, nor by many
enterprise managers. It refers to taking an all‐encompassing view of things based on the
nature, functions, and properties of the components and their interactions.
6.5 A SINGLE INTEGRATED FRAMEWORK

• COBIT is a single and integrated framework, as it aligns with other current relevant standards and frameworks. COBIT provides a simple architecture for structuring guidance materials and producing a consistent product set.
• COBIT is an alternative tool that an internal auditor should consider as an alternative internal control review framework, particularly given COBIT’s emphasis on IT systems and processes.
• Exhibit: the overall COBIT goals and metrics flow.
6.6 PRINCIPLE 4: ENABLING A HOLISTIC APPROACH
• Enablers are factors that, individually and collectively, influence whether something will work, in this case the governance and management over enterprise IT. Enablers are driven by the goals that cascade from principle 3, where higher-level IT-related goals define what the different enablers should achieve. Exhibit 6.5 describes these classes or types of enablers:
• Principles, policies, and frameworks are enabler vehicles to translate the desired behavior into practical guidance for day-to-day management.
• Organizational structure enablers are the key decision-making entities in an enterprise.
• Culture, ethics, and behavior of individuals and of the enterprise are enablers often underestimated as a success factor in governance and management activities.
• There are four common dimensions to enablers: (1) the internal stakeholders, (2) external stakeholder goals, (3) the stakeholder enabler life cycle, and (4) good practices. That is, each enabler has stakeholders who play an active role and/or have an interest.
6.7 PRINCIPLE 5: SEPARATING GOVERNANCE FROM MANAGEMENT
• COBIT’s remaining and fifth principle focuses on the importance of separate but related
concepts of management and governance in an IT‐oriented enterprise. The COBIT
framework makes a clear distinction between governance and management. These two
disciplines include different types of activities, require different organizational structures,
and serve different purposes. This distinction is a key to COBIT’s view of governance and
management.
6.8 USING COBIT TO ASSESS INTERNAL CONTROLS
COBIT divides the steps necessary to evaluate IT controls and processes into what COBIT calls five domain areas:
• Evaluate, Direct, and Monitor (EDM)
• Align, Plan, and Organize (APO)
• Build, Acquire, and Implement (BAI)
• Deliver, Service, and Support (DSS)
• Monitor, Evaluate, and Assess (MEA)
6.9 MAPPING COBIT TO COSO INTERNAL CONTROLS
COBIT:
• Approaches IT controls by looking at the information that is needed to support business requirements and the associated IT resources and processes.
• Target audience : IT management, IT users, and IT internal and external auditors.
COSO Internal Controls Framework:
• Internal control is a process designed to provide reasonable assurance regarding the achievement of stated objectives.
• Target audience : general, and directed to senior management.
7.1 RISK MANAGEMENT FUNDAMENTALS

Risk management is an insurance-related concept where an individual or enterprise typically uses insurance mechanisms to provide a shield or protection from those risks. Risk management began to emphasize protecting enterprises against a major catastrophe. An effective risk management process requires four steps:
• Risk Identification
• Quantitative or qualitative assessment of the documented risk
• Risk prioritization and response planning
• Risk Monitoring
7.2 COSO ERM : ENTERPRISE RISK MANAGEMENT
• COSO Enterprise Risk Management is a framework to help enterprises have a consistent definition of their risk. COSO ERM was launched in a manner similar to the development of the original COSO Internal Control framework.
• Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding achievement of entity objectives.
Professionals should consider these key points and concepts supporting the COSO ERM framework definition, including :
• ERM is a process
• The ERM process is implemented by people in the enterprise
• ERM is applied through the setting of strategies across the overall enterprise
• An enterprise’s risk appetite must be considered
• ERM provides only reasonable, not positive, assurance on objective achievements
• An ERM is designed to help attain the achievement of objectives
7.3 COSO ERM KEY ELEMENTS

• This COSO ERM framework is shown in Exhibit 7.5 as a cube with the components of:
• Four columns representing the strategic objectives of enterprise risk;
• Eight horizontal rows or risk components; and
• Multiple levels to describe any enterprise, from a headquarters entity level to individual subsidiaries. Depending on organization size, there can be many slices of the model here.
• ERM as just an update or supplement to the more familiar COSO internal control framework. However, COSO ERM has different objectives and uses. COSO ERM should not be considered just a new and improved or revised version of the COSO internal control framework. It is much more. The following sections will outline this framework from a risk components perspective.
COSO ERM: The Internal

7.4 OTHER DIMENSIONS OF COSO ERM: ENTERPRISE RISK OBJECTIVES

Although many look at COSO ERM from the perspective of the front‐facing side of its
three‐dimensional framework, the two other dimensions—the operational and organizational
levels—should always be considered. Each component of COSO ERM operates in this
three‐dimensional space where each must be considered in terms of the other related
categories. The top‐facing components of strategic, operations, reporting, and compliance risk
objectives are important for understanding and implementing COSO ERM.
• Operations Risk Management Objectives
• Reporting Risk Management Objectives
• Legal and Regulatory Compliance Risk Objectives
7.5 ENTITY LEVEL RISK

• COSO ERM risks should be identified and managed within each significant organizational unit, including risks on an entity-wide basis through individual business units.
• While risks are important on an overall organizational level, there should be a level of consideration on a unit-by-unit basis, to as low a level as necessary to allow the enterprise to understand and manage its risks. COSO ERM does not specify how thinly these unit-level risks should be sliced, and the criticality and materiality of individual business units should be given consideration.
• Multiple risks at the business unit level should roll up to entity-level risks. Both major and seemingly small risks can impact an entire enterprise. While it is relatively easy to identify high-level entity-wide risks, such as compliance with SOx Section 404, and to identify and monitor these as part of the COSO ERM process, care must be taken that smaller potential risks do not slip between the cracks. As risks are identified through organization-wide objective setting, they should be considered on an entity-wide basis as well as by individual operating units. Those individual unit risks should first be reviewed and consolidated to identify any key risks that may impact the overall organization. In addition, any organization-wide risk should be identified.
• Risks must be considered in each significant organizational unit.
• Depending on the complexity and number of operating units, risk responsibility can often best start as a push-down process where corporate-level management will formally outline its major risk-related concerns and ask responsible management at each of the major divisions to survey risk objectives through the operating units within that division.
• In this manner, significant risks can be identified at all levels and then managed at the levels where they can receive the most direct, local support.
7.6 PUTTING IT ALL TOGETHER : AUDITING RISK AND COSO ERM PROCESSES
• The COSO ERM framework outlines a risk management approach applicable to all industries and encompassing all types of risk.
• With a focus on the COSO ERM framework as well as general good risk management practices, internal audit can provide a service to its enterprise by planning and performing reviews of enterprise-level risk management processes.
• Any internal audit review of enterprise ERM processes should be planned through risk-based internal audit project planning approaches, using some of the following tools :
• Process flowcharting
• Reviews of risk and control materials
• Benchmarking
• Questionnaires